Yao-Saint Yen,Hung-Min Sun

DOI: https://doi.org/10.20944/preprints201808.0034.v1

2018-01-01

Abstract:Using smartphone especially android platform has already got eighty percent market shares, due to aforementioned report, it becomes attacker’s primary goal. There is a growing number of private data onto smart phones and low safety defense measure, attackers can use multiple way to launch and to attack user’s smartphones.(e.g. Using different coding style to confuse the software of detecting malware). Existing android malware detection methods use multiple features, like safety sensor API, system call, control flow structure and data information flow, then using machine learning to check whether its malware or not. These feature provide app’s unique property and limitation, that is to say, from some perspectives it might suit for some specific attack, but wouldn’t suit for others. Nowadays most malware detection methods use only one aforementioned feature, and these methods mostly analysis to detect code, but facing the influence of malware’s code confusion and zero-day attack, aforementioned feature extraction method may cause wrong judge. So, it’s necessary to design an effective technique analysis to prevent malware. In this paper, we use the importance of word from apk, because of code confusion, some malware attackers only rename variables, if using general static analysis wouldn’t judge correctly, then use these importance value to go through our proposed method to generate picture, finally using convolutional neural network to see whether the apk file is malware or not.

Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1109/sp.2012.16

2012-01-01

Abstract:The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.

Lin Liu,Wang Ren,Feng Xie,Shengwei Yi,Junkai Yi,Peng Jia

DOI: https://doi.org/10.1155/2021/9964224

IF: 1.968

2021-08-19

Security and Communication Networks

Abstract:The malicious APK (Android Application Package) makers use some techniques such as code obfuscation and code encryption to avoid existing detection methods, which poses new challenges for accurate virus detection and makes it more and more difficult to detect the malicious code. A report indicates that a new malicious app for Android is created every 10 seconds. To combat this serious malware activity, a scalable malware detection approach is needed, which can effectively and efficiently identify the malware apps. Common static detection methods often rely on Hash matching and analysis of viruses, which cannot quickly detect new malicious Android applications and their variants. In this paper, a malicious Android application detection method is proposed, which is implemented by the deep network fusion model. The hybrid model only needs to use the sample training model to achieve high accuracy in the identification of the malicious applications, which is more suitable for the detection of the new malicious Android applications than the existing methods. This method extracts the static features in the core code of the Android application by decompiling APK files, then performs code vectorization processing, and uses the deep learning network for classification and discrimination. Our experiments with a data set containing 10,170 apps show that the decisions from the hybrid model can increase the malware detection rate significantly on a real device, which verifies the superiority of this method in the detection of malicious codes.

computer science, information systems,telecommunications

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Abdelmonim Naway,Yuancheng LI

DOI: https://doi.org/10.48550/arXiv.1812.10360

2018-12-26

Cryptography and Security

Abstract:Android is the predominant mobile operating system for the past few years. The prevalence of devices that can be powered by Android magnetized not merely application developers but also malware developers with criminal intention to design and spread malicious applications that can affect the normal work of Android phones and tablets, steal personal information and credential data, or even worse lock the phone and ask for ransom. Researchers persistently devise countermeasures strategies to fight back malware. One of these strategies applied in the past five years is the use of deep learning methods in Android malware detection. This necessitates a review to inspect the accomplished work in order to know where the endeavors have been established, identify unresolved problems, and motivate future research directions. In this work, an extensive survey of static analysis, dynamic analysis, and hybrid analysis that utilized deep learning methods are reviewed with an elaborated discussion on their key concepts, contributions, and limitations.

Rajesh Kumar,Zhang Xiaosong,Riaz Ullah Khan,Jay Kumar,Ijaz Ahad

DOI: https://doi.org/10.1145/3194452.3194465

2018-01-01

Abstract:The across the board reception of android devices and their ability to get to critical private and secret data have brought about these devices being focused by malware engineers. Existing android malware analysis techniques categorized into static and dynamic analysis. In this paper, we introduce two machine learning supported methodologies for static analysis of android malware. The First approach based on statically analysis, content is found through probability statistics which reduces the uncertainty of information. Feature extraction were proposed based on the analysis of existing dataset. Our both approaches were used to high-dimension data into low-dimensional data so as to reduce the dimension and the uncertainty of the extracted features. In training phase the complexity was reduced 16.7% of the original time and detect the unknown malware families were improved.

Yueqi Jin,Tengfei Yang,Yangyang Li,Haiyong Xie

DOI: https://doi.org/10.1007/978-981-15-8083-3_19

2020-01-01

Abstract:Android, the world’s most widely used mobile operating system, is the target of a large number of malwares. These malwares have brought great trouble to information security and users’ privacy, such as leaking personal information, secretly downloading programs to consume data, and secretly sending deduction SMS messages. With the increase of malwares, detection methods have been proposed constantly. Especially in recent years, the malware detection methods based on deep learning are popular. However, the detection methods based on static features have a low accuracy, and others based on dynamic features take a long time, all this limits its scope.

Zhenlong Yuan,Yongqiang Lu,Zhaoguo Wang,Yibo Xue

DOI: https://doi.org/10.1145/2740070.2631434

IF: 1.937

2014-01-01

ACM SIGCOMM Computer Communication Review

Abstract:As smart:phones and mobile devices are rapidly becoming indispensable for many network users, mobile malware has become a serious threat in the network security and privacy. Especially on the popular Android platform, many malicious apps are hiding in a large number of normal apps, which makes the malware detection more challenging. In this paper, we propose a ML-based method that utilizes more than 200 features extracted from both static analysis and dynamic analysis of Android app for malv -are detection. The comparison of modeling results demonstrates that the deep learning technique is especially suitable for Android mahvare detection and can achieve a high level of 96% accuracy with real-world Android application sets.

Shangyu Gu,Shaoyin Cheng,Weiming Zhang

DOI: https://doi.org/10.1145/3404555.3404574

2020-01-01

Abstract:Recent years, Machine Learning has been widely used in malware analysis and achieved unprecedented success. However, deep learning models are found to be highly vulnerable to adversarial examples, which leads to the machine learning-based malware analysis methods vulnerable to malware makers. Exploring the attack algorithm can not only promote the generation of more effective malware analysis methods, but also can promote the development of the defense algorithm. Different machine learning models use different malware features as their classification basis, and accordingly there will be different attack methods against them. For malware visualization method, corresponding effective adversarial attack has not yet appeared. Most existing malware adversarial examples for malware visualization are generated at the feature level, and do not consider whether the generated adversarial examples can be executed and complete their original functions. In this paper, we explored how to modify an Android executable file without affecting its original functions and made it become an adversarial example. We proposed an executable adversarial examples attack strategy for machine learning-based malware visualization analysis. Experimental result shows that the executable adversarial examples we generated can be normally run on Android devices without affecting its original functions, and can confuse the malware family classifier with 93% success rate. We explored possible defense methods and hope to contribute to building a more robust malware classification method.

Farhan Ullah,Gautam Srivastava,Shamsher Ullah

DOI: https://doi.org/10.1186/s13677-022-00349-8

2022-11-04

Journal of Cloud Computing

Abstract:Android is the most widely used mobile platform, making it a prime target for malicious attacks. Therefore, it is imperative to effectively circumvent these attacks. Recently, machine learning has been a promising solution for malware detection, which relies on distinguishing features. While machine learning-based malware scanners have a large number of features, adversaries can avoid detection by using feature-related expertise. Therefore, one of the main tasks of the Android security industry is to consistently propose cutting-edge features that can detect suspicious activity. This study presents a novel feature representation approach for malware detection that combines API-Call Graphs (ACGs) with byte-level image representation. First, the reverse engineering procedure is used to obtain the Java programming codes and Dalvik Executable (DEX) file from Android Package Kit (APK). Second, to depict Android apps with high-level features, we develop ACGs by mining API-Calls and API sequences from Control Flow Graph (CFG). The ACGs can act as a digital fingerprint of the actions taken by Android apps. Next, the multi-head attention-based transfer learning method is used to extract trained features vector from ACGs. Third, the DEX file is converted to a malware image, and the texture features are extracted and highlighted using a combination of FAST (Features from Accelerated Segment Test) and BRIEF (Binary Robust Independent Elementary Features). Finally, the ACGs and texture features are combined for effective malware detection and classification. The proposed method uses a customized dataset prepared from the CIC-InvesAndMal2019 dataset and outperforms state-of-the-art methods with 99.27% accuracy.

Yuxin Ding,Jieke Hu,Wenting Xu,Xiao Zhang

DOI: https://doi.org/10.1109/ICMLC48188.2019.8949298

2019-01-01

Abstract:In recent years, there is a rapid increase in the number of Android based malware. To protect users from malware attacks, different malware detection methods are proposed. In this paper, a novel static method is proposed to detect malware. We use the static analysis technique to analyze the Android applications and obtain their static behaviors. Two kinds of behaviors are extracted to represent malware. One kind of behaviors is the function call graph and the other kind is opcode sequences. To automatically learn behavioral features, we convert the function call graphs and opcode sequences into two dimensional data, and use deep learning method to build malware classifier. To further improve the performance of the malware classifier, a deep feature fusion model is proposed, which can combine different behavioral features for malware classification. The experimental results show the deep learning method is effective to detect malware and the proposed fusion model outperforms the single behavioral model.

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

Jiaqi Guo,Zhaoyi Meng,Qian Zhang,Yan Xiong,Wenchao Huang

DOI: https://doi.org/10.1109/bigcom61073.2023.00021

2023-01-01

Abstract:With the increasing popularity of the Android platform, more and more malicious apps have been released, threatening the security of mobile users. As they have complex logic and diverse variations, each of the existing schemes can only detect a portion of them. In this paper, we present MVVDroid, an Android malware detection technique based on software visualization and multi-view learning. To capture the semantic information of Android apps comprehensively, we first visualize the apps from three views, including behavior view, operation view and bytecode view. Software visualization helps us to extract the apps’ multi-granularity structural information, which is distinctive for malware detection. We then fuse the comprehensive semantics at different levels to profile the maliciousness of the apps precisely based on multi-view learning. This paper, to the best of our knowledge, is the first work that combines multi-view learning with software visualization to achieve an effective Android malware detection. Experiments show that MVVDroid is more effective than other representative techniques, such as Drebin and a visualization-based method proposed by Sun et al. in 2021, with an accuracy of 97.78% and an F1-score of 97.14%. Furthermore, we compare the effectiveness of different combinations of views to validate the rationality of our view selection.

Hanlin Long,Zhicheng Tian,Yang Liu

DOI: https://doi.org/10.1109/csp51677.2021.9357569

2021-01-01

Abstract:The mechanism of running software on virtual machines partly ensures the security of Android system. However, with all kinds of malicious codes being developed, there has been a huge number of massive security incidents caused by malware on Android. Malware has various code patterns, but their behaviors are measurable. In this paper, a new method of detecting Android malware by analyzing malware's behaviors is proposed. The method is characterized by the ability to mine the contextual relationships between system calls and network activities. Besides, the method requires only a small data set to achieve good classification performance. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods.

Junwei Tang,Wei Xu,Tao Peng,Sijie Zhou,Qiaosen Pi,Ruhan He,Xinrong Hu

DOI: https://doi.org/10.1016/j.jisa.2024.103721

IF: 4.96

2024-01-01

Journal of Information Security and Applications

Abstract:Mobile applications have been deeply integrated into the daily life of ordinary users. Android malware seriously threatens the privacy and property security of users. However, code obfuscation and other technologies have reduced the effectiveness of traditional static analysis methods, and more and more studies are extracting grayscale image features for malware detection. We propose a classification method for Android malware based on a novel mixed bytecode image and deep neural network combined with attention mechanism. Firstly, for the executable file of the target malware, read one character every 8 bits, fix the line and width, and output it as a vector. Each element in this vector is between 0 and 255, which is the range of values for grayscale images. Furthermore, the executable files are generated into grayscale images and Markov images, respectively. Then a new texture feature space is constructed by the fusion of grayscale and Markov images using the transfer probability, which is mapped to a two-dimensional space to obtain the mixed image feature. The constructed fusion feature space can more clearly characterize Android malware. What is more, the convolutional attention mechanism is added to ResNet to increase the depth of the network and improve the network effect. Finally, experiments are performed on Drebin and CICMalDroid 2020. Our experimental results show that our method can efficiently perform uniform representation of bytecode sequence files and extract and classify feature sequences. On the basis of mixed image features, the accuracy of malware detection can reach 98.67%, which outperforms the classification based on Markov images, grayscale images and other similar methods.

Nikola Milosevic,Junfan Huang

DOI: https://doi.org/10.48550/arXiv.1910.10660

2019-10-24

Abstract:In the past decade, the cyber-crime related to mobile devices has increased. Mobile devices, especially the ones running on Android operating system are particularly interesting to malware creators, as the users often keep the biggest amount of personal information on their mobile devices, such as their contacts, social media profiles, emails, and bank accounts. Both dynamic and static malware analysis is necessary to prevent and detect malware, as both techniques have their benefits and shortcomings. In this paper, we propose a deep learning technique that relies on LSTM and encoder-decoder neural network architectures for dynamic malware analysis based on CPU, memory and battery usage. The proposed system is able to detect and notify users about anomalies in system that is likely consequence of malware behaviour. The method was implemented as a part of OWASP Seraphimdroids anti-malware mechanism and notifies users about anomalies on their devices. The method proved to perform with an F1-score of 79.2%.

Cryptography and Security,Computers and Society,Machine Learning

Wenjun HU,Shuang ZHAO,Jing TAO,Xiaobo MA,Liang CHEN

DOI: https://doi.org/10.7652/xjtuxb201310007

2013-01-01

Abstract:An Android malware detection system is designed and implemented to focus on the problem that malware on Android becomes widespread. The system combines static and dynamic analysis technologies. The APK features such as permission, API call sequences, component, resource and structure are extracted to form a feature vector in static analysis, and a similarity-based method is proposed to detect known malware samples using these features. Android source code is then updated to generate new kernel images in dynamic analysis. The new kernel images can monitor the Android program's behaviors such as file reading and writing, network connection, SMS sending and telephone calling, etc. Thus, unknown malware samples can be successfully identified through analyzing these behaviors. Experimental results show that the proposed system is efficient and performs well on detecting Android malware. The proposed system has been released online and free use of the system is available on the Internet.

Yuxin Ding,Xiao Zhang,Jieke Hu,Wenting Xu

DOI: https://doi.org/10.1007/s12652-020-02196-4

IF: 3.662

2020-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Traditional machine learning based malware detection methods often use decompiling techniques or dynamic monitoring techniques to extract the feature representation of malware. This procedure is time consuming and strongly depends on the skills of experts. In addition, malware can be packed or encrypted to evade the analysis of decompiling tools. To solve this issue, we propose a static detection method based on deep learning. We directly extract bytecode file from Android APK file, and convert the bytecode file into a two-dimensional bytecode matrix, then use the deep learning algorithm, convolution neural network (CNN), to train a detection model and apply it to classify malware. CNN can automatically learn features of bytecode file which can be used to recognize malware. The proposed detection model avoids the procedure for analyzing malware features and designing the feature representation of malware. The experimental results show the proposed method is effective to detect malware, especially malware encrypted using polymorphic techniques.

Zhaoyi Meng,Jiale Zhang,Jiaqi Guo,Wansen Wang,Wenchao Huang,Jie Cui,Hong Zhong,Yan Xiong

2024-10-09

Abstract:Deep learning has emerged as a promising technology for achieving Android malware detection. To further unleash its detection potentials, software visualization can be integrated for analyzing the details of app behaviors clearly. However, facing increasingly sophisticated malware, existing visualization-based methods, analyzing from one or randomly-selected few views, can only detect limited attack types. We propose and implement LensDroid, a novel technique that detects Android malware by visualizing app behaviors from multiple complementary views. Our goal is to harness the power of combining deep learning and software visualization to automatically capture and aggregate high-level features that are not inherently linked, thereby revealing hidden maliciousness of Android app behaviors. To thoroughly comprehend the details of apps, we visualize app behaviors from three related but distinct views of behavioral sensitivities, operational contexts and supported environments. We then extract high-order semantics based on the views accordingly. To exploit semantic complementarity of the views, we design a deep neural network based model for fusing the visualized features from local to global based on their contributions to downstream tasks. A comprehensive comparison with five baseline techniques is performed on datasets of more than 51K apps in three real-world typical scenarios, including overall threats, app evolution and zero-day malware. The experimental results show that the overall performance of LensDroid is better than the baseline techniques. We also validate the complementarity of the views and demonstrate that the multi-view fusion in LensDroid enhances Android malware detection.

Cryptography and Security,Software Engineering

Tianliang Lu,Yanhui Du,Li Ouyang,Qiuyu Chen,Xirui Wang

DOI: https://doi.org/10.1155/2020/8863617

IF: 1.968

2020-08-28

Security and Communication Networks

Abstract:In recent years, the number of malware on the Android platform has been increasing, and with the widespread use of code obfuscation technology, the accuracy of antivirus software and traditional detection algorithms is low. Current state-of-the-art research shows that researchers started applying deep learning methods for malware detection. We proposed an Android malware detection algorithm based on a hybrid deep learning model which combines deep belief network (DBN) and gate recurrent unit (GRU). First of all, analyze the Android malware; in addition to extracting static features, dynamic behavioral features with strong antiobfuscation ability are also extracted. Then, build a hybrid deep learning model for Android malware detection. Because the static features are relatively independent, the DBN is used to process the static features. Because the dynamic features have temporal correlation, the GRU is used to process the dynamic feature sequence. Finally, the training results of DBN and GRU are input into the BP neural network, and the final classification results are output. Experimental results show that, compared with the traditional machine learning algorithms, the Android malware detection model based on hybrid deep learning algorithms has a higher detection accuracy, and it also has a better detection effect on obfuscated malware.

computer science, information systems,telecommunications