Spatial-Temporal Attention Network for Malware Detection Using Micro-architecture Features

Malware detection is an imperative topic in computer security, since an evolutional malware will cause serious damage to computer system and user privacy information security. In recent years, some researchers began to utilize low-level hardware micro-architecture features to detect malware, because these micro-architecture features are difficult for malware evasion. However, these methods always adopt a long sample length and can hardly identify non-signature malware. This situation will inevitably affect the detection efficiency and effectiveness. To solve the above problems, we first select system call instruction as a trigger point to extract low-level features for avoiding blindly collecting unrelated data continuously. Specifically, we use the General-Purpose Registers (GPRs) as features for malware detection. Each register has specific functions and changes of its content contain the action information which thus can be used to detect illegal behaviours. To improve detection efficiency, we then propose a resampling method to well present the spatial and temporal properties of GPRs. Finally, a novel deep learning model is designed to highlight correlations among GPRs for accurate malware detection. Experimental results achieved 99% of Accuracy and zero False Positive rate (FPr) using only a short sample length and can also identify non-signature malware.