IET Inf. Secur. | 2019

Dynamic API call sequence visualisation for malware classification

 
 

Abstract


Due to the development of automated malware generation and obfuscation, traditional malware detection methods based on signature matching have limited effectiveness. Thus, a novel approach using visualisation and deep learning technology can play an important role in malware detection and classification. In this study, the authors extract sequences of API calls using dynamic analysis and then use colour mapping rules to create feature images representing malware behaviour. Finally, they train a convolutional neural network to classify different feature images with 9 malware families, and 1000 variants in each family. Experimental results show the effectiveness of the authors' method. The classification TPR, precision, recall and F1 are all >99%, while the FPR is <0.1%.

Volume 13
Pages 367-377
DOI 10.1049/IET-IFS.2018.5268
Language English
Journal IET Inf. Secur.
