A Dynamic Malware Detection Mechanism Based on Deep Learning

Static malware analysis cannot identify malware that uses encryption or shell technology. Traditional dynamic malware analysis has fingerprints, such as using hooks to monitor function calls, which can be recognised and tampered by malware. To address this issue, this paper proposes a dynamic malware detection mechanism based on the cloud environment. Malware is running at the guest level while malware monitoring is conducted at the hypervisor level, therefore malware execution and monitoring environments are isolated. The breakpoint injection technology is utilised to capture the kernel function calls so that malware behaviours, such as processes, file access, registries and system services, can be monitored and the log is generated. The log is processed to extract four dimensions of information which is utilised as the input for the deep learning network. The deep learning network, trained by a large number of samples, can recognise and output the malware types at an accuracy as high as 97.3%.