EarlyMalDetect: A Novel Approach for Early Windows Malware Detection Based on Sequences of API Calls
Pascal Maniriho, Abdun Naser Mahmood, Mohammad Jabed Morshed Chowdhury

TL;DR
EarlyMalDetect is a new method that uses transformer and deep learning models to identify Windows malware early by analyzing initial API call sequences, enabling preemptive detection before malicious actions occur.
Contribution
It introduces a transformer-based approach for early malware detection using API call sequences, improving prediction accuracy and enabling preemptive security measures.
Findings
High effectiveness in predicting malware behaviors
Capable of early detection before malicious payload execution
Potential to prevent zero-day threats
Abstract
In this work, we propose EarlyMalDetect, a novel approach for early Windows malware detection based on sequences of API calls. Our approach leverages generative transformer models and attention-guided deep recurrent neural networks to accurately identify and detect patterns of malicious behaviors in the early stage of malware execution. By analyzing the sequences of API calls invoked during execution, the proposed approach can classify executable files (programs) as malware or benign by predicting their behaviors based on a few shots (initial API calls) invoked during execution. EarlyMalDetect can predict and reveal what a malware program is going to perform on the target system before it occurs, which can help to stop it before executing its malicious payload and infecting the system. Specifically, EarlyMalDetect relies on a fine-tuned transformer model based on API calls which has the…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Digital and Cyber Forensics
