{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,14]],"date-time":"2026-01-14T17:06:39Z","timestamp":1768410399392,"version":"3.49.0"},"reference-count":33,"publisher":"MDPI AG","issue":"10","license":[{"start":{"date-parts":[[2020,5,20]],"date-time":"2020-05-20T00:00:00Z","timestamp":1589932800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100010418","name":"Institute for Information and Communications Technology Promotion","doi-asserted-by":"publisher","award":["2016-0-00078"],"award-info":[{"award-number":["2016-0-00078"]}],"id":[{"id":"10.13039\/501100010418","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Sensors"],"abstract":"<jats:p>Every day, hundreds of thousands of malicious files are created to exploit zero-day vulnerabilities. Existing pattern-based antivirus solutions face difficulties in coping with such a large number of new malicious files. To solve this problem, artificial intelligence (AI)-based malicious file detection methods have been proposed. However, even if we can detect malicious files with high accuracy using deep learning, it is difficult to identify why files are malicious. In this study, we propose a malicious file feature extraction method based on attention mechanism. First, by adapting the attention mechanism, we can identify application program interface (API) system calls that are more important than others for determining whether a file is malicious. 
Second, we confirm that this approach yields an accuracy that is approximately 12% and 5% higher than a conventional AI-based detection model using convolutional neural networks and skip-connected long short-term memory-based detection model, respectively.<\/jats:p>","DOI":"10.3390\/s20102893","type":"journal-article","created":{"date-parts":[[2020,5,20]],"date-time":"2020-05-20T10:37:38Z","timestamp":1589971058000},"page":"2893","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":33,"title":["Attention-Based Automated Feature Extraction for Malware Analysis"],"prefix":"10.3390","volume":"20","author":[{"given":"Sunoh","family":"Choi","sequence":"first","affiliation":[{"name":"Department of Computer Engineering, Honam University, Gwangju 62399, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jangseong","family":"Bae","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, Kangwon University, Kangwon-do 24341, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Changki","family":"Lee","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Engineering, Kangwon University, Kangwon-do 24341, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Youngsoo","family":"Kim","sequence":"additional","affiliation":[{"name":"Information Security Division, Electronics and Telecommunications Research Institute, Daejeon 34129, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jonghyun","family":"Kim","sequence":"additional","affiliation":[{"name":"Information Security Division, Electronics and Telecommunications Research Institute, Daejeon 34129, Korea"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2020,5,20]]},"reference":[{"key":"ref_1","unstructured":"(2020, April 17). AV-TEST. 
Available online: https:\/\/www.av-test.org."},{"key":"ref_2","unstructured":"(2020, April 17). Zero-Day. Available online: https:\/\/en.wikipedia.org\/wiki\/Zero-day_computing."},{"key":"ref_3","doi-asserted-by":"crossref","unstructured":"Gavrilu\u0163, D., Cimpoe\u015fu, M., Anton, D., and Ciortuz, L. (2009, January 12\u201314). Malware Detection using Machine Learning. Proceedings of the International Multiconference on Computer Science and Information Technology, Mragowo, Poland.","DOI":"10.1109\/IMCSIT.2009.5352759"},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Saxe, J., and Berlin, K. (2015, January 20\u201322). Deep Neural Network based Malware Detection using Two Dimensional Binary Program Features. Proceedings of the International Conference on Malicious and Unwanted Software (MALWARE), Fajardo, Puerto Rico.","DOI":"10.1109\/MALWARE.2015.7413680"},{"key":"ref_5","unstructured":"Gibert, D. (2016). Convolutional Neural Networks for Malware Classification. [Master\u2019s Thesis, Universitat de Barcelona]."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Dahl, G.E., Stokes, J.W., Deng, L., and Yu, D. (2013, January 26\u201331). Large-scale Malware Classification using Random Projections and Neural Networks. Proceedings of the International Conference on Acoustics, Speech and Signal Processing (ICASSP), Vancouver, BC, Canada.","DOI":"10.1109\/ICASSP.2013.6638293"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Pascanu, R., Stokes, J.W., Sanossian, H., Marinescu, M., and Thomas, A. (2015, January 19\u201324). Malware classification with recurrent networks. Proceedings of the International Conference on Acoustics, Speech and Signal Processing (ICASSP), Brisbane, Australia.","DOI":"10.1109\/ICASSP.2015.7178304"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Huang, W., and Stokes, J.W. (2016, January 7\u20138). MtNet: A Multi-task Neural Networks for Dynamic Malware Classification. 
Proceedings of the International Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), San Sebastian, Spain.","DOI":"10.1007\/978-3-319-40667-1_20"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Ki, Y., Kim, E., and Kim, H.K. (2015). A Novel Approach to Detect Malware Based on API Call Sequence Analysis. Int. J. Distrib. Sens. Networks, 11.","DOI":"10.1155\/2015\/659101"},{"key":"ref_10","first-page":"1233","article-title":"Malware Detection Model with Skip-Connected LSTM RNN","volume":"45","author":"Bae","year":"2018","journal-title":"J. Korean Inst. Inf. Sci. Eng."},{"key":"ref_11","unstructured":"He, K., Zhang, X., Ren, S., and Sun, J. (July, January 26). Deep Residual Learning for Image Recognition. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, NV, USA."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Wang, Y., and Tian, F. (2016, January 1\u20135). Recurrent Residual Learning for Sequence Classification. Proceedings of the International Conference on Empirical Methods in Natural Language Processing (EMNLP), Austin, TX, USA.","DOI":"10.18653\/v1\/D16-1093"},{"key":"ref_13","unstructured":"(2020, May 09). Kaspersky. Available online: https:\/\/securelist.com\/mobile-malware-evolution-2018\/89689\/."},{"key":"ref_14","unstructured":"Schultz, M.G., Eskin, E., Zadok, F., and Stolfo, S.J. (2000, January 14\u201316). Data Mining Methods for Detection of New Malicious Executables. Proceedings of the IEEE International Symposium on Security and Privacy (SP), Oakland, CA, USA."},{"key":"ref_15","unstructured":"Weber, M., Schmid, M., Schatz, M., and Geyer, D. (2002, January 9\u201313). A Toolkit for Detecting and Analyzing Malicious Software. 
Proceedings of the IEEE International Conference on Computer Security Applications, Las Vegas, NV, USA."},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Abou-Assaleh, T., Cercone, N., Keselj, V., and Sweidan, R. (2004, January 28\u201330). N-gram based Detection of New Malicious Code. Proceedings of the IEEE International Conference on Computer Security and Applications, Hong Kong, China.","DOI":"10.1109\/CMPSAC.2004.1342667"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Moser, A., Kruegel, C., and Kirda, E. (2007, January 10\u201314). Limits of Static Analysis for Malware Detection. Proceedings of the 23rd IEEE International Conference on Computer Security and Applications, Miami Beach, FL, USA.","DOI":"10.1109\/ACSAC.2007.21"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Rush, A.M., Harvard, S.E.A.S., Chopra, S., and Weston, J. (2015, January 17\u201321). A Neural Attention Model for Sentence Summarization. Proceedings of the International Conference on Empirical Methods in Natural Language Processing, Lisbon, Portugal.","DOI":"10.18653\/v1\/D15-1044"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"\u0160rndi\u0107, N., and Laskov, P. (2016). Hidost: A Static Machine-Learning-based Detector of Malicious Files. Eurasip J. Inf. Secur., 22.","DOI":"10.1186\/s13635-016-0045-0"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Hendler, D., Kels, S., and Rubin, A. (2018, January 4\u20138). Detecting Malicious Powershell Commands using Deep Neural Networks. Proceedings of the 2018 on Asia Conference on Computer and Communications Security, Incheon, Korea.","DOI":"10.1145\/3196494.3196511"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Rusak, U.M.O.G., and Al-Dujaili, A. (2018). POSTER: AST-Based Deep Learning for Detecting Malicious Powershell. CoRR.","DOI":"10.1145\/3243734.3278496"},{"key":"ref_22","unstructured":"Objdump (2020, April 17). Disassembler. 
Available online: https:\/\/en.wikipedia.org\/wiki\/Objdump."},{"key":"ref_23","unstructured":"(2020, April 17). Wikipedia. n-gram. Available online: https:\/\/en.wikipedia.org\/wiki\/N-gram."},{"key":"ref_24","unstructured":"(2020, April 17). Cuckoo Sandbox. Available online: https:\/\/cuckoosandbox.org."},{"key":"ref_25","unstructured":"Bahdanau, D., Cho, K., and Bengio, Y. (2014). Neural Machine Translation by Jointly Learning to Align and Translate. arXiv."},{"key":"ref_26","unstructured":"(2020, April 17). Vanishing Gradient Problem. Available online: https:\/\/en.wikipedia.org\/wiki\/Vanishing_gradient_problem."},{"key":"ref_27","unstructured":"Colah\u2019s Blog (2020, April 17). Understanding LSTM Networks. Available online: http:\/\/colah.github.io\/posts\/2015-08-Understanding-LSTMs\/."},{"key":"ref_28","unstructured":"Bastien, F., Lamblin, P., Pascanu, R., Bergstra, J., Goodfellow, I., Bergeron, A., Bouchard, N., Warde-Farley, D., and Bengio, Y. (2012). Theano: New features and speed improvements. arXiv."},{"key":"ref_29","unstructured":"Hauri (2020, April 17). Antivirus Company. Available online: http:\/\/www.hauri.net."},{"key":"ref_30","unstructured":"Ahnlab (2020, May 02). V3 Internet Security. Available online: https:\/\/global.ahnlab.com\/site\/product\/productSubDetail.do?prodSeq=5805."},{"key":"ref_31","unstructured":"(2020, May 09). Microsoft Malware Classification Challenge. Available online: https:\/\/www.kaggle.com\/c\/malware-classification."},{"key":"ref_32","unstructured":"(2020, May 02). Cross Validation. Available online: https:\/\/machinelearningmastery.com\/k-fold-cross-validation\/."},{"key":"ref_33","unstructured":"(2020, April 17). KERAS. 
Available online: https:\/\/keras.io."}],"container-title":["Sensors"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/1424-8220\/20\/10\/2893\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T09:30:38Z","timestamp":1760175038000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/1424-8220\/20\/10\/2893"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,5,20]]},"references-count":33,"journal-issue":{"issue":"10","published-online":{"date-parts":[[2020,5]]}},"alternative-id":["s20102893"],"URL":"https:\/\/doi.org\/10.3390\/s20102893","relation":{},"ISSN":["1424-8220"],"issn-type":[{"value":"1424-8220","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,5,20]]}}}