Dynamic malware detection based on supervised contrastive learning

Abstract

Application Programming Interface (API) calls record interactions between a program and the operating system or other programs during runtime. Due to this precise tracking capability, API call information is extensively utilized in malware detection. However, most approaches only focus on the API names or simply combine them with API parameters, leading to insufficient semantic information extraction. Additionally, with the continuous development of network technology, the behavioral feature differences between malware and benign software are gradually blurring, which makes it difficult to detect hard samples (e.g., well-disguised or atypical malware) in static analysis or simple behavioral patterns. Therefore, in this paper, we propose DMASCL, a framework that utilizes Dynamic Malware Analysis based on API calls and Supervised Contrastive Learning techniques, which encodes semantic as well as statistical features in each sample, dynamically compares samples from different categories, learns inter-sample differences and performs classification. In particular, we combine API names with API parameters to construct API sentences containing rich semantic information, and propose a hybrid feature encoder for obtaining the semantics and statistical features of API parameters. We then apply supervised contrastive learning techniques for further feature learning, utilizing Gaussian noise to construct contrast tasks. The model is optimized by combining cross-entropy loss for classification with supervised contrastive loss to reinforce relationships between samples, thus enhancing the model’s ability to recognize malicious behavior. Our method achieves a 98.42% F1-score and a 98.03% recall in Dataset 1. It achieves a 99.59% F1-score and a 98.86% recall in Dataset 2. The experimental results show an increase in accuracy of 1.05% and 2.27%, respectively, compared to the state-of-the-art method.