Toward Detecting Malware Based on Process-Aware Behaviors

Security and Communication Networks (2023)

Abstract
Malware continuously evolves and becomes more and more sophisticated. Learning on execution behavior has proven effective for malware detection. However, little work has been done to delve into the implications of full process information for malware detection. In this paper, we present a deep neural network-based malware detection approach that performs learning on process-aware behaviors for Windows programs. It first employs a logistic regression-based weighting method and a machine learning-based API score learning method to capture the inner-process behavior, including API sequences and their run-time arguments. Next, it constructs the process graph from inter-process interactions, from which a set of attributes is extracted to characterize the relationships among various processes in terms of invoke actions. Finally, it feeds the process-aware features into the deep neural network to train a binary classifier that detects malware. In addition to designing the method, we have implemented and evaluated it on two datasets. The results demonstrate that our method outperforms naïve models that take raw APIs as input, verifying the effectiveness of our method. Moreover, we have evaluated our model's robustness to adversarial attacks and concept drift, and the results demonstrate the robustness of our method.
Keywords
detecting malware, behaviors, process-aware