MalDMTP: A Multi-tier Pooling Method for Malware Detection based on Graph Classification

With the development and adoption of cloud platforms in various fields, malware attacks have become a serious threat to the Internet cloud ecosystem. However, the pooling process of existing graph classification techniques for malware variant detection uses only a serial and single strategy, resulting in localized malicious behaviors of malware that may be overlooked. In this paper, we propose MalDMTP, a malware detection framework based on multilevel graph classification learning, which implements the graph pooling process for malware classification in parallel and performs graph instance-based discrimination. In particular, MalDMTP first constructs an API call graph based on results obtained from dynamic execution of malware. Then it combines multiple graph neural network learning strategies through multi-level pooling to learn the global importance of nodes in the pooled graph and extract node representations from multiple perspectives for heterogeneous graphs. After that, MalDMTP is aggregated into graph representations by the graph-level pooling function GMT based on a multi-head attention mechanism, which goes through a classifier in order to obtain malware prediction labels. Experimental results show that the proposed MalDMTP can achieve 96.53% accuracy on the Alibaba cloud malware dataset, which improves 1.9% 7.6% over the previous single-graph pooling methods on the graph classification task of malware detection.