Behavioral Malware Detection Using Deep Graph
Convolutional Neural Networks
A Preprint
Angelo Oliveira
∗
Universidade Nove de Julho, Brazil
alpha@angeloliveira.net
Renato José Sassi
Universidade Nove de Julho, Brazil
renato.sassi@ieee.org
October 24, 2019
Abstract
Malware behavioral graphs provide a rich source of information that can be leveraged for
detection and classification tasks. In this paper, we propose a novel behavioral malware
detection method based on Deep Graph Convolutional Neural Networks (DGCNNs) to learn
directly from API call sequences and their associated behavioral graphs. In order to train
and evaluate the models, we created a new public domain dataset of more than 40,000
API call sequences resulting from the execution of malware and goodware instances in a
sandboxed environment. Experimental results show that our models achieve similar Area
Under the ROC Curve (AUC-ROC) and F1-Score to Long-Short Term Memory (LSTM)
networks, widely used as the base architecture for behavioral malware detection methods,
thus indicating that the models can effectively learn to distinguish between malicious and
benign temporal patterns through convolution operations on graphs. To the best of our
knowledge, this is the first paper that investigates the applicability of DGCNN to behavioral
malware detection using API call sequences.
K eywords
malware detection
·
behavioral graphs
·
deep graph convolutional neural networks
·
deep
learning · computer security
1 Introduction
According to a report published by AV-TEST [1], 9.74 million new malware specimens were released just in
September of 2019, totaling 948 million known specimens in the wild. Dealing with the rapid increase of
∗
Corresp onding author.
A preprint - October 24, 2019
malware in number, complexity, and variability requires the research and development of new intelligent,
automatic malware detection methods capable of scaling accordingly. There are two main approaches to
detecting malware; static malware analysis, and dynamic malware analysis [2]. On the one hand, static
malware analysis can be conducted quickly by comparing a set of handcrafted features of the incoming file to
previously observed malware features or signatures, which makes static analysis vulnerable to code obfuscation
techniques employed by polymorphic and metamorphic malware [3], as well as to complete new specimens of
malware or zero-days. Traditional signature-based malware detection methods are the cornerstone of the
majority of the commercial endpoint protection systems since they are relatively fast and do not depend
on any additional infrastructure to collect and analyze the data; however, they require expert knowledge to
reverse engineer malware instances and produce the features that will be used for detection. Evidently, this
approach does not scale as fast as malware production. On the other hand, dynamic malware analysis or
behavioral analysis is based on behavioral data such as API or system calls, which is harder to obfuscate [4].
In order to collect dynamic analysis data, it is often necessary to run the program in a sandbox environment
[5]. A sandbox provides a controlled and isolated environment for the guest program to run while monitoring
and tracking its activities. Once the data is collected and preprocessed, it can be used to feed behavioral
detection algorithms [6]. Deep Learning algorithms have shown unprecedented success in various domains
such as image classification, natural language processing, and speech recognition [7]. Following this trend,
Deep Learning algorithms have also been applied to malware detection and classification tasks using static
and dynamic analysis data exploiting its temporal [8, 9, 10], spatial [11, 12], or spatio-temporal [13, 14]
structure. In this work, we propose a novel behavioral malware detection method that exploits yet another
structure of the dynamic analysis data, the graph structure of the API call sequences. To accomplish this
task, our method is based on a state-of-the-art Deep Learning architecture designed for graph classification;
more specifically, the Deep Graph Convolutional Neural Network (DGCNN) [15]. Due to their capability of
learning from non-Euclidean data such as graphs, Graph Neural Networks (GNNs) [16, 17] can be applied to
problems in a vast range of domains from protein classification [18] to Materials science [19]. By defining a
graph structure to represent the API call sequence of a program, we combine both the spatial and temporal
information from its behavior. Then, we introduce a simplified version of the DGCNN to learn high-level
representations that can be used by a classifier to detect whether the program is malware. Experimental
results show that the proposed method achieves similar AUC-ROC [20] and F1-Score to specialized Deep
Learning architectures for sequence learning such as LSTM networks [21], widely used as the base architecture
for behavioral malware detection methods [22]. In particular, our models achieve higher AUC-ROC, F1-Score,
Precision, Recall, and Accuracy than LSTM networks when trained and tested on a balanced dataset. To the
best of our knowledge, this is the first paper that investigates the applicability of DGCNN to behavioral
malware detection using API call sequences. The rest of the paper is organized as follows. Related work is
reviewed in Section 2. A brief background on DGCNNs is introduced in Section 3. The proposed method is
2
A preprint - October 24, 2019
detailed in Section 4. Performance evaluation is described in Section 5. Results, discussion, limitations, and
future work are presented in Section 6. Finally, conclusions are drawn in Section 7.
2 Related Work
Classical Deep Learning algorithms such as Convolutional Neural Networks (CNNs) [23] and LSTM networks
have been successfully applied to malware detection and classification problems using both static and dynamic
analysis data [22]; however, Deep Learning on graphs has been mainly applied to data extracted employing
static analysis methods. [24] proposed a malware classification method (MAGIC) based on a modified version
of the DGCNN to learn directly from attributed control flow graphs (ACFGs) extracted from disassembled
binaries, in which each vertex summarizes code characteristics as numerical values. [25] introduced a
malware detection approach using graph embedding to map the control flow graphs (CFGs) extracted from
disassembled binaries to low-dimensional vectors as inputs for two stacked denoising autoencoders (SDAs)
that are responsible for representation learning. [26] presented a method for Android malware detection that
creates CFGs using data extracted from decompiled applications’ source codes and information from their
manifest files. Then, a Graph Convolutional Network (GCN) [27] was used to learn high-level representations
that could be used in detection tasks. [28] studied the effectiveness of DGCNNs in processing large-scale
graphs with hundreds of thousands of nodes by conducting experiments on malware detection and software
defect prediction. Our work follows a similar approach to [24] and shares the same theoretical basis on
applying DGCNNs for classification tasks [15]. However, we use the standpoint of dynamic analysis by
extracting behavioral graphs from the API call sequences and using both the API call sequences and the
behavioral graphs as inputs to a modified version of the DGCNN. In addition, the standard LSTM network
was chosen as a benchmark since it has been successfully applied as the base architecture for several behavioral
malware detection and classification methods using API call sequences data [22].
3 Background on Deep Graph Convolutional Neural Networks
DGCNN is a state-of-the-art neural network architecture that can directly accept graphs of arbitrary structures
to learn a graph classification function [15]. In other words, DGCNNs deal with the task of graph classification
as opposed to node classification [27]. Let
G
be a directed graph of order
n ∈ N
and
A ∈ Z
n×n
its associated
adjacency matrix. Now, let us define the following: The augmented adjacency matrix of
G
,
˜
A
=
A
+
I
n
, to
ensure that the convolution operation takes into account the features of each node as well as its neighbours’
features. The augmented diagonal degree matrix of
G
,
˜
D
i,i
=
P
j
˜
A
i,j
for row-wise normalization. The node
feature matrix
X ∈ R
n×c
,
c ∈ N
, where each row of
X
is a node “feature descriptor”, and each column of
X
is a node “feature channel.” The matrix of learning parameters
W ∈ R
c×c
0
, where
c
0
∈ N
is the number
of output feature channels, with the non-linear activation function
f
:
R
n×c
0
→ R
n×c
0
. Then, the graph
3
A preprint - October 24, 2019
convolution operation can be written as follows [15]:
Z = f(
˜
D
−1
˜
AXW ) (1)
The graph convolution operation defined by Equation 1 aggregates local substructure information by
considering the nodes’ immediate neighborhoods. In order to extract multi-scale substructure features,
Equation 1 can be stacked to form a deep network, using the following recurrence relation [15]:
Z
(t+1)
= f(
˜
D
−1
˜
AZ
(t)
W
(t)
), where Z
(0)
= X and W
(t)
∈ R
c
t
×c
t+1
, t ∈ N (2)
In summary, standard DGCNNs have four sequential steps [15]: 1) Graph convolutional layers generalize the
convolution operation from Euclidean domains or grid-like structures such as image data to non-Euclidean
domains such as graph data by generating node representations as the aggregation of their own feature
descriptors and their neighbors’ feature descriptors. 2) Unordered graph data from each convolutional
layer are concatenated along their feature channels (or columns), resulting in matrix
Z ∈ R
n×
P
t
c
t
. 3) A
SortPooling layer sorts the unordered graph data according to their feature descriptors or structural roles.
This step guarantees that the nodes of different graphs will be placed in similar positions, according to their
weighted feature descriptors. 4) The ordered graph data is flattened and passed to a standard 1-dimensional
CNN layer followed by a fully connected layer to learn a classification function. For a more comprehensive
review, please refer to [15].
4 Proposed Method
As illustrated in Figure 1, our method has eight sequential steps from data gathering to detection. First of
all, Portable Executable (PE) files (1) are fed to a Cuckoo Sandbox [29] environment (2), which in turn runs
the PE files and generates raw JSON reports containing dynamic analysis data such as API call sequences,
generated traffic and dropped files (3). Next, the API call sequences are extracted from the reports and
post-processed in order to identify and convert the API calls into ordinal categorical values (4). At this point,
we have tracked the temporal behavioral information from the PE files and the ordered set of all possible API
calls. Behavioral graphs are then generated based on both the API call sequences and the set of API calls
(5), and both are passed to a graph convolutional layer to learn high-level representations of the spatial and
temporal relations among the API calls (6). If multiple graph convolutional layers are stacked together to
form a deep network, it is necessary to concatenate their results in order to consider multi-scale substructure
features. Finally, the learned representations are passed to a fully connected layer (7), followed by a sigmoid
layer (8) binary classification. In the next sections, a more in-depth description of the method is presented.
4
A preprint - October 24, 2019
(1)
PE Files
(2)
Cuckoo Sandbox
(3)
Cuckoo Reports
(4)
API Call Sequences
(5)
Behavioral Graphs
Generation
(6)
Graph Convolutional
Layers
(7)
Fully Connected
Layers
(8)
Sigmoid Layer
Data Collection and Post-Processing
High-level Features Binary Classification
Temporal Data
Spatial Data
Raw PE Files Runtime Enviroment Raw JSON Files
Figure 1: High-level flow of the proposed method.
4.1 Data Collection and Post-Processing
We introduced a new public domain dataset of 42,797 malware API call sequences and 1,079 goodware API
call sequences each [30]. Our motivation was twofold. On the one hand, we were motivated by the lack
of public domain PE dynamic malware analysis dataset for training and evaluating our models. On the
other hand, we were motivated by the desire to provide an open dataset that the research community could
further utilize and extend. Malware samples were collected from VirusShare [31], and goodware samples were
collected from both portablepps.com [32] and a 32-bit Windows 7 Ultimate directory. Both online download
and local goodware were included to increase the variability of the dataset and decrease its imbalance. In
order to gather the API call sequences from each sample, we chose Cuckoo Sandbox, which is a largely used,
open-source automated malware analysis system capable of monitoring processes behavior while running in
an isolated environment. Once the data was collected, three additional post-processing steps were performed.
1) Similar to [13], it was considered the first 100 non-consecutive repeated API calls to avoid tracking loops.
2) Since in malware detection tasks, it is prominent to recognize malicious patterns as early as possible, the
sequences were extracted from the parent process only. 3) We built the list of unique API calls, considering
all the samples, and then converted each API call name into a unique integer identifier equal to the index of
the API call name in the list. As a result, 307 distinct API calls were identified. We produced a dataset where
the first column contains the MD5 hash of the sample. The next 100 columns contain ordinal categorical
values between 0 and 306, representing the API call sequence of the sample. The last column contains the
label of the sample, 0 for goodware, and 1 for malware. The total running time to collect the data was about
3000 hours, resulting in approximately 50,000 Cuckoo JSON report files and 1.5 TB of raw data. Our Cuckoo
sandbox environment was based on an Intel Xeon D-1540, 8 cores, 16 threads, 2.6 GHz, 64 GB RAM, and
2 TB SSD running Ubuntu Server 16.04 as the Cuckoo host and 8 32-bit Windows 7 Ultimate VirtualBox
virtual machines running in parallel as Cuckoo analysis guests.
5