Feature graph construction with static features for malware detection
Binghui Zou, Chunjie Cao, Longjuan Wang, Yinan Cheng, Chenxi Dang, Ying Liu, Jingzhang Sun

TL;DR
This paper introduces MFGraph, a feature graph-based malware detection method that leverages static features and graph neural networks to improve accuracy and robustness against concept drift, outperforming baseline models.
Contribution
The paper presents a novel feature graph construction and deep graph convolutional network approach for malware detection, addressing feature correlation and concept drift issues.
Findings
Achieves an AUC score of 0.98756 on the EMBER dataset
Outperforms baseline models in malware detection accuracy
Shows minimal performance degradation over one year
Abstract
Malware can greatly compromise the integrity and trustworthiness of information and is in a constant state of evolution. Existing feature fusion-based detection methods generally overlook the correlation between features, and the mere concatenation of features reduces the model's characterization ability, leading to low detection accuracy. Moreover, these methods are susceptible to concept drift and significant degradation of the model. To address those challenges, we introduce a feature graph-based malware detection method, MFGraph, which characterizes applications by learning feature-to-feature relationships to achieve improved detection accuracy while mitigating the impact of concept drift. In MFGraph, we construct a feature graph using static features extracted from binary PE files, then apply a deep graph convolutional network to learn the representation of the feature graph. Finally, we…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Cybercrime and Law Enforcement Studies
