Tagging Malware Intentions by Using Attention-Based Sequence-to-Sequence Neural Network

Malware detection has noticeably increased in computer security community. However, little is known about a malware's intentions. In this study, we propose a novel idea to adopt sequence-to-sequence (seq2seq) neural network architecture to analyze a sequence of Windows API invocation calls recording a malware at runtime, and generate tags to describe its malicious behavior. To the best of our knowledge, this is the first research effort which incorporate a malware's intentions in malware analysis and in security domain. It is important to note that we design three embedding modules for transforming Windows API's parameter values, registry, a file name and URL, into low-dimension vectors to preserve the semantics. Also, we apply the attention mechanism [10] to capture the relationship between a tag and certain API invocation calls when predicting tags. This will be helpful for security analysts to understand malicious intentions with easy-to-understand description. Results demonstrated that seq2seq model could mostly find possible malicious actions.