{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,22]],"date-time":"2026-02-22T05:03:39Z","timestamp":1771736619955,"version":"3.50.1"},"reference-count":42,"publisher":"PeerJ","license":[{"start":{"date-parts":[[2025,6,13]],"date-time":"2025-06-13T00:00:00Z","timestamp":1749772800000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Key Research and Development Program of China","award":["2023YFB3105700"],"award-info":[{"award-number":["2023YFB3105700"]}]},{"name":"Qing Lan Project in Jiangsu universities","award":["XJTLU RDF-22-01-565020"],"award-info":[{"award-number":["XJTLU RDF-22-01-565020"]}]},{"name":"Pearl River Talents Plan"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"abstract":"<jats:p>As computers are widely used in people\u2019s work and daily lives, malware has become an increasing threat to network security. Although researchers have introduced traditional machine learning and deep learning methods to conduct extensive research on functions in malware detection, these methods have largely ignored the analysis of function parameters and functional dependencies. To address these limitations, we propose a new malware detection method. Specifically, we first design a parameter encoder to convert various types of function parameters into feature vectors, and then discretize various parameter features through clustering methods to enhance the representation of API encoding. Additionally, we design a deep neural network to capture functional dependencies, enabling the generation of robust semantic representations of function sequences. Experiments on a large-scale malware detection dataset demonstrate that our method outperforms other techniques, achieving 98.62% accuracy and a 98.40% F1-score. Furthermore, the results of ablation experiments show the important role of function parameters and functional dependencies in malware detection.<\/jats:p>","DOI":"10.7717\/peerj-cs.2946","type":"journal-article","created":{"date-parts":[[2025,6,13]],"date-time":"2025-06-13T08:40:36Z","timestamp":1749804036000},"page":"e2946","source":"Crossref","is-referenced-by-count":1,"title":["A malware detection method with function parameters encoding and function dependency modeling"],"prefix":"10.7717","volume":"11","author":[{"given":"Ronghao","family":"Hou","sequence":"first","affiliation":[{"name":"School for Cyberspace Security, Jinan University, Guangzhou, Guangdong, China"}]},{"given":"Dongjie","family":"Liu","sequence":"additional","affiliation":[{"name":"School for Cyberspace Security, Jinan University, Guangzhou, Guangdong, China"}]},{"given":"Xiaobo","family":"Jin","sequence":"additional","affiliation":[{"name":"Department of Electrical and Electronic Engineering, Xi\u2019an Jiaotong-Liverpool University, Suzhou, Jiangsu, China"}]},{"given":"Jian","family":"Weng","sequence":"additional","affiliation":[{"name":"School for Cyberspace Security, Jinan University, Guangzhou, Guangdong, China"}]},{"given":"Guanggang","family":"Geng","sequence":"additional","affiliation":[{"name":"School for Cyberspace Security, Jinan University, Guangzhou, Guangdong, China"}]}],"member":"4443","published-online":{"date-parts":[[2025,6,13]]},"reference":[{"issue":"1","key":"10.7717\/peerj-cs.2946\/ref-1","doi-asserted-by":"publisher","first-page":"123","DOI":"10.3390\/sym15010123","article-title":"Malware detection using deep learning and correlation-based feature selection","volume":"15","author":"Alomari","year":"2023","journal-title":"Symmetry"},{"issue":"1","key":"10.7717\/peerj-cs.2946\/ref-2","doi-asserted-by":"publisher","first-page":"38","DOI":"10.21608\/jocc.2022.218454","article-title":"Using machine learning to identify android malware relying on api calling sequences and permissions","volume":"1","author":"Amer","year":"2022","journal-title":"Journal of Computing and Communication"},{"issue":"7","key":"10.7717\/peerj-cs.2946\/ref-3","doi-asserted-by":"publisher","first-page":"101760","DOI":"10.1016\/j.cose.2020.101760","article-title":"A dynamic windows malware detection and prediction method based on contextual understanding of API call sequence","volume":"92","author":"Amer","year":"2020","journal-title":"Computers & Security"},{"key":"10.7717\/peerj-cs.2946\/ref-4","article-title":"Malware statistics[eb\/ol]","author":"AV TEST","year":"2023"},{"key":"10.7717\/peerj-cs.2946\/ref-5","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1803.01271","article-title":"An empirical evaluation of generic convolutional and recurrent networks for sequence modeling","author":"Bai","year":"2018"},{"key":"10.7717\/peerj-cs.2946\/ref-6","doi-asserted-by":"publisher","first-page":"102779","DOI":"10.1016\/j.cose.2022.102779","article-title":"Deep learning based cross architecture internet of things malware detection and classification","volume":"120","author":"Chaganti","year":"2022","journal-title":"Computers & Security"},{"issue":"1","key":"10.7717\/peerj-cs.2946\/ref-7","doi-asserted-by":"publisher","first-page":"788","DOI":"10.1109\/tifs.2022.3152360","article-title":"Cruparamer: learning on parameter-augmented API sequences for malware detection","volume":"17","author":"Chen","year":"2022","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"10.7717\/peerj-cs.2946\/ref-8","first-page":"161","article-title":"Understanding Linux malware","author":"Cozzi","year":"2018"},{"issue":"11","key":"10.7717\/peerj-cs.2946\/ref-9","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1007\/s11227-021-03743-2","article-title":"Considerations about learning word2vec","volume":"77","author":"Di Gennaro","year":"2021","journal-title":"The Journal of Supercomputing"},{"key":"10.7717\/peerj-cs.2946\/ref-10","article-title":"Enisa threat landscape 2023","author":"ENISA","year":"2023"},{"key":"10.7717\/peerj-cs.2946\/ref-11","doi-asserted-by":"publisher","first-page":"103788","DOI":"10.1016\/j.cose.2024.103788","article-title":"DawnGNN: documentation augmented windows malware detection using graph neural network","volume":"140","author":"Feng","year":"2024","journal-title":"Computers & Security"},{"issue":"3","key":"10.7717\/peerj-cs.2946\/ref-12","doi-asserted-by":"publisher","first-page":"344","DOI":"10.3390\/e23030344","article-title":"An efficient densenet-based deep learning model for malware detection","volume":"23","author":"Hemalatha","year":"2021","journal-title":"Entropy"},{"key":"10.7717\/peerj-cs.2946\/ref-13","first-page":"1056","article-title":"Dynamic malware analysis using cuckoo sandbox","author":"Jamalpur","year":"2018"},{"key":"10.7717\/peerj-cs.2946\/ref-14","article-title":"Malicious-code-dataset. GitHub","author":"kericwy1337","year":"2019"},{"key":"10.7717\/peerj-cs.2946\/ref-15","first-page":"1","article-title":"Enhancing malware classification with machine learning: a comparative analysis of API sequence-based techniques","author":"Kishore","year":"2024"},{"key":"10.7717\/peerj-cs.2946\/ref-16","doi-asserted-by":"publisher","first-page":"102872","DOI":"10.1016\/j.cose.2022.102872","article-title":"DMalNet: dynamic malware analysis based on API feature engineering and graph learning","volume":"122","author":"Li","year":"2022","journal-title":"Computers & Security"},{"key":"10.7717\/peerj-cs.2946\/ref-17","first-page":"1456","article-title":"A robust malware detection system using deep learning on API calls","author":"Liu","year":"2019"},{"issue":"6","key":"10.7717\/peerj-cs.2946\/ref-18","doi-asserted-by":"publisher","first-page":"103704","DOI":"10.1016\/j.jnca.2023.103704","article-title":"API-maldetect: automated malware detection framework for windows based on api calls and deep learning techniques","volume":"218","author":"Maniriho","year":"2023","journal-title":"Journal of Network and Computer Applications"},{"key":"10.7717\/peerj-cs.2946\/ref-19","article-title":"Microsoft Windows app development documentation","author":"Microsoft","year":"2024"},{"issue":"2","key":"10.7717\/peerj-cs.2946\/ref-20","doi-asserted-by":"publisher","first-page":"239","DOI":"10.3390\/app9020239","article-title":"Cross-method-based analysis and classification of malicious behavior by API calls extraction","volume":"9","author":"Ndibanje","year":"2019","journal-title":"Applied Sciences"},{"key":"10.7717\/peerj-cs.2946\/ref-21","doi-asserted-by":"publisher","first-page":"125","DOI":"10.16607\/j.cnki.1674-6708.2019.06.060","article-title":"The harm of computer malware and prevention methods","volume":"11","author":"Ni","year":"2019","journal-title":"Public Communication of Science & Technology"},{"issue":"3","key":"10.7717\/peerj-cs.2946\/ref-22","doi-asserted-by":"publisher","first-page":"76","DOI":"10.4018\/ijeis.2019070105","article-title":"Application programming interface (API) research: a review of the past to inform the future","volume":"15","author":"Ofoeda","year":"2019","journal-title":"International Journal of Enterprise Information Systems (IJEIS)"},{"issue":"08","key":"10.7717\/peerj-cs.2946\/ref-23","doi-asserted-by":"publisher","first-page":"22","DOI":"10.31695\/ijasre.2021.34050","article-title":"Comprehensive review of k-means clustering algorithms","volume":"12","author":"Oti","year":"2021","journal-title":"Criterion"},{"issue":"1","key":"10.7717\/peerj-cs.2946\/ref-24","doi-asserted-by":"publisher","first-page":"25","DOI":"10.5120\/ijca2018917395","article-title":"Text mining: use of TF-IDF to examine the relevance of words to documents","volume":"181","author":"Qaiser","year":"2018","journal-title":"International Journal of Computer Applications"},{"key":"10.7717\/peerj-cs.2946\/ref-25","first-page":"18","article-title":"Dynamic malware analysis of phishing emails","author":"Qbeitah","year":"2018"},{"issue":"2","key":"10.7717\/peerj-cs.2946\/ref-26","doi-asserted-by":"publisher","first-page":"181","DOI":"10.1007\/s11416-017-0304-8","article-title":"Multi-context features for detecting malicious programs","volume":"14","author":"Saleh","year":"2018","journal-title":"Journal of Computer Virology and Hacking Techniques"},{"key":"10.7717\/peerj-cs.2946\/ref-27","doi-asserted-by":"publisher","DOI":"10.48550\/arXiv.1702.08568","article-title":"eXpose: a character-level convolutional neural network with embeddings for detecting malicious URLs, file paths and registry keys","author":"Saxe","year":"2017"},{"key":"10.7717\/peerj-cs.2946\/ref-28","first-page":"1","article-title":"Windows malware detection using machine learning and TF-IDF enriched API calls information","author":"Sharma","year":"2022"},{"issue":"4","key":"10.7717\/peerj-cs.2946\/ref-29","doi-asserted-by":"publisher","first-page":"106030","DOI":"10.1016\/j.engappai.2023.106030","article-title":"A novel deep learning-based approach for malware detection","volume":"122","author":"Shaukat","year":"2023","journal-title":"Engineering Applications of Artificial Intelligence"},{"issue":"8","key":"10.7717\/peerj-cs.2946\/ref-30","doi-asserted-by":"publisher","first-page":"132306","DOI":"10.1016\/j.physd.2019.132306","article-title":"Fundamentals of recurrent neural network (RNN) and long short-term memory (LSTM) network","volume":"404","author":"Sherstinsky","year":"2020","journal-title":"Physica D: Nonlinear Phenomena"},{"issue":"3","key":"10.7717\/peerj-cs.2946\/ref-31","doi-asserted-by":"publisher","first-page":"270","DOI":"10.1080\/1206212x.2020.1732641","article-title":"Assessment of supervised machine learning algorithms using dynamic API calls for malware detection","volume":"44","author":"Singh","year":"2022","journal-title":"International Journal of Computers and Applications"},{"key":"10.7717\/peerj-cs.2946\/ref-32","article-title":"Machine learning based phishing e-mail detection","author":"Unnithan","year":"2018"},{"key":"10.7717\/peerj-cs.2946\/ref-33","doi-asserted-by":"publisher","first-page":"148853\u2013148860","DOI":"10.1109\/access.2019.2946482","article-title":"A novel solutions for malicious code detection and family clustering based on machine learning","volume":"7","author":"Yang","year":"2019","journal-title":"IEEE Access"},{"key":"10.7717\/peerj-cs.2946\/ref-34","doi-asserted-by":"publisher","first-page":"15196","DOI":"10.1109\/access.2019.2892066","article-title":"Phishing website detection based on multidimensional features driven by deep learning","volume":"7","author":"Yang","year":"2019","journal-title":"IEEE Access"},{"key":"10.7717\/peerj-cs.2946\/ref-35","first-page":"233","article-title":"A dirichlet multinomial mixture model-based approach for short text clustering","author":"Yin","year":"2014"},{"key":"10.7717\/peerj-cs.2946\/ref-36","volume-title":"Introduction to sequence learning models: RNN, LSTM, GRU","author":"Zargar","year":"2021"},{"key":"10.7717\/peerj-cs.2946\/ref-37","doi-asserted-by":"publisher","first-page":"176728\u2013176737","DOI":"10.1109\/access.2020.3026052","article-title":"Malicious code detection based on code semantic features","volume":"8","author":"Zhang","year":"2020","journal-title":"IEEE Access"},{"key":"10.7717\/peerj-cs.2946\/ref-38","doi-asserted-by":"publisher","first-page":"1210","DOI":"10.1609\/aaai.v34i01.5474","article-title":"Dynamic malware analysis with feature engineering and feature learning","volume":"34","author":"Zhang","year":"2020","journal-title":"Proceedings of the AAAI Conference on Artificial Intelligence"},{"issue":"2","key":"10.7717\/peerj-cs.2946\/ref-39","doi-asserted-by":"publisher","first-page":"103","DOI":"10.1145\/233269.233324","article-title":"Birch: an efficient data clustering method for very large databases","volume":"25","author":"Zhang","year":"1996","journal-title":"ACM Sigmod Record"},{"issue":"24","key":"10.7717\/peerj-cs.2946\/ref-40","doi-asserted-by":"publisher","first-page":"4992","DOI":"10.3390\/electronics12244992","article-title":"Dynamic malware detection using parameter-augmented semantic chain","volume":"12","author":"Zhao","year":"2023","journal-title":"Electronics"},{"key":"10.7717\/peerj-cs.2946\/ref-41","doi-asserted-by":"publisher","first-page":"125","DOI":"10.15913\/j.cnki.kjycx.2018.01.125","volume-title":"Introduction to the harm and prevention of computer malware","author":"Zheng","year":"2018"},{"issue":"2","key":"10.7717\/peerj-cs.2946\/ref-42","doi-asserted-by":"publisher","first-page":"2748","DOI":"10.1007\/s11227-023-05556-x","article-title":"A novel malware detection method based on API embedding and API parameters","volume":"80","author":"Zhou","year":"2024","journal-title":"The Journal of Supercomputing"}],"container-title":["PeerJ Computer Science"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/peerj.com\/articles\/cs-2946.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/peerj.com\/articles\/cs-2946.xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/peerj.com\/articles\/cs-2946.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/peerj.com\/articles\/cs-2946.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,13]],"date-time":"2025-06-13T08:40:45Z","timestamp":1749804045000},"score":1,"resource":{"primary":{"URL":"https:\/\/peerj.com\/articles\/cs-2946"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,13]]},"references-count":42,"alternative-id":["10.7717\/peerj-cs.2946"],"URL":"https:\/\/doi.org\/10.7717\/peerj-cs.2946","archive":["CLOCKSS","LOCKSS","Portico"],"relation":{},"ISSN":["2376-5992"],"issn-type":[{"value":"2376-5992","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,6,13]]},"article-number":"e2946"}}