In dynamic Windows malware detection, deep learning models are extensively deployed to analyze API sequences. Methods based on API sequences play a crucial role in malware prevention. However, due to the continuous updates of APIs and the changes in API sequence calls leading to the constant evolution of malware variants, the detection capability of API sequence-based malware detection models significantly diminishes over time. We observe that the API sequences of malware samples before and after evolution usually have similar malicious semantics. Specifically, compared to the original samples, evolved malware samples often use the API sequences of the pre-evolution samples to achieve similar malicious behaviors. For instance, they access similar sensitive system resources and extend new malicious functions based on the original functionalities. In this paper, we propose a frame(MME), a framework that can enhance existing API sequence-based malware detectors and mitigate the adverse effects of malware evolution. To help detection models capture the similar semantics of these post-evolution API sequences, our framework represents API sequences using API knowledge graphs and system resource encodings and applies contrastive learning to enhance the model's encoder. Results indicate that, compared to Regular Text-CNN, our framework can significantly reduce the false positive rate by 13.10% and improve the F1-Score by 8.47% on five years of data, achieving the best experimental results. Additionally, evaluations show that our framework can save on the human costs required for model maintenance. We only need 1% of the budget per month to reduce the false positive rate by 11.16% and improve the F1-Score by 6.44%.

翻译：在动态Windows恶意软件检测中，深度学习模型被广泛部署以分析API序列。基于API序列的方法在恶意软件防护中发挥着关键作用。然而，由于API的持续更新以及API序列调用的变化导致恶意软件变体不断演化，基于API序列的恶意软件检测模型的检测能力会随时间显著下降。我们观察到，演化前后的恶意软件样本的API序列通常具有相似的恶意语义。具体而言，相较于原始样本，演化后的恶意软件样本常利用演化前样本的API序列来实现相似的恶意行为。例如，它们访问相似的敏感系统资源，并在原有功能基础上扩展新的恶意功能。本文提出一个框架（MME），该框架能够增强现有的基于API序列的恶意软件检测器，并缓解恶意软件演化的不利影响。为帮助检测模型捕捉这些演化后API序列的相似语义，我们的框架利用API知识图谱和系统资源编码来表示API序列，并应用对比学习来增强模型的编码器。实验结果表明，与常规Text-CNN相比，我们的框架在五年数据上能够显著降低13.10%的误报率，并将F1分数提升8.47%，取得了最佳实验结果。此外，评估表明我们的框架能够节省模型维护所需的人力成本。我们仅需每月1%的预算即可降低11.16%的误报率，并将F1分数提高6.44%。