Research on Attention-Based API Locating for Malware Techniques by CITI at Academia Sinica Accepted for Publication in IEEE TIFS

Attackers often exploit zero-day vulnerabilities, especially in the Windows operating system, when building malicious software, and analyzing that software is a significant burden for cybersecurity analysts. To ease this burden, our team presents APILI, a behavior-based malware analysis approach that uses deep learning to identify the API calls in a dynamic execution trace that correspond to each discovered malware technique. APILI defines multiple attentions between API calls, resources, and techniques through a neural network, incorporating the MITRE ATT&CK framework (adversary tactics, techniques, and procedures). We employ a fine-tuned BERT model for argument/resource embedding, SVD for technique representation, and several design enhancements, including the layer structure and noise addition, to improve locating performance. To the best of our knowledge, this is the first attempt to locate the low-level API calls that correspond to high-level malicious behaviors (i.e., techniques). Our evaluation shows that APILI outperforms both traditional and machine learning baselines in technique discovery and in API locating. These results indicate that APILI performs well enough to reduce the analysis workload.
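To make the locating idea concrete, the following is an added, simplified illustration written for this page; it is not the APILI authors' code and does not reproduce their network. It keeps two ingredients the announcement names: a technique representation derived by SVD (here, the top right singular vectors of a constructed technique-by-API count matrix, computed by power iteration so the script needs nothing beyond the standard library) and scaled dot-product attention between a technique vector and each API call of a trace. The fine-tuned BERT argument/resource embeddings are not reproduced; calls are embedded by API name only. The API vocabulary, technique rows, and the execution trace are all constructed sample data.

```python
"""Toy attention-based API locating over a dynamic execution trace.

Added illustration, not the APILI authors' code. A technique is represented by
projecting its API-usage profile onto the top right singular vectors of a
technique-by-API matrix (stand-in for the paper's SVD representation); scaled
dot-product attention between that vector and each API call in the trace then
scores which calls realise the technique. Resource/argument embeddings (BERT in
the paper) are deliberately left out: only API names are used.
"""
import math

# Constructed API vocabulary: column order of the technique-by-API matrix.
APIS = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
        "RegOpenKeyEx", "RegSetValueEx", "CreateFile", "WriteFile",
        "InternetOpen", "HttpSendRequest"]

# Constructed counts: how often labelled sample traces of each technique used
# each API. Real training data would come from labelled sandbox traces.
TECHNIQUE_API_COUNTS = {
    "T1055 Process Injection":          [5, 5, 5, 5, 0, 0, 1, 0, 0, 0],
    "T1112 Modify Registry":            [0, 0, 0, 0, 5, 5, 0, 0, 0, 0],
    "T1071 Application Layer Protocol": [0, 0, 0, 0, 0, 0, 0, 0, 5, 5],
    "T1105 Ingress Tool Transfer":      [0, 0, 0, 0, 0, 0, 4, 4, 3, 3],
}


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def top_right_singular_vectors(rows, k, iters=300):
    """Top-k right singular vectors of the m x n matrix `rows`, via power
    iteration on M^T M with Gram-Schmidt deflation (pure Python, no numpy)."""
    n = len(rows[0])
    gram = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    vecs = []
    for _ in range(k):
        v = [1.0 / (i + 1) for i in range(n)]       # deterministic start vector
        for _ in range(iters):
            w = [dot(gram[i], v) for i in range(n)]
            for u in vecs:                            # project out found vectors
                c = dot(w, u)
                w = [wi - c * ui for wi, ui in zip(w, u)]
            norm = math.sqrt(dot(w, w))
            if norm < 1e-12:
                break
            v = [wi / norm for wi in w]
        vecs.append(v)
    return vecs


def technique_vectors(counts, k):
    """Each technique row projected onto the k-dimensional SVD basis."""
    basis = top_right_singular_vectors(list(counts.values()), k)
    return {name: [dot(row, b) for b in basis] for name, row in counts.items()}, basis


def softmax(xs):
    m = max(xs)
    e = [math.exp(x - m) for x in xs]
    s = sum(e)
    return [x / s for x in e]


def locate_api_calls(trace, technique, counts=TECHNIQUE_API_COUNTS, k=3):
    """Return (attention weights per call, indices of calls whose weight beats
    the uniform baseline 1/len(trace)) for the given technique."""
    tvecs, basis = technique_vectors(counts, k)
    query = tvecs[technique]
    scores = []
    for api, _resource in trace:
        if api in APIS:           # API embedding: one-hot projected on the basis
            idx = APIS.index(api)
            key = [b[idx] for b in basis]
        else:                     # unseen API: zero embedding, baseline mass only
            key = [0.0] * k
        scores.append(dot(query, key) / math.sqrt(k))
    weights = softmax(scores)
    baseline = 1.0 / len(trace)
    located = [i for i, w in enumerate(weights) if w > baseline]
    return weights, located


# Constructed trace of a dropper that stages a file, injects into another
# process, and sets a Run key. Resources are shown only for readability.
TRACE = [
    ("CreateFile", r"C:\Users\victim\AppData\Local\Temp\stage.bin"),
    ("WriteFile", r"C:\Users\victim\AppData\Local\Temp\stage.bin"),
    ("OpenProcess", "pid=4321 (explorer.exe)"),
    ("VirtualAllocEx", "pid=4321 size=0x1000 PAGE_EXECUTE_READWRITE"),
    ("WriteProcessMemory", "pid=4321 0x1000 bytes"),
    ("CreateRemoteThread", "pid=4321 start=0x7ff6a0001000"),
    ("RegOpenKeyEx", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("RegSetValueEx", r"HKCU\...\Run\Updater = C:\Users\victim\...\stage.bin"),
]

if __name__ == "__main__":
    for tech in ("T1055 Process Injection", "T1112 Modify Registry"):
        weights, located = locate_api_calls(TRACE, tech)
        print(tech)
        for i in located:
            print(f"  [{i}] {TRACE[i][0]:<20} w={weights[i]:.3f}  {TRACE[i][1]}")
```

Running the script lists, for each queried technique, only the trace entries whose attention weight exceeds the uniform 1/8 baseline: the four injection calls for process injection and the two registry calls for the Run-key modification, while the file-staging calls stay near baseline. Because the technique vector and the per-call key live in the same SVD basis, the score is the low-rank reconstruction of that technique's expected use of the call's API, which is why an API shared by two techniques (CreateFile here) receives a small but non-zero weight rather than being ignored.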

*This work has been accepted by IEEE Transactions on Information Forensics and Security (ranked 13/145 by JCI [Computer Science, Theory & Methods]).

DOI Bookmark: 10.1109/TIFS.2023.3330337
