Denoising Network of Dynamic Features for Enhanced Malware Classification

2023 IEEE International Performance, Computing, and Communications Conference (IPCCC) (2023)

Abstract
Malware classification based on dynamic feature analysis works by running malware in controlled and isolated environments to observe how it behaves. This approach widely uses the sequence of run-time API calls for classification. Malware often adopts evasion techniques such as obfuscation, encryption, and code injection to distort classification results by introducing noise into the API sequence. Existing methods lack explicit means of filtering noise components in the data, which affects the accuracy of malware detection. To address this issue, we propose DenoMC, a malware classification method with an explicit denoising module. First, we employ dynamic analysis and embedding techniques to encode the API sequence. Then, we introduce a soft thresholding mechanism in the residual network to actively filter noise components in API sequences. Finally, a BiLSTM model is adopted to enhance the temporal correlation among the sequence of API calls and improve classification performance. Experiments conducted on real datasets demonstrate that DenoMC significantly improves malware classification accuracy compared to other state-of-the-art models. In addition, we validate the effectiveness of each module in DenoMC through extensive ablation studies.
Keywords
Malware classification, Soft thresholding, API sequence, Deep Learning