CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters

Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to captu...
Ausführliche Beschreibung

Gespeichert in:

Autor*in:	Chen, Tieming [verfasserIn] Zeng, Huan [verfasserIn] Lv, Mingqi [verfasserIn] Zhu, Tiantian [verfasserIn]

Format:	E-Artikel
Sprache:	Englisch

Erschienen:	2023

Schlagwörter:	Malware detection API sequence Cyber threat intelligence Deep learning

Übergeordnetes Werk:	Enthalten in: Computers & security - Amsterdam [u.a.] : Elsevier Science, 1982, 136
Übergeordnetes Werk:	volume:136

DOI / URN:	10.1016/j.cose.2023.103518

Katalog-ID:	ELV065765907

Internformat


LEADER	01000caa a22002652 4500
001	ELV065765907
003	DE-627
005	20240111093138.0
007	cr uuu---uuuuu
008	231123s2023 xx \|\|\|\|\|o 00\| \|\|eng c
024	7		\|a 10.1016/j.cose.2023.103518 \|2 doi
035			\|a (DE-627)ELV065765907
035			\|a (ELSEVIER)S0167-4048(23)00428-5
040			\|a DE-627 \|b ger \|c DE-627 \|e rda
041			\|a eng
082	0	4	\|a 004 \|q VZ
084			\|a 54.38 \|2 bkl
100	1		\|a Chen, Tieming \|e verfasserin \|4 aut
245	1	0	\|a CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters
264		1	\|c 2023
336			\|a nicht spezifiziert \|b zzz \|2 rdacontent
337			\|a Computermedien \|b c \|2 rdamedia
338			\|a Online-Ressource \|b cr \|2 rdacarrier
520			\|a Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep learning based dynamic malware detection method, which integrates the threat knowledge from CTIs (Cyber Threat Intelligences) into the learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses IOCs to assist the identification of the security-sensitive levels of API calls. Then, it embeds API calls and the associated security-sensitive levels into a unified feature space. Finally, it feeds the feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The experiment results show that CTIMD significantly outperforms existing methods depending on raw API call sequences (F1-score is improved by 4.0 %∼41.3 %), and also has advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score is improved by 1.2 %∼6.5 %).
650		4	\|a Malware detection
650		4	\|a API sequence
650		4	\|a Cyber threat intelligence
650		4	\|a Deep learning
700	1		\|a Zeng, Huan \|e verfasserin \|4 aut
700	1		\|a Lv, Mingqi \|e verfasserin \|0 (orcid)0000-0003-4810-7491 \|4 aut
700	1		\|a Zhu, Tiantian \|e verfasserin \|0 (orcid)0000-0002-8657-662X \|4 aut
773	0	8	\|i Enthalten in \|t Computers & security \|d Amsterdam [u.a.] : Elsevier Science, 1982 \|g 136 \|h Online-Ressource \|w (DE-627)320415864 \|w (DE-600)2001917-8 \|w (DE-576)094531331 \|7 nnns
773	1	8	\|g volume:136
912			\|a GBV_USEFLAG_U
912			\|a GBV_ELV
912			\|a SYSFLAG_U
912			\|a GBV_ILN_20
912			\|a GBV_ILN_22
912			\|a GBV_ILN_23
912			\|a GBV_ILN_24
912			\|a GBV_ILN_31
912			\|a GBV_ILN_32
912			\|a GBV_ILN_40
912			\|a GBV_ILN_60
912			\|a GBV_ILN_62
912			\|a GBV_ILN_65
912			\|a GBV_ILN_69
912			\|a GBV_ILN_70
912			\|a GBV_ILN_73
912			\|a GBV_ILN_74
912			\|a GBV_ILN_90
912			\|a GBV_ILN_95
912			\|a GBV_ILN_100
912			\|a GBV_ILN_101
912			\|a GBV_ILN_105
912			\|a GBV_ILN_110
912			\|a GBV_ILN_150
912			\|a GBV_ILN_151
912			\|a GBV_ILN_187
912			\|a GBV_ILN_213
912			\|a GBV_ILN_224
912			\|a GBV_ILN_230
912			\|a GBV_ILN_370
912			\|a GBV_ILN_602
912			\|a GBV_ILN_702
912			\|a GBV_ILN_2001
912			\|a GBV_ILN_2003
912			\|a GBV_ILN_2004
912			\|a GBV_ILN_2005
912			\|a GBV_ILN_2007
912			\|a GBV_ILN_2008
912			\|a GBV_ILN_2009
912			\|a GBV_ILN_2010
912			\|a GBV_ILN_2011
912			\|a GBV_ILN_2014
912			\|a GBV_ILN_2015
912			\|a GBV_ILN_2020
912			\|a GBV_ILN_2021
912			\|a GBV_ILN_2025
912			\|a GBV_ILN_2026
912			\|a GBV_ILN_2027
912			\|a GBV_ILN_2034
912			\|a GBV_ILN_2044
912			\|a GBV_ILN_2048
912			\|a GBV_ILN_2049
912			\|a GBV_ILN_2050
912			\|a GBV_ILN_2055
912			\|a GBV_ILN_2056
912			\|a GBV_ILN_2059
912			\|a GBV_ILN_2061
912			\|a GBV_ILN_2064
912			\|a GBV_ILN_2088
912			\|a GBV_ILN_2106
912			\|a GBV_ILN_2110
912			\|a GBV_ILN_2111
912			\|a GBV_ILN_2112
912			\|a GBV_ILN_2122
912			\|a GBV_ILN_2129
912			\|a GBV_ILN_2143
912			\|a GBV_ILN_2152
912			\|a GBV_ILN_2153
912			\|a GBV_ILN_2190
912			\|a GBV_ILN_2232
912			\|a GBV_ILN_2336
912			\|a GBV_ILN_2470
912			\|a GBV_ILN_2507
912			\|a GBV_ILN_4035
912			\|a GBV_ILN_4037
912			\|a GBV_ILN_4112
912			\|a GBV_ILN_4125
912			\|a GBV_ILN_4242
912			\|a GBV_ILN_4249
912			\|a GBV_ILN_4251
912			\|a GBV_ILN_4305
912			\|a GBV_ILN_4306
912			\|a GBV_ILN_4307
912			\|a GBV_ILN_4313
912			\|a GBV_ILN_4322
912			\|a GBV_ILN_4323
912			\|a GBV_ILN_4324
912			\|a GBV_ILN_4325
912			\|a GBV_ILN_4326
912			\|a GBV_ILN_4333
912			\|a GBV_ILN_4334
912			\|a GBV_ILN_4338
912			\|a GBV_ILN_4393
912			\|a GBV_ILN_4700
936	b	k	\|a 54.38 \|j Computersicherheit \|q VZ
951			\|a AR
952			\|d 136

Indexfelder

author_variant	t c tc h z hz m l ml t z tz
matchkey_str	chentiemingzenghuanlvmingqizhutiantian:2023----:tmcbrhetnelgnenacdawrdtcinsnaia
hierarchy_sort_str	2023
bklnumber	54.38
publishDate	2023
allfields	10.1016/j.cose.2023.103518 doi (DE-627)ELV065765907 (ELSEVIER)S0167-4048(23)00428-5 DE-627 ger DE-627 rda eng 004 VZ 54.38 bkl Chen, Tieming verfasserin aut CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters 2023 nicht spezifiziert zzz rdacontent Computermedien c rdamedia Online-Ressource cr rdacarrier Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep learning based dynamic malware detection method, which integrates the threat knowledge from CTIs (Cyber Threat Intelligences) into the learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses IOCs to assist the identification of the security-sensitive levels of API calls. Then, it embeds API calls and the associated security-sensitive levels into a unified feature space. Finally, it feeds the feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The experiment results show that CTIMD significantly outperforms existing methods depending on raw API call sequences (F1-score is improved by 4.0 %∼41.3 %), and also has advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score is improved by 1.2 %∼6.5 %). Malware detection API sequence Cyber threat intelligence Deep learning Zeng, Huan verfasserin aut Lv, Mingqi verfasserin (orcid)0000-0003-4810-7491 aut Zhu, Tiantian verfasserin (orcid)0000-0002-8657-662X aut Enthalten in Computers & security Amsterdam [u.a.] : Elsevier Science, 1982 136 Online-Ressource (DE-627)320415864 (DE-600)2001917-8 (DE-576)094531331 nnns volume:136 GBV_USEFLAG_U GBV_ELV SYSFLAG_U GBV_ILN_20 GBV_ILN_22 GBV_ILN_23 GBV_ILN_24 GBV_ILN_31 GBV_ILN_32 GBV_ILN_40 GBV_ILN_60 GBV_ILN_62 GBV_ILN_65 GBV_ILN_69 GBV_ILN_70 GBV_ILN_73 GBV_ILN_74 GBV_ILN_90 GBV_ILN_95 GBV_ILN_100 GBV_ILN_101 GBV_ILN_105 GBV_ILN_110 GBV_ILN_150 GBV_ILN_151 GBV_ILN_187 GBV_ILN_213 GBV_ILN_224 GBV_ILN_230 GBV_ILN_370 GBV_ILN_602 GBV_ILN_702 GBV_ILN_2001 GBV_ILN_2003 GBV_ILN_2004 GBV_ILN_2005 GBV_ILN_2007 GBV_ILN_2008 GBV_ILN_2009 GBV_ILN_2010 GBV_ILN_2011 GBV_ILN_2014 GBV_ILN_2015 GBV_ILN_2020 GBV_ILN_2021 GBV_ILN_2025 GBV_ILN_2026 GBV_ILN_2027 GBV_ILN_2034 GBV_ILN_2044 GBV_ILN_2048 GBV_ILN_2049 GBV_ILN_2050 GBV_ILN_2055 GBV_ILN_2056 GBV_ILN_2059 GBV_ILN_2061 GBV_ILN_2064 GBV_ILN_2088 GBV_ILN_2106 GBV_ILN_2110 GBV_ILN_2111 GBV_ILN_2112 GBV_ILN_2122 GBV_ILN_2129 GBV_ILN_2143 GBV_ILN_2152 GBV_ILN_2153 GBV_ILN_2190 GBV_ILN_2232 GBV_ILN_2336 GBV_ILN_2470 GBV_ILN_2507 GBV_ILN_4035 GBV_ILN_4037 GBV_ILN_4112 GBV_ILN_4125 GBV_ILN_4242 GBV_ILN_4249 GBV_ILN_4251 GBV_ILN_4305 GBV_ILN_4306 GBV_ILN_4307 GBV_ILN_4313 GBV_ILN_4322 GBV_ILN_4323 GBV_ILN_4324 GBV_ILN_4325 GBV_ILN_4326 GBV_ILN_4333 GBV_ILN_4334 GBV_ILN_4338 GBV_ILN_4393 GBV_ILN_4700 54.38 Computersicherheit VZ AR 136
spelling	10.1016/j.cose.2023.103518 doi (DE-627)ELV065765907 (ELSEVIER)S0167-4048(23)00428-5 DE-627 ger DE-627 rda eng 004 VZ 54.38 bkl Chen, Tieming verfasserin aut CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters 2023 nicht spezifiziert zzz rdacontent Computermedien c rdamedia Online-Ressource cr rdacarrier Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep learning based dynamic malware detection method, which integrates the threat knowledge from CTIs (Cyber Threat Intelligences) into the learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses IOCs to assist the identification of the security-sensitive levels of API calls. Then, it embeds API calls and the associated security-sensitive levels into a unified feature space. Finally, it feeds the feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The experiment results show that CTIMD significantly outperforms existing methods depending on raw API call sequences (F1-score is improved by 4.0 %∼41.3 %), and also has advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score is improved by 1.2 %∼6.5 %). Malware detection API sequence Cyber threat intelligence Deep learning Zeng, Huan verfasserin aut Lv, Mingqi verfasserin (orcid)0000-0003-4810-7491 aut Zhu, Tiantian verfasserin (orcid)0000-0002-8657-662X aut Enthalten in Computers & security Amsterdam [u.a.] : Elsevier Science, 1982 136 Online-Ressource (DE-627)320415864 (DE-600)2001917-8 (DE-576)094531331 nnns volume:136 GBV_USEFLAG_U GBV_ELV SYSFLAG_U GBV_ILN_20 GBV_ILN_22 GBV_ILN_23 GBV_ILN_24 GBV_ILN_31 GBV_ILN_32 GBV_ILN_40 GBV_ILN_60 GBV_ILN_62 GBV_ILN_65 GBV_ILN_69 GBV_ILN_70 GBV_ILN_73 GBV_ILN_74 GBV_ILN_90 GBV_ILN_95 GBV_ILN_100 GBV_ILN_101 GBV_ILN_105 GBV_ILN_110 GBV_ILN_150 GBV_ILN_151 GBV_ILN_187 GBV_ILN_213 GBV_ILN_224 GBV_ILN_230 GBV_ILN_370 GBV_ILN_602 GBV_ILN_702 GBV_ILN_2001 GBV_ILN_2003 GBV_ILN_2004 GBV_ILN_2005 GBV_ILN_2007 GBV_ILN_2008 GBV_ILN_2009 GBV_ILN_2010 GBV_ILN_2011 GBV_ILN_2014 GBV_ILN_2015 GBV_ILN_2020 GBV_ILN_2021 GBV_ILN_2025 GBV_ILN_2026 GBV_ILN_2027 GBV_ILN_2034 GBV_ILN_2044 GBV_ILN_2048 GBV_ILN_2049 GBV_ILN_2050 GBV_ILN_2055 GBV_ILN_2056 GBV_ILN_2059 GBV_ILN_2061 GBV_ILN_2064 GBV_ILN_2088 GBV_ILN_2106 GBV_ILN_2110 GBV_ILN_2111 GBV_ILN_2112 GBV_ILN_2122 GBV_ILN_2129 GBV_ILN_2143 GBV_ILN_2152 GBV_ILN_2153 GBV_ILN_2190 GBV_ILN_2232 GBV_ILN_2336 GBV_ILN_2470 GBV_ILN_2507 GBV_ILN_4035 GBV_ILN_4037 GBV_ILN_4112 GBV_ILN_4125 GBV_ILN_4242 GBV_ILN_4249 GBV_ILN_4251 GBV_ILN_4305 GBV_ILN_4306 GBV_ILN_4307 GBV_ILN_4313 GBV_ILN_4322 GBV_ILN_4323 GBV_ILN_4324 GBV_ILN_4325 GBV_ILN_4326 GBV_ILN_4333 GBV_ILN_4334 GBV_ILN_4338 GBV_ILN_4393 GBV_ILN_4700 54.38 Computersicherheit VZ AR 136
allfields_unstemmed	10.1016/j.cose.2023.103518 doi (DE-627)ELV065765907 (ELSEVIER)S0167-4048(23)00428-5 DE-627 ger DE-627 rda eng 004 VZ 54.38 bkl Chen, Tieming verfasserin aut CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters 2023 nicht spezifiziert zzz rdacontent Computermedien c rdamedia Online-Ressource cr rdacarrier Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep learning based dynamic malware detection method, which integrates the threat knowledge from CTIs (Cyber Threat Intelligences) into the learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses IOCs to assist the identification of the security-sensitive levels of API calls. Then, it embeds API calls and the associated security-sensitive levels into a unified feature space. Finally, it feeds the feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The experiment results show that CTIMD significantly outperforms existing methods depending on raw API call sequences (F1-score is improved by 4.0 %∼41.3 %), and also has advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score is improved by 1.2 %∼6.5 %). Malware detection API sequence Cyber threat intelligence Deep learning Zeng, Huan verfasserin aut Lv, Mingqi verfasserin (orcid)0000-0003-4810-7491 aut Zhu, Tiantian verfasserin (orcid)0000-0002-8657-662X aut Enthalten in Computers & security Amsterdam [u.a.] : Elsevier Science, 1982 136 Online-Ressource (DE-627)320415864 (DE-600)2001917-8 (DE-576)094531331 nnns volume:136 GBV_USEFLAG_U GBV_ELV SYSFLAG_U GBV_ILN_20 GBV_ILN_22 GBV_ILN_23 GBV_ILN_24 GBV_ILN_31 GBV_ILN_32 GBV_ILN_40 GBV_ILN_60 GBV_ILN_62 GBV_ILN_65 GBV_ILN_69 GBV_ILN_70 GBV_ILN_73 GBV_ILN_74 GBV_ILN_90 GBV_ILN_95 GBV_ILN_100 GBV_ILN_101 GBV_ILN_105 GBV_ILN_110 GBV_ILN_150 GBV_ILN_151 GBV_ILN_187 GBV_ILN_213 GBV_ILN_224 GBV_ILN_230 GBV_ILN_370 GBV_ILN_602 GBV_ILN_702 GBV_ILN_2001 GBV_ILN_2003 GBV_ILN_2004 GBV_ILN_2005 GBV_ILN_2007 GBV_ILN_2008 GBV_ILN_2009 GBV_ILN_2010 GBV_ILN_2011 GBV_ILN_2014 GBV_ILN_2015 GBV_ILN_2020 GBV_ILN_2021 GBV_ILN_2025 GBV_ILN_2026 GBV_ILN_2027 GBV_ILN_2034 GBV_ILN_2044 GBV_ILN_2048 GBV_ILN_2049 GBV_ILN_2050 GBV_ILN_2055 GBV_ILN_2056 GBV_ILN_2059 GBV_ILN_2061 GBV_ILN_2064 GBV_ILN_2088 GBV_ILN_2106 GBV_ILN_2110 GBV_ILN_2111 GBV_ILN_2112 GBV_ILN_2122 GBV_ILN_2129 GBV_ILN_2143 GBV_ILN_2152 GBV_ILN_2153 GBV_ILN_2190 GBV_ILN_2232 GBV_ILN_2336 GBV_ILN_2470 GBV_ILN_2507 GBV_ILN_4035 GBV_ILN_4037 GBV_ILN_4112 GBV_ILN_4125 GBV_ILN_4242 GBV_ILN_4249 GBV_ILN_4251 GBV_ILN_4305 GBV_ILN_4306 GBV_ILN_4307 GBV_ILN_4313 GBV_ILN_4322 GBV_ILN_4323 GBV_ILN_4324 GBV_ILN_4325 GBV_ILN_4326 GBV_ILN_4333 GBV_ILN_4334 GBV_ILN_4338 GBV_ILN_4393 GBV_ILN_4700 54.38 Computersicherheit VZ AR 136
allfieldsGer	10.1016/j.cose.2023.103518 doi (DE-627)ELV065765907 (ELSEVIER)S0167-4048(23)00428-5 DE-627 ger DE-627 rda eng 004 VZ 54.38 bkl Chen, Tieming verfasserin aut CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters 2023 nicht spezifiziert zzz rdacontent Computermedien c rdamedia Online-Ressource cr rdacarrier Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep learning based dynamic malware detection method, which integrates the threat knowledge from CTIs (Cyber Threat Intelligences) into the learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses IOCs to assist the identification of the security-sensitive levels of API calls. Then, it embeds API calls and the associated security-sensitive levels into a unified feature space. Finally, it feeds the feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The experiment results show that CTIMD significantly outperforms existing methods depending on raw API call sequences (F1-score is improved by 4.0 %∼41.3 %), and also has advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score is improved by 1.2 %∼6.5 %). Malware detection API sequence Cyber threat intelligence Deep learning Zeng, Huan verfasserin aut Lv, Mingqi verfasserin (orcid)0000-0003-4810-7491 aut Zhu, Tiantian verfasserin (orcid)0000-0002-8657-662X aut Enthalten in Computers & security Amsterdam [u.a.] : Elsevier Science, 1982 136 Online-Ressource (DE-627)320415864 (DE-600)2001917-8 (DE-576)094531331 nnns volume:136 GBV_USEFLAG_U GBV_ELV SYSFLAG_U GBV_ILN_20 GBV_ILN_22 GBV_ILN_23 GBV_ILN_24 GBV_ILN_31 GBV_ILN_32 GBV_ILN_40 GBV_ILN_60 GBV_ILN_62 GBV_ILN_65 GBV_ILN_69 GBV_ILN_70 GBV_ILN_73 GBV_ILN_74 GBV_ILN_90 GBV_ILN_95 GBV_ILN_100 GBV_ILN_101 GBV_ILN_105 GBV_ILN_110 GBV_ILN_150 GBV_ILN_151 GBV_ILN_187 GBV_ILN_213 GBV_ILN_224 GBV_ILN_230 GBV_ILN_370 GBV_ILN_602 GBV_ILN_702 GBV_ILN_2001 GBV_ILN_2003 GBV_ILN_2004 GBV_ILN_2005 GBV_ILN_2007 GBV_ILN_2008 GBV_ILN_2009 GBV_ILN_2010 GBV_ILN_2011 GBV_ILN_2014 GBV_ILN_2015 GBV_ILN_2020 GBV_ILN_2021 GBV_ILN_2025 GBV_ILN_2026 GBV_ILN_2027 GBV_ILN_2034 GBV_ILN_2044 GBV_ILN_2048 GBV_ILN_2049 GBV_ILN_2050 GBV_ILN_2055 GBV_ILN_2056 GBV_ILN_2059 GBV_ILN_2061 GBV_ILN_2064 GBV_ILN_2088 GBV_ILN_2106 GBV_ILN_2110 GBV_ILN_2111 GBV_ILN_2112 GBV_ILN_2122 GBV_ILN_2129 GBV_ILN_2143 GBV_ILN_2152 GBV_ILN_2153 GBV_ILN_2190 GBV_ILN_2232 GBV_ILN_2336 GBV_ILN_2470 GBV_ILN_2507 GBV_ILN_4035 GBV_ILN_4037 GBV_ILN_4112 GBV_ILN_4125 GBV_ILN_4242 GBV_ILN_4249 GBV_ILN_4251 GBV_ILN_4305 GBV_ILN_4306 GBV_ILN_4307 GBV_ILN_4313 GBV_ILN_4322 GBV_ILN_4323 GBV_ILN_4324 GBV_ILN_4325 GBV_ILN_4326 GBV_ILN_4333 GBV_ILN_4334 GBV_ILN_4338 GBV_ILN_4393 GBV_ILN_4700 54.38 Computersicherheit VZ AR 136
allfieldsSound	10.1016/j.cose.2023.103518 doi (DE-627)ELV065765907 (ELSEVIER)S0167-4048(23)00428-5 DE-627 ger DE-627 rda eng 004 VZ 54.38 bkl Chen, Tieming verfasserin aut CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters 2023 nicht spezifiziert zzz rdacontent Computermedien c rdamedia Online-Ressource cr rdacarrier Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep learning based dynamic malware detection method, which integrates the threat knowledge from CTIs (Cyber Threat Intelligences) into the learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses IOCs to assist the identification of the security-sensitive levels of API calls. Then, it embeds API calls and the associated security-sensitive levels into a unified feature space. Finally, it feeds the feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The experiment results show that CTIMD significantly outperforms existing methods depending on raw API call sequences (F1-score is improved by 4.0 %∼41.3 %), and also has advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score is improved by 1.2 %∼6.5 %). Malware detection API sequence Cyber threat intelligence Deep learning Zeng, Huan verfasserin aut Lv, Mingqi verfasserin (orcid)0000-0003-4810-7491 aut Zhu, Tiantian verfasserin (orcid)0000-0002-8657-662X aut Enthalten in Computers & security Amsterdam [u.a.] : Elsevier Science, 1982 136 Online-Ressource (DE-627)320415864 (DE-600)2001917-8 (DE-576)094531331 nnns volume:136 GBV_USEFLAG_U GBV_ELV SYSFLAG_U GBV_ILN_20 GBV_ILN_22 GBV_ILN_23 GBV_ILN_24 GBV_ILN_31 GBV_ILN_32 GBV_ILN_40 GBV_ILN_60 GBV_ILN_62 GBV_ILN_65 GBV_ILN_69 GBV_ILN_70 GBV_ILN_73 GBV_ILN_74 GBV_ILN_90 GBV_ILN_95 GBV_ILN_100 GBV_ILN_101 GBV_ILN_105 GBV_ILN_110 GBV_ILN_150 GBV_ILN_151 GBV_ILN_187 GBV_ILN_213 GBV_ILN_224 GBV_ILN_230 GBV_ILN_370 GBV_ILN_602 GBV_ILN_702 GBV_ILN_2001 GBV_ILN_2003 GBV_ILN_2004 GBV_ILN_2005 GBV_ILN_2007 GBV_ILN_2008 GBV_ILN_2009 GBV_ILN_2010 GBV_ILN_2011 GBV_ILN_2014 GBV_ILN_2015 GBV_ILN_2020 GBV_ILN_2021 GBV_ILN_2025 GBV_ILN_2026 GBV_ILN_2027 GBV_ILN_2034 GBV_ILN_2044 GBV_ILN_2048 GBV_ILN_2049 GBV_ILN_2050 GBV_ILN_2055 GBV_ILN_2056 GBV_ILN_2059 GBV_ILN_2061 GBV_ILN_2064 GBV_ILN_2088 GBV_ILN_2106 GBV_ILN_2110 GBV_ILN_2111 GBV_ILN_2112 GBV_ILN_2122 GBV_ILN_2129 GBV_ILN_2143 GBV_ILN_2152 GBV_ILN_2153 GBV_ILN_2190 GBV_ILN_2232 GBV_ILN_2336 GBV_ILN_2470 GBV_ILN_2507 GBV_ILN_4035 GBV_ILN_4037 GBV_ILN_4112 GBV_ILN_4125 GBV_ILN_4242 GBV_ILN_4249 GBV_ILN_4251 GBV_ILN_4305 GBV_ILN_4306 GBV_ILN_4307 GBV_ILN_4313 GBV_ILN_4322 GBV_ILN_4323 GBV_ILN_4324 GBV_ILN_4325 GBV_ILN_4326 GBV_ILN_4333 GBV_ILN_4334 GBV_ILN_4338 GBV_ILN_4393 GBV_ILN_4700 54.38 Computersicherheit VZ AR 136
language	English
source	Enthalten in Computers & security 136 volume:136
sourceStr	Enthalten in Computers & security 136 volume:136
format_phy_str_mv	Article
bklname	Computersicherheit
institution	findex.gbv.de
topic_facet	Malware detection API sequence Cyber threat intelligence Deep learning
dewey-raw	004
isfreeaccess_bool	false
container_title	Computers & security
authorswithroles_txt_mv	Chen, Tieming @@aut@@ Zeng, Huan @@aut@@ Lv, Mingqi @@aut@@ Zhu, Tiantian @@aut@@
publishDateDaySort_date	2023-01-01T00:00:00Z
hierarchy_top_id	320415864
dewey-sort	14
id	ELV065765907
language_de	englisch
fullrecord	<?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>01000caa a22002652 4500</leader><controlfield tag="001">ELV065765907</controlfield><controlfield tag="003">DE-627</controlfield><controlfield tag="005">20240111093138.0</controlfield><controlfield tag="007">cr uuu---uuuuu</controlfield><controlfield tag="008">231123s2023 xx \|\|\|\|\|o 00\| \|\|eng c</controlfield><datafield tag="024" ind1="7" ind2=" "><subfield code="a">10.1016/j.cose.2023.103518</subfield><subfield code="2">doi</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-627)ELV065765907</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(ELSEVIER)S0167-4048(23)00428-5</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-627</subfield><subfield code="b">ger</subfield><subfield code="c">DE-627</subfield><subfield code="e">rda</subfield></datafield><datafield tag="041" ind1=" " ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="082" ind1="0" ind2="4"><subfield code="a">004</subfield><subfield code="q">VZ</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">54.38</subfield><subfield code="2">bkl</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Chen, Tieming</subfield><subfield code="e">verfasserin</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="c">2023</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="a">nicht spezifiziert</subfield><subfield code="b">zzz</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="a">Computermedien</subfield><subfield code="b">c</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="a">Online-Ressource</subfield><subfield code="b">cr</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="520" ind1=" " ind2=" "><subfield code="a">Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep learning based dynamic malware detection method, which integrates the threat knowledge from CTIs (Cyber Threat Intelligences) into the learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses IOCs to assist the identification of the security-sensitive levels of API calls. Then, it embeds API calls and the associated security-sensitive levels into a unified feature space. Finally, it feeds the feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The experiment results show that CTIMD significantly outperforms existing methods depending on raw API call sequences (F1-score is improved by 4.0 %∼41.3 %), and also has advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score is improved by 1.2 %∼6.5 %).</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Malware detection</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">API sequence</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Cyber threat intelligence</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Deep learning</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Zeng, Huan</subfield><subfield code="e">verfasserin</subfield><subfield code="4">aut</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Lv, Mingqi</subfield><subfield code="e">verfasserin</subfield><subfield code="0">(orcid)0000-0003-4810-7491</subfield><subfield code="4">aut</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Zhu, Tiantian</subfield><subfield code="e">verfasserin</subfield><subfield code="0">(orcid)0000-0002-8657-662X</subfield><subfield code="4">aut</subfield></datafield><datafield tag="773" ind1="0" ind2="8"><subfield code="i">Enthalten in</subfield><subfield code="t">Computers & security</subfield><subfield code="d">Amsterdam [u.a.] : Elsevier Science, 1982</subfield><subfield code="g">136</subfield><subfield code="h">Online-Ressource</subfield><subfield code="w">(DE-627)320415864</subfield><subfield code="w">(DE-600)2001917-8</subfield><subfield code="w">(DE-576)094531331</subfield><subfield code="7">nnns</subfield></datafield><datafield tag="773" ind1="1" ind2="8"><subfield code="g">volume:136</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_USEFLAG_U</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ELV</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">SYSFLAG_U</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_20</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_22</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_23</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_24</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_31</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_32</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_40</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_60</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_62</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_65</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_69</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_70</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_73</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_74</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_90</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_95</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_100</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_101</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_105</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_110</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_150</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_151</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_187</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_213</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_224</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_230</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_370</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_602</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_702</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2001</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2003</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2004</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2005</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2007</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2008</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2009</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2010</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2011</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2014</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2015</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2020</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2021</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2025</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2026</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2027</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2034</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2044</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2048</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2049</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2050</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2055</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2056</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2059</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2061</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2064</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2088</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2106</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2110</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2111</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2112</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2122</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2129</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2143</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2152</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2153</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2190</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2232</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2336</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2470</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2507</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4035</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4037</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4112</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4125</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4242</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4249</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4251</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4305</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4306</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4307</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4313</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4322</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4323</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4324</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4325</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4326</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4333</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4334</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4338</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4393</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4700</subfield></datafield><datafield tag="936" ind1="b" ind2="k"><subfield code="a">54.38</subfield><subfield code="j">Computersicherheit</subfield><subfield code="q">VZ</subfield></datafield><datafield tag="951" ind1=" " ind2=" "><subfield code="a">AR</subfield></datafield><datafield tag="952" ind1=" " ind2=" "><subfield code="d">136</subfield></datafield></record></collection>
author	Chen, Tieming
spellingShingle	Chen, Tieming ddc 004 bkl 54.38 misc Malware detection misc API sequence misc Cyber threat intelligence misc Deep learning CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters
authorStr	Chen, Tieming
ppnlink_with_tag_str_mv	@@773@@(DE-627)320415864
format	electronic Article
dewey-ones	004 - Data processing & computer science
delete_txt_mv	keep
author_role	aut aut aut aut
collection	elsevier
remote_str	true
illustrated	Not Illustrated
topic_title	004 VZ 54.38 bkl CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters Malware detection API sequence Cyber threat intelligence Deep learning
topic	ddc 004 bkl 54.38 misc Malware detection misc API sequence misc Cyber threat intelligence misc Deep learning
topic_unstemmed	ddc 004 bkl 54.38 misc Malware detection misc API sequence misc Cyber threat intelligence misc Deep learning
topic_browse	ddc 004 bkl 54.38 misc Malware detection misc API sequence misc Cyber threat intelligence misc Deep learning
format_facet	Elektronische Aufsätze Aufsätze Elektronische Ressource
format_main_str_mv	Text Zeitschrift/Artikel
carriertype_str_mv	cr
hierarchy_parent_title	Computers & security
hierarchy_parent_id	320415864
dewey-tens	000 - Computer science, knowledge & systems
hierarchy_top_title	Computers & security
isfreeaccess_txt	false
familylinks_str_mv	(DE-627)320415864 (DE-600)2001917-8 (DE-576)094531331
title	CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters
ctrlnum	(DE-627)ELV065765907 (ELSEVIER)S0167-4048(23)00428-5
title_full	CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters
author_sort	Chen, Tieming
journal	Computers & security
journalStr	Computers & security
lang_code	eng
isOA_bool	false
dewey-hundreds	000 - Computer science, information & general works
recordtype	marc
publishDateSort	2023
contenttype_str_mv	zzz
author_browse	Chen, Tieming Zeng, Huan Lv, Mingqi Zhu, Tiantian
container_volume	136
class	004 VZ 54.38 bkl
format_se	Elektronische Aufsätze
author-letter	Chen, Tieming
doi_str_mv	10.1016/j.cose.2023.103518
normlink	(ORCID)0000-0003-4810-7491 (ORCID)0000-0002-8657-662X
normlink_prefix_str_mv	(orcid)0000-0003-4810-7491 (orcid)0000-0002-8657-662X
dewey-full	004
author2-role	verfasserin
title_sort	ctimd: cyber threat intelligence enhanced malware detection using api call sequences with parameters
title_auth	CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters
abstract	Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep learning based dynamic malware detection method, which integrates the threat knowledge from CTIs (Cyber Threat Intelligences) into the learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses IOCs to assist the identification of the security-sensitive levels of API calls. Then, it embeds API calls and the associated security-sensitive levels into a unified feature space. Finally, it feeds the feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The experiment results show that CTIMD significantly outperforms existing methods depending on raw API call sequences (F1-score is improved by 4.0 %∼41.3 %), and also has advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score is improved by 1.2 %∼6.5 %).
abstractGer	Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep learning based dynamic malware detection method, which integrates the threat knowledge from CTIs (Cyber Threat Intelligences) into the learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses IOCs to assist the identification of the security-sensitive levels of API calls. Then, it embeds API calls and the associated security-sensitive levels into a unified feature space. Finally, it feeds the feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The experiment results show that CTIMD significantly outperforms existing methods depending on raw API call sequences (F1-score is improved by 4.0 %∼41.3 %), and also has advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score is improved by 1.2 %∼6.5 %).
abstract_unstemmed	Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep learning based dynamic malware detection method, which integrates the threat knowledge from CTIs (Cyber Threat Intelligences) into the learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses IOCs to assist the identification of the security-sensitive levels of API calls. Then, it embeds API calls and the associated security-sensitive levels into a unified feature space. Finally, it feeds the feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The experiment results show that CTIMD significantly outperforms existing methods depending on raw API call sequences (F1-score is improved by 4.0 %∼41.3 %), and also has advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score is improved by 1.2 %∼6.5 %).
collection_details	GBV_USEFLAG_U GBV_ELV SYSFLAG_U GBV_ILN_20 GBV_ILN_22 GBV_ILN_23 GBV_ILN_24 GBV_ILN_31 GBV_ILN_32 GBV_ILN_40 GBV_ILN_60 GBV_ILN_62 GBV_ILN_65 GBV_ILN_69 GBV_ILN_70 GBV_ILN_73 GBV_ILN_74 GBV_ILN_90 GBV_ILN_95 GBV_ILN_100 GBV_ILN_101 GBV_ILN_105 GBV_ILN_110 GBV_ILN_150 GBV_ILN_151 GBV_ILN_187 GBV_ILN_213 GBV_ILN_224 GBV_ILN_230 GBV_ILN_370 GBV_ILN_602 GBV_ILN_702 GBV_ILN_2001 GBV_ILN_2003 GBV_ILN_2004 GBV_ILN_2005 GBV_ILN_2007 GBV_ILN_2008 GBV_ILN_2009 GBV_ILN_2010 GBV_ILN_2011 GBV_ILN_2014 GBV_ILN_2015 GBV_ILN_2020 GBV_ILN_2021 GBV_ILN_2025 GBV_ILN_2026 GBV_ILN_2027 GBV_ILN_2034 GBV_ILN_2044 GBV_ILN_2048 GBV_ILN_2049 GBV_ILN_2050 GBV_ILN_2055 GBV_ILN_2056 GBV_ILN_2059 GBV_ILN_2061 GBV_ILN_2064 GBV_ILN_2088 GBV_ILN_2106 GBV_ILN_2110 GBV_ILN_2111 GBV_ILN_2112 GBV_ILN_2122 GBV_ILN_2129 GBV_ILN_2143 GBV_ILN_2152 GBV_ILN_2153 GBV_ILN_2190 GBV_ILN_2232 GBV_ILN_2336 GBV_ILN_2470 GBV_ILN_2507 GBV_ILN_4035 GBV_ILN_4037 GBV_ILN_4112 GBV_ILN_4125 GBV_ILN_4242 GBV_ILN_4249 GBV_ILN_4251 GBV_ILN_4305 GBV_ILN_4306 GBV_ILN_4307 GBV_ILN_4313 GBV_ILN_4322 GBV_ILN_4323 GBV_ILN_4324 GBV_ILN_4325 GBV_ILN_4326 GBV_ILN_4333 GBV_ILN_4334 GBV_ILN_4338 GBV_ILN_4393 GBV_ILN_4700
title_short	CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters
remote_bool	true
author2	Zeng, Huan Lv, Mingqi Zhu, Tiantian
author2Str	Zeng, Huan Lv, Mingqi Zhu, Tiantian
ppnlink	320415864
mediatype_str_mv	c
isOA_txt	false
hochschulschrift_bool	false
doi_str	10.1016/j.cose.2023.103518
up_date	2024-07-07T00:10:39.090Z
_version_	1803876868126932992
fullrecord_marcxml	<?xml version="1.0" encoding="UTF-8"?><collection xmlns="http://www.loc.gov/MARC21/slim"><record><leader>01000caa a22002652 4500</leader><controlfield tag="001">ELV065765907</controlfield><controlfield tag="003">DE-627</controlfield><controlfield tag="005">20240111093138.0</controlfield><controlfield tag="007">cr uuu---uuuuu</controlfield><controlfield tag="008">231123s2023 xx \|\|\|\|\|o 00\| \|\|eng c</controlfield><datafield tag="024" ind1="7" ind2=" "><subfield code="a">10.1016/j.cose.2023.103518</subfield><subfield code="2">doi</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(DE-627)ELV065765907</subfield></datafield><datafield tag="035" ind1=" " ind2=" "><subfield code="a">(ELSEVIER)S0167-4048(23)00428-5</subfield></datafield><datafield tag="040" ind1=" " ind2=" "><subfield code="a">DE-627</subfield><subfield code="b">ger</subfield><subfield code="c">DE-627</subfield><subfield code="e">rda</subfield></datafield><datafield tag="041" ind1=" " ind2=" "><subfield code="a">eng</subfield></datafield><datafield tag="082" ind1="0" ind2="4"><subfield code="a">004</subfield><subfield code="q">VZ</subfield></datafield><datafield tag="084" ind1=" " ind2=" "><subfield code="a">54.38</subfield><subfield code="2">bkl</subfield></datafield><datafield tag="100" ind1="1" ind2=" "><subfield code="a">Chen, Tieming</subfield><subfield code="e">verfasserin</subfield><subfield code="4">aut</subfield></datafield><datafield tag="245" ind1="1" ind2="0"><subfield code="a">CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters</subfield></datafield><datafield tag="264" ind1=" " ind2="1"><subfield code="c">2023</subfield></datafield><datafield tag="336" ind1=" " ind2=" "><subfield code="a">nicht spezifiziert</subfield><subfield code="b">zzz</subfield><subfield code="2">rdacontent</subfield></datafield><datafield tag="337" ind1=" " ind2=" "><subfield code="a">Computermedien</subfield><subfield code="b">c</subfield><subfield code="2">rdamedia</subfield></datafield><datafield tag="338" ind1=" " ind2=" "><subfield code="a">Online-Ressource</subfield><subfield code="b">cr</subfield><subfield code="2">rdacarrier</subfield></datafield><datafield tag="520" ind1=" " ind2=" "><subfield code="a">Dynamic malware analysis that monitors the sequences of API calls of the program in a sandbox has been proven to be effective against code obfuscation and unknown malware. However, most existing works ignore the run-time parameters by only considering the API names, or lack an effective way to capture the correlations between parameter values and malicious activities. In this paper, we propose CTIMD, a deep learning based dynamic malware detection method, which integrates the threat knowledge from CTIs (Cyber Threat Intelligences) into the learning on API call sequences with run-time parameters. It first extracts IOCs (Indicators of Compromise) from CTIs and uses IOCs to assist the identification of the security-sensitive levels of API calls. Then, it embeds API calls and the associated security-sensitive levels into a unified feature space. Finally, it feeds the feature vector sequences into deep neural networks to train the malware detection model. We conducted experiments on two datasets. The experiment results show that CTIMD significantly outperforms existing methods depending on raw API call sequences (F1-score is improved by 4.0 %∼41.3 %), and also has advantage over existing state-of-the-art methods that consider both API calls and run-time parameters (F1-score is improved by 1.2 %∼6.5 %).</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Malware detection</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">API sequence</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Cyber threat intelligence</subfield></datafield><datafield tag="650" ind1=" " ind2="4"><subfield code="a">Deep learning</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Zeng, Huan</subfield><subfield code="e">verfasserin</subfield><subfield code="4">aut</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Lv, Mingqi</subfield><subfield code="e">verfasserin</subfield><subfield code="0">(orcid)0000-0003-4810-7491</subfield><subfield code="4">aut</subfield></datafield><datafield tag="700" ind1="1" ind2=" "><subfield code="a">Zhu, Tiantian</subfield><subfield code="e">verfasserin</subfield><subfield code="0">(orcid)0000-0002-8657-662X</subfield><subfield code="4">aut</subfield></datafield><datafield tag="773" ind1="0" ind2="8"><subfield code="i">Enthalten in</subfield><subfield code="t">Computers & security</subfield><subfield code="d">Amsterdam [u.a.] : Elsevier Science, 1982</subfield><subfield code="g">136</subfield><subfield code="h">Online-Ressource</subfield><subfield code="w">(DE-627)320415864</subfield><subfield code="w">(DE-600)2001917-8</subfield><subfield code="w">(DE-576)094531331</subfield><subfield code="7">nnns</subfield></datafield><datafield tag="773" ind1="1" ind2="8"><subfield code="g">volume:136</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_USEFLAG_U</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ELV</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">SYSFLAG_U</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_20</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_22</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_23</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_24</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_31</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_32</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_40</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_60</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_62</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_65</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_69</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_70</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_73</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_74</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_90</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_95</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_100</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_101</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_105</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_110</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_150</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_151</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_187</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_213</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_224</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_230</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_370</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_602</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_702</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2001</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2003</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2004</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2005</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2007</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2008</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2009</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2010</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2011</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2014</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2015</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2020</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2021</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2025</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2026</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2027</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2034</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2044</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2048</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2049</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2050</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2055</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2056</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2059</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2061</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2064</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2088</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2106</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2110</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2111</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2112</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2122</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2129</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2143</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2152</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2153</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2190</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2232</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2336</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2470</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_2507</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4035</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4037</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4112</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4125</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4242</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4249</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4251</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4305</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4306</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4307</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4313</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4322</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4323</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4324</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4325</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4326</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4333</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4334</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4338</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4393</subfield></datafield><datafield tag="912" ind1=" " ind2=" "><subfield code="a">GBV_ILN_4700</subfield></datafield><datafield tag="936" ind1="b" ind2="k"><subfield code="a">54.38</subfield><subfield code="j">Computersicherheit</subfield><subfield code="q">VZ</subfield></datafield><datafield tag="951" ind1=" " ind2=" "><subfield code="a">AR</subfield></datafield><datafield tag="952" ind1=" " ind2=" "><subfield code="d">136</subfield></datafield></record></collection>
score	7.400923

Nicht das Richtige dabei?

Schreiben Sie uns!

CTIMD: Cyber threat intelligence enhanced malware detection using API call sequences with parameters

Nicht das Richtige dabei?

Zugang & Verfügbarkeit

Vorhandene Bände

Nicht das Richtige dabei?