Tun Li,Ya Luo,Xin Wan,Qian Li,Qilie Liu,Rong Wang,Chaolong Jia,Yunpeng Xiao

DOI: https://doi.org/10.1016/j.eswa.2023.123109

IF: 8.5

2024-01-16

Expert Systems with Applications

Abstract:The proliferation of malware in recent years has posed a significant threat to the security of computers and mobile devices . Detecting malware, especially on the Android platform, has become a growing concern for researchers and the software industry. This paper proposes a new method for detecting Android malware based on unbalanced heterogeneous graph embedding. First of all, most malware datasets contain an imbalance of malicious and benign samples, since some types of malware are scarce and difficult to collect. Thus, as a result of this problem, the classification algorithm is unable to analyze the minority samples through sufficient data, resulting in poor downstream classifier performance, in light of the fact that adversarial generation networks possess the characteristic of completing data, an algorithm for generating graph structure data is presented, in which nodes are generated to simulate the distribution of minority nodes within a network topology . Then, considering that heterogeneous information networks have the characteristics of retaining rich node semantic features and mining implicit relationships, heterogeneous graphs are used to construct models for different types of entities (i.e. Apps, APIs, permissions, intents, etc.) and different meta-paths. Finally, a new method is introduced to alleviate the over-smoothing phenomenon of node information in the propagation of deep network. In the deep GCN, we first sample the leader nodes of each layer node, and then add a residual connection and an identity map in order to determine the characteristics of the high-order leader. In this paper, a self-attention-based semantic fusion method is also applied to adaptively fuse embedded representations of software nodes under different meta-paths. The test results demonstrate that the proposed IHODroid model effectively detects malicious software. In the DREBIN dataset, which consists of 123,453 Android applications and 5,560 malicious samples, the IHODroid model achieves an accuracy of 0.9360 and an F1 score of 0.9360, outperforming other state-of-the-art baseline methods.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Lina Shen,Mengqi Fang,Jian Xu

DOI: https://doi.org/10.1016/j.cose.2024.103846

IF: 5.105

2024-04-16

Computers & Security

Abstract:As the most popular mobile platform, Android has become the major attack target of malware, and thus there is an urgent need to effectively thwart them. Recently, the graph-based technique has been a promising solution for malware detection, which highly depends on graph structures to capture behaviors separating the malware from the benign apps. However, existing graph-based malware detection approaches still suffer from high computation cost in constructing or updating a graph for APK under detection, high false negative and false positive. To cope with these issues, we propose a novel global heterogeneous graph-based Android malware detection approach, named GHGDroid. A global heterogeneous graph (GHG) with a good updatability is first built on large-scale Android applications to characterize complex relationships among APKs and sensitive APIs. And then, using the GHG, a multi-layer graph convolutional network based embedding method is proposed to learn APK embeddings for well capturing behaviors that can separate malware from benign. Finally, using APK embeddings as well their labels, a malware classifier is trained. Experiments on real-world Android applications show that GHGDroid achieves 99.17 % F1-score, which outperforms the state-of-the-art approaches. Moreover, GHGDroid spends about 8 s on detecting an APK, which shows that it has a good potential as a practical tool for the Android malware detection task.

computer science, information systems

Ziqi Liu,Chaochao Chen,Xinxing Yang,Jun Zhou,Xiaolong Li,Le Song

DOI: https://doi.org/10.1145/3269206.3272010

2018-01-01

Abstract:We present, GEM, the first heterogeneous graph neural network approach for detecting malicious accounts at Alipay, one of the world's leading mobile cashless payment platform. Our approach, inspired from a connected subgraph approach, adaptively learns discriminative embeddings from heterogeneous account-device graphs based on two fundamental weaknesses of attackers, i.e. device aggregation and activity aggregation. For the heterogeneous graph consists of various types of nodes, we propose an attention mechanism to learn the importance of different types of nodes, while using the sum operator for modeling the aggregation patterns of nodes in each type. Experiments show that our approaches consistently perform promising results compared with competitive methods over time.

Jiayin Feng,Limin Shen,Zhen Chen,Yu Lei,Hui Li

DOI: https://doi.org/10.1016/j.aej.2024.11.068

IF: 6.626

2025-01-01

Alexandria Engineering Journal

Abstract:The malicious infestations of Android malware caused huge economic losses to users over the past few years. Machine learning-based malware detection enhances the accuracy and partially mitigates these security threats. However, when the static or dynamic features cannot effectively represent software behavior, the accuracy of the model will be reduced. For this issue, a multi-features hybrid malware detection and category classification method HGDetector is proposed, this approach provides a more comprehensive representation of software behavior. HGDetector first extracts the software static function call graph and constructs the network behavior function call graph, then applies the dynamic network traffic features of the software to build the node interaction graph and edge-node graph; Subsequently, these features were fused and converted into a vector representation employing graph embedding method; Finally, combined with the proposed HGDetector, different classifiers were used to test the accuracy of malware detection and category classification. The experimental results demonstrate that the fusion of hybrid features can enhance malware detection accuracy by approximately 4 % when network traffic features effectively capture APP's behavior. Conversely, in cases where network traffic features alone are insufficient to represent software's network behavior, the application of hybrid features can improve malware detection accuracy by 21 %-26 %.

Rui Zhu,Chenglin Li,Di Niu,Hongwen Zhang,Husam Kinawi

DOI: https://doi.org/10.48550/arXiv.1806.04847

2018-12-11

Abstract:With the growth of mobile devices and applications, the number of malicious software, or malware, is rapidly increasing in recent years, which calls for the development of advanced and effective malware detection approaches. Traditional methods such as signature-based ones cannot defend users from an increasing number of new types of malware or rapid malware behavior changes. In this paper, we propose a new Android malware detection approach based on deep learning and static analysis. Instead of using Application Programming Interfaces (APIs) only, we further analyze the source code of Android applications and create their higher-level graphical semantics, which makes it harder for attackers to evade detection. In particular, we use a call graph from method invocations in an Android application to represent the application, and further analyze method attributes to form a structured Program Representation Graph (PRG) with node attributes. Then, we use a graph convolutional network (GCN) to yield a graph representation of the application by embedding the entire graph into a dense vector, and classify whether it is a malware or not. To efficiently train such a graph convolutional network, we propose a batch training scheme that allows multiple heterogeneous graphs to be input as a batch. To the best of our knowledge, this is the first work to use graph representation learning for malware detection. We conduct extensive experiments from real-world sample collections and demonstrate that our developed system outperforms multiple other existing malware detection techniques.

Cryptography and Security

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Chunyan Zhang,Qinglei Zhou,Yizhao Huang,Ke Tang,Hairen Gui,Fudong Liu

DOI: https://doi.org/10.1155/2022/7245403

2022-05-13

Wireless Communications and Mobile Computing

Abstract:Automatic malware detection was aimed at determining whether the application is malicious or not with automated systems. Android malware attacks have gained tremendous pace owing to the widespread use of mobile devices. Although significant progress has been made in antimalware techniques, these methods mainly rely on the program features, ignoring the importance of source code analysis. Furthermore, the dynamic analysis is low code coverage and poor efficiency. Hence, we propose an automatic Android malware detection approach, named HyGNN-Mal. It analyzes the Android applications at source code level by exploiting the sequence and structure information. Meanwhile, we combine the typical static features, permissions, and APIs. In HyGNN-Mal, we utilize a deep traversal tree neural network (Deep-TNN) to process the code structure information. Particularly, we add position information to code sequence information before putting in self-attention mechanism. The evaluations conducted on multiple public datasets indicate that our method can accurately identify and classify the malicious software, and their best accuracy is 99.62% and 99.2%, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ziwei Ma,Nurbor Luktarhan

DOI: https://doi.org/10.1371/journal.pone.0300975

IF: 3.7

2024-03-28

PLoS ONE

Abstract:Android malware is becoming more common, and its invasion of smart devices has brought immeasurable losses to people’s lives. Most existing Android malware detection methods extract Android features from the original application files without considering the high-order hidden information behind them, but these hidden information can reflect malicious behaviors. To solve this problem, this paper proposes Z2F, a detection framework based on multidimensional Android feature extraction and graph neural networks for Android applications. Z2F first extracts seven types of Android features from the original Android application and then embeds them into a heterogeneous graph. On this basis, we design 12 kinds of meta-structures to analyze different semantic spaces of heterogeneous graphs, mine high-order hidden semantic information, and adopt a multi-layer graph attention mechanism to iteratively embed and update information. In this paper, a total of 14429 Android applications were detected and 1039726 Android features were extracted, with a detection accuracy of 99.7%.

multidisciplinary sciences

Jintao Gu,Hongliang Zhu,Zewei Han,Xiangyu Li,Jianjin Zhao

DOI: https://doi.org/10.1016/j.cose.2024.103807

IF: 5.105

2024-03-21

Computers & Security

Abstract:Currently, the prevalence of Android malware remains substantial. Malicious programs increasingly use advanced obfuscation techniques, posing challenges for security professionals with enhanced disguises, a proliferation of variants, and escalating detection difficulty. Leveraging semantic features presents a promising avenue to address these challenges. Rich semantic information encapsulated within opcodes and API call graphs has been identified as crucial in distinguishing benign from malicious applications. Consequently, various Natural Language Processing (NLP) technologies, such as Word2vec, are employed to encode features of Dalvik opcode sequences, thereby yielding embedded representations. Given that malware developers often opt for semantically similar APIs to achieve comparable functionalities, it is posited that the opcode embeddings for such APIs should exhibit similar characteristics. However, simple NLP models that only extract statistical information are insufficient for understanding obfuscated malware's behavioral patterns, as they do not provide comprehensive semantic insights. To bridge this gap, we propose a novel, lightweight embedding model based on CodeBERT and TextCNN. This model aims for efficient and precise representation of opcode sequences. Consequently, we introduce GSEDroid, an Android malware detection framework that uses an API call graph with permission and opcode semantic features to characterize APKs. This approach converts the detection challenge into a graph classification task executed via a graph neural network algorithm. The efficacy of our method has been validated through comparative analyses with other techniques. Experimental results demonstrate that our GraphSage+SAGPooling model achieved an accuracy of 99.47% and an F1-score of 99.44%, underscoring its effectiveness in Android malware detection.

computer science, information systems

Tianliang Lu,Yanhui Du,Li Ouyang,Qiuyu Chen,Xirui Wang

DOI: https://doi.org/10.1155/2020/8863617

IF: 1.968

2020-08-28

Security and Communication Networks

Abstract:In recent years, the number of malware on the Android platform has been increasing, and with the widespread use of code obfuscation technology, the accuracy of antivirus software and traditional detection algorithms is low. Current state-of-the-art research shows that researchers started applying deep learning methods for malware detection. We proposed an Android malware detection algorithm based on a hybrid deep learning model which combines deep belief network (DBN) and gate recurrent unit (GRU). First of all, analyze the Android malware; in addition to extracting static features, dynamic behavioral features with strong antiobfuscation ability are also extracted. Then, build a hybrid deep learning model for Android malware detection. Because the static features are relatively independent, the DBN is used to process the static features. Because the dynamic features have temporal correlation, the GRU is used to process the dynamic feature sequence. Finally, the training results of DBN and GRU are input into the BP neural network, and the final classification results are output. Experimental results show that, compared with the traditional machine learning algorithms, the Android malware detection model based on hybrid deep learning algorithms has a higher detection accuracy, and it also has a better detection effect on obfuscated malware.

computer science, information systems,telecommunications

Han Gao,Shaoyin Cheng,Weiming Zhang

DOI: https://doi.org/10.1016/j.cose.2021.102264

IF: 5.105

2021-01-01

Computers & Security

Abstract:The dramatic increase in the number of malware poses a serious challenge to the Android platform and makes it difficult for malware analysis. In this paper, we propose a novel approach for Android malware detection and familial classification based on the Graph Convolutional Network (GCN). The general idea is to map apps and Android APIs into a large heterogeneous graph, converting the original problem into a node classification task. We build the “App-API” and “API-API” edges based on the invocation relationship and the API usage patterns, respectively. The heterogeneous graph is then fed into the GCN model, iteratively generating node embeddings that incorporate topological structure and node features. Eventually, the unlabeled apps are classified by their final embeddings. To our knowledge, this paper is the first study to explore the application of graph neural network in the field of malware classification. We develop a prototype system named GDroid. Experiments show that GDroid can effectively detect 98.99% of Android malware with a low false positive rate of less than 1%, outperforming the existing approaches. It also achieves an average accuracy of almost 97% in the malware familial classification task with surpassing the baselines. Additionally, we cooperate with QI-ANXIN Technology Research Institute to evaluate its real-world impact, and GDroid also maintains satisfactory performance in real-world scenarios.

Hui-Juan Zhu,Liang-Min Wang,Sheng Zhong,Yang Li,Victor S. Sheng,Huijuan Zhu,Liangmin Wang

DOI: https://doi.org/10.1109/tkde.2021.3067658

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Android is a growing target for malicious software (malware) because of its popularity and functionality. Malware poses a serious threat to users' privacy, money, equipment and file integrity. A series of data-driven malware detection methods were proposed. However, there exist two key challenges for these methods: (1) how to learn effective feature representation from raw data; (2) how to reduce the dependence on the prior knowledge or human labors in feature learning. Inspired by the success of deep learning methods in the feature representation learning community, we propose a malware detection framework which starts with learning rich-features by a novel unsupervised feature learning algorithm Merged Sparse Auto-Encoder (MSAE). In order to extract more compact and discriminative feature from the rich-features to further boost the malware detection capability, a hybrid deep network learning algorithm Stacked Hybrid Learning MSAE and SDAE (SHLMD) is established by further incorporating a classical deep learning method Stacked Denoising Auto-encoders (SDAE). After that, we feed the feature learned by MSAE and SHLMD respectively to classification algorithms, e.g., Support Vector Machine (SVM) or K-NearestNeighbor (KNN), to train a malware detection model. Evaluation results on two real-world datasets demonstrate that SHLMD achieves 94.46 and 90.57 percent accuracy respectively, which outperforms the classical unsupervised feature representation learning Sparse Auto-encoder (SAE). MSAE performs similarly to SAE. SHLMD can further improve the performance of MSAE and the supervised fine-tuned method SDAE. Besides, we compare the performance of our methods with that of state-of-the-art detection approaches, including classical deep-learning-based methods. Extensive experiments show that our proposed methods are effective enough to detect Android malware.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Jingnan Zheng,Jiaohao Liu,An Zhang,Jun Zeng,Ziqi Yang,Zhenkai Liang,Tat-Seng Chua

DOI: https://doi.org/10.1145/3691620.3695008

2024-09-29

Abstract:Android malware attacks have posed a severe threat to mobile users, necessitating a significant demand for the automated detection system. Among the various tools employed in malware detection, graph representations (e.g., function call graphs) have played a pivotal role in characterizing the behaviors of Android apps. However, though achieving impressive performance in malware detection, current state-of-the-art graph-based malware detectors are vulnerable to adversarial examples. These adversarial examples are meticulously crafted by introducing specific perturbations to normal malicious inputs. To defend against adversarial attacks, existing defensive mechanisms are typically supplementary additions to detectors and exhibit significant limitations, often relying on prior knowledge of adversarial examples and failing to defend against unseen types of attacks effectively. In this paper, we propose MASKDROID, a powerful detector with a strong discriminative ability to identify malware and remarkable robustness against adversarial attacks. Specifically, we introduce a masking mechanism into the Graph Neural Network (GNN) based framework, forcing MASKDROID to recover the whole input graph using a small portion (e.g., 20%) of randomly selected <a class="link-external link-http" href="http://nodes.This" rel="external noopener nofollow">this http URL</a> strategy enables the model to understand the malicious semantics and learn more stable representations, enhancing its robustness against adversarial attacks. While capturing stable malicious semantics in the form of dependencies inside the graph structures, we further employ a contrastive module to encourage MASKDROID to learn more compact representations for both the benign and malicious classes to boost its discriminative power in detecting malware from benign apps and adversarial examples.

Cryptography and Security,Artificial Intelligence,Software Engineering

Minghui Cai,Yuan Jiang,Cuiying Gao,Heng Li,Wei Yuan

DOI: https://doi.org/10.1016/j.neucom.2020.10.054

IF: 6

2021-01-01

Neurocomputing

Abstract:<p>Analyzing the runtime behaviors of Android apps is crucial for malware detection. In this paper, we attempt to learn the behavior level features of an app from function calls. The challenges of this task are twofold. First, the absence of function attributes hinders the understanding of app behaviors. Second, the graphical representation of function calls cannot be directly processed by classical machine learning algorithms. In this paper, we develop two methods to overcome these challenges. Based on function embedding, we first propose the concept of enhanced function call graphs (E-FCGs) to characterize app runtime behaviors. We then develop a Graph Convolutional Network (GCN) based algorithm to obtain vector representations of E-FCGs. Extensive experiments show that the features learned by our method can achieve surprisingly high detection performance on a variety of classifiers (e.g., LR, DT, SVM, KNN, RF, MLP and CNN), significantly outperforming the traditional static features.</p>

computer science, artificial intelligence

Yiming Hei,Renyu Yang,Hao Peng,Lihong Wang,Xiaolin Xu,Jianwei Liu,Hong Liu,Jie Xu,Lichao Sun

DOI: https://doi.org/10.1109/tnnls.2021.3105617

IF: 14.255

2021-01-01

IEEE Transactions on Neural Networks and Learning Systems

Abstract:Android is undergoing unprecedented malicious threats daily, but the existing methods for malware detection often fail to cope with evolving camouflage in malware. To address this issue, we present Hawk, a new malware detection framework for evolutionary Android applications. We model Android entities and behavioral relationships as a heterogeneous information network (HIN), exploiting its rich semantic meta-structures for specifying implicit higher order relationships. An incremental learning model is created to handle the applications that manifest dynamically, without the need for reconstructing the whole HIN and the subsequent embedding model. The model can pinpoint rapidly the proximity between a new application and existing in-sample applications and aggregate their numerical embeddings under various semantics. Our experiments examine more than 80,860 malicious and 100,375 benign applications developed over a period of seven years, showing that Hawk achieves the highest detection accuracy against baselines and takes only 3.5 ms on average to detect an out-of-sample application, with the accelerated training time of 50x faster than the existing approach.

computer science, artificial intelligence, theory & methods,engineering, electrical & electronic, hardware & architecture

Xiaofeng Lu,Jinglun Zhao,Senhao Zhu,Pietro Lio

DOI: https://doi.org/10.1016/j.eswa.2024.123922

IF: 8.5

2024-04-13

Expert Systems with Applications

Abstract:Android malware seriously affects the use of Android applications, and a growing number of Android malware developers are using adversarial attacks to evade detection by deep learning models. This work proposes an Android malware detection model based on the Android function call graph (FCG) and the denoising graph convolutional network (GCN) that is resistant to adversarial attacks. Methods are also proposed to simplify the FCG to reduce its size, and to construct vertex feature vectors. Because attackers may employ adversarial attack methods, the proposed model uses the subgraph network (SGN) to detect the underlying structural features of the FCG to discover the degree of the obfuscation attack. A denoising graph neural network (GNN) is designed, and the 1-Lipschitz-based neural network denoising method is applied to graph convolution. Moreover, the degree of denoising is adjusted according to the degree of obfuscation, which enhances the robustness of the model. The GCN performs the feature vector extraction of the FCG, and a multilayer perceptron (MLP) is used as the classifier. The results of experiments show that the F1 value of the proposed Android malware detection method is higher than those of other malware detection models for different levels of obfuscation attacks, thus demonstrating its effectiveness against such attacks.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Yanfang Ye,Shifu Hou,Lingwei Chen,Jingwei Lei,Wenqiang Wan,Jiabin Wang,Qi Xiong,Fudong Shao

DOI: https://doi.org/10.48550/arXiv.1811.01027

2019-05-21

Abstract:The explosive growth and increasing sophistication of Android malware call for new defensive techniques that are capable of protecting mobile users against novel threats. In this paper, we first extract the runtime Application Programming Interface (API) call sequences from Android apps, and then analyze higher-level semantic relations within the ecosystem to comprehensively characterize the apps. To model different types of entities (i.e., app, API, IMEI, signature, affiliation) and the rich semantic relations among them, we then construct a structural heterogeneous information network (HIN) and present meta-path based approach to depict the relatedness over apps. To efficiently classify nodes (e.g., apps) in the constructed HIN, we propose the HinLearning method to first obtain in-sample node embeddings and then learn representations of out-of-sample nodes without rerunning/adjusting HIN embeddings at the first attempt. Afterwards, we design a deep neural network (DNN) classifier taking the learned HIN representations as inputs for Android malware detection. A comprehensive experimental study on the large-scale real sample collections from Tencent Security Lab is performed to compare various baselines. Promising experimental results demonstrate that our developed system AiDroid which integrates our proposed method outperforms others in real-time Android malware detection. AiDroid has already been incorporated into Tencent Mobile Security product that serves millions of users worldwide.

Cryptography and Security,Machine Learning

Xiang Ling,Lingfei Wu,Wei Deng,Zhenqing Qu,Jiangyu Zhang,Sheng Zhang,Tengfei Ma,Bin Wang,Chunming Wu,Shouling Ji

DOI: https://doi.org/10.1109/infocom48880.2022.9796786

2022-01-01

Abstract:With the ever-increasing malware threats, malware detection plays an indispensable role in protecting information systems. Although tremendous research efforts have been made, there are still two key challenges hindering them from being applied to accurately and robustly detect malwares. Firstly, most of them represent executables with shallow features, but ignore their semantic and structural information. Secondly, they are primarily based on representations that can be easily modified by attackers and thus cannot provide robustness against adversarial attacks. To tackle the challenges, we present MalGraph, which first represents executables with hierarchical graphs and then uses an end-to-end learning framework based on graph neural networks for malware detection. In particular, a hierarchical graph consists of a function call graph that captures the interaction semantics among different functions at the inter-function level and corresponding control-flow graphs for learning the structural semantics of each function at the intra-function level. We argue the abstraction and hierarchy nature of hierarchical graphs makes them not only easy to capture rich structural information of executables, but also be immune to adversarial attacks. Evaluations show that MalGraph not only outperforms state-of-the-art malware detection, but also exhibits stronger robustness against adversarial attacks by a large margin.

Diego Soi,Alessandro Sanna,Davide Maiorca,Giorgio Giacinto

DOI: https://doi.org/10.1016/j.jisa.2023.103691

IF: 4.96

2024-01-03

Journal of Information Security and Applications

Abstract:Nowadays, mobile devices are massively used in everyday activities. Thus, they contain sensitive data targeted by threat actors like bank accounts and personal information. Through the years, Machine Learning approaches have been proposed to identify malicious Android applications, but recent research highlights the need for better explanations for model decisions, as existing ones may not be related to the app's malicious functionalities. This paper proposes an explainable approach based on static analysis to detect Android malware. The novelty lies in the specific analysis conducted to select and extract the features (i.e., APIs taken from the DEX Call Graph) that immediately provide meaningful explanations of the model functionality, thus allowing a significant correlation of the malware behavior with its family. Moreover, since we contain the number and type of features, the distinct impacts of each one appear more evident. The attained results show that it is possible to reach comparable results (in terms of accuracy) to existing state-of-the-art models while providing easy-to-understand explanations, which may yield significant insights into the malicious functionalities of the samples.

computer science, information systems

Haipeng Zhang,Shudong Li,Xiaobo Wu,Weihong Han,Laifu Wang

DOI: https://doi.org/10.1109/DSC53577.2021.00100

2021-01-01

Abstract:With the popularity of smartphones, android quickly occupied the market, and at the same time, millions of android malware increase every year, which caused great losses to users. so it's crucial to detect unknown android malware efficiently before install it. Machine learning has achieved outstanding performance in many fields, and so does android malware detection. Nowadays, many methods of detecting android malware based on machine learning have been proposed. These methods can be classified as dynamic analysis, static analysis, and hybrid analysis according to what kind of features they use. the dynamic analysis will waste a lot of time because it requires running software. What's more, it's hard to get all malicious behaviors because of Anti-Sandbox technology, which means malware might change its behavior to avoid detecting when malware is running in Sandbox. In this paper, we proposed a new android malware detection approach using multi-features and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm. The static features we use cover permissions and API calls of each android application and the size of the android application package. We used BOW(bag of words) to process permission feature, standardization to process packages size feature, and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm to handle API calls features. Machine-learning algorithms including AdaBoost, LinearSVC, GaussianNB are used for Classification. The experimental results on public datasets demonstrated our system could detect android malware efficiently.