Qing Yang,Xiaoliang Wang,Jing Zheng,Wenqi Ge,Ming Bai,Frank Jiang

DOI: https://doi.org/10.3837/tiis.2021.06.014

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid development of mobile Internet, smart phones have been widely popularized, among which Android platform dominates. Due to it is open source, malware on the Android platform is rampant. In order to improve the efficiency of malware detection, this paper proposes deep learning Android malicious detection system based on behavior features. First of all, the detection system adopts the static analysis method to extract different types of behavior features from Android applications, and extract sensitive behavior features through Term frequency-inverse Document Frequency algorithm for each extracted behavior feature to construct detection features through unified abstract expression. Secondly, Long Short-Term Memory neural network model is established to select and learn from the extracted attributes and the learned attributes are used to detect Android malicious applications, Analysis and further optimization of the application behavior parameters, so as to build a deep learning Android malicious detection method based on feature analysis. We use different types of features to evaluate our method and compare it with various machine learning-based methods. Study shows that it outperforms most existing machine learning based approaches and detects 95.31% of the malware.

Jinran Du,Huajun Chen,Weijie Zhong,Zhen Liu,Aidong Xu

DOI: https://doi.org/10.1109/icsai.2018.8599356

2018-01-01

Abstract:With the rapid spread of wireless networks and 4G networks, the application of mobile intelligent terminals has become more and more widespread. At the same time, there are more and more malicious software for mobile terminals, especially for the Android platform. Aiming at the detection problem of Android malicious code, a dynamic and static combined Android malicious code detection model based on SVM was proposed. Firstly, the dynamic and static features of Android program are extracted. Then, these features were vectored, used for the training and testing of SVM (Support vector machine). As shown in the experiments, the correct detection rate of Android malware is as high as 94.38%, recall rate achieving 98.46%, proved the effectiveness of the method.

Ye Yao,Yian Zhu,Yao Jia,Xianchen Shi,Lixiang Zhang,Dong Zhong,Junhua Duan

DOI: https://doi.org/10.3390/math12010020

IF: 2.4

2023-12-22

Mathematics

Abstract:With the development of the Internet, the types and quantities of malware have grown rapidly, and how to identify unknown malware is becoming a new challenge. The traditional malware detection method based on fixed features is becoming more and more difficult. In order to improve detection accuracy and efficiency for mobile terminals, this paper proposed a malware detection method for mobile terminals based on application programming interface (API) call sequence, which was characterized by the API call sequence and used a series of feature preprocessing techniques to remove redundant processing of the API call sequence. Finally, the recurrent neural network method (RNN) was used to build the model and perform detection and verification. Furthermore, this paper constructed a malware detection model based on a two-way recurrent neural network and used the two-way long short-term memory network model (LSTM) to train the data set containing 5986 malware samples and 5065 benign software samples to obtain the final detection model and its parameters. Finally, the feature vector of the APK file to be detected was passed into the model and obtained the detection results. The experimental results indicated that the detection accuracy of this method can reach 93.68%.

mathematics

Aidong Xu,Lin Chen,Xiaoyun Kuang,Huahui Lv,Hang Yang,Yixin Jiang,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity-hpsc-ids49724.2020.00021

2020-01-01

Abstract:In recent years, malicious programs seriously threaten the security of information system. Because of its particularity, complexity and vulnerability, power information system is difficult to detect and kill by traditional anti-virus software. To solve the above problems, this paper proposes a malicious behavior detection method based on deep learning, which can identify malicious programs and attack types according to the activities of malicious programs and malicious software behaviors. In this paper, a hybrid deep learning structure based on convolutional neural network (CNN) and long-and-short term memory (LSTM) network is proposed. The call sequence of API is combined with other statistical features. The vector information obtained is input into LSTM unit through convolution, and the classification results are obtained through the above model. Compared with the existing methods, this method significantly improves the preparation rate and execution efficiency.

Jiayin Feng,Limin Shen,Zhen Chen,Yuying Wang,Hui Li

DOI: https://doi.org/10.1109/access.2020.3008081

IF: 3.9

2020-01-01

IEEE Access

Abstract:Because of the characteristic of openness and flexibility, Android has become the most popular mobile platform. However, it has also become the most targeted system by mobile malware. It is necessary for the users to have a fast and reliable detection method. In this paper, a two-layer method is proposed to detect malware in Android APPs. The first layer is permission, intent and component information based static malware detection model. It combines the static features with fully connected neural network to detect the malware and test its effectiveness through experiment, the detection rate of the first layer is 95.22%. Then the result (benign APPs from the first layer) is input into the second layer. In the second layer, a new method CACNN which cascades CNN and AutoEncoder, is used to detect malware through network traffic features of APPs. The detection rate of the second layer is 99.3% in binary classification (2-classifier). Moreover, the new two-layer model can also detect malware by its category (4-classifier) and malicious family (40-classifier). The detection rates are 98.2% and 71.48% respectively. The experimental results show that our two-layer method not only can achieve semi-supervise learning, but also can effectively improve the detection rate of malicious Android APPs.

Hadis Ghanei,Farnoush Manavi,Ali Hamzeh

DOI: https://doi.org/10.1007/s11416-021-00386-y

2021-05-08

Journal of Computer Virology and Hacking Techniques

Abstract:With the increasing availability of internet access, the number of malware is growing dramatically. So, defence against malware is an important issue in the security of computers and networks. Hence, malware detection systems are important. The most common method for malware detection is a signature-based technique. Nowadays, malware attempt to deceive all kinds of anti-malware, using obfuscation mechanisms and polymorphic behaviours, thus this method is not able to detect such malware and is not very effective. One way to deal with these types of malware is through dynamic malware analysis that requires executing the malware and monitoring its behaviour. In this paper, a novel dynamic malware detection method is presented which utilizes hardware events during file execution such as hardware port status, CPU internal status, main memory status, etc., as features of the classification model. Then, two Deep Neural Network (DNN) based algorithms, Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM), are used to construct the machine learning model. Finally, the voting network is used between the outputs of CNNs and the LSTM network, and the label of the suspicious sample is determined. The results show that the combination of hardware events as feature inputs, with LSTM and voting network can be effective in detecting new malware.

Xi Xiao,Shaofeng Zhang,Francesco Mercaldo,Guangwu Hu,Arun Kumar Sangaiah

DOI: https://doi.org/10.1007/s11042-017-5104-0

IF: 2.577

2017-01-01

Multimedia Tools and Applications

Abstract:As Android-based mobile devices become increasingly popular, malware detection on Android is very crucial nowadays. In this paper, a novel detection method based on deep learning is proposed to distinguish malware from trusted applications. Considering there is some semantic information in system call sequences as the natural language, we treat one system call sequence as a sentence in the language and construct a classifier based on the Long Short-Term Memory (LSTM) language model. In the classifier, at first two LSTM models are trained respectively by the system call sequences from malware and those from benign applications. Then according to these models, two similarity scores are computed. Finally, the classifier determines whether the application under analysis is malicious or trusted by the greater score. Thorough experiments show that our approach can achieve high efficiency and reach high recall of 96.6% with low false positive rate of 9.3%, which is better than the other methods.

Liming Lin,Siyang Huang,Jiayu Li,Jia Yao,Wending Chen,Ye Yao

DOI: https://doi.org/10.1109/AICIT59054.2023.10277787

2023-09-15

Abstract:In recent years, the number of new malware samples has shown a trend of rapid growth. The increasing number of malware has resulted in a huge number of signature databases that the host needs to save, which is difficult to maintain. In view of the above situation, this article builds a distributed cloud platform based on Hadoop, and uses the related technology of the cloud platform to deal with the rapid growth of the number of malware. At the same time, the use of the distributed cloud platform greatly improves the detection efficiency. In order to solve the problem of low detection accuracy of unknown software, a malware detection method based on API call sequence is proposed. First use AndroGuard to extract all the function call graphs under the package of the main class in the APK file. Then, through the analysis of the function call graph, the API call sequence of all the entry nodes is obtained; further, the sequence is sorted according to the address information of the first node of each sequence. Splice the sorted sequences in order, and the resulting sequence is the time-series-based API call sequence. After dimensionality reduction through AutoEncoder, machine learning algorithm SVM is used for malware detection. Experimental results show that the accuracy of the SVM detection model based on the API call sequence is higher than that of the SVM detection model based on other features and other machine learning detection models based on the API call sequence, and can detect Android malware more effectively.

Computer Science

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Jiayin Feng,Limin Shen,Zhen Chen,Yu Lei,Hui Li

DOI: https://doi.org/10.1016/j.aej.2024.11.068

IF: 6.626

2025-01-01

Alexandria Engineering Journal

Abstract:The malicious infestations of Android malware caused huge economic losses to users over the past few years. Machine learning-based malware detection enhances the accuracy and partially mitigates these security threats. However, when the static or dynamic features cannot effectively represent software behavior, the accuracy of the model will be reduced. For this issue, a multi-features hybrid malware detection and category classification method HGDetector is proposed, this approach provides a more comprehensive representation of software behavior. HGDetector first extracts the software static function call graph and constructs the network behavior function call graph, then applies the dynamic network traffic features of the software to build the node interaction graph and edge-node graph; Subsequently, these features were fused and converted into a vector representation employing graph embedding method; Finally, combined with the proposed HGDetector, different classifiers were used to test the accuracy of malware detection and category classification. The experimental results demonstrate that the fusion of hybrid features can enhance malware detection accuracy by approximately 4 % when network traffic features effectively capture APP's behavior. Conversely, in cases where network traffic features alone are insufficient to represent software's network behavior, the application of hybrid features can improve malware detection accuracy by 21 %-26 %.

Chan Woo Kim

DOI: https://doi.org/10.48550/arXiv.1802.05412

2018-05-20

Abstract:As computing systems become increasingly advanced and as users increasingly engage themselves in technology, security has never been a greater concern. In malware detection, static analysis, the method of analyzing potentially malicious files, has been the prominent approach. This approach, however, quickly falls short as malicious programs become more advanced and adopt the capabilities of obfuscating its binaries to execute the same malicious functions, making static analysis extremely difficult for newer variants. The approach assessed in this paper is a novel dynamic malware analysis method, which may generalize better than static analysis to newer variants. Inspired by recent successes in Natural Language Processing (NLP), widely used document classification techniques were assessed in detecting malware by doing such analysis on system calls, which contain useful information about the operation of a program as requests that the program makes of the kernel. Features considered are extracted from system call traces of benign and malicious programs, and the task to classify these traces is treated as a binary document classification task of system call traces. The system call traces were processed to remove the parameters to only leave the system call function names. The features were grouped into various n-grams and weighted with Term Frequency-Inverse Document Frequency. This paper shows that Linear Support Vector Machines (SVM) optimized by Stochastic Gradient Descent and the traditional Coordinate Descent on the Wolfe Dual form of the SVM are effective in this approach, achieving a highest of 96% accuracy with 95% recall score. Additional contributions include the identification of significant system call sequences that could be avenues for further research.

Cryptography and Security,Computation and Language

Yichi Zhang,Jianmin Pang,Rongcai Zhao,Zhichang Guo

DOI: https://doi.org/10.1109/ICICISYS.2010.5658423

2010-01-01

Abstract:With the rapidly development of virus technology, the number of malicious code has continued to increase. So it is imperative to optimize the traditional manual analysis method by automatic maliciousness decision system. Motivated by the inference technique for detecting viruses, and a recent successful classification method, we explore Radux - an automatic software maliciousness decision system. It rests on artificial neural network based on behavior hidden in malicious code. Decompile technique is applied to characterize behavioral and structural properties of binary code, which creates more abstract descriptions of malware. Experiment shows that this system can decision software maliciousness efficiently. ©2010 IEEE.

Che Jing,Zhang Ying

DOI: https://doi.org/10.3969/j.issn.1009-6833.2012.10.022

2012-01-01

Abstract:First,the conception of malicious behavior characteristics signatures from the database session behavior is defined.Then,the risk factor to describe the dangers of the malicious behavior of a short sequence is proposed.Last,the risk rand is introduced to divide the software into malicious software and normal software.And a prototype system is developed in MySQL.The experimental results show that the malicious behavior detection correct rate of about 82% with this method which has a high detection correct rate and a low false alarm rate and false negative rate.

Dongzhi Cao,Xinglan Zhang,Zhenhu Ning,Jianfeng Zhao,Fei Xue,Yongli Yang

DOI: https://doi.org/10.1145/3297156.3297246

2018-01-01

Abstract:With the rapid development of the Internet, people have variety in their life style. While the Internet is developing rapidly, some malware has also been generated, and the number of malicious codes grows exponentially, which seriously affects the security of the Internet. In the prevention of malicious code, the accurate classification of malicious code is the most critical components. At present, researchers mainly focus on static detection and dynamic detection to study malicious code variant detection schemes. In the study of malicious code classification, this paper first analyzes the limitations of static detection and dynamic detection, then employs convolution neural networks to classify and identify malicious code, and finally implements an efficient malicious code detection system based on convolutional neural networks. Our malware detection model realizes the idea of automatic detection of malicious code variants. Experimental results demonstrated that the proposed malicious code detection system is efficient.

Mathew Ashik,A. Jyothish,S. Anandaram,P. Vinod,Francesco Mercaldo,Fabio Martinelli,Antonella Santone

DOI: https://doi.org/10.3390/electronics10141694

IF: 2.9

2021-07-15

Electronics

Abstract:Malware is one of the most significant threats in today’s computing world since the number of websites distributing malware is increasing at a rapid rate. Malware analysis and prevention methods are increasingly becoming necessary for computer systems connected to the Internet. This software exploits the system’s vulnerabilities to steal valuable information without the user’s knowledge, and stealthily send it to remote servers controlled by attackers. Traditionally, anti-malware products use signatures for detecting known malware. However, the signature-based method does not scale in detecting obfuscated and packed malware. Considering that the cause of a problem is often best understood by studying the structural aspects of a program like the mnemonics, instruction opcode, API Call, etc. In this paper, we investigate the relevance of the features of unpacked malicious and benign executables like mnemonics, instruction opcodes, and API to identify a feature that classifies the executable. Prominent features are extracted using Minimum Redundancy and Maximum Relevance (mRMR) and Analysis of Variance (ANOVA). Experiments were conducted on four datasets using machine learning and deep learning approaches such as Support Vector Machine (SVM), Naïve Bayes, J48, Random Forest (RF), and XGBoost. In addition, we also evaluate the performance of the collection of deep neural networks like Deep Dense network, One-Dimensional Convolutional Neural Network (1D-CNN), and CNN-LSTM in classifying unknown samples, and we observed promising results using APIs and system calls. On combining APIs/system calls with static features, a marginal performance improvement was attained comparing models trained only on dynamic features. Moreover, to improve accuracy, we implemented our solution using distinct deep learning methods and demonstrated a fine-tuned deep neural network that resulted in an F1-score of 99.1% and 98.48% on Dataset-2 and Dataset-3, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xi Xiao,Zhenlong Wang,Qing Li,Shutao Xia,Yong Jiang

DOI: https://doi.org/10.1049/iet-ifs.2015.0211

2016-01-01

IET Information Security

Abstract:Android has become the most prevalent mobile system, but in the meanwhile malware on this platform is widespread. System call sequences are studied to detect malware. However, malware detection with these approaches relies on common system-call-subsequences. It is not so efficient because it is difficult to decide the appropriate length of the common subsequences. To address this issue, the authors propose a new approach, back-propagation neural network on Markov chains from system call sequences (BMSCS). It treats one system call sequence as a homogeneous stationary Markov chain and applies back-propagation neural network (BPNN) to detect malware by comparing transition probabilities in the chain. Since transition probabilities from one system call to another in malware are significantly different from those in benign applications, BMSCS can efficiently detect malware by capturing the anomaly in state transitions with the help of BPNN. The authors evaluate the performance of BMSCS by experiments with real application samples. The experiment results show that the F-score of BMSCS achieves up to 0.982773, which is higher than the other methods in the literature.

Lin Liu,Wang Ren,Feng Xie,Shengwei Yi,Junkai Yi,Peng Jia

DOI: https://doi.org/10.1155/2021/9964224

IF: 1.968

2021-08-19

Security and Communication Networks

Abstract:The malicious APK (Android Application Package) makers use some techniques such as code obfuscation and code encryption to avoid existing detection methods, which poses new challenges for accurate virus detection and makes it more and more difficult to detect the malicious code. A report indicates that a new malicious app for Android is created every 10 seconds. To combat this serious malware activity, a scalable malware detection approach is needed, which can effectively and efficiently identify the malware apps. Common static detection methods often rely on Hash matching and analysis of viruses, which cannot quickly detect new malicious Android applications and their variants. In this paper, a malicious Android application detection method is proposed, which is implemented by the deep network fusion model. The hybrid model only needs to use the sample training model to achieve high accuracy in the identification of the malicious applications, which is more suitable for the detection of the new malicious Android applications than the existing methods. This method extracts the static features in the core code of the Android application by decompiling APK files, then performs code vectorization processing, and uses the deep learning network for classification and discrimination. Our experiments with a data set containing 10,170 apps show that the decisions from the hybrid model can increase the malware detection rate significantly on a real device, which verifies the superiority of this method in the detection of malicious codes.

computer science, information systems,telecommunications

Zhang Xiaojun,Li Yingcai,Zhang Fuqiang,Zhang Qian,Han Li

DOI: https://doi.org/10.1145/3469213.3471388

2021-05-28

Abstract:With the continuous development of network technology, global informatization has become a reality. While the openness and interconnection of IP network protocols bring convenience to data communication, it also provides space for network intruders to enter the void. In particular, the terminal system design is fragile, the software running on the terminal is becoming more and more complicated, and its various components are interdependent, and vulnerabilities are prone to occur in the process of development and maintenance. 0day vulnerabilities emerge endlessly, and static protection methods have exposed deficiencies.

Xi Xiao,Xianni Xiao,Yong Jiang,Xuejiao Liu,Runguo Ye

DOI: https://doi.org/10.1002/ett.3016

IF: 3.6

2016-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:With the popularity of Android devices, mobile malware in Android has became more prevalent. Malware causes lots of harm to users, such as stealing personal information and using too much battery or CPU. Detecting mobile malware is the main task in Android security. In this work, we use a dynamic analysis method to distinguish malware with system call sequences. At first, we track the system calls of applications under different events. Then two different feature models, the frequency vector and the co‐occurrence matrix, are employed to extract features from the system call sequence. Finally, we apply Adaptive Regularization Of Weight Vectors and other machine learning algorithms to identify Android malware based on the aforementioned two models, respectively. We evaluate our method with 1189 benign applications and 1227 malicious applications. The experiment results show that the co‐occurrence matrix can achieve a much better detection rate than the frequency vector. Our best detection rate is 97.7per cent with false positive rate being 1.34per cent, which is better than those of the existing methods. Copyright © 2016 John Wiley & Sons, Ltd.

Sifan Wu,Xi Xiao

2019-01-01

Abstract:The explosive amount of Android malware have threatened the security of legitimate users. In Recent years, with the development of the neural network, more and more research is focusing on detecting malware based on the neural network. Where, most of these techniques are depending on the complex feature engineering process and have a resource and time expensive classification neural network. In this paper, we propose a novel lightweight convolution neural network model, ConvDroid, with the system call sequences as features. Different from the existing n-gram models utilizing system call sequences, we construct a two-layer convolution neural network to learn the global information of sequences instead of limited windows. Furthermore, we assess ConvDroid for accuracy, efficiency using a dataset consisting of 3567 malicious applications and 3536 benign ones. Our experiments show that ConvDroid achieves an accuracy of more than 98% with a low time cost. We further demonstrate ConvDroid’s superiority against state-of-the-art approaches.