MG-DVD: A Real-time Framework for Malware Variant Detection Based on Dynamic Heterogeneous Graph Learning

TL;DR

MG-DVD is a real-time malware variant detection framework that models execution events as dynamic heterogeneous graphs, enabling effective and interpretable detection of evolving malware in large-scale environments.

Contribution

The paper introduces MG-DVD, a novel framework utilizing dynamic heterogeneous graph learning and meta-graphs for real-time malware variant detection, reducing retraining costs and improving interpretability.

Findings

Outperforms state-of-the-art methods in effectiveness.

Achieves real-time detection capabilities.

Demonstrates high efficiency on large-scale datasets.

Abstract

Detecting the newly emerging malware variants in real time is crucial for mitigating cyber risks and proactively blocking intrusions. In this paper, we propose MG-DVD, a novel detection framework based on dynamic heterogeneous graph learning, to detect malware variants in real time. Particularly, MG-DVD first models the fine-grained execution event streams of malware variants into dynamic heterogeneous graphs and investigates real-world meta-graphs between malware objects, which can effectively characterize more discriminative malicious evolutionary patterns between malware and their variants. Then, MG-DVD presents two dynamic walk-based heterogeneous graph learning methods to learn more comprehensive representations of malware variants, which significantly reduces the cost of the entire graph retraining. As a result, MG-DVD is equipped with the ability to detect malware variants in real time, and it presents better interpretability by introducing meaningful meta-graphs. Comprehensive experiments on large-scale samples prove that our proposed MG-DVD outperforms state-of-the-art methods in detecting malware variants in terms of effectiveness and efficiency.