Malware Identification using Spatial-temporal Properties of Behavioural Graphs Extracted from API Calls

Muhammad Hibatullah Channa; Kamran Khowaja; Imtiaz Ali Brohi; Najma Imtiaz Ali Brohi; Ahmed Waliullah Kazi; Raja Rina Raja Ikram

doi:10.35377/saucis...1758739

Malware Identification using Spatial-temporal Properties of Behavioural Graphs Extracted from API Calls

Abstract

In today’s digital age, malware constantly evolves and becomes more sophisticated. Traditional malware identification techniques are not designed to address the threats posed by evolving next-generation malware. The threats include, but are not limited to, system damage, data theft, privacy breach, financial loss or disruption of operations. Deep learning techniques can be used to detect and classify this new generation of malware. Geometric deep learning (GDL) methods leverage graph neural networks (GNNs) and are recognized for their enhanced representation learning and superior generalization capabilities compared to conventional Deep learning (DL) approaches. Experiments in this study assess the effectiveness of GDL algorithms for malware identification. Convolutional Neural Network - Long Short-Term Memory (CNN-LSTM) networks are contrasted with three GNN models: Graph Convolutional Network (GCN), Graph Attention Network (GAT), and GraphSAGE Network (GraphSAGE). The findings demonstrate that two out of three GDL models, GCN and GraphSAGE, except for GAT, outperform with a significant gain under various conditions that are proven in experiments. The research demonstrates the superior performance of GDL techniques over traditional DL for effective next-generation malware identification.

Keywords

References

DataProt Team, “A not-so-common cold: Malware statistics in 2026,” DataProt, Apr. 10, 2023. [Online]. Available: https://blog.dataprot.net/malware-statistics. Accessed: Jan. 03, 2026.
N. House, “Malware statistics 2026: 55+ facts on threats & trends,” StationX, May 2026. [Online]. Available: https://app.stationx.net/articles/malware-statistics. Accessed: Jan. 03, 2026.
AV-TEST Institute, “AV-TEST Award 2022: Tested and award-winning security,” AV-TEST, 2023. [Online]. Available: https://www.av-test.org/en/news/av-test-award-2022-tested-and-award-winning-security/. Accessed: Jan. 03, 2026.
AV-TEST Institute, “Malware statistics & trends report,” AV-TEST. [Online]. Available: https://www.av-test.org/en/statistics/malware/. Accessed: Jan. 03, 2026.
S. Morgan, “Cybercrime to cost the world $10.5 trillion annually by 2025,” Cybersecurity Ventures, Nov. 13, 2020. [Online]. Available: https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/. Accessed: Jan. 03, 2026.
J. Tang, “Fusion of static and dynamic features for malware detection: A graph neural network approach to behavioral representation and classification,” Appl. Comput. Eng., vol. 176, no. 1, pp. 16–22, Jul. 2025, doi: 10.54254/2755-2721/2025.24689.
H. Shokouhinejad, R. Razavi-Far, G. Higgins, and A. A. Ghorbani, “Explainable ensemble learning for graph-based malware detection,” arXiv preprint arXiv:2508.09801, Aug. 2025.
Y. Imamverdiyev, E. Baghirov, and I. J. Chukwu, “Detecting obfuscated malware infections on Windows using ensemble learning techniques,” Informatics Autom., vol. 24, no. 1, pp. 99–124, 2025, doi: 10.15622/IA.24.1.5.

A. Souri and R. Hosseini, “A state-of-the-art survey of malware detection approaches using data mining techniques,” Hum.-Centric Comput. Inf. Sci., vol. 8, Art. no. 3, Dec. 2018, doi: 10.1186/S13673-018-0125-X.
Ö. Aslan and R. Samet, “Investigation of possibilities to detect malware using existing tools,” in Proc. IEEE/ACS 14th Int. Conf. Comput. Syst. Appl. (AICCSA), Oct. 2017, pp. 1277–1284, doi: 10.1109/AICCSA.2017.24.
M. G. Schultz, E. Eskin, F. Zadok, and S. J. Stolfo, “Data mining methods for detection of new malicious executables,” in Proc. IEEE Symp. Secur. Privacy, May 2001, pp. 38–49.
D. Venugopal and G. Hu, “Efficient signature based malware detection on mobile devices,” Mobile Inf. Syst., vol. 4, no. 1, pp. 33–49, 2008, doi: 10.1155/2008/712353.
S. K. Cha, I. Moraru, J. Jang, J. Truelove, D. Brumley, and D. G. Andersen, “SplitScreen: Enabling efficient, distributed malware detection,” in Proc. 7th USENIX Symp. Netw. Syst. Design Implement. (NSDI), Apr. 2010.
U. Baldangombo, N. Jambaljav, and S.-J. Horng, “A static malware detection system using data mining methods,” Int. J. Artif. Intell. Appl., vol. 4, no. 4, pp. 113–126, Jul. 2013, doi: 10.5121/ijaia.2013.4411.
A. Malhotra and K. Bajaj, “A hybrid pattern-based text mining approach for malware detection using DBScan,” CSI Trans. ICT, vol. 4, no. 2–4, pp. 141–149, Dec. 2016, doi: 10.1007/S40012-016-0095-Y.
O. Savenko, I. Hurman, and S. Lysenko, “Dynamic signature-based malware detection technique based on API call tracing,” in Proc. CEUR Workshop, vol. 2393, 2019.
I. Firdausi, C. Lim, A. Erwin, and A. S. Nugroho, “Analysis of machine learning techniques used in behavior-based malware detection,” in Proc. 2nd Int. Conf. Adv. Comput., Control Telecommun. Technol. (ACT), Dec. 2010, pp. 201–203, doi: 10.1109/ACT.2010.33.
A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, and Y. Weiss, “‘Andromaly’: A behavioral malware detection framework for Android devices,” J. Intell. Inf. Syst., vol. 38, no. 1, pp. 161–190, Feb. 2012, doi: 10.1007/S10844-010-0148-X.
K. Sethi, S. K. Chaudhary, B. K. Tripathy, and P. Bera, “A novel malware analysis for malware detection and classification using machine learning algorithms,” in Proc. 10th Int. Conf. Secur. Inf. Netw. (SIN), Oct. 2017, pp. 107–116, doi: 10.1145/3136825.3136883.
S. Sharma, C. R. Krishna, and S. K. Sahay, “Detection of advanced malware by machine learning techniques,” in Advances in Intelligent Systems and Computing, vol. 742. Singapore: Springer, 2019, pp. 333–342, doi: 10.1007/978-981-13-0589-4_31.
D. Vasan, M. Alazab, S. Wassan, B. Safaei, and Q. Zheng, “Image-based malware classification using ensemble of CNN architectures (IMCEC),” Comput. Secur., vol. 92, Art. no. 101748, May 2020, doi: 10.1016/J.COSE.2020.101748.
G. Xiao, J. Li, Y. Chen, and K. Li, “MalFCS: An effective malware classification framework with automated feature extraction based on deep convolutional neural networks,” J. Parallel Distrib. Comput., vol. 141, pp. 49–58, Jul. 2020, doi: 10.1016/J.JPDC.2020.03.012.
B. Yuan, J. Wang, D. Liu, W. Guo, P. Wu, and X. Bao, “Byte-level malware classification based on Markov images and deep learning,” Comput. Secur., vol. 92, Art. no. 101740, May 2020, doi: 10.1016/J.COSE.2020.101740.
M. J. Awan et al., “Image-based malware classification using VGG19 network and spatial convolutional attention,” Electronics, vol. 10, no. 19, Art. no. 2444, Oct. 2021, doi: 10.3390/ELECTRONICS10192444.
M. S. Akhtar and T. Feng, “Detection of malware by deep learning as CNN-LSTM machine learning techniques in real time,” Symmetry, vol. 14, no. 11, Art. no. 2308, Nov. 2022, doi: 10.3390/SYM14112308.
M. Zhao, X. Zhang, W. Zhu, and S. Zhu, “Malware detection method based on LSTM-SVM model,” J. East China Univ. Sci. Technol., vol. 48, no. 5, pp. 677–684, Oct. 2022, doi: 10.14135/J.CNKI.1006-3080.20210517005.
L. Shen et al., “Self-attention based convolutional-LSTM for Android malware detection using network traffic grayscale image,” Appl. Intell., vol. 53, no. 1, pp. 683–705, Jan. 2023, doi: 10.1007/S10489-022-03523-2.
O. A. Alzubi, J. A. Alzubi, T. M. Alzubi, and A. Singh, “Quantum mayfly optimization with encoder-decoder driven LSTM networks for malware detection and classification model,” Mobile Netw. Appl., vol. 28, no. 2, pp. 795–807, Apr. 2023, doi: 10.1007/S11036-023-02105-
F. O. Catak, A. F. Yazı, O. Elezaj, and J. Ahmed, “Deep learning based sequential model for malware analysis using Windows exe API calls,” PeerJ Comput. Sci., vol. 6, Art. no. e285, Jul. 2020, doi: 10.7717/PEERJ-CS.285.
W. Ren, X. Xiao, J. Xu, H. Chen, Y. Zhang, and J. Zhang, “Trojan virus detection and classification based on graph convolutional neural network algorithm,” J. Ind. Eng. Appl. Sci., vol. 3, no. 2, pp. 1–5, Jul. 2025, doi: 10.70393/6a69656173.323735.
Y. Zhao et al., “An Android malware detection method using frequent graph convolutional neural networks,” Electronics, vol. 14, no. 6, Art. no. 1151, Mar. 2025, doi: 10.3390/ELECTRONICS14061151.
T. Bilot, N. El Madhoun, K. Al Agha, and A. Zouaoui, “A survey on malware detection with graph representation learning,” J. ACM, vol. 71, no. 2, Art. no. 10, Mar. 2024.
D. Arp, M. Spreitzenbarth, M. Hübner, H. Gascon, and K. Rieck, “DREBIN: Effective and explainable detection of Android malware in your pocket,” in Proc. Netw. Distrib. Syst. Secur. Symp. (NDSS), Feb. 2014. [Online]. Available: http://dx.doi.org/
H. Wang, H. Li, L. Li, Y. Guo, and G. Xu, “RmvDroid: Towards a reliable Android malware dataset with app metadata,” in Proc. 16th Int. Conf. Mining Softw. Repositories (MSR), May 2019, pp. 404–408, doi: 10.1109/MSR.2019.00067.
A. Guerra-Manzanares, H. Bahsi, and S. Nõmm, “KronoDroid: Time-based hybrid-featured dataset for effective Android malware detection and characterization,” Comput. Secur., vol. 110, Art. no. 102399, Nov. 2021, doi: 10.1016/J.COSE.2021.102399.
S. Freitas, R. Duggal, and D. H. Chau, “MalNet: A large-scale image database of malicious software,” in Proc. 31st ACM Int. Conf. Inf. Knowl. Manage. (CIKM), Oct. 2022, pp. 3948–3952, doi: 10.1145/3511808.3557533.
D. A. Noever and S. E. M. Noever, “Virus-MNIST: A benchmark malware dataset,” arXiv preprint arXiv:2103.00602, Feb. 2021.
F. O. Catak and A. F. Yazı, “A benchmark API call dataset for Windows PE malware classification,” arXiv preprint arXiv:1905.01999, May 2019.
A. Oliveira, “Malware analysis datasets: API call sequences,” Kaggle, Oct. 2019.
P. Veličković, G. Cucurull, A. Casanova, A. Romero, P. Liò, and Y. Bengio, “Graph attention networks,” in Proc. Int. Conf. Learn. Represent. (ICLR), Feb. 2018.
J. Hou, H. Xia, H. Lu, and A. Nayak, “A graph neural network approach for caching performance optimization in NDN networks,” IEEE Access, vol. 10, pp. 112657–112668, 2022, doi: 10.1109/ACCESS.2022.3217236.

Details

Primary Language

English

Subjects

Data Security and Protection

Journal Section

Research Article

Authors

Muhammad Hibatullah Channa
0009-0003-8853-3484
Pakistan

Kamran Khowaja
0000-0002-0624-2428
Pakistan

Imtiaz Ali Brohi
0000-0001-9515-6996
Malaysia

Najma Imtiaz Ali Brohi ^*
0000-0002-9069-8523
Malaysia

Ahmed Waliullah Kazi
0009-0006-7210-5962
Pakistan

Raja Rina Raja Ikram This is me
0000-0002-9845-5155
Malaysia

Early Pub Date

June 1, 2026

Publication Date

June 17, 2026

Submission Date

August 7, 2025

Acceptance Date

February 10, 2026

Published in Issue

Year 2026 Volume: 9 Number: 2

DOI

https://doi.org/10.35377/saucis...1758739

IZ

https://izlik.org/JA22AS23GU

Cite

RIS / Bibtex

APA

Channa, M. H., Khowaja, K., Brohi, I. A., Brohi, N. I. A., Kazi, A. W., & Raja Ikram, R. R. (2026). Malware Identification using Spatial-temporal Properties of Behavioural Graphs Extracted from API Calls. Sakarya University Journal of Computer and Information Sciences, 9(2), 465-480. https://doi.org/10.35377/saucis...1758739

AMA

1.Channa MH, Khowaja K, Brohi IA, Brohi NIA, Kazi AW, Raja Ikram RR. Malware Identification using Spatial-temporal Properties of Behavioural Graphs Extracted from API Calls. SAUCIS. 2026;9(2):465-480. doi:10.35377/saucis.1758739

Chicago

Channa, Muhammad Hibatullah, Kamran Khowaja, Imtiaz Ali Brohi, Najma Imtiaz Ali Brohi, Ahmed Waliullah Kazi, and Raja Rina Raja Ikram. 2026. “Malware Identification Using Spatial-Temporal Properties of Behavioural Graphs Extracted from API Calls”. Sakarya University Journal of Computer and Information Sciences 9 (2): 465-80. https://doi.org/10.35377/saucis. 1758739.

EndNote

Channa MH, Khowaja K, Brohi IA, Brohi NIA, Kazi AW, Raja Ikram RR (June 1, 2026) Malware Identification using Spatial-temporal Properties of Behavioural Graphs Extracted from API Calls. Sakarya University Journal of Computer and Information Sciences 9 2 465–480.

IEEE

[1]M. H. Channa, K. Khowaja, I. A. Brohi, N. I. A. Brohi, A. W. Kazi, and R. R. Raja Ikram, “Malware Identification using Spatial-temporal Properties of Behavioural Graphs Extracted from API Calls”, SAUCIS, vol. 9, no. 2, pp. 465–480, June 2026, doi: 10.35377/saucis...1758739.

ISNAD

Channa, Muhammad Hibatullah - Khowaja, Kamran - Brohi, Imtiaz Ali - Brohi, Najma Imtiaz Ali - Kazi, Ahmed Waliullah - Raja Ikram, Raja Rina. “Malware Identification Using Spatial-Temporal Properties of Behavioural Graphs Extracted from API Calls”. Sakarya University Journal of Computer and Information Sciences 9/2 (June 1, 2026): 465-480. https://doi.org/10.35377/saucis. 1758739.

JAMA

1.Channa MH, Khowaja K, Brohi IA, Brohi NIA, Kazi AW, Raja Ikram RR. Malware Identification using Spatial-temporal Properties of Behavioural Graphs Extracted from API Calls. SAUCIS. 2026;9:465–480.

MLA

Channa, Muhammad Hibatullah, et al. “Malware Identification Using Spatial-Temporal Properties of Behavioural Graphs Extracted from API Calls”. Sakarya University Journal of Computer and Information Sciences, vol. 9, no. 2, June 2026, pp. 465-80, doi:10.35377/saucis. 1758739.

Vancouver

1.Muhammad Hibatullah Channa, Kamran Khowaja, Imtiaz Ali Brohi, Najma Imtiaz Ali Brohi, Ahmed Waliullah Kazi, Raja Rina Raja Ikram. Malware Identification using Spatial-temporal Properties of Behavioural Graphs Extracted from API Calls. SAUCIS. 2026 Jun. 1;9(2):465-80. doi:10.35377/saucis. 1758739