Pengbin Feng,Jianfeng Ma,Teng Li,Xindi Ma,Ning Xi,Di Lu

DOI: https://doi.org/10.1155/2021/5538841

2021-01-01

Abstract:With the widespread usage of Android smartphones in our daily lives, the Android platform has become an attractive target for malware authors. There is an urgent need for developing an automatic malware detection approach to prevent the spread of malware. The low code coverage and poor efficiency of the dynamic analysis limit the large-scale deployment of malware detection methods based on dynamic features. Therefore, researchers have proposed a plethora of detection approaches based on abundant static features to provide efficient malware detection. This paper explores the direction of Android malware detection based on graph representation learning. Without complex feature graph construction, we propose a new Android malware detection approach based on lightweight static analysis via the graph neural network (GNN). Instead of directly extracting Application Programming Interface (API) call information, we further analyze the source code of Android applications to extract high-level semantic information, which increases the barrier of evading detection. Particularly, we construct approximate call graphs from function invocation relationships within an Android application to represent this application and further extract intrafunction attributes, including required permission, security level, and Smali instructions’ semantic information via Word2Vec, to form the node attributes within graph structures. Then, we use the graph neural network to generate a vector representation of the application, and then malware detection is performed on this representation space. We conduct experiments on real-world application samples. The experimental results demonstrate that our approach implements high effective malware detection and outperforms state-of-the-art detection approaches.

Pengbin Feng,Jianfeng Ma,Teng Li,Xindi Ma,Ning Xi,Di Lu

DOI: https://doi.org/10.1109/nana51271.2020.00069

2020-01-01

Abstract:With the widespread usage of Android smart-phones in our daily lives, Android platform has become an attractive target for malware authors. There is an urgent need for developing automatic malware detection approach to prevent the spread of malware. Traditional signature-based detection methods cannot handle the rapid evolution of complex malware or the emerging of new types of malware. Due to the limitation on code coverage and poor efficiency of the dynamic analysis, in this paper, we propose a new Android malware detection approach based on static analysis via graph neural network. Instead of extracting Application Programming Interface (API) call information, we further analyze the source code of Android applications to extract high -level semantic information, which increases the barrier of evading detection. Particularly, we construct approximate call graph from function invocation relationships within an Android application to represent this application, and further extract intra-function attributes, including required permission, security level and statistical instructions information, to form the node attributes within graph structures. Then, we use graph neural network (GNN) to generate a vector representation of the application, and then malware classification is performed on this representation. We conduct experiments on real-world application samples. The experimental results demonstrate that our approach implements high effective malware detection and outperforms state-of-the-art detection approaches.

Ding Yuxin,Zhu Siyi,Xia Xiaoling

DOI: https://doi.org/10.1007/978-3-319-46681-1_9

2016-01-01

Abstract:With the rapid development of mobile Internet, mobile devices have been widely used in people__ daily life, which has made mobile platforms a prime target for malware attack. In this paper we study on Android malware detection method. We propose the method how to extract the structural features of android application from its function call graph, and then use the structure features to build classifier to classify malware. The experiment results show that structural features can effectively improve the performance of malware detection methods. © Springer International Publishing AG 2016.

Sibo Shi,Shengwei Tian,Bo Wang,Tiejun Zhou,Guanxin Chen

DOI: https://doi.org/10.1007/s10207-023-00679-x

2023-01-01

International Journal of Information Security

Abstract:Android is now one of the most popular operating systems in the world because of its open source character, so the threshold for hackers to make malware has also become lower, and more and more malware has started to threaten people’s lives. Graphs are used to represent the program’s syntactic and semantic structure, and can naturally represent malicious behavior, so we propose a malware detection method named SFCGDroid, which based on sensitive function call graph, so we propose a malware detection method named SFCGDroid, which based on sensitive function call graph. We first decompile the Android application to generate a function call graph (FCG), and extract the sensitive function call graph (SFCG) on the FCG. Secondly, we extract two class features (1) use the Skip-gram model to obtain function embeddings, and (2) treat the SFCG as a social network and extract the triads attribute of the sensitive API. The two types of features are combined as a feature representation of the SFCG and fed into a graph convolutional network (GCN) for malware detection. For experiments on 26,939 Android software datasets, SFCGDroid in this paper can achieve 98.22% accuracy and 98.20% F1 score.

Weina Niu,Rong Cao,Xiaosong Zhang,Kangyi Ding,Kaimeng Zhang,Ting Li

DOI: https://doi.org/10.3390/s20133645

2020-06-29

Abstract:Due to the openness of an Android system, many Internet of Things (IoT) devices are running the Android system and Android devices have become a common control terminal for IoT devices because of various sensors on them. With the popularity of IoT devices, malware on Android-based IoT devices is also increasing. People's lives and privacy security are threatened. To reduce such threat, many researchers have proposed new methods to detect Android malware. Currently, most malware detection products on the market are based on malware signatures, which have a fast detection speed and normally a low false alarm rate for known malware families. However, they cannot detect unknown malware and are easily evaded by malware that is confused or packaged. Many new solutions use syntactic features and machine learning techniques to classify Android malware. It has been known that analysis of the Function Call Graph (FCG) can capture behavioral features of malware well. This paper presents a new approach to classifying Android malware based on deep learning and OpCode-level FCG. The FCG is obtained through static analysis of Operation Code (OpCode), and the deep learning model we used is the Long Short-Term Memory (LSTM). We conducted experiments on a dataset with 1796 Android malware samples classified into two categories (obtained from Virusshare and AndroZoo) and 1000 benign Android apps. Our experimental results showed that our proposed approach with an accuracy of 97 % outperforms the state-of-the-art methods such as those proposed by Nikola et al. and Hou et al. (IJCAI-18) with the accuracy of 97 % and 91 % , respectively. The time consumption of our proposed approach is less than the other two methods.

Xiuting Ge,Ya Pan,Chunrong Fang,Yong Fan

DOI: https://doi.org/10.1109/qrs-c.2019.00027

2019-01-01

Abstract:With the rapid development of the mobile Internet, Android has been the most popular mobile operating system. Due to the open nature of Android, c countless malicious applications are hidden in a large number of benign applications, which pose great threats to users. Most previous malware detection approaches mainly rely on features such as permissions, API calls, and opcode sequences. However, these approaches fail to capture structural semantics of applications. In this paper, we propose AMDroid that leverages function call graphs (FCGs) representing the behaviors of applications and applies graph kernels to automatically learn the structural semantics of applications from FCGs. We evaluate AMDroid on the Genome Project, and the experimental results show that AMDroid is effective to detect Android malware with 97.49% detection accuracy.

Haojie Wu,Nurbol Luktarhan,Gaoqi Tian,Yangyang Song

DOI: https://doi.org/10.3390/s23104729

2023-05-13

Abstract:The smartphone has become an indispensable tool in our daily lives, and the Android operating system is widely installed on our smartphones. This makes Android smartphones a prime target for malware. In order to address threats posed by malware, many researchers have proposed different malware detection approaches, including using a function call graph (FCG). Although an FCG can capture the complete call-callee semantic relationship of a function, it will be represented as a huge graph structure. The presence of many nonsensical nodes affects the detection efficiency. At the same time, the characteristics of the graph neural networks (GNNs) make the important node features in the FCG tend toward similar nonsensical node features during the propagation process. In our work, we propose an Android malware detection approach to enhance node feature differences in an FCG. Firstly, we propose an API-based node feature by which we can visually analyze the behavioral properties of different functions in the app and determine whether their behavior is benign or malicious. Then, we extract the FCG and the features of each function from the decompiled APK file. Next, we calculate the API coefficient inspired by the idea of the TF-IDF algorithm and extract the sensitive function called subgraph (S-FCSG) based on API coefficient ranking. Finally, before feeding the S-FCSG and node features into the GCN model, we add the self-loop for each node of the S-FCSG. A 1-D convolutional neural network and fully connected layers are used for further feature extraction and classification, respectively. The experimental result shows that our approach enhances the node feature differences in an FCG, and the detection accuracy is greater than that of models using other features, suggesting that malware detection based on a graph structure and GNNs has a lot of space for future study.

Shanxi Li,Qingguo Zhou,Wei

DOI: https://doi.org/10.3837/tiis.2021.09.010

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:Malware is a severe threat to the computing system and there's a long history of the battle between malware detection and anti-detection. Most traditional detection methods are based on static analysis with signature matching and dynamic analysis methods that are focused on sensitive behaviors. However, the usual detections have only limited effect when meeting the development of malware, so that the manual update for feature sets is essential. Besides, most of these methods match target samples with the usual feature database, which ignored the characteristics of the sample itself. In this paper, we propose a new malware detection method that could combine the features of a single sample and the general features of malware. Firstly, a structure of Directed Cyclic Graph (DCG) is adopted to extract features from samples. Then the sensitivity of each API call is computed with Markov Chain. Afterward, the graph is merged with the chain to get the final features. Finally, the detectors based on machine learning or deep learning are devised for identification. To evaluate the effect and robustness of our approach, several experiments were adopted. The results showed that the proposed method had a good performance in most tests, and the approach also had stability with the development and growth of malware.

Yuxin Ding,Xiaoling Xia,Sheng Chen,Ye Li

DOI: https://doi.org/10.1016/j.cose.2017.10.007

IF: 5.105

2018-01-01

Computers & Security

Abstract:Graph-based malware detection methods must build a behavior graph for each known malware, and they are difficult to apply in practice. To solve this issue, we study how to build a common behavior graph for each malware family. We represent malware behaviors as dependency graphs. To find the dependency relations between system calls, we use a dynamic taint analysis technique to mark the system call parameters with taint tags, and we then build the system call dependency graph by tracing the propagation of the taint data. Based on the dependency graphs of malware samples, we propose an algorithm to extract the common behavior graph, which is used to represent the behavioral features of a malware family. Finally, a graph matching algorithm that is based on the maximum weight subgraph is used to detect malicious code. The experimental results show that the proposed method has a high detection rate and a low false positive rate and can detect malware variants.

Yakang Li,Yikun Hu,Yizhuo Wang,Yituo He,Haining Lu,Dawu Gu

DOI: https://doi.org/10.1109/saner56733.2023.00065

2023-01-01

Abstract:The rapid growth of Android malware calls for anti-malware systems to detect malware automatically. Detecting malware effectively is a non-trivial problem due to the high overlap in behaviors between malware and benign apps. Most existing automated Android malware detection methods use statistic features extracted from apps or graphs generated from method calls to identify malware. However, the methods that only use statistic features lead to false positives due to ignoring program semantics. Existing graph-based approaches suffer scalability problems due to the heavy-weight program analysis and timeconsuming graph matching. In addition, graph-based approaches could be evaded by modifying dependencies among method calls. As a result, crafted malicious apps resemble the benign ones. In this paper, we propose a novel deep learning-based detection system, named RGDroid, which is capable of detecting malware under graph structural attacks. It combines API information extracted from Android document and learns behavior features from function call graph by graph neural network. Specifically, to defend against graph adversarial attacks, RGDroid reduces the connectivity of different functional parts to mitigate the effect of structural modifications on the final graph embedding. To comprehensively evaluate the robustness of RGDroid, we implement four influential graph adversarial attacks to simulate current capabilities and knowledge of Android malware attackers. The attack success rate (ASR) of two state-of-the-art detection systems (i.e., MaMaDroid, MalScan) is above 70.0% while the ASR of RGDroid under the four graph attacks is below 6.1%.

Zhuo Ma,Haoran Ge,Yang Liu,Meng Zhao,Jianfeng Ma

DOI: https://doi.org/10.1109/ACCESS.2019.2896003

IF: 3.9

2019-01-01

IEEE Access

Abstract:Android malware severely threaten system and user security in terms of privilege escalation, remote control, tariff theft, and privacy leakage. Therefore, it is of great importance and necessity to detect Android malware. In this paper, we present a combination method for Android malware detection based on the machine learning algorithm. First, we construct the control flow graph of the application to obtain API information. Based on the API information, we innovatively construct Boolean, frequency, and time-series data sets. Based on these three data sets, three detection models for Android malware detection regarding API calls, API frequency, and API sequence aspects are constructed. Ultimately, an ensemble model is constructed for conformity. We tested and compared the accuracy and stability of our detection models through a large number of experiments. The experiments were conducted on 10010 benign applications and 10683 malicious applications. The results show that our detection model achieves 98.98% detection precision and has high accuracy and stability. All of the results are consistent with the theoretical analysis in this paper.

Zongqu Zhao,Junfeng Wang,Chonggang Wang

DOI: https://doi.org/10.1002/sec.524

IF: 1.968

2012-02-28

Security and Communication Networks

Abstract:The traditional malware detection schemes based on specific signature give an unsatisfactory performance as disposing the previously unknown malware, so the general features of binary files should be explored to solve this problem. Recently, classification algorithms were employed successfully to choose the features in unknown malicious code, and most of the works use byte or operation code sequence n‐gram representation of the executables. However, these n‐gram representations are heavily dependent on the training data. In this paper, we present a graph‐based method to detect unknown malware. The function call graph of an executable, which includes the functions and the call relations between them, is selected as the representation of the executable in this method. The features are defined according to both the statistical information and the topology of the function call graph. They are extracted and processed through machine learning to classify unknown Portable Executable files. For the sake of fixed sum of the features, the graph‐based method can avoid so many features found in other methods. In our experiments, three types of malware datasets were tested, and as high as 96.8% accuracy can be achieved. Furthermore, it can achieve 92.1% accuracy when only 5% of the dataset is served as training set. Copyright © 2012 John Wiley & Sons, Ltd. To detect the unknown malware, the features of graph‐based method are predefined from function call graph of software, and then the rules are built with these features to classify an executable as the benign or the malware. The quantity and the contents of these features are independent of testing dataset, and this peculiarity enables our experiment results to nearly reflect the situation of unknown malware detection. The design can provide a high malware detection accuracy by using a small set of training set.

computer science, information systems,telecommunications

lingfei wu,ming xu,jian xu,ning zheng,haiping zhang

DOI: https://doi.org/10.1109/ANTHOLOGY.2013.6784887

2013-01-01

Abstract:Code obfuscation plays a significant role in metamorphic malware. Moreover, identifying a metamorphic malware variant is a challenge task, because its obfuscation engine can easily generate various variants with different forms while maintaining the same functionality to escape detection. This paper presents a novel approach to recognize metamorphic malware based on programs' function-call graphs. Graph-coloring and cosine similarity techniques are used to measure the similarity of two programs on the basis of function-call graph. Experimental results have shown that the proposed method can accurately detect the metamorphic malware variants.

Hanqing Zhang,Senlin Luo,Yifei Zhang,Limin Pan

DOI: https://doi.org/10.1109/access.2019.2919796

IF: 3.9

2019-01-01

IEEE Access

Abstract:According to the recent report, 12 000 new Android malware samples will be generated every day. Efficient identification of evolving malware is an urgent challenge. Traditional methods based on structured features such as permissions and sensitive application programming interface (API) calls lack high-level behavioral semantics to detect evolving malware. The methods based on call graphs (CG) are good at behavioral semantic analysis but face the problem of huge time and space consumption, which leads to low detection efficiency. In this paper, we propose a novel Android malware detection method based on the method-level correlation relationship of application's abstracted API calls. First, we split each Android application's source code into separate function methods and just keep the abstracted API calls of them to form a set of abstracted API calls transactions. And then, we calculate the confidence of association rules between the abstracted API calls, which forms behavioral semantics to describe an application. Finally, we combine machine learning to identify the different behavioral patterns of malicious and benign apps to build the detection system. The results of our empirical evaluation show our system is competitive in terms of classification accuracy and detection efficiency. At dataset Drebin (benign 5.9K and malware 5.6K) and AMD (benign 20.5K and malware 20.8K), our system has achieved 96% and 98% detection results both in accuracy and F-measure. Compared with the state-of-the-art system in detecting evolving malware called MaMaDroid on the dataset of 6.0K benign and 20.5K malicious samples spanning from 2010 to 2017, our system achieves higher accuracy while improving detection efficiency by 15 times (2.9 s versus 45.7 s per sample).

Yu Liu,Liqiang Zhang,Xiangdong Huang

DOI: https://doi.org/10.1007/s11277-018-5982-0

IF: 2.017

2018-01-01

Wireless Personal Communications

Abstract:In this paper, we proposed a G features based Android malware detecting scheme with information of Function Call Graph . The experimental results showed that our G features based detecting scheme obtained a high detecting performance in up-to-date malware testing dataset. Besides, the collapsing issue induced by the high-dimension vectors of traditional Function Call Graph detection can also be avoided with our methods.

Rui Zhu,Chenglin Li,Di Niu,Hongwen Zhang,Husam Kinawi

DOI: https://doi.org/10.48550/arXiv.1806.04847

2018-12-11

Abstract:With the growth of mobile devices and applications, the number of malicious software, or malware, is rapidly increasing in recent years, which calls for the development of advanced and effective malware detection approaches. Traditional methods such as signature-based ones cannot defend users from an increasing number of new types of malware or rapid malware behavior changes. In this paper, we propose a new Android malware detection approach based on deep learning and static analysis. Instead of using Application Programming Interfaces (APIs) only, we further analyze the source code of Android applications and create their higher-level graphical semantics, which makes it harder for attackers to evade detection. In particular, we use a call graph from method invocations in an Android application to represent the application, and further analyze method attributes to form a structured Program Representation Graph (PRG) with node attributes. Then, we use a graph convolutional network (GCN) to yield a graph representation of the application by embedding the entire graph into a dense vector, and classify whether it is a malware or not. To efficiently train such a graph convolutional network, we propose a batch training scheme that allows multiple heterogeneous graphs to be input as a batch. To the best of our knowledge, this is the first work to use graph representation learning for malware detection. We conduct extensive experiments from real-world sample collections and demonstrate that our developed system outperforms multiple other existing malware detection techniques.

Cryptography and Security

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

YANG Fan,ZHANG Huanguo,FU Jianming,SHEN Zhidong

DOI: https://doi.org/10.14188/j.1671-8836.2013.05.004

2013-01-01

Abstract:To overcome the disadvantages of traditional malware detection with high false negative rate and low running efficiency,we abstract function call graphs from candidate malware by static analysis.Graph edit distance is taken as the evaluation criteria of the malware similarity,and therefore the malware classification and identification is transformed into the problem of searching the nearest neighbors in the existing malware graph database.To improve the detection speed,we introduce the assembly instruction sets of functions and the multi-way vantage point tree as high-dimensional indexing algorithm.Experiments show that our method has good performance in both accuracy and efficiency of malware detection.

Shanhu Shang,Ning Zheng,Jian Xu,Ming Xu,Haiping Zhang

DOI: https://doi.org/10.1109/malware.2010.5665787

2010-01-01

Abstract:Currently, signature-based malware scanning is still the dominant approach to identify malware samples in the wild due to its low false positive rate. However, this approach concentrates on programs' specific instructions, and lacks insight into high level semantics; it is enduring challenges from advanced code obfuscation techniques such as polymorphism and metamorphism. To overcome this shortcoming, this paper extracts a program's function-call graph as its signature. The paper presents a method to compute similarity between two binaries on basis of their function-call graph similarity. The proposed method relies on static analysis of a program, it first disassembles the program into assemble code, and then it uses a novel algorithm to construct the function-call graph from the assembly instructions. After that, it proposes a simple but effective graph matching method to compute similarity between two binaries. A prototype is implemented and evaluated on several well-known malware families and benign programs.