Open Access

ARTICLE

Dynamic Malware Detection Method Based on API Multiple Subsequences

Jinhuo Liang, Jinan Shen^*, Pengfei Wang, Fang Liang, Xuejian Deng

College of Intelligent Systems Science and Engineering, Hubei Minzu University, Enshi, 445000, China

* Corresponding Author: Jinan Shen. Email:

Computers, Materials & Continua 2026, 87(1), 76 https://doi.org/10.32604/cmc.2025.073076

Received 10 September 2025; Accepted 10 December 2025; Issue published 10 February 2026

Abstract

The method for malware detection based on Application Programming Interface (API) call sequences, as a primary research focus within dynamic detection technologies, currently lacks attention to subsequences of API calls, the variety of API call types, and the length of sequences. This oversight leads to overly complex call sequences. To address this issue, a dynamic malware detection approach based on multiple subsequences is proposed. Initially, APIs are remapped and encoded, with the introduction of percentile lengths to process sequences. Subsequently, a combination of One-Dimensional Convolutional Neural Network (1D-CNN) and Bidirectional Long Short-Term Memory (Bi-LSTM) networks, along with an attention mechanism, is employed to extract features from subsequences of varying lengths for feature fusion and classification. Experiments conducted on two widely used public API-based datasets, namely MalBehavD-V1 and Alibaba Cloud, demonstrate that the proposed method reduces the number of API call types by approximately 20% compared to representative deep learning–based API sequence detection methods, while achieving a peak accuracy of 98.70%. Additionally, experimental results indicate that sequence length at the 95th percentile represents the optimal solution that balances classification performance and computational efficiency.

---

Keywords

---