| Graduate student: | 吳玟瑩 Wu, Wen-Ying |
|---|---|
| Thesis title: | 基於深度強化學習之惡意程式偵測 A Deep Reinforcement Learning Model for Malware Detection |
| Advisor: | 李昇暾 Li, Sheng-Tun |
| Degree: | Master |
| Department: | Institute of Information Management, College of Management |
| Year of publication: | 2024 |
| Academic year of graduation: | 112 |
| Language: | English |
| Pages: | 43 |
| Chinese keywords: | 深度強化學習, 惡意程式偵測, 動態分析, 早期預測 (deep reinforcement learning, malware detection, dynamic analysis, early prediction) |
| English keywords: | Deep Reinforcement Learning, Malware Detection, Dynamic Analysis, Early Prediction |
With the advance of networking and information technology, the accompanying information security threats cannot be underestimated. Whether on ordinary personal computers, servers, IoT devices or mobile devices, malware is not only becoming more covert and harder to detect, it also mutates rapidly. Static analysis extracts static features such as hash values and key strings without executing the program and matches them against a database of known signatures; because matching is fast, it is widely used in endpoint antivirus software, but it cannot detect unknown malware and is easily misled by encryption, packing and obfuscation. Dynamic analysis executes the program in a sandboxed virtual environment, where its run-time behaviour can be observed directly, including API calls, registry key changes, network connection information, newly created files and other dynamic behavioural features, giving a truer picture of what the program does; but because the program actually runs, it consumes more time, computing resources and cost, which makes it hard to apply in endpoint antivirus software in practice. To resolve this dilemma, this study uses dynamic analysis to obtain the sequence of API calls made during execution and proposes a malware detection model that performs early prediction with deep reinforcement learning: using only the first 4% of the API call sequence, it reaches 96% accuracy. This removes the need to wait several minutes for the program to finish running in the sandbox, greatly shortens the time spent, increases the feasibility of dynamic analysis for endpoint protection, and can be applied in Endpoint Detection and Response (EDR) mechanisms.
Due to the advancement of the internet and information technology, there is a growing concern regarding cybersecurity threats. Regardless of whether it is on personal computers, servers, IoT devices, or mobile devices, malware poses a challenge in detection due to its increasing sophistication and new variants.
Static analysis, which involves obtaining static features such as hash values and keyword strings without executing the program, is commonly employed in endpoint antivirus software due to its fast matching speed against known feature databases. However, static analysis falls short in detecting unknown malware and is susceptible to misjudgments due to factors like encryption, packing, and obfuscation.
On the other hand, dynamic analysis executes programs in a sandbox virtual environment, allowing the observation of real-time behaviors such as API calls, registry key changes, network connection information, and file additions. This approach provides more realistic insights into program behavior. However, dynamic analysis, being resource-intensive and time-consuming, poses challenges in practical applications of endpoint antivirus software.
To address these challenges, this study employs dynamic analysis to capture the API call sequence during program execution. We propose a malware detection model that uses deep reinforcement learning for early prediction; it achieves 96% accuracy using only the initial 4% of the API call sequence. This addresses the issue of dynamic analysis requiring minutes of program execution in a sandbox environment, significantly reducing the time required and enhancing the feasibility of dynamic analysis in endpoint protection. Moreover, it can be applied to Endpoint Detection and Response (EDR) platforms.
On-campus access: public from 2029-01-30