Lei Xue,Yajin Zhou,Ting Chen,Xiapu Luo,Guofei Gu

2017-01-01

Abstract:It's an essential step to understand malware's behaviors for developing effective solutions. Though a number of systems have been proposed to analyze Android malware, they have been limited by incomplete view of inspection on a single layer. What's worse, various new techniques (e.g., packing, anti-emulator, etc.) employed by the latest malware samples further make these systems ineffective. In this paper, we propose Malton, a novel on-device non-invasive analysis platform for the new Android runtime (i.e., the ART runtime). As a dynamic analysis tool, Malton runs on real mobile devices and provides a comprehensive view of malware's behaviors by conducting multi-layer monitoring and information flow tracking, as well as efficient path exploration. We have carefully evaluated Malton using real-world malware samples. The experimental results showed that Malton is more effective than existing tools, with the capability to analyze sophisticated malware samples and provide a comprehensive view of malicious behaviors of these samples

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Zhuoqun Fu,Mingxuan Liu,Yue Qin,Jia Zhang,Yuan Zou,Qilei Yin,Qi Li,Haixin Duan

DOI: https://doi.org/10.1145/3545948.3545983

2022-01-01

Abstract:Malicious activities on the Internet continue to grow in volume and damage, posing a serious risk to society. Malware with remote control capabilities is considered one of the most threatening malicious activities, as it can enable arbitrary types of cyber-attacks. As a countermeasure, many malware detection methods are proposed to identify malicious behaviours based on traffic characteristics. However, the emerging encryption and evasion techniques pose substantial barriers to the full exploitation of network information. This significantly impairs the effectiveness of existing malware detection methods relying on a singular type of characteristics. In this paper, we propose ST-Graph to resolve this issue. In addition to traditional stream attributes, ST-Graph explores spatial and temporal characteristics of network behaviours based on a graph representation learning algorithm and integrates all available information to boost the detection decision. To illustrate the effectiveness of ST-Graph, we evaluate it on two datasets. Experimental results demonstrate that ST-Graph outperforms state-of-the-art malware detection systems and also shows good performance in efficiency, generalizability, and robustness. Specifically, it achieves over 99% precision and recall, and its False Positive Rate is even two orders of magnitude lower than (nearly 0.02 times) that of baseline models. Meanwhile, the deployment of ST-Graph in two real network scenarios for around one year shows an outstanding efficiency with only 160 seconds time cost for 5-minute traffic in 1.7 Gbps bandwidth.

Yuxin Ding,Xiaoling Xia,Sheng Chen,Ye Li

DOI: https://doi.org/10.1016/j.cose.2017.10.007

IF: 5.105

2018-01-01

Computers & Security

Abstract:Graph-based malware detection methods must build a behavior graph for each known malware, and they are difficult to apply in practice. To solve this issue, we study how to build a common behavior graph for each malware family. We represent malware behaviors as dependency graphs. To find the dependency relations between system calls, we use a dynamic taint analysis technique to mark the system call parameters with taint tags, and we then build the system call dependency graph by tracing the propagation of the taint data. Based on the dependency graphs of malware samples, we propose an algorithm to extract the common behavior graph, which is used to represent the behavioral features of a malware family. Finally, a graph matching algorithm that is based on the maximum weight subgraph is used to detect malicious code. The experimental results show that the proposed method has a high detection rate and a low false positive rate and can detect malware variants.

Ruihai Ge,Yongzheng Zhang,Shuhao Li,Guoqiao Zhou,Guangze Zhao

DOI: https://doi.org/10.1145/3586102.3586106

2022-01-01

Abstract:The rapid growth of mobile malicious applications (apps) poses a serious threat to cyber security. The vast majority of malicious apps steal user data and launch remote attacks via network communications. Existing traffic-based malware detection methods exhibit unsatisfying resource consumption and user privacy leakage in the malware detection process. In this paper, we propose ZeroTraffic, a lightweight but effective detection approach by taking full advantage of zero-payload packets in the TCP protocol. The key insight of our research is that zero-payload packets can be used to reconstruct the behavior patterns of malicious traffic, which differs significantly from benign traffic in terms of communication periodicity and asymmetry of upstream and downstream data. Hence, we can leverage the statistical characteristics based on zero-payload packets to detect mobile malware. In ZeroTraffic, we first summarize and extract the source-oriented and destination-oriented statistical features to enhance the feature expression ability for lightweight data, and then train supervised learning algorithms to build a detector. Note that our model does not involve any user privacy information during its training and detection process. To evaluate the performance of the proposed model, we conduct experiments on a publicly available Andrubis dataset. Experimental results reveal that our method achieves 94.60% accuracy. Besides, our method is superior to a state-of-the-art method in terms of accuracy, precision, recall, and F1-score.

Rui Zhu,Chenglin Li,Di Niu,Hongwen Zhang,Husam Kinawi

DOI: https://doi.org/10.48550/arXiv.1806.04847

2018-12-11

Abstract:With the growth of mobile devices and applications, the number of malicious software, or malware, is rapidly increasing in recent years, which calls for the development of advanced and effective malware detection approaches. Traditional methods such as signature-based ones cannot defend users from an increasing number of new types of malware or rapid malware behavior changes. In this paper, we propose a new Android malware detection approach based on deep learning and static analysis. Instead of using Application Programming Interfaces (APIs) only, we further analyze the source code of Android applications and create their higher-level graphical semantics, which makes it harder for attackers to evade detection. In particular, we use a call graph from method invocations in an Android application to represent the application, and further analyze method attributes to form a structured Program Representation Graph (PRG) with node attributes. Then, we use a graph convolutional network (GCN) to yield a graph representation of the application by embedding the entire graph into a dense vector, and classify whether it is a malware or not. To efficiently train such a graph convolutional network, we propose a batch training scheme that allows multiple heterogeneous graphs to be input as a batch. To the best of our knowledge, this is the first work to use graph representation learning for malware detection. We conduct extensive experiments from real-world sample collections and demonstrate that our developed system outperforms multiple other existing malware detection techniques.

Cryptography and Security

Yao Du,Junfeng Wang,Qi Li

DOI: https://doi.org/10.1109/access.2017.2720160

IF: 3.9

2017-01-01

IEEE Access

Abstract:With the development of code obfuscation and application repackaging technologies, an increasing number of structural information-based methods have been proposed for malware detection. Although, many offer improved detection accuracy via a similarity comparison of specific graphs, they still face limitations in terms of computation time and the need for manual operation. In this paper, we present a new malware detection method that automatically divides a function call graph into community structures. The features of these community structures can then be used to detect malware. Our method reduces the computation time by improving the Girvan–Newman algorithm and using machine learning classification instead of a similarity comparison of subgraphs. To evaluate our method, 5040 malware samples and 8750 benign samples were collected as an experimental data set. The evaluation results show that the detection accuracy of our method is higher than that of three well-known anti-virus software and two previous control flow graph-based methods for many malware families. The runtime performance of our method exhibits a clear improvement over the GN algorithm for community structure generation.

Zongqu Zhao,Junfeng Wang,Chonggang Wang

DOI: https://doi.org/10.1002/sec.524

IF: 1.968

2012-02-28

Security and Communication Networks

Abstract:The traditional malware detection schemes based on specific signature give an unsatisfactory performance as disposing the previously unknown malware, so the general features of binary files should be explored to solve this problem. Recently, classification algorithms were employed successfully to choose the features in unknown malicious code, and most of the works use byte or operation code sequence n‐gram representation of the executables. However, these n‐gram representations are heavily dependent on the training data. In this paper, we present a graph‐based method to detect unknown malware. The function call graph of an executable, which includes the functions and the call relations between them, is selected as the representation of the executable in this method. The features are defined according to both the statistical information and the topology of the function call graph. They are extracted and processed through machine learning to classify unknown Portable Executable files. For the sake of fixed sum of the features, the graph‐based method can avoid so many features found in other methods. In our experiments, three types of malware datasets were tested, and as high as 96.8% accuracy can be achieved. Furthermore, it can achieve 92.1% accuracy when only 5% of the dataset is served as training set. Copyright © 2012 John Wiley & Sons, Ltd. To detect the unknown malware, the features of graph‐based method are predefined from function call graph of software, and then the rules are built with these features to classify an executable as the benign or the malware. The quantity and the contents of these features are independent of testing dataset, and this peculiarity enables our experiment results to nearly reflect the situation of unknown malware detection. The design can provide a high malware detection accuracy by using a small set of training set.

computer science, information systems,telecommunications

Lina Shen,Mengqi Fang,Jian Xu

DOI: https://doi.org/10.1016/j.cose.2024.103846

IF: 5.105

2024-04-16

Computers & Security

Abstract:As the most popular mobile platform, Android has become the major attack target of malware, and thus there is an urgent need to effectively thwart them. Recently, the graph-based technique has been a promising solution for malware detection, which highly depends on graph structures to capture behaviors separating the malware from the benign apps. However, existing graph-based malware detection approaches still suffer from high computation cost in constructing or updating a graph for APK under detection, high false negative and false positive. To cope with these issues, we propose a novel global heterogeneous graph-based Android malware detection approach, named GHGDroid. A global heterogeneous graph (GHG) with a good updatability is first built on large-scale Android applications to characterize complex relationships among APKs and sensitive APIs. And then, using the GHG, a multi-layer graph convolutional network based embedding method is proposed to learn APK embeddings for well capturing behaviors that can separate malware from benign. Finally, using APK embeddings as well their labels, a malware classifier is trained. Experiments on real-world Android applications show that GHGDroid achieves 99.17 % F1-score, which outperforms the state-of-the-art approaches. Moreover, GHGDroid spends about 8 s on detecting an APK, which shows that it has a good potential as a practical tool for the Android malware detection task.

computer science, information systems

Shen Wang,Zhengzhang Chen,Xiao Yu,Ding Li,Jingchao Ni,Lu-An Tang,Jiaping Gui,Zhichun Li,Haifeng Chen,Philip S. Yu

DOI: https://doi.org/10.24963/ijcai.2019/522

2019-08-01

Abstract:Information systems have widely been the target of malware attacks. Traditional signature-based malicious program detection algorithms can only detect known malware and are prone to evasion techniques such as binary obfuscation, while behavior-based approaches highly rely on the malware training samples and incur prohibitively high training cost. To address the limitations of existing techniques, we propose MatchGNet, a heterogeneous Graph Matching Network model to learn the graph representation and similarity metric simultaneously based on the invariant graph modeling of the program's execution behaviors. We conduct a systematic evaluation of our model and show that it is accurate in detecting malicious program behavior and can help detect malware attacks with less false positives. MatchGNet outperforms the state-of-the-art algorithms in malware detection by generating 50% less false positives while keeping zero false negatives.

Jiayin Feng,Limin Shen,Zhen Chen,Yu Lei,Hui Li

DOI: https://doi.org/10.1016/j.aej.2024.11.068

IF: 6.626

2025-01-01

Alexandria Engineering Journal

Abstract:The malicious infestations of Android malware caused huge economic losses to users over the past few years. Machine learning-based malware detection enhances the accuracy and partially mitigates these security threats. However, when the static or dynamic features cannot effectively represent software behavior, the accuracy of the model will be reduced. For this issue, a multi-features hybrid malware detection and category classification method HGDetector is proposed, this approach provides a more comprehensive representation of software behavior. HGDetector first extracts the software static function call graph and constructs the network behavior function call graph, then applies the dynamic network traffic features of the software to build the node interaction graph and edge-node graph; Subsequently, these features were fused and converted into a vector representation employing graph embedding method; Finally, combined with the proposed HGDetector, different classifiers were used to test the accuracy of malware detection and category classification. The experimental results demonstrate that the fusion of hybrid features can enhance malware detection accuracy by approximately 4 % when network traffic features effectively capture APP's behavior. Conversely, in cases where network traffic features alone are insufficient to represent software's network behavior, the application of hybrid features can improve malware detection accuracy by 21 %-26 %.

Li Shanxi,Zhou Qingguo,Zhou Rui,Lv Qingquan

DOI: https://doi.org/10.1007/s11227-021-04020-y

IF: 3.3

2021-01-01

The Journal of Supercomputing

Abstract:Malware has seriously threatened the safety of computer systems for a long time. Due to the rapid development of anti-detection technology, traditional detection methods based on static analysis and dynamic analysis have limited effects. With its better predictive performance, AI-based malware detection has been increasingly used to deal with malware in recent years. However, due to the diversity of malware, it is difficult to extract feature from malware, which make malware detection not conductive to the application of AI technology. To solve the problem, a malware classifier based on graph convolutional network is designed to adapt to the difference of malware characteristics. The specific method is to firstly extract the API call sequence from the malware code and generate a directed cycle graph, then use the Markov chain and principal component analysis method to extract the feature map of the graph, and design a classifier based on graph convolutional network, and finally analyze and compare the performance of the method. The results show that the method has better performance in most detection, and the highest accuracy is 98.32 % , compared with existing methods, our model is superior to other methods in terms of FPR and accuracy. It is also stable to deal with the development and growth of malware.

Huiwen Bai,Guangjie Liu,Weiwei Liu,Yingxue Quan,Shuhua Huang

DOI: https://doi.org/10.1155/2021/5599556

IF: 1.968

2021-04-23

Security and Communication Networks

Abstract:Mobile malware poses a great challenge to mobile devices and mobile communication. With the explosive growth of mobile networks, it is significant to detect mobile malware for mobile security. Since most mobile malware relies on the networks to coordinate operations, steal information, or launch attacks, evading network monitor is difficult for the mobile malware. In this paper, we present an N-gram, semantic-based neural modeling method to detect the network traffic generated by the mobile malware. In the proposed scheme, we segment the network traffic into flows and extract the application layer payload from each packet. Then, the generated flow payload data are converted into the text form as the input of the proposed model. Each flow text consists of several domains with 20 words. The proposed scheme models the domain representation using convolutional neural network with multiwidth kernels from each domain. Afterward, relationships of domains are adaptively encoded in flow representation using gated recurrent network and then the classification result is obtained from an attention layer. A series of experiments have been conducted to verify the effectiveness of our proposed scheme. In addition, to compare with the state-of-the-art methods, several comparative experiments also are conducted. The experiment results depict that our proposed scheme is better in terms of accuracy.

computer science, information systems,telecommunications

Chunyan Zhang,Qinglei Zhou,Yizhao Huang,Ke Tang,Hairen Gui,Fudong Liu

DOI: https://doi.org/10.1155/2022/7245403

2022-05-13

Wireless Communications and Mobile Computing

Abstract:Automatic malware detection was aimed at determining whether the application is malicious or not with automated systems. Android malware attacks have gained tremendous pace owing to the widespread use of mobile devices. Although significant progress has been made in antimalware techniques, these methods mainly rely on the program features, ignoring the importance of source code analysis. Furthermore, the dynamic analysis is low code coverage and poor efficiency. Hence, we propose an automatic Android malware detection approach, named HyGNN-Mal. It analyzes the Android applications at source code level by exploiting the sequence and structure information. Meanwhile, we combine the typical static features, permissions, and APIs. In HyGNN-Mal, we utilize a deep traversal tree neural network (Deep-TNN) to process the code structure information. Particularly, we add position information to code sequence information before putting in self-attention mechanism. The evaluations conducted on multiple public datasets indicate that our method can accurately identify and classify the malicious software, and their best accuracy is 99.62% and 99.2%, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Qiyuan Li,Bo Zhang,Donghai Tian,Xiaoqi Jia,Changzhen Hu

DOI: https://doi.org/10.1016/j.eswa.2024.124776

IF: 8.5

2024-01-01

Expert Systems with Applications

Abstract:Malware detection is of great importance to computer security. Although the malware detection approaches have made great progress in recent years, these methods are still limited in regard to identifying the advanced malware that conceals their malicious activities. To address this problem, we present a novel malware detection solution, MDGraph, which is based on the memory dump and graph neural network. MDGraph first dynamically grabs a memory dump file for a target process. Then, it applies the recursive disassembling technique to extract the program functions composed of assembly instruction sequences and the invocation relationship between functions from the memory dump. Next, the program functions are vectorized using the doc2vec model. Based on the vectorized functions and their connections, MDGraph leverages a graph neural network model for malware detection. The evaluation shows our method can identify unpacked and packed malware effectively, and it is superior to the recent malware detection methods based on the memory dump.

Ruihai Ge,Yongzheng Zhang,Shuhao Li,GuoQiao Zhou

DOI: https://doi.org/10.1109/ijcnn55064.2022.9892476

2022-01-01

Abstract:The desperate increase of mobile malware has constituted a severe threat to user privacy, economic life, and cyberspace security. Existing anti-malware solutions have notice-able weaknesses due to the adoption of content analysisbased approaches. The main limitation of these approaches is that they rely on careful expert engineering and professional handcrafted input features. Some researchers have tried to solve this limitation by using deep learning models to automatically learn feature representations from raw traffic. In this paper, we explore a deep learning detection framework based on self-attention to discriminate between malicious and benign network traffic. As a major advantage with respect to the state-of-the-art methods, we point out that the attention mechanism can better learn the underlying features of malicious traffic in terms of flows and bytes. We design a dual-branch deep learning method that consists of a flow importance-discrimination branch and a byte importance-discrimination branch. The flow importance-discrimination branch calculates the attentions between flows to obtain the feature contributions of different flows, and the byte importance-discrimination branch builds the feature contributions of diverse bytes by considering the connections among all bytes of network payload. Both flow features and byte features are combined to enhance the representation ability of network traffic behaviors generated by mobile applications (apps). We evaluate proposed method using a publicly available dataset including 55,992 malicious traffic traces and 47,779 benign traffic traces. The experimental results demonstrate that our method is able to identify malicious apps with high accuracy, outperforming the baseline methods and the popular deep-learning models.

Huiling Shi,Wei Zhang,Lei Zhang,Kuichao Zhang,Hongyang Sun

DOI: https://doi.org/10.1109/NaNA60121.2023.00051

2023-08-01

Abstract:Detecting malicious attacks in normal network traffic is critical to network security. Traditional traffic identification methods often struggle to capture the complex communication patterns in network traffic, hindering their effectiveness. We introduce GraphMal, a framework utilizing Graph Neural Networks (GNNs) for the identification of malicious traffic. This approach effectively exploits network topology and traffic characteristics to improve performance. We first apply Pearson's correlation coefficient and random forest approaches to effectively reduce the dimensionality of the dataset. Then, the E-GraphSAGE algorithm is used to extract salient features from the traffic topology graph and construct a robust graph classifier. Additionally, the focal loss function is used to solve the data imbalance problem. Experiments conducted on the UNSW-NB15 dataset demonstrate GraphMal's remarkable performance in both binary and multi-class classification tasks, while improving the learning efficiency of GNNs.

Computer Science

Meihua Fan,Shudong Li,Weihong Han,Xiaobo Wu,Zhaoquan Gu,Zhihong Tian

DOI: https://doi.org/10.1145/3444370.3444545

2020-01-01

Abstract:Malware has always been one of the major threats to cyberspace security. Also, it has long been concerned by researchers of antivirus technology. However, malware gradually tends to be diversified and updated quickly, it is a big challenge to security personnel both in terms of number and attack means. In this paper, we propose a malware detection framework based on fine-grained malware behavior graph, which applies graph neural network to malware detection tasks. We design a fine-grained malicious behavior graph to represent the association of malware and its behavior associated entities. Then, aiming at learning the semantic information carried in the malicious behavior graph, we propose a weighted heterogeneous graph neural network named MalSage. We conducted a model evaluation of the proposed method on a malware dataset from VirusTotal. The results show that the proposed framework is more accurate than other algorithms in malware classification task.

Long Chen,Chunhe Xia,Shengwei Lei,Tianbo Wang

DOI: https://doi.org/10.1109/access.2021.3049819

IF: 3.9

2021-01-01

IEEE Access

Abstract:In recent years, the application of smartphones, Android operating systems and mobile applications have become more prevalent worldwide. To study the traceability, propagation, and detection of the threats, we perform research on all aspects of the end-to-end environment. With machine learning based on the mobile malware detection algorithms that integrate the dynamic and static research of the identification algorithm, application software samples are collected to study sentences. Through knowledge labeling and knowledge construction, the association relationship of knowledge is extracted to realize the research of knowledge map construction. Flooding is closely correlated with the complexity of the Android mobile version of the kernel and malicious programs. A static dynamic analysis of the mobile malicious program is carried out, and the social network social diagram is constructed to model the propagation of the mobile malicious program. We extended the approach of deriving common malware behavior through graph clustering. On this basis, Android behavior analysis is performed through our virtual machine execution engine. We extend the family characteristics to the concept of DNA race genes. By studying SMS/MMS, Bluetooth, 5G base station networks, metropolitan area networks, social networks, homogeneous communities, telecommunication networks, and application market ecosystem propagation scenarios, we discovered the law of propagation. In addition, we studied the construction of the mobile Internet big data knowledge graph. Quantitative data for the main family chronology of mobile malware are obtained. We conducted detailed research and comprehensive analysis of Android application package (APK) details and behavior, relationship, resource-centric, and syntactic aspects. Furthermore, we summarized the architecture of mobile malware security analysis. We also discuss encryption of malware traffic discrimination. These precise modeling and quantified research re-ults constitute the architecture of mobile malware analysis.

computer science, information systems,telecommunications,engineering, electrical & electronic

Rui Wang,Jun Zheng,Zhiwei Shi,Yu'an Tan

DOI: https://doi.org/10.1109/icbctis55569.2022.00018

2022-01-01

Abstract:Nowadays, the popularity of intelligent terminals makes malwares more and more serious. Among the many features of application, the call graph can accurately express the behavior of the application. The rapid development of graph neural network in recent years provides a new solution for the malicious analysis of application using call graphs as features. However, there are still problems such as low accuracy. This paper established a large-scale data set containing more than 40,000 samples and selected the class call graph, which was extracted from the application, as the feature and used the graph embedding combined with the deep neural network to detect the malware. The experimental results show that the accuracy of the detection model proposed in this paper is 97.7%; the precision is 96.6%; the recall is 96.8%; the F1-score is 96.4%, which is better than the existing detection model based on Markov chain and graph embedding detection model.