# Malicious Software Detection and Classification utilizing   Temporal-Graphs of System-call Group Relations

**Authors:** Anna Mpanti, Stavros D. Nikolopoulos, Iosif Polenakis

arXiv: 1812.10748 · 2018-12-31

## TL;DR

This paper introduces a novel graph-based approach for malware detection and classification that incorporates the temporal evolution of system-call relations to improve accuracy and mutation tolerance.

## Contribution

The work's novelty lies in integrating temporal dynamics into graph representations of system-call relations for enhanced malware detection and classification.

## Key findings

- Temporal graphs improve detection accuracy.
- Graph-based models enhance mutation tolerance.
- Effective classification of malware families.

## Abstract

In this work we propose a graph-based model that, utilizing relations between groups of System-calls, distinguishes malicious from benign software samples and classifies the detected malicious samples to one of a set of known malware families. More precisely, given a System-call Dependency Graph (ScDG) that depicts the malware's behavior, we first transform it to a more abstract representation, utilizing the indexing of System-calls to a set of groups of similar functionality, constructing thus an abstract and mutation-tolerant graph that we call Group Relation Graph (GrG); then, we construct another graph representation, which we call Coverage Graph (CvG), that depicts the dominating relations between the nodes of a GrG graph. Based on the research so far in the field, we pointed out that behavior-based graph representations had not leveraged the aspect of the temporal evolution of the graph. Hence, the novelty of our work is that, preserving the initial representations of GrG and CvG graphs, we focus on augmenting the potentials of theses graphs by adding further features that enhance its abilities on detecting and further classifying to a known malware family an unknown malware sample. To that end, we construct periodical instances of the graph that represent its temporal evolution concerning its structural modifications, creating another graph representation that we call Temporal Graphs. In this paper, we present the theoretical background behind our approach, discuss the current technological status on malware detection and classification and demonstrate the overall architecture of our proposed detection and classification model alongside with its underlying main principles and its structural key-components.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1812.10748/full.md

## Figures

13 figures with captions in the complete paper: https://tomesphere.com/paper/1812.10748/full.md

## References

54 references — full list in the complete paper: https://tomesphere.com/paper/1812.10748/full.md

---
Source: https://tomesphere.com/paper/1812.10748