Research field: Safety
Venue: Applied Intelligence
Spreading malware through end-users and then escalating privileges and stealing data inside the organization is one of the attack techniques widely used by Advanced Persistent Threat (APT) attackers today. Detecting and warning about APT malware on the workstation in a timely manner is therefore an important and necessary task, because success at this stage prevents the whole APT attack campaign against the system. To this end, this study proposes a method of detecting APT malware on the workstation by analyzing the behavior profile of malware with a deep learning graph network. The proposed method consists of two main tasks. (i) Building behavior profiles of malware: behavior profiles are built by gathering and evaluating Event IDs from the kernel of the workstation. The result is the set of processes created by executable files, together with a label for each process; the label value is normal, malicious, suspicious, or unknown. (ii) Detecting malware by analyzing behavior profiles with a graph network: the behavior profiles built in task (i) are evaluated and analyzed with the Graph Isomorphism Network (GIN) deep learning graph network. The result of this behavior profile classification is used to conclude which behavior profiles were generated by APT malware and which are normal. Detecting APT malware on the workstation by analyzing behavior profiles with a graph network is a novel method; according to our survey, it has not previously been proposed or applied in any research. The experimental results in Section 4.3 of the paper show the remarkable efficiency of the proposed method. With such results, this proposal has not only scientific but also practical significance.
The method of using graph networks to analyze and evaluate behavior profiles helps improve the efficiency of the process of analyzing and detecting APT malware on the workstation.
| Publication year | 2022 |
|---|---|
| Citation count | 0 |
| Publishing country | Vietnam, Andorra |
| Site | Springer |
| Likes | 0 |