A Multi-Perspective malware detection approach through behavioral fusion of API call sequence
Computers & Security (IF 4.8), published 2021-08-21, DOI: 10.1016/j.cose.2021.102449
Eslam Amer, Ivan Zelinka, Shaker El-Sappagh

The widespread growth of the malware industry is considered the main threat to our e-society. Malware analysis should therefore be enriched with smart heuristic tools that recognize malicious behaviors effectively. Although the API calling graph generated for a malicious process encodes worthwhile information about its malicious behavior, it is impractical to generate a behavior graph for every process. Therefore, we experimented with creating generic behavioral graph models that describe malicious and non-malicious processes. These behavioral models rely on the fusion of statistical, contextual, and graph mining features that capture explicit and implicit relationships between API functions in the calling sequence. Our generated behavioral models demonstrated the behavioral contrast between malicious and non-malicious calling sequences. Based on that distinction, we built different relational perspective models that characterize process behavior. To demonstrate the novelty of our approach, we evaluated it on both the Windows and Android platforms. Our experiments showed that the proposed system identified unseen malicious samples with high accuracy and a low false-positive rate. In terms of detection accuracy, our model returns an average accuracy of 0.997 and 0.977 on the unseen Windows and Android malware testing samples, respectively. Moreover, we proposed a new indexing method for APIs based on their contextual similarities. We also suggested a new expressive, visualized form for rendering the API calling sequence. We further introduced a confidence metric for our model's classification decisions. Finally, we developed a behavioral heuristic that effectively identified malicious API call sequences that were deceptive or mimicry.
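The abstract describes building generic behavioral graph models from API call sequences, scoring a sequence against the malicious and benign models, and attaching a confidence value to the decision. The block below is an added illustration of that general idea, not code from the paper: the API names and traces are constructed, and the feature set (call frequencies, bigram transitions, coverage of the model's edge set) and the margin-based confidence score are simplified stand-ins for the paper's statistical, contextual and graph-mining fusion. The last sample, a suspicious chain buried in benign-looking calls, shows why a confidence metric matters: the model's label flips, but the low margin flags the verdict for closer inspection.

```python
"""Generic behavioral-graph models over API call sequences (added example).

Everything here is constructed for illustration: the traces are not real
captures, and the scoring rule is an assumed simplification, not the paper's.
"""
from collections import Counter
from typing import Dict, List, Tuple

Trace = List[str]

# Constructed training traces (not real malware or application captures).
BENIGN_TRACES: List[Trace] = [
    ["CreateFileW", "ReadFile", "CloseHandle"],
    ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle"],
    ["RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey"],
]
MALICIOUS_TRACES: List[Trace] = [
    ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    ["CreateFileW", "WriteFile", "RegSetValueExW", "CreateRemoteThread"],
]


class BehaviourGraph:
    """One generic model aggregated over all traces of a class.

    Nodes are API names, edges are observed consecutive calls. The model keeps
    unigram counts (statistical view) and edge counts (contextual/graph view).
    """

    def __init__(self, traces: List[Trace]) -> None:
        self.unigrams: Counter = Counter()
        self.edges: Counter = Counter()  # (caller_i, caller_i+1) -> count
        for trace in traces:
            self.unigrams.update(trace)
            self.edges.update(zip(trace, trace[1:]))
        self.total_calls = sum(self.unigrams.values())
        self.total_edges = sum(self.edges.values())

    def score(self, trace: Trace) -> float:
        """Average of three normalized views of how well the model explains a trace."""
        if not trace or self.total_calls == 0:
            return 0.0
        # Statistical view: mean relative frequency of each call in the model.
        uni = sum(self.unigrams[a] / self.total_calls for a in trace) / len(trace)
        transitions = list(zip(trace, trace[1:]))
        if not transitions or self.total_edges == 0:
            return uni / 3
        # Contextual view: mean relative frequency of each observed transition.
        bi = sum(self.edges[e] / self.total_edges for e in transitions) / len(transitions)
        # Graph view: fraction of the trace's distinct edges present in the model graph.
        distinct = set(transitions)
        graph = sum(1 for e in distinct if e in self.edges) / len(distinct)
        return (uni + bi + graph) / 3


BENIGN_MODEL = BehaviourGraph(BENIGN_TRACES)
MALICIOUS_MODEL = BehaviourGraph(MALICIOUS_TRACES)


def classify(trace: Trace,
             benign: BehaviourGraph = BENIGN_MODEL,
             malicious: BehaviourGraph = MALICIOUS_MODEL) -> Tuple[str, float]:
    """Return (label, confidence); confidence is the normalized score margin in [0, 1]."""
    s_benign, s_mal = benign.score(trace), malicious.score(trace)
    label = "malicious" if s_mal > s_benign else "benign"
    total = s_benign + s_mal
    confidence = abs(s_mal - s_benign) / total if total > 0 else 0.0
    return label, round(confidence, 3)


# Constructed test traces that were not in either training set.
UNSEEN_INJECTION_LIKE: Trace = [
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread", "CloseHandle",
]
UNSEEN_BENIGN: Trace = ["CreateFileW", "ReadFile", "CloseHandle"]
# Suspicious chain preceded by repeated benign-looking activity: the label flips,
# but the confidence margin collapses, which is the signal to escalate for review.
PADDED_SUSPICIOUS: Trace = (UNSEEN_BENIGN * 2) + [
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
]

if __name__ == "__main__":
    for name, trace in [("injection-like", UNSEEN_INJECTION_LIKE),
                        ("benign", UNSEEN_BENIGN),
                        ("padded", PADDED_SUSPICIOUS)]:
        print(name, classify(trace))
```

In a deployment the low-confidence band would route the sample to a second-stage check rather than accept the label; the paper's mimicry heuristic occupies that role, whereas this example only exposes the margin.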

Updated: 2021-08-31