AI-Powered Behavior-Based Malware Detection Using Advanced Temporal and Process-State Features: A Robust Explainable Framework.

Authors

  • NHM Hassan Imam Chowdhury
  • Md. Ezharul Islam
  • Md. Sunjid Hasan
  • Abdullah Al Mehedi

DOI:

https://doi.org/10.48047/z6pyk694

Keywords:

Malware Detection, Adversarial Robustness, Explainable AI, LSTM, GRU

Abstract

Malware detection remains a critical challenge in modern cybersecurity because attack techniques evolve rapidly and adversarial threats proliferate. This study introduces a robust, explainable framework for malware detection that leverages advanced temporal and process-state features. Using VirusTotal, a large dataset of practical metrics was created, covering system, memory, and process metrics. Gated Recurrent Unit (GRU) and Long Short-Term Memory (LSTM) architectures were implemented and extensively tested to model this sequential behavioral data. GRU outperformed LSTM in both robustness and performance, reaching 99.92% accuracy on the original data and 92.61% on adversarial data after retraining with adversarial examples. The framework also addresses interpretability by incorporating SHAP (SHapley Additive exPlanations) and LIME (Local Interpretable Model-agnostic Explanations) to provide global and local feature importances. Key process-state characteristics such as maj_flt (major page faults) and time (user CPU time) proved essential for classification, which suggests that behavioral patterns may matter more than static implementation details in malware detection. Furthermore, the adversarial robustness testing phase showed resilience against such feature perturbations, demonstrating the model's adaptability to realistic attack scenarios. This framework sets a new benchmark in behavior-based malware detection, offering a reliable and interpretable solution for modern cybersecurity challenges.

Published

2025-02-03

How to Cite

Chowdhury, N. H. I., Islam, M. E., Hasan, M. S., & Al Mehedi, A. (2025). AI-Powered Behavior-Based Malware Detection Using Advanced Temporal and Process-State Features: A Robust Explainable Framework. Cuestiones De Fisioterapia, 54(3), 3883-3902. https://doi.org/10.48047/z6pyk694