NF-GNN: Network Flow Graph Neural Networks for Malware Detection and Classification

Busch, Julian; Kocheturov, Anton; Tresp, Volker; Seidl, Thomas

doi:10.1145/3468791.3468814

Cited by 40 publications

(13 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The network activity generated by the program can also be monitored during its execution, and a network flow graph can be constructed with IP addresses and/or communication ports as nodes, and edges representing network flows. While some works solely rely on network traffic to detect malware activities [49,50], others enhance their detection capabilities by combining CFGs or FCGs with network data [32,33].…”

Section: Common Graphmentioning

confidence: 99%

A Survey on Malware Detection with Graph Representation Learning

Bilot¹,

Madhoun²,

Agha³

et al. 2023

Preprint

View full text Add to dashboard Cite

Malware detection has become a major concern due to the increasing number and complexity of malware. Traditional detection methods based on signatures and heuristics are used for malware detection, but unfortunately, they suffer from poor generalization to unknown attacks and can be easily circumvented using obfuscation techniques. In recent years, Machine Learning (ML) and notably Deep Learning (DL) achieved impressive results in malware detection by learning useful representations from data and have become a solution preferred over traditional methods. More recently, the application of such techniques on graph-structured data has achieved state-of-the-art performance in various domains and demonstrates promising results in learning more robust representations from malware. Yet, no literature review focusing on graph-based deep learning for malware detection exists. In this survey, we provide an in-depth literature review to summarize and unify existing works under the common approaches and architectures. We notably demonstrate that Graph Neural Networks (GNNs) reach competitive results in learning robust embeddings from malware represented as expressive graph structures, leading to an efficient detection by downstream classifiers. This paper also reviews adversarial attacks that are utilized to fool graph-based detection methods. Challenges and future research directions are discussed at the end of the paper. CCS Concepts: • General and reference → Surveys and overviews; • Security and privacy → Malware and its mitigation; • Computing methodologies → Learning latent representations; Neural networks; Spectral methods.

show abstract

Section: Common Graphmentioning

confidence: 99%

A Survey on Malware Detection with Graph Representation Learning

Bilot¹,

Madhoun²,

Agha³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Opcode-level graphs can also be treated like text features rather than graphical data. For example, in [5] dynamically-generated network flow graphs are used to create a new model that its authors call Network Flow Graph Neural Network (NF-GNN). This NF-GNN model relies on a novel edge feature-based GNN for classification.…”

Section: Graph Learning-based Classificationmentioning

confidence: 99%

A Comparison of Graph Neural Networks for Malware Classification

Malhotra¹,

Potika²,

Stamp³

2023

Preprint

View full text Add to dashboard Cite

Managing the threat posed by malware requires accurate detection and classification techniques. Traditional detection strategies, such as signature scanning, rely on manual analysis of malware to extract relevant features, which is labor intensive and requires expert knowledge. Function call graphs consist of a set of program functions and their inter-procedural calls, providing a rich source of information that can be leveraged to classify malware without the labor intensive feature extraction step of traditional techniques. In this research, we treat malware classification as a graph classification problem. Based on Local Degree Profile features, we train a wide range of Graph Neural Network (GNN) architectures to generate embeddings which we then classify. We find that our best GNN models outperform previous comparable research involving the wellknown MalNet-Tiny Android malware dataset. In addition, our GNN models do not suffer from the overfitting issues that commonly afflict non-GNN techniques, although GNN models require longer training times.

show abstract

“…GNN [17–20, 71, 72] is a practical approach to capturing malware's structural and complicated semantics features. Yan et al.…”

Section: Related Workmentioning

confidence: 99%

“…Busch et al. [72] extracted network flow graphs based on the network traffic data generated during the execution of the apps. They proposed to use GNN and its variants to learn the representations of the network flow graphs.…”

Section: Related Workmentioning

confidence: 99%

“…John et al [18] proposed to use GCN to classify whether the system call graphs constructed by the control-dependent file management and network access syscalls exhibit malicious behaviour. Busch et al [72] extracted network flow graphs based on the network traffic data generated during the execution of the apps. They proposed to use GNN and its variants to learn the representations of the network flow graphs.…”

Section: Deep Learning-based Malware Detectionmentioning

confidence: 99%

See 1 more Smart Citation

DeepCatra: Learning flow‐ and graph‐based behaviours for Android malware detection

Shi

Wang

et al. 2022

IET Information Security

View full text Add to dashboard Cite

As Android malware grows and evolves, deep learning has been introduced into malware detection, resulting in great effectiveness. Recent work is considering hybrid models and multi‐view learning. However, they use only simple features, limiting the accuracy of these approaches in practice. This study proposes DeepCatra, a multi‐view learning approach for Android malware detection, whose model consists of a bidirectional LSTM (BiLSTM) and a graph neural network (GNN) as subnets. The two subnets rely on features extracted from statically computed call traces leading to critical APIs derived from public vulnerabilities. For each Android app, DeepCatra first constructs its call graph and computes call traces reaching critical APIs. Then, temporal opcode features used by the BiLSTM subnet are extracted from the call traces, while flow graph features used by the GNN subnet are constructed from all call traces and inter‐component communications. We evaluate the effectiveness of DeepCatra by comparing it with several state‐of‐the‐art detection approaches. Experimental results on over 18,000 real‐world apps and prevalent malware show that DeepCatra achieves considerable improvement, for example, 2.7%–14.6% on the F1 measure, which demonstrates the feasibility of DeepCatra in practice.

show abstract

NF-GNN: Network Flow Graph Neural Networks for Malware Detection and Classification

Cited by 40 publications

References 27 publications

A Survey on Malware Detection with Graph Representation Learning

A Survey on Malware Detection with Graph Representation Learning

A Comparison of Graph Neural Networks for Malware Classification

DeepCatra: Learning flow‐ and graph‐based behaviours for Android malware detection

Contact Info

Product

Resources

About