A Graph Neural Network Framework for Dynamic Malware Detection Using API Calls and Lightweight Containers
| Published in: | 2025 5th International Conference on Intelligent Communications and Computing (ICICC), pp. 294-301 |
|---|---|
| Main authors: | |
| Format: | Conference paper |
| Language: | English |
| Publisher details: | IEEE, 15.08.2025 |
| Subject: | |
| Online access: | Get full text |
| Summary: | The growing sophistication of malware poses a persistent challenge to traditional detection systems. To address the limitations of conventional static and dynamic analysis methods, this paper proposes a novel malware detection framework that integrates dynamic behavior monitoring with graph-based learning. Leveraging lightweight container (LXC) technology, we construct an efficient and isolated environment for capturing fine-grained API call sequences and contextual parameters during malware execution. These behavioral traces are transformed into heterogeneous graphs, where API calls, process/thread identifiers, and program entities are modeled as nodes with semantic embeddings, while their temporal and structural dependencies are encoded as weighted edges. To extract and aggregate structural and semantic information from the constructed graphs, we design a deep graph classification architecture based on a multi-layer Graph Attention Network (GAT). The network incorporates hierarchical attention mechanisms, including multi-head intra-layer attention and cross-layer residual connections, to effectively capture both local and global behavioral patterns. Additionally, a Self-Attention Graph Pooling (SAGPooling) strategy is applied to retain the most informative substructures, while a joint readout mechanism combining global max and average pooling enhances graph-level representation. The final classification is performed through a multi-layer perceptron, optimized with Focal Loss to address label imbalance in real-world datasets. Extensive experiments on multiple benchmark datasets, including Linux and Windows malware corpora, demonstrate the superiority of the proposed method over conventional baselines in terms of accuracy, precision, recall, and F1 score. This work contributes an effective and scalable solution for dynamic malware detection and highlights the promise of deep graph neural architectures in advanced cybersecurity applications. |
| DOI: | 10.1109/ICICC66840.2025.11199642 |