DawnGNN: Documentation augmented windows malware detection using graph neural network
Computers & Security (IF 5.6), Pub Date: 2024-02-29, DOI: 10.1016/j.cose.2024.103788
Pengbin Feng, Le Gai, Li Yang, Qin Wang, Teng Li, Ning Xi, Jianfeng Ma

Application Programming Interface (API) calls are widely used in dynamic Windows malware analysis to characterize the run-time behavior of malware, and researchers have proposed various approaches to mine semantic information from API calls to improve malware analysis. However, as malware grows more sophisticated, the search for new semantic dimensions of API calls never ends. In this paper, we find that the official Windows API documentation is an unexplored information source for malware detection. We therefore propose DawnGNN, a novel documentation-augmented Windows malware detection framework that combines a pre-trained semantic enhancement mechanism with a graph neural network. First, it converts API call sequences into API graphs to capture contextual information. Next, we crawl the API documentation from the official website and use the pre-trained Bidirectional Encoder Representations from Transformers (BERT) model to encode each API's functionality description as an API embedding. Finally, the API graphs, with these embeddings as node attributes, are fed into a Graph Attention Network (GAT) classifier to detect Windows malware. We verify DawnGNN on three public datasets; the experimental results demonstrate its effectiveness and show that semantic information from the official API documentation is a promising signal for Windows malware detection.
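The pipeline the abstract describes, as an added illustration that is not code from the DawnGNN paper or its authors: an API call sequence is turned into a directed API graph, each node receives an attribute vector derived from that API's documentation text, and one attention-weighted aggregation step propagates those attributes before a graph-level readout. Everything here is an assumption for the sake of a runnable example: the trace and the description strings are constructed, a hashed bag-of-words encoder stands in for BERT so the script runs offline, and the attention step is an untrained, simplified GAT update (dot-product scores, no learned weight matrix), not the paper's classifier.

```python
"""Added example: API sequence -> API graph -> documentation-derived node
attributes -> one attention-weighted update -> graph vector.

Not the DawnGNN authors' code. BERT is replaced by a hashed bag-of-words
encoder, and the GAT layer by an untrained dot-product attention step.
"""
from collections import Counter
import hashlib
import math
import re

# Constructed sample trace (not a real sandbox report): a process-injection
# style call pattern repeated twice, then a handle close.
SAMPLE_TRACE = [
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "CloseHandle",
]

# Constructed paraphrases of functionality descriptions. In the real
# pipeline these would be crawled from the official API documentation.
API_DOCS = {
    "VirtualAllocEx": "reserves commits or changes the state of a region of "
                      "memory within the virtual address space of a specified process",
    "WriteProcessMemory": "writes data to an area of memory in a specified process",
    "CreateRemoteThread": "creates a thread that runs in the virtual address "
                          "space of another process",
    "CloseHandle": "closes an open object handle",
}

DIM = 16  # embedding width; BERT would give 768


def build_api_graph(trace):
    """Directed API graph: nodes are the distinct APIs in the trace and
    edge (a, b) counts how often call b directly followed call a."""
    nodes = sorted(set(trace))
    edges = Counter(zip(trace, trace[1:]))
    return nodes, dict(edges)


def embed_description(text, dim=DIM):
    """Signed feature-hashing bag of words, L2-normalised (stand-in for BERT).
    An empty description yields the zero vector rather than dividing by zero."""
    vec = [0.0] * dim
    for tok in re.findall(r"[a-z]+", text.lower()):
        h = int(hashlib.sha256(tok.encode()).hexdigest(), 16)
        vec[h % dim] += 1.0 if (h >> 8) & 1 else -1.0
    norm = math.sqrt(sum(v * v for v in vec)) or 1.0
    return [v / norm for v in vec]


def node_attributes(nodes, docs):
    """One attribute vector per node; an API with no documentation falls
    back to embedding its own name so every node still has a feature."""
    return {n: embed_description(docs.get(n, n)) for n in nodes}


def attention_aggregate(nodes, edges, attrs, leaky=0.2):
    """Simplified GAT-style update: each node attends over itself and the
    APIs that preceded it (in-neighbours), with LeakyReLU(h_i . h_j) scores
    softmaxed per node. Returns (updated attributes, attention weights)."""
    incoming = {n: [n] for n in nodes}  # self-loop first
    for src, dst in edges:
        if src != dst:
            incoming[dst].append(src)
    new_attrs, weights = {}, {}
    for i in nodes:
        scores = []
        for j in incoming[i]:
            s = sum(a * b for a, b in zip(attrs[i], attrs[j]))
            scores.append(s if s > 0 else leaky * s)
        m = max(scores)
        exps = [math.exp(s - m) for s in scores]  # shift for stability
        z = sum(exps)
        alpha = [e / z for e in exps]
        weights[i] = dict(zip(incoming[i], alpha))
        new_attrs[i] = [
            sum(a * attrs[j][k] for a, j in zip(alpha, incoming[i]))
            for k in range(len(attrs[i]))
        ]
    return new_attrs, weights


def graph_readout(attrs):
    """Mean-pool node vectors into a single graph vector for a classifier."""
    vecs = list(attrs.values())
    return [sum(v[k] for v in vecs) / len(vecs) for k in range(len(vecs[0]))]


def run_pipeline(trace=SAMPLE_TRACE, docs=API_DOCS):
    nodes, edges = build_api_graph(trace)
    attrs = node_attributes(nodes, docs)
    updated, weights = attention_aggregate(nodes, edges, attrs)
    return nodes, edges, weights, graph_readout(updated)


if __name__ == "__main__":
    nodes, edges, weights, g = run_pipeline()
    print("nodes:", nodes)
    print("edges:", edges)
    for n in nodes:
        print(n, {k: round(v, 3) for k, v in weights[n].items()})
    print("graph vector dims:", len(g))
```

The transition counts kept on the edges are not used by the attention step (a plain GAT ignores edge weights); they are there so a reader can extend the score with, say, `log(1 + count)` to favour frequent transitions. Swapping `embed_description` for a real sentence-encoder call is the only change needed to feed genuine documentation text through the same graph code.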

Updated: 2024-02-29