CruParamer: Learning on Parameter-Augmented API Sequences for Malware Detection

2022

Learning on execution behaviour, i.e., sequences of API calls, is proven to be effective in malware detection. In this paper, we present CruParamer, a deep-neural-network-based malware detection approach for the Windows platform that performs learning on sequences of parameter-augmented APIs. It first employs rule-based and clustering-based classification to assess the sensitivity of a parameter to malicious behaviour, and then labels each API according to the run-time parameters it was called with, at varying degrees of sensitivity. Next, it encodes the APIs by concatenating the native embedding and the sensitivity embedding of each labelled API, in order to characterize the relationship between successive labelled APIs and their correspondence in terms of security semantics. Finally, it feeds the sequences of API embeddings into a deep neural network to train a binary classifier that detects malware. In addition to presenting the design, we have implemented CruParamer and evaluated it on two datasets. The results demonstrate that CruParamer outperforms naïve models that take raw APIs as input, demonstrating its effectiveness. Moreover, we have evaluated the impact of mimicry and adversarial attacks on our model, and the results confirm the robustness of CruParamer.
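To make the encoding step concrete, the following is an added toy illustration (not the paper's code) of how a parameter-augmented API sequence can be built: each call is labelled with a parameter-sensitivity level and then encoded as the concatenation of a native API embedding and a sensitivity embedding. The sensitivity rules, the level names, the embedding table and the sample trace are all assumptions constructed here; the paper's own rules and clustering are not reproduced.

```python
"""Toy CruParamer-style parameter-augmented API encoding (added example).
Rules, levels, embedding table and sample trace are assumptions, not the paper's."""
import random
import re

# Parameter-sensitivity levels, least to most suspicious (assumed ordering).
LEVELS = ["none", "low", "high"]

# Hypothetical rule-based checks: map an API's run-time parameters to a level.
RULES = {
    "CreateFileW": lambda p: "high" if re.search(r"\\windows\\system32\\", p.get("path", ""), re.I) else "low",
    "RegSetValueExW": lambda p: "high" if "currentversion\\run" in p.get("key", "").lower() else "low",
    "VirtualAllocEx": lambda p: "high" if p.get("protect") == "PAGE_EXECUTE_READWRITE" else "low",
}

def label_api(call):
    """Attach the parameter sensitivity to the API name, e.g. 'CreateFileW@high'.
    APIs without a rule get 'none' (a clustering stage would refine these)."""
    rule = RULES.get(call["api"])
    level = rule(call["params"]) if rule else "none"
    return f"{call['api']}@{level}"

def native_embedding(api, dim=4, seed=0):
    """Deterministic stand-in for a learned per-API embedding vector."""
    rng = random.Random(f"{seed}:{api}")
    return [round(rng.uniform(-1, 1), 3) for _ in range(dim)]

def sensitivity_embedding(level):
    """One-hot vector over LEVELS for the sensitivity label."""
    return [1.0 if lvl == level else 0.0 for lvl in LEVELS]

def encode_sequence(calls, dim=4):
    """Encode a trace as a list of [native | sensitivity] vectors, one per call,
    i.e. the per-step input a sequence classifier would consume."""
    rows = []
    for call in calls:
        name, level = label_api(call).split("@")
        rows.append(native_embedding(name, dim) + sensitivity_embedding(level))
    return rows

# Constructed sample trace (not real malware data).
SAMPLE_TRACE = [
    {"api": "CreateFileW", "params": {"path": r"C:\Windows\System32\drivers\etc\hosts"}},
    {"api": "RegSetValueExW", "params": {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"}},
    {"api": "VirtualAllocEx", "params": {"protect": "PAGE_EXECUTE_READWRITE"}},
    {"api": "GetTickCount", "params": {}},
]

if __name__ == "__main__":
    for call, vec in zip(SAMPLE_TRACE, encode_sequence(SAMPLE_TRACE)):
        print(label_api(call), vec)
```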