Xiaoheng Deng,Zhe Wang,Xinjun Pei,Kaiping Xue

DOI: https://doi.org/10.1109/tnse.2023.3292855

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:With the rapid development of the Internet of Things (IoT) and cloud applications, cloud service providers have rented out access to servers to IoT devices for computing and storage purposes, providing users with a variety of services and functionality. The prevalence of malware attacks against IoT devices has led to serious and critical concerns with respect to cyber security. In response to this growing threat, many IoT security providers are adopting cloud-based, centralized malware detection systems. However, this may cause back-and-forth communication, which violates the real-time requirement of malware detection. The ever-growing edge computing has resulted in the development of new and more efficient data processing. By exploiting the proximity benefits and the computation capacity of edge computing, we propose a hierarchical IoT malware detection framework (namely TransMalDE) to migrate user computation-intensive malware detection tasks to neighboring edge computing nodes, which improves the efficiency of malware detection. Moreover, considering the rigidity of the current network infrastructure and the complexity of AI-enabled malware detection tasks, we construct a Transformer-based detection model to capture the latent behavioral patterns of evolving malware attacks. Experimental results show that our TransMalDE consistently outperforms the existing state-of-the-art systems in malware detection on four benchmark datasets.

Huanran Wang,Weizhe Zhang,Hui He,Peng Liu,Daniel Xiapu Luo,Yang Liu,Jiawei Jiang,Yan Li,Xing Zhang,Wenmao Liu,Runzi Zhang,Xing Lan

DOI: https://doi.org/10.1109/jiot.2021.3063840

IF: 10.6

2021-10-15

IEEE Internet of Things Journal

Abstract:Recent years have witnessed lots of attacks targeted at the widespread Internet of Things (IoT) devices and malicious activities conducted by compromised IoT devices. After some notorious IoT malware released their source code, many new variants emerge, which are usually more powerful and stealthy. Although numerous existing studies have analyzed some exposed families, there is a lack of systematic study to make full use of them, which can be a fundamental step for provenance, triage, labeling, lineage analysis, and authorship attribution. The key challenge of conducting an IoT malware evolutionary study is how to collect sufficient and accurate information about malware and identify the relationships among them. In this article, we take the first step to investigate the IoT malware evolution by leveraging the information from two sources that complement each other. First, we crawl online articles about IoT malware and employ natural language processing techniques to extract the features of malware samples and their relationships with other malware family, which allow us to form the basic lineage graph. Second, we collect real malware samples through our widely deployed honeypots and design a new classifier to group them into families and identify lineage relationships among them. Such results are used to enhance the basic lineage graph. Eventually, we construct the final lineage graph for 72 IoT malware families by correlating the information from the aforementioned sources, which can help the research community better understand and fight IoT malware now and in the future. Our study has been incorporated into the threat awareness system of NSFOCUS company.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yantian Luo,Xu Chen,Ning Ge,Wei Feng,Jianhua Lu

DOI: https://doi.org/10.1109/ICC45855.2022.9838882

2022-01-01

Abstract:Due to the heterogeneity of Internet of Things (IoT) devices and the diversity of IoT communication protocols, it is challenging to defend against malicious traffic from IoT devices. In this paper, a novel malicious traffic detection method is proposed based on the deep learning method. Specifically, a Transformer-based encoder is designed to automatically select key features of IoT traffic for the detection task, which avoids the cumbersome feature screening process that has been widely used in traditional machine learning methods. To address the complexity of the feature space and improve the efficiency of model training, we exploit the correlation between the characteristics of malicious traffic and the device type of IoT bots to further improve the detection accuracy by introducing a device classification auxiliary loss in the training phase. Experimental results show that our method outperforms the state-of-the-art machine learning-based methods in terms of accuracy, precision, recall and f1-score on real IoT traffic traces. In addition, the benefit of device type information on detection efficiency is verified.

Tzu-Ling Wan,Tao Ban,Shin-Ming Cheng,Yen-Ting Lee,Bo Sun,Ryoichi Isawa,Takeshi Takahashi,Daisuke Inoue

DOI: https://doi.org/10.1109/ojcs.2020.3033974

2020-01-01

IEEE Open Journal of the Computer Society

Abstract:Simple implementation and autonomous operation features make the Internet-of-Things (IoT) vulnerable to malware attacks. Static analysis of IoT malware executable files is a feasible approach to understanding the behavior of IoT malware for mitigation and prevention. However, current analytic approaches based on opcodes or call graphs typically do not work well with diversity in central processing unit (CPU) architectures and are often resource intensive. In this paper, we propose an efficient method for leveraging machine learning methods to detect and classify IoT malware programs. We show that reliable and efficient detection and classification can be achieved by exploring the essential discriminating information stored in the byte sequences at the entry points of executable programs. We demonstrate the performance of the proposed method using a large-scale dataset consisting of 111K benignware and 111K malware programs from seven CPU architectures. The proposed method achieves near optimal generalization performance for malware detection (99.96 accuracy) and for malware family classification (98.47 accuracy). Moreover, when CPU architecture information is considered in learning, the proposed method combined with support vector machine classifiers can yield even higher generalization performance using fewer bytes from the executable files. The findings in this paper are promising for implementing light-weight malware protection on IoT devices with limited resources.

Chia-Yi Wu,Tao Ban,Shin-Ming Cheng,Takeshi Takahashi,Daisuke Inoue

DOI: https://doi.org/10.1016/j.cose.2022.103060

2022-12-14

Abstract:Various malware and cyberattacks have arisen along with the proliferation of IoT devices. The evolving malware targeting IoT devices calls forth effective and efficient solutions to protect vulnerable IoT devices from being compromised. In this paper, we investigate the feasibility of a state-of-the-art graph embedding method, graph2vec , for performing family classification for IoT malware, with promising results reported. To further improve the generalization performance of the classifiers based on graph2vec -extracted features, we propose two new mechanisms to improve the quality of feature representation. First, we unify user-defined function calls by reinterpreting the opcode sequences therein to better capture the semantics of the function-call relationship in malware binaries. Then, we integrate literal information into the graph2vec embedding of the function call graph to achieve better discriminant ability. To prove the effectiveness of the proposed scheme, we carried out performance comparison on a large-scale dataset containing more than 108K malware binaries collected from seven CPU architectures. The accuracy rates obtained by five widely adopted classifiers on malware family classification are improved by 2%, on average, by adopting the two proposed mechanisms. Specifically, when combined with the proposed approach, the support vector machine classifier obtained an accuracy rate of 98.88% on malware family classification, outperforming known function-call-graph (FCG)-based methods and previous work on static malware analysis.

computer science, information systems

Feng Pi,Shengwei Tian,Xinjun Pei,Peng Chen,Xin Wang,Xiaowei Wang

DOI: https://doi.org/10.3233/jifs-233556

2023-10-04

Journal of Intelligent & Fuzzy Systems

Abstract:With the development of the Internet of Things (IoT), mobile devices are playing an increasingly important role in our daily lives. There are various malware threats present in these mobile devices, which can steal users' personal information. Some malware exploits Inter-Component Communication (ICC) to execute malicious activities for unauthorized data access and system control, enabling communication between different components within an app and between different apps. In this paper, we propose an Adaptive Transformer-based malware framework (named AdaTrans) that combines sensitive Application Programming Interface (API)- and ICC-related features. The framework first extracts sensitive function call subgraphs (SFCS) to reflect the caller-callee relationships, and then utilizes ICC interactions to reveal hidden communication patterns in malicious activities. Moreover, we propose a novel adaptive Transformer model to detect malicious behaviors. We evaluate our framework on real-world datasets and demonstrate that AdaTrans consistently outperforms other existing state-of-the-art systems.

Faiza Habib,Syed Hamad Shirazi,Khursheed Aurangzeb,Asfandyar Khan,Bharat Bhushan,Musaed Alhussein

DOI: https://doi.org/10.1109/access.2024.3383831

IF: 3.9

2024-04-09

IEEE Access

Abstract:Today Internet of Things (IoT) has become a key part of the modern world as it enables web-based IoT devices to collect, transfer, and analyze the data of individuals, companies, and industries. IoT provides numerous services and applications via a massive number of interconnected devices and has become an innovative attack vector for cyber-attacks and threats such as malware attacks that are currently regarded as serious dangers to the security of IoT devices and systems. Such threats are sufficient to infiltrate individual private information that inflicts harm to both the financial standing and reputation in an organization. In literature, researchers have used multiple machine learning and deep learning models to tackle this security threat, however, still accurate classification and detection of metamorphic malware in IoT devices remains a challenge. In this article, we used a deep learning model to accurately detect metamorphic malware in IoT devices. We have employed six models including (VGG16, InceptionV3, CNN, ResNet50, MobileNet, and Efficient NetB0 on Malimg publicly available malware image dataset. The Internet of Things (IoT) would benefit from having a method that could identify metamorphic malware. It isn't possible to rely on detection techniques that are fixed or signature-based. Throughout this research, a straightforward technique for carrying out dynamic analysis to comprehend the behavior of code is suggested. To determine if executable are malicious, it is necessary to first measure the behavior of executable and then utilize this information to make that determination. Additionally, the purpose of this study is to create a classifier that makes utilization of deep learning techniques to analyze complicated behavior reports. The obtained results depict that the proposed model achieves a promising accuracy of 99% and F1-score of 97% employed on the standard Malimg dataset as compared to other existing machine and deep learning models.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ayat T. Salim,Ban Mohammed Khammas

DOI: https://doi.org/10.31987/ijict.6.3.233

2023-12-31

Abstract:Internet of Things (IoT) equipment is rapidly being used in a variety of businesses and for a variety of reasons (for example, sensing and collecting data from the environment in both public and military settings). Because of their expanding involvement in a wide range of applications and their rising computational and processing capabilities, they are a viable attack target for malware tailored to infect specific IoT devices. This study investigates the potential of detecting IoT malware using different deep learning techniques: the classic feedforward neural network (FNN), convolutional neural networks (CNN), long short-term memory (LSTM), and recurrent neural networks (RNN). The proposed method analyses the execution operation codes of IOT app sequences using modern NLP (natural language processing) methods. The current work utilized an IoT application dataset with 500 malware (collected from the IOTPOT dataset) and 500 goodware samples to train the proposed algorithms. The trained model is tested against 2971 fresh IoT malware and goodware samples. The samples were input into deep learning models, and performance metrics were obtained. The results demonstrate that the RNN model had the best accuracy (99.19%) in detecting fresh malware samples. On the other hand, the results were compared by the time required for training; the CNN model shows that it could achieve high accuracy (98.05%) with less training time. A comparison with various deep learning classifiers demonstrates that the RNN and CNN techniques produce the best results.

Ziming Zhao,Zhaoxuan Li,Jiongchi Yu,Fan Zhang,Xiaofei Xie,Haitao Xu,Binbin Chen

DOI: https://doi.org/10.1109/tmc.2023.3311012

IF: 6.075

2024-01-01

IEEE Transactions on Mobile Computing

Abstract:With the widespread use of Internet of Things (IoT) devices, malware detection has become a hot spot for both academic and industrial communities. Existing approaches can be roughly categorized into network-side and host-side. However, existing network-side methods are difficult to capture contextual semantics from cross-source traffic, and previous host-side methods could be adversary-perceived and expose risks for tampering. More importantly, a single perspective cannot comprehensively track the multi-stage lifecycle of IoT malware. In this paper, we present ${\sf CMD}$ , a co-analyzed IoT malware detection and forensics system by combining hardware and network domains. For the network part, ${\sf CMD}$ proposes a tailored capsule neural network to capture the contextual semantics from cross-source traffic. For the hardware part, ${\sf CMD}$ designs an entire file operation recovery process in a side-channel manner by leveraging the Serial Peripheral Interface (SPI) signals from on-chip traces. These traffic provenance and operating logs information could benefit the anti-virus countermeasures for security practitioners. By practical evaluation, we demonstrate that ${\sf CMD}$ realizes outstanding detection effects ( e.g., $\sim$ 99.88% F1-score) compared with seven state-of-the-art methods, and recovers 96.88% $\sim$ 99.75% operation commands even if against adaptive adversaries (that could kill processes or tamper with operation log files). A by-product benefit of such an external monitor is ${\sf CMD}$ introduces zero latency on the IoT device, and incurs negligible IoT CPU utilization. Also, since SPI focuses on file operations, the proposed hardware trace forensics does not have the data explosion problem like previous work, e.g., recovered logs of ${\sf CMD}$ only take up limited extra space overhead ( e.g., $\sim$ 0.2 MB per malware). Furthermore, we provide the model interpretability for the capsule network and develop a case study (Hajime) of the operation logs recovery.

Gergely Hevesi

2023-11-20

Abstract:Embedded devices are specialised devices designed for one or only a few purposes. They are often part of a larger system, through wired or wireless connection. Those embedded devices that are connected to other computers or embedded systems through the Internet are called Internet of Things (IoT for short) devices. With their widespread usage and their insufficient protection, these devices are increasingly becoming the target of malware attacks. Companies often cut corners to save manufacturing costs or misconfigure when producing these devices. This can be lack of software updates, ports left open or security defects by design. Although these devices may not be as powerful as a regular computer, their large number makes them suitable candidates for botnets. Other types of IoT devices can even cause health problems since there are even pacemakers connected to the Internet. This means, that without sufficient defence, even directed assaults are possible against people. The goal of this thesis project is to provide better security for these devices with the help of machine learning algorithms and reverse engineering tools. Specifically, I study the applicability of control-flow related data of executables for malware detection. I present a malware detection method with two phases. The first phase extracts control-flow related data using static binary analysis. The second phase classifies binary executables as either malicious or benign using a neural network model. I train the model using a dataset of malicious and benign ARM applications.

Artificial Intelligence,Cryptography and Security

Peifeng Liang,Lina Yang,Zenggang Xiong,Xuemin Zhang,Gang Liu

DOI: https://doi.org/10.1109/jiot.2024.3369034

IF: 10.6

2024-01-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) technology and systems have penetrated every aspect of our lives and generated enormous economic benefits. At the same time, research on the data security of IoT systems has been one of the key topics in IoT fields. Network attacks and intrusions have become the main threats to the data security of the IoTs, which have become the main obstacles to the development and application of the IoTs. In this article, we propose an intrusions and attack detection model to ensure the data security of IoT systems by using the Transformer model and multiwavelets learning. Based on the architecture of IoT systems, we first proposed a multi-level intrusion detection model to detect attack data in the cloud layer and edge terminal layer. In this detection model, a Transformer model and discrete wavelet transform (DWT) based approach is proposed to ensure the effectiveness and accuracy of the model. To extract and make full use of frequency information of traffic data in an IoT network, we embed DWT technique and multiwavelets learning into the Transformer model to propose a novel DWT-based Transformer architecture, which achieves outstanding performance in detecting intrusion actions. Simulating on IoT system in laboratory environment, the proposed security prediction model achieves pretty good performance in predicting intrusion actions.

computer science, information systems,telecommunications,engineering, electrical & electronic

Danish Vasan,Mamoun Alazab,Sitalakshmi Venkatraman,Junaid Akram,Zheng Qin

DOI: https://doi.org/10.1109/tc.2020.3015584

IF: 3.183

2020-01-01

IEEE Transactions on Computers

Abstract:The complexity, sophistication, and impact of malware evolve with industrial revolution and technology advancements. This article discusses and proposes a robust cross-architecture IoT malware threat hunting model based on advanced ensemble learning (MTHAEL). Our unique MTHAEL model using stacked ensemble of heterogeneous feature selection algorithms and state-of-the-art neural networks to learn different levels of semantic features demonstrates enhanced IoT malware detection than existing approaches. MTHAEL is the first of its kind that effectively optimizes recurrent neural network (RNN) and convolutional neural network (CNN) with high classification accuracy and consistently low computational overheads on different IoT architectures. Cross-architecture benchmarking is performed during the training with different architectures such as ARM, Intel80386, MIPS, and MIPS+Intel80386 individually. Two different hardware architectures were employed to analyze the architecture overhead, namely Raspberry Pi 4 (ARM-based architecture) and Core-i5 (Intel-based architecture). Our proposed MTHAEL is evaluated comprehensively with a large IoT cross-architecture dataset of 21,137 samples and has achieved 99.98 percent classification accuracy for ARM architecture samples, surpassing prior related works. Overall, MTHAEL has demonstrated practical suitability for cross-architecture IoT malware detection with low computational overheads requiring only 0.32 seconds to detect Any IoT malware.

Javier Carrillo-Mondejar,Juan Manuel Castelo Gomez,Carlos Núñez-Gómez,Jose Roldán Gómez,José Luis Martínez

DOI: https://doi.org/10.1155/2020/8810708

IF: 1.968

2020-10-26

Security and Communication Networks

Abstract:The weakness of the security measures implemented on IoT devices, added to the sensitivity of the data that they handle, has created an attractive environment for cybercriminals to carry out attacks. To do so, they develop malware to compromise devices and control them. The study of malware samples is a crucial task in order to gain information on how to protect these devices, but it is impossible to manually do this due to the immense number of existing samples. Moreover, in the IoT, coexist multiple hardware architectures, such as ARM, PowerPC, MIPS, Intel 8086, or x64-86, which enlarges even more the quantity of malicious software. In this article, a modular solution to automatically analyze IoT malware samples from these architectures is proposed. In addition, the proposal is subjected to evaluation, analyzing a testbed of 1500 malware samples, proving that it is an effective approach to rapidly examining malicious software compiled for any architecture.

computer science, information systems,telecommunications

Gao-Yu Lin,Po-Yuan Wang,Shin-Ming Cheng,Hahn-Ming Lee

DOI: https://doi.org/10.1145/3689427

2024-09-27

ACM Transactions on Embedded Computing Systems

Abstract:The rapid expansion of the Internet of Things (IoT) has significantly increased the prevalence of malware targeting IoT devices. Although machine learning models offer promising solutions for automatic malware detection, they are increasingly vulnerable to adversarial attacks. These attacks exploit the model’s feedback loop to iteratively refine malware, producing adversarial samples that evade detection. As such, enhancing the robustness of these models is of paramount importance. Our research introduces a novel approach to bolster malware detection by retaining additional semantic information within the execution order analysis of malware programs. The method significantly improves the resilience of detection models against adversarial samples and implements two adversarial attack methods to rigorously test our model’s robustness by generating authentic adversarial examples for validation. We highlight the critical impact of preserving semantic integrity in malware detection and present a solution to counteract the growing threat of adversarial attacks in IoT environments.

computer science, software engineering, hardware & architecture

Qi Li,Jiaxin Mi,Weishi Li,Junfeng Wang,Mingyu Cheng

DOI: https://doi.org/10.1109/jiot.2021.3075694

IF: 10.6

2021-12-01

IEEE Internet of Things Journal

Abstract:Malware has become one of the most serious security threats to the Internet of Things (IoT). Detection of malware variants can inhibit the spread of malicious code from the traditional network to the IoT, and can also inhibit the spread of malicious code within the IoT, which is of great significance to the security detection and defense of the IoT. Since the terminals and the operating systems of IoT are very different from the traditional network, when malicious code is transferred from the traditional network to the IoT platform, the characteristics of the variants may change significantly. As a result, malicious code variant detection methods for traditional platforms cannot be directly applied to the IoT. In this article, a malware variant detection method for the IoT is proposed. First, we propose a feature representation method based on RGB image for IoT to solve the problem of representation difficulty caused by platform difference, which pays more attention to the assembly code and developer information of the malware. The generated image has richer texture information, which can dig out the deep association between the IoT variants and the original malicious code. Moreover, this article improves the convolutional neural network model by combining the self-attention mechanism and spatial pyramid pooling to solve the problem of large differences in the size of IoT malware. Experimental results show that our method can be used in cross-platform to detect malware variants in the IoT effectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Jiawei Su,Danilo Vasconcellos Vargas,Sanjiva Prasad,Daniele Sgandurra,Yaokai Feng,Kouichi Sakurai

DOI: https://doi.org/10.48550/arXiv.1802.03714

2018-02-11

Abstract:The Internet of Things (IoT) is an extension of the traditional Internet, which allows a very large number of smart devices, such as home appliances, network cameras, sensors and controllers to connect to one another to share information and improve user experiences. Current IoT devices are typically micro-computers for domain-specific computations rather than traditional functionspecific embedded devices. Therefore, many existing attacks, targeted at traditional computers connected to the Internet, may also be directed at IoT devices. For example, DDoS attacks have become very common in IoT environments, as these environments currently lack basic security monitoring and protection mechanisms, as shown by the recent Mirai and Brickerbot IoT botnets. In this paper, we propose a novel light-weight approach for detecting DDos malware in IoT <a class="link-external link-http" href="http://environments.We" rel="external noopener nofollow">this http URL</a> firstly extract one-channel gray-scale images converted from binaries, and then utilize a lightweight convolutional neural network for classifying IoT malware families. The experimental results show that the proposed system can achieve 94.0% accuracy for the classification of goodware and DDoS malware, and 81.8% accuracy for the classification of goodware and two main malware families.

Cryptography and Security,Computer Vision and Pattern Recognition

Tongxin Shi,Roy A. McCann,Ying Huang,Wei Wang,Jun Kong

DOI: https://doi.org/10.3390/s24134122

IF: 3.9

2024-06-25

Sensors

Abstract:The increasing usage of interconnected devices within the Internet of Things (IoT) and Industrial IoT (IIoT) has significantly enhanced efficiency and utility in both personal and industrial settings but also heightened cybersecurity vulnerabilities, particularly through IoT malware. This paper explores the use of one-class classification, a method of unsupervised learning, which is especially suitable for unlabeled data, dynamic environments, and malware detection, which is a form of anomaly detection. We introduce the TF-IDF method for transforming nominal features into numerical formats that avoid information loss and manage dimensionality effectively, which is crucial for enhancing pattern recognition when combined with n-grams. Furthermore, we compare the performance of multi-class vs. one-class classification models, including Isolation Forest and deep autoencoder, that are trained with both benign and malicious NetFlow samples vs. trained exclusively on benign NetFlow samples. We achieve 100% recall with precision rates above 80% and 90% across various test datasets using one-class classification. These models show the adaptability of unsupervised learning, especially one-class classification, to the evolving malware threats in the IoT domain, offering insights into enhancing IoT security frameworks and suggesting directions for future research in this critical area.

engineering, electrical & electronic,instruments & instrumentation,chemistry, analytical

Tony Quertier,Benjamin Marais,Grégoire Barrué,Stéphane Morucci,Sévan Azé,Sébastien Salladin

2024-08-05

Abstract:Malware is a fast-growing threat to the modern computing world and existing lines of defense are not efficient enough to address this issue. This is mainly due to the fact that many prevention solutions rely on signature-based detection methods that can easily be circumvented by hackers. Therefore, there is a recurrent need for behavior-based analysis where a suspicious file is ran in a secured environment and its traces are collected to reports for analysis. Previous works have shown some success leveraging Neural Networks and API calls sequences extracted from these execution reports. Recently, Large Language Models and Generative AI have demonstrated impressive capabilities mainly in Natural Language Processing tasks and promising applications in the cybersecurity field for both attackers and defenders. In this paper, we design an Encoder-Only model, based on the Transformers architecture, to detect malicious files, digesting their API call sequences collected by an execution emulation solution. We are also limiting the size of the model architecture and the number of its parameters since it is often considered that Large Language Models may be overkill for specific tasks such as the one we are dealing with hereafter. In addition to achieving decent detection results, this approach has the advantage of reducing our carbon footprint by limiting training and inference times and facilitating technical operations with less hardware requirements. We also carry out some analysis of our results and highlight the limits and possible improvements when using Transformers to analyze malicious files.

Cryptography and Security,Machine Learning

Marwan Omar

DOI: https://doi.org/10.48550/arXiv.2301.12039

2023-01-28

Abstract:Due to its simple installation and connectivity, the Internet of Things (IoT) is susceptible to malware attacks. Being able to operate autonomously. As IoT devices have become more prevalent, they have become the most tempting targets for malware. Weak, guessable, or hard-coded passwords, and a lack of security measures contribute to these vulnerabilities along with insecure network connections and outdated update procedures. To understand IoT malware, current methods and analysis ,using static methods, are ineffective. The field of deep learning has made great strides in recent years due to their tremendous data mining, learning, and expression capabilities, cybersecurity has enjoyed tremendous growth in recent years. As a result, malware analysts will not have to spend as much time analyzing malware. In this paper, we propose a novel detection and analysis method that harnesses the power and simplicity of decision trees. The experiments are conducted using a real word dataset, MaleVis which is a publicly available dataset. Based on the results, we show that our proposed approach outperforms existing state-of-the-art solutions in that it achieves 97.23% precision and 95.89% recall in terms of detection and classification. A specificity of 96.58%, F1-score of 96.40%, an accuracy of 96.43.

Cryptography and Security,Machine Learning

Tun Li,Ya Luo,Xin Wan,Qian Li,Qilie Liu,Rong Wang,Chaolong Jia,Yunpeng Xiao

DOI: https://doi.org/10.1016/j.eswa.2023.123109

IF: 8.5

2024-01-16

Expert Systems with Applications

Abstract:The proliferation of malware in recent years has posed a significant threat to the security of computers and mobile devices . Detecting malware, especially on the Android platform, has become a growing concern for researchers and the software industry. This paper proposes a new method for detecting Android malware based on unbalanced heterogeneous graph embedding. First of all, most malware datasets contain an imbalance of malicious and benign samples, since some types of malware are scarce and difficult to collect. Thus, as a result of this problem, the classification algorithm is unable to analyze the minority samples through sufficient data, resulting in poor downstream classifier performance, in light of the fact that adversarial generation networks possess the characteristic of completing data, an algorithm for generating graph structure data is presented, in which nodes are generated to simulate the distribution of minority nodes within a network topology . Then, considering that heterogeneous information networks have the characteristics of retaining rich node semantic features and mining implicit relationships, heterogeneous graphs are used to construct models for different types of entities (i.e. Apps, APIs, permissions, intents, etc.) and different meta-paths. Finally, a new method is introduced to alleviate the over-smoothing phenomenon of node information in the propagation of deep network. In the deep GCN, we first sample the leader nodes of each layer node, and then add a residual connection and an identity map in order to determine the characteristics of the high-order leader. In this paper, a self-attention-based semantic fusion method is also applied to adaptively fuse embedded representations of software nodes under different meta-paths. The test results demonstrate that the proposed IHODroid model effectively detects malicious software. In the DREBIN dataset, which consists of 123,453 Android applications and 5,560 malicious samples, the IHODroid model achieves an accuracy of 0.9360 and an F1 score of 0.9360, outperforming other state-of-the-art baseline methods.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science