Structure-Aware Malicious Behavior Detection through 2D Spatio-Temporal Modeling of Process Hierarchies

Seong-Su Yoon, Dong-Hyuk Shin, Ieck-Chae Euom*

System Security Research Center, Chonnam National University, Gwangju, 61186, Republic of Korea

* Corresponding Author: Ieck-Chae Euom.

(This article belongs to the Special Issue: Cutting-Edge Security and Privacy Solutions for Next-Generation Intelligent Mobile Internet Technologies and Applications)

Computer Modeling in Engineering & Sciences 2025, 145(2), 2683-2706. https://doi.org/10.32604/cmes.2025.071577

Abstract

With the continuous expansion of digital infrastructures, malicious behaviors in host systems have become increasingly sophisticated, often spanning multiple processes and employing obfuscation techniques to evade detection. Audit logs, such as Sysmon, offer valuable insights; however, existing approaches typically flatten event sequences or rely on generic graph models, thereby discarding the natural parent-child process hierarchy that is critical for analyzing multiprocess attacks. This paper proposes a structure-aware threat detection framework that transforms audit logs into a unified two-dimensional (2D) spatio-temporal representation, where process hierarchy is modeled as the spatial axis and event chronology as the temporal axis. In addition, entropy-based features are incorporated to robustly capture obfuscated and non-linguistic strings, overcoming the limitations of semantic embeddings. The model’s performance was evaluated on publicly available datasets, achieving competitive results with an accuracy exceeding 95% and an F1-score of at least 0.94. The proposed approach provides a promising and reproducible solution for detecting attacks with unknown indicators of compromise (IoCs) by analyzing the relationships and behaviors of processes recorded in large-scale audit logs.

Keywords

System security; anomaly detection; host-based log analysis; hierarchical process structure; machine learning; deep learning; malicious behavior
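The abstract's core idea, laid out as an added illustration (not the authors' implementation): process-creation events are placed on a grid whose rows follow the parent-child hierarchy and whose columns follow time, with Shannon entropy of the command line as the cell value. The depth-first row ordering, the 10-second bins, the max-entropy cell rule and the sample events are all assumptions made for this sketch.

```python
import math
from collections import Counter, defaultdict

# Constructed Sysmon-style process-creation records (trimmed fields):
# (time offset in seconds, ProcessId, ParentProcessId, CommandLine).
EVENTS = [
    (0,  100, 1,   "explorer.exe"),
    (5,  200, 100, "winword.exe report.docx"),
    (12, 300, 200, "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"),
    (14, 400, 100, "notepad.exe notes.txt"),
    (21, 500, 300, "cmd.exe /c whoami"),
]

def shannon_entropy(s):
    """Shannon entropy of the character distribution, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def hierarchy_rows(events):
    """Assumed spatial axis: order PIDs by a depth-first walk of the
    parent-child tree so a parent and its descendants sit in adjacent rows."""
    pids = {pid for _, pid, _, _ in events}
    children, roots = defaultdict(list), []
    for _, pid, ppid, _ in sorted(events):
        # A process whose parent is not in the log is treated as a root.
        (children[ppid] if ppid in pids else roots).append(pid)
    order, stack = [], list(reversed(roots))
    while stack:
        pid = stack.pop()
        order.append(pid)
        stack.extend(reversed(children[pid]))
    return {pid: row for row, pid in enumerate(order)}

def build_grid(events, bin_seconds=10):
    """Rows follow the hierarchy, columns are time bins; each cell holds the
    highest command-line entropy seen for that process in that bin."""
    rows = hierarchy_rows(events)
    n_cols = max(t for t, *_ in events) // bin_seconds + 1
    grid = [[0.0] * n_cols for _ in rows]
    for t, pid, _, cmd in events:
        r, c = rows[pid], t // bin_seconds
        grid[r][c] = max(grid[r][c], shannon_entropy(cmd))
    return rows, grid

if __name__ == "__main__":
    rows, grid = build_grid(EVENTS)
    for pid, r in sorted(rows.items(), key=lambda kv: kv[1]):
        print(pid, ["%.2f" % v for v in grid[r]])
```

In this constructed sample the encoded PowerShell command line produces the highest-entropy cell, and it sits directly below its parent `winword.exe` row, which is the kind of local structure a 2D model can pick up where a flattened event sequence would not.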


Copyright © 2025 The Author(s). Published by Tech Science Press.
This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.