MINES: Multi-perspective API Call Sequence Behavior Fusion Malware Classification

The growing variety of malicious software, i.e., malware, has caused great damage and economic loss to computer systems. The API call sequence of malware reflects its dynamic behavior during execution, which is difficult to disguise. Therefore, API call sequence can serve as a robust feature for the detection and classification of malware. There are two distinct characteristics within the API call sequences of malware: 1) the API existence feature caused by frequent calls to the APIs with some special functions, and 2) the API transition feature caused by frequent calls to some special API subsequence patterns. Based on these two characteristics, this paper proposes the Multi-perspective apI call sequeNce bEhavior fuSion malware classification Method, called MINES. It adopts the graph contrastive learning framework to extract the API existence feature from two graphs that model relationships between APIs from different perspectives. Similarly, a CNN-based contrastive learning framework is adopted to extract the API transition feature from two sets of multi-hop transition matrices. Finally, the extracted two features are fused to classify malware. Experiments on five datasets demonstrate the superiority of MINES over various state-of-the-arts by a large margin.