Title: GraphShield: Advanced dynamic graph-based malware detection using graph neural networks
Authors: Eslam Amer, Shaker El-Sappagh, Tamer Abuhamad, Bander Ali Saleh Al-Rimy, Alaa Mohasseb
DOI: 10.1016/j.eswa.2025.129812
Journal: Expert Systems with Applications, volume 298, Article 129812
Publication type: Journal Article
Publication date: 2025-09-26
Journal impact factor: 7.5; JCR Q1 (Computer Science, Artificial Intelligence)
Open access: no
Source: https://www.sciencedirect.com/science/article/pii/S095741742503427X
Citation count: 0
Abstract
The rising complexity of modern malware, such as polymorphic, fileless, and sandbox-aware variants, has severely diminished the reliability of conventional detection techniques. Models based on sequential data frequently miss intricate behavioral patterns and long-range dependencies, resulting in poor accuracy and limited adaptability to new threats. This paper introduces GraphShield, a graph-centric behavioral detection framework that identifies malware with high precision by analyzing dynamic API call sequences. GraphShield converts raw API calls into temporal graphs, applies semantic vectorization, and leverages attention mechanisms to extract both localized activity and extended behavioral correlations, directly addressing the weaknesses of earlier systems. We design and assess multiple Graph Neural Network (GNN) variants, including Graph Convolutional Networks (GCNs), Graph Attention Networks (GATs), Graph Isomorphism Networks (GINs), and Transformer-based architectures combining convolutional, recurrent, and autoencoding layers. These models capture structural and temporal traits of execution traces using both classification-only and combined classification-reconstruction strategies. To enhance transparency, we incorporate GNN interpretation tools that isolate key API call subgraphs and critical decision pathways, making detection outcomes explainable for analysts. GraphShield is trained on 300,000 balanced instances and tested on a separate 200,000-sample holdout set, achieving over 58% improvement in accuracy over advanced sequence-driven deep learning models while maintaining a false positive rate under 1%. Key features include BERT-based API call grouping for reducing dimensionality and a Markov-inspired graph stabilization method for managing graphs of variable length. Our top models attain a 99.5% F1-score on the test set. GraphShield aligns recent graph learning techniques with operational cybersecurity needs, delivering accurate detection and clear, interpretable results.
Journal description:
Expert Systems With Applications is an international journal dedicated to the exchange of information on expert and intelligent systems used globally in industry, government, and universities. The journal emphasizes original papers covering the design, development, testing, implementation, and management of these systems, offering practical guidelines. It spans various sectors such as finance, engineering, marketing, law, project management, information management, medicine, and more. The journal also welcomes papers on multi-agent systems, knowledge management, neural networks, knowledge discovery, data mining, and other related areas, excluding applications to military/defense systems.