
Research On Malware Detection And Classification Based On Graph Neural Network

Posted on: 2024-09-30
Degree: Master
Type: Thesis
Country: China
Candidate: S Q Li
Full Text: PDF
GTID: 2558307136995149
Subject: Computer technology
Abstract/Summary:
Modern development has made the Internet play a vital role in daily life, and network security issues have become one of the key factors in the future development of informatization. The high proportion of malware among network security issues gives its detection and classification practical significance. The application programming interface (API) is the interface an operating system exposes for developing applications, and its call sequence can intuitively and objectively represent the real behavior of software: the number and order of API function calls in the API call sequences of different programs have distinct characteristics. However, malware developers perturb the API call sequence to avoid detection, which brings new challenges and difficulties to malware detection and classification. Recently, graph neural networks (GNNs) have performed well at acquiring the node features and structural features of graph data, and they have gradually come into wide use for processing sequences and for malware research because of their ability to capture latent correlations among the data in a sequence. This thesis proposes a malware detection model based on the graph convolutional network (GCN) for the detection evasion problem, which can effectively deal with the evasion caused by malware developers inserting, deleting or replacing useless API functions in the malware API call sequence. At the same time, a malware multi-classification model based on a heterogeneous graph is proposed to improve the accuracy of multi-classification. The main research contents and achievements of this thesis are as follows:

This thesis proposes a malware detection algorithm based on association rules and GCN. To deal with the detection evasion caused by the perturbation of inserting, deleting or replacing useless API functions in the malware API call sequence, association rules between APIs are first established to better mine the hidden relationships between APIs. Homogeneous graph structure data is then built from these rules, and finally a GCN classifies the software samples. Ablation and comparison experiments verify that the model performs well on malware detection, and a perturbation test on the original data samples shows that the model is robust.

This thesis proposes a malware family classification algorithm based on a heterogeneous graph. Since heterogeneous networks can better utilize different types of node features to capture richer relational semantic information, a heterogeneous graph containing software-sample nodes and API nodes is set up. To separately obtain the influence of same-type malware nodes and of different-type API nodes on the central malware node, the graph performs random walks based on breadth-first and depth-first search, and the sequences obtained by the same search method are aggregated with a Long Short-Term Memory (LSTM) network. Multi-head attention is used to account for the impact of different paths. Finally, the embedding vectors are fed into a linear layer for multi-classification. Experimental results show that the model achieves a good classification effect.
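As an added illustration of the first contribution (association rules between APIs, then a homogeneous graph per sample), not code from the thesis: a simplified rule miner and graph builder in Python over a constructed corpus. The support/confidence thresholds, the window size and the step of dropping APIs that take part in no rule are assumptions of this example, not the thesis's design; the point shown is that inserting or substituting rule-free calls leaves the sample's graph unchanged.

```python
from collections import Counter

# Constructed sample corpus (not real traces): one API call sequence per
# software sample; the association rules are mined from it.
CORPUS = [
    ["CreateFile", "WriteFile", "CloseHandle", "RegSetValue"],
    ["CreateFile", "WriteFile", "CloseHandle", "GetTickCount", "RegSetValue"],
    ["CreateFile", "Sleep", "WriteFile", "CloseHandle"],
    ["VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread"],
    ["VirtualAlloc", "GetTickCount", "WriteProcessMemory", "CreateRemoteThread"],
]

def mine_rules(corpus, window=2, min_support=2, min_conf=0.6):
    """Mine ordered association rules a->b (b follows a within `window` calls).
    support    = number of sequences in which the pair occurs
    confidence = support / number of sequences containing a
    Thresholds and window are assumptions of this example."""
    pair_seqs, head_seqs = Counter(), Counter()
    for seq in corpus:
        pairs = {(a, b) for i, a in enumerate(seq) for b in seq[i + 1:i + 1 + window]}
        pair_seqs.update(pairs)
        head_seqs.update(set(seq))
    return {
        (a, b): n / head_seqs[a]
        for (a, b), n in pair_seqs.items()
        if n >= min_support and n / head_seqs[a] >= min_conf
    }

def build_graph(seq, rules, window=2):
    """Homogeneous API graph of one sample as a frozenset of directed edges.
    APIs that take part in no mined rule are dropped first (an assumption of
    this example), so inserted or substituted 'useless' calls neither add
    nodes nor push rule-related calls out of the window."""
    vocab = {api for rule in rules for api in rule}
    kept = [api for api in seq if api in vocab]
    return frozenset(
        (a, b) for i, a in enumerate(kept)
        for b in kept[i + 1:i + 1 + window] if (a, b) in rules
    )

def edge_jaccard(g1, g2):
    """Edge-set similarity of two sample graphs (1.0 = identical)."""
    return len(g1 & g2) / len(g1 | g2) if g1 | g2 else 1.0

RULES = mine_rules(CORPUS)
CLEAN = ["CreateFile", "WriteFile", "CloseHandle", "RegSetValue"]
# Same behaviour with two 'useless' calls inserted (the perturbation the thesis targets).
EVASIVE = ["CreateFile", "GetTickCount", "WriteFile", "CloseHandle", "Sleep", "RegSetValue"]

if __name__ == "__main__":
    print(sorted(RULES), edge_jaccard(build_graph(CLEAN, RULES), build_graph(EVASIVE, RULES)))
```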
Keywords/Search Tags:API call, Association rule, Malware detection, Malware classification, Graph neural network