TY - EJOU
AU - Yoon, Seong-Su
AU - Shin, Dong-Hyuk
AU - Euom, Ieck-Chae
TI - Structure-Aware Malicious Behavior Detection through 2D Spatio-Temporal Modeling of Process Hierarchies
T2 - Computer Modeling in Engineering & Sciences
PY - 2025
VL - 145
IS - 2
SN - 1526-1506
AB - With the continuous expansion of digital infrastructures, malicious behaviors in host systems have become increasingly sophisticated, often spanning multiple processes and employing obfuscation techniques to evade detection. Audit logs, such as those produced by Sysmon, offer valuable insights; however, existing approaches typically flatten event sequences or rely on generic graph models, thereby discarding the natural parent-child process hierarchy that is critical for analyzing multiprocess attacks. This paper proposes a structure-aware threat detection framework that transforms audit logs into a unified two-dimensional (2D) spatio-temporal representation, where the process hierarchy is modeled as the spatial axis and event chronology as the temporal axis. In addition, entropy-based features are incorporated to robustly capture obfuscated and non-linguistic strings, overcoming the limitations of semantic embeddings. The model's performance was evaluated on publicly available datasets, achieving competitive results with an accuracy exceeding 95% and an F1-score of at least 0.94. The proposed approach provides a promising and reproducible solution for detecting attacks with unknown indicators of compromise (IoCs) by analyzing the relationships and behaviors of processes recorded in large-scale audit logs.
KW - System security; anomaly detection; host-based log analysis; hierarchical process structure; machine learning; deep learning; malicious behavior
DO - 10.32604/cmes.2025.071577
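The abstract describes two ingredients: a 2D layout in which the parent-child process tree is the spatial axis and event order is the temporal axis, and Shannon entropy of command-line strings as a feature that survives obfuscation. The following Python is an added illustration of those two ideas, not code from the paper or its authors. It assumes Sysmon Event ID 1 (process creation) field names (UtcTime, ProcessGuid, ParentProcessGuid, Image, CommandLine); the four events, the shortened placeholder GUIDs, the choice of entropy as the grid cell value, and the 8-character / 4.0-bit thresholds in high_entropy_tokens are all constructed for this example and are not the paper's exact feature design.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed Sysmon Event ID 1 records for illustration only (not real telemetry).
# GUIDs are shortened placeholders; a real Sysmon ProcessGuid is a braced UUID.
# The final "-enc" argument is a stand-in for a base64 blob, chosen so its entropy is known.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-01-10 09:00:00.000", "ProcessGuid": "P1", "ParentProcessGuid": "P0",
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
    {"UtcTime": "2025-01-10 09:00:05.000", "ProcessGuid": "P2", "ParentProcessGuid": "P1",
     "Image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
     "CommandLine": "\"WINWORD.EXE\" /n invoice.docm"},
    {"UtcTime": "2025-01-10 09:00:09.000", "ProcessGuid": "P3", "ParentProcessGuid": "P2",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c start /min powershell"},
    {"UtcTime": "2025-01-10 09:00:10.000", "ProcessGuid": "P4", "ParentProcessGuid": "P3",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc abcdefghijklmnopqrstuvwxyz012345"},
]


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for the empty string or a single repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def build_tree(events):
    """Index events by ProcessGuid and compute each process's depth in the parent-child tree.
    A process whose parent was never logged is treated as a root (depth 0)."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    depths = {}

    def depth(guid, seen=()):
        if guid in depths:
            return depths[guid]
        parent = by_guid[guid]["ParentProcessGuid"]
        if parent not in by_guid or parent in seen:  # root, or defensive guard against a cycle
            depths[guid] = 0
        else:
            depths[guid] = depth(parent, seen + (guid,)) + 1
        return depths[guid]

    for guid in by_guid:
        depth(guid)
    return by_guid, depths


def lineage(events, guid):
    """Image basenames from the root ancestor down to guid: one process's position on the spatial axis."""
    by_guid, _ = build_tree(events)
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)
        chain.append(by_guid[guid]["Image"].rsplit("\\", 1)[-1])
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain[::-1]


def to_grid(events):
    """2D spatio-temporal view: row = tree depth (spatial), column = chronological rank (temporal).
    Each cell holds the command-line entropy of the process created there, 0.0 where none was.
    Putting entropy in the cell is this example's choice, not the paper's exact feature layout."""
    by_guid, depths = build_tree(events)
    ordered = sorted(events, key=lambda e: datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"))
    grid = [[0.0] * len(ordered) for _ in range(max(depths.values()) + 1)]
    for t, e in enumerate(ordered):
        grid[depths[e["ProcessGuid"]]][t] = round(shannon_entropy(e["CommandLine"]), 3)
    return grid


def high_entropy_tokens(cmdline, min_len=8, threshold=4.0):
    """Whitespace-separated tokens long and random-looking enough to be encoded or obfuscated payloads.
    The 8-character / 4.0-bit cut-offs are assumed values for illustration, not tuned thresholds."""
    return [tok for tok in cmdline.split() if len(tok) >= min_len and shannon_entropy(tok) > threshold]


if __name__ == "__main__":
    for row in to_grid(SAMPLE_EVENTS):
        print(row)
    print(lineage(SAMPLE_EVENTS, "P4"))
    print(high_entropy_tokens(SAMPLE_EVENTS[-1]["CommandLine"]))
```

The grid makes the structural point concrete: a flattened sequence would show four unrelated process starts, whereas the depth axis places the PowerShell launch three levels below a document-handling application, and the entropy cell flags the encoded argument without needing a vocabulary that the obfuscation would defeat.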