Hongyu Yang,Youwei Wang,Liang Zhang,Xiang Cheng,Ze Hu

DOI: https://doi.org/10.1016/j.cose.2023.103651

IF: 5.105

2023-01-01

Computers & Security

Abstract:Due to the continuous evolution of both the Android framework and malware, conventional malware detection methods that have been trained using outdated apps are inadequate in effectively identifying sophisticated evolved malware. To address this issue, in this paper, we propose a novel Android malware detection method with API semantics extraction (AMDASE), it can effectively identify evolved malware instances. Firstly, AMDASE performs API clustering to obtain cluster centers representing API functions before malware detection. We design API sentence to summarize API features and employ natural language processing (NLP) tools to acquire embeddings of API sentence for clustering. With the help of API sentence, it becomes possible to effectively extract the semantics of API contained in features like method name that accurately represents its intended functionality, which also makes the clustering results more accurate. Secondly, AMDASE extracts call graph from each app and optimizes the call graph by removing nodes corresponding to unknown functions, while ensuring the preservation of connectivity between their predecessor and successor nodes. The optimized call graph can extract more robust API contextual information that accurately represents the behavior of each app. Thirdly, in order to maintain resilience against the evolution of Android malware, AMDASE extracts function call pairs from the optimized call graph and abstracts the APIs in function call pairs into cluster centers obtained in API clustering. Finally, feature vectors are generated using one-hot mapping and machine learning classifiers are used for malware detection. We evaluate AMDASE on a dataset of 42,154 benign and 42,450 malicious apps developed over a seven-year period. The experimental results demonstrate that AMDASE greatly outperforms the existing state-of-the-art methods and has a significantly slower aging speed.

Huang Lu,Xue Jingfeng,Wang Yong,Qu Dacheng,Chen Junbao,Zhang Nan,Zhang Li

DOI: https://doi.org/10.23919/cje.2021.00.451

IF: 1.019

2023-01-01

Chinese Journal of Electronics

Abstract:The development of smart mobile devices brings convenience to people's lives, but also provides a breeding ground for Android malware. The sharp increasing malware poses a disastrous threat to personal privacy in the information age. Based on the fact that malware heavily resorts to system application programming interfaces (APIs) to perform its malicious actions, there has been a variety of API-based detection methods. Most of them do not consider the relationship between APIs. We contribute a new approach based on the enhanced API order for Android malware detection, named EAODroid, which learns the similarity of system APIs from a large number of API sequences and groups similar APIs into clusters. The extracted API clusters are further used to enhance the original API calls executed by an app to characterize behaviors and perform classification. We perform multi-dimensional experiments to evaluate EAODroid on three datasets with ground truth. We compare with many state-of-the-art works, showing that EAODroid achieves effective performance in Android malware detection.

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Hanqing Zhang,Senlin Luo,Yifei Zhang,Limin Pan

DOI: https://doi.org/10.1109/access.2019.2919796

IF: 3.9

2019-01-01

IEEE Access

Abstract:According to the recent report, 12 000 new Android malware samples will be generated every day. Efficient identification of evolving malware is an urgent challenge. Traditional methods based on structured features such as permissions and sensitive application programming interface (API) calls lack high-level behavioral semantics to detect evolving malware. The methods based on call graphs (CG) are good at behavioral semantic analysis but face the problem of huge time and space consumption, which leads to low detection efficiency. In this paper, we propose a novel Android malware detection method based on the method-level correlation relationship of application's abstracted API calls. First, we split each Android application's source code into separate function methods and just keep the abstracted API calls of them to form a set of abstracted API calls transactions. And then, we calculate the confidence of association rules between the abstracted API calls, which forms behavioral semantics to describe an application. Finally, we combine machine learning to identify the different behavioral patterns of malicious and benign apps to build the detection system. The results of our empirical evaluation show our system is competitive in terms of classification accuracy and detection efficiency. At dataset Drebin (benign 5.9K and malware 5.6K) and AMD (benign 20.5K and malware 20.8K), our system has achieved 96% and 98% detection results both in accuracy and F-measure. Compared with the state-of-the-art system in detecting evolving malware called MaMaDroid on the dataset of 6.0K benign and 20.5K malicious samples spanning from 2010 to 2017, our system achieves higher accuracy while improving detection efficiency by 15 times (2.9 s versus 45.7 s per sample).

Tao Lei,Zhan Qin,Zhibo Wang,Qi Li,Dengpan Ye

DOI: https://doi.org/10.1109/jiot.2019.2909745

IF: 10.6

2019-01-01

IEEE Internet of Things Journal

Abstract:With the proliferation of the smart Internet of Things (IoT) devices based on Android system, malicious Android applications targeting for IoT devices have received more and more attention due to the concern of privacy leakage and property loss. However, existing malware detection approaches based on static or dynamic analysis are not scalable to the evolvement of malware and cannot extract enough valid semantics in application programming interface (API) level, failing to detect new malware. In this paper, we propose EveDroid, a scalable and event-aware Android malware detection system, which exploits the behavioral patterns in different events to effectively detect new malware based on the insight that events can reflect apps' possible running activities. Unlike existing approaches using API calls as features directly, we propose to use event group to describe apps' behaviors in event level, which can capture higher level of semantics than in API level. In event group, we adopt function clusters to represent behaviors in each event so that behaviors hidden in events can still be captured as time goes on, which enables EveDroid to detect new malware in the event level. The function clusters can generalize API calls into vectors based on their API composition to capture new API calls, which makes EveDroid scalable to malware evolving. Moreover, a neural network is specifically designed to aggregate the multiple events and automatically mine the semantic relationship among them. We train the system and evaluate its F1-measure on a dataset of 14 956 benign and 28 848 malicious Android apps released in different years. The experimental results show that EveDroid outperforms other malware detection systems.

Jiyun Yang,Hanwei Li,Lijun He,Tao Xiang,Yujie Jin

DOI: https://doi.org/10.1016/j.cose.2024.104061

2024-01-01

Abstract:As the Android ecosystem develops, malware also evolves to adapt to the changes. Consequently, malware remains a significant threat, posing a challenge in developing a low-resource consumption malware detection method that can adjust to updates in the Android API versions. We propose a novel method called MDADroid, which detects malware based on self-built Functionality-API mapping. We start by building a set of permission-related APIs using open-source knowledge. Then, we construct a Functionality-App-API heterogeneous graph based on collected data and establish a Functionality-API mapping from it. Finally, MDADroid transforms app features from the API level to the functionality level for malware detection, ensuring model resilience to API changes. We also design an API similarity calculation method that updates the Functionality-API mapping at a low cost. We evaluate MDADroid on multiple datasets, and the results show that MDADroid achieves an accuracy of 95.22%, 96.23%, 98.77%, and 99.56% on the AndroZoo, CICAndMal 2017, CICMalDroid 2020, and Drebin datasets, respectively, with training and testing times of 2 s, 0.6188 s, 1.34 s, and 1.02 s. Moreover, our method demonstrates excellent performance in the tests for resilience capabilities.

Na Huang,Ming Xu,Ning Zheng,Tong Qiao,Kim-Kwang Raymond Choo

DOI: https://doi.org/10.1109/trustcom/bigdatase.2019.00047

2019-01-01

Abstract:The rapid growth of Android malware apps poses a great security threat to users thus it is very important and urgent to detect Android malware effectively. What's more, the increasing unknown malware and evasion technique also call for novel detection method. In this paper, we focus on API feature and develop a novel method to detect Android malware. First, we propose a novel selection method for API feature related with the malware class. However, such API also has a legitimate use in benign app thus causing FP problem (misclassify benign as malware). Second, we further explore structure relationships between these APIs and map to a matrix interpreted as the hand-refined API-based feature graph. Third, a CNN-based classifier is developed for the API-based feature graph classification. Evaluations of a real-world dataset containing 3,697 malware apps and 3,312 benign apps demonstrate that selected API feature is effective for Android malware classification, just top 20 APIs can achieve high F1 of 94.3% under Random Forest classifier. When the available API features are few, classification performance including FPR indicator can achieve effective improvement effectively by complementing our further work.

Xiaohan Zhang,Yuan Zhang,Ming Zhong,Daizong Ding,Yinzhi Cao,Yukun Zhang,Mi Zhang,Min Yang

DOI: https://doi.org/10.1145/3372297.3417291

2020-10-30

Abstract:Machine learning (ML) classifiers have been widely deployed to detect Android malware, but at the same time the application of ML classifiers also faces an emerging problem. The performance of such classifiers degrades---or called ages---significantly over time given the malware evolution. Prior works have proposed to use retraining or active learning to reverse and improve aged models. However, the underlying classifier itself is still blind, unaware of malware evolution. Unsurprisingly, such evolution-insensitive retraining or active learning comes at a price, i.e., the labeling of tens of thousands of malware samples and the cost of significant human efforts. In this paper, we propose the first framework, called APIGraph, to enhance state-of-the-art malware classifiers with the similarity information among evolved Android malware in terms of semantically-equivalent or similar API usages, thus naturally slowing down classifier aging. Our evaluation shows that because of the slow-down of classifier aging, APIGraph saves significant amounts of human efforts required by active learning in labeling new malware samples.

Zhijie Wu,Jilin Zhang,Liang Kou

DOI: https://doi.org/10.1109/dsa56465.2022.00157

2022-01-01

Abstract:In recent years, the extensive development of malware industry has brought many threats to the development of information technology. How to effectively detect malware has attracted much attention. The sequence of API calls has been proved to be effective in malware detection. There are obvious differences between the API call sequences of malware and good software. Based on this difference, in this paper, we introduce a Windows platform malware detection method based on deep neural network, which learns the API sequences. We use word embedding to understand the context relationship between API functions in malware call sequence. At the same time, we separate single functions with similar context characteristics into groups, and then convert the API call sequence into the corresponding group sequence. Finally, the group sequence is embedded and sent into the deep neural network to train the binary classifier to detect malware.

Jiyun Yang,Hanwei Li,Lijun He,Tao Xiang,Yujie Jin

DOI: https://doi.org/10.1016/j.cose.2024.104061

IF: 5.105

2024-01-01

Computers & Security

Abstract:As the Android ecosystem develops, malware also evolves to adapt to the changes. Consequently, malware remains a significant threat, posing a challenge in developing a low-resource consumption malware detection method that can adjust to updates in the Android API versions. We propose a novel method called MDADroid, which detects malware based on self-built Functionality-API mapping. We start by building a set of permission-related APIs using open-source knowledge. Then, we construct a Functionality-App-API heterogeneous graph based on collected data and establish a Functionality-API mapping from it. Finally, MDADroid transforms app features from the API level to the functionality level for malware detection, ensuring model resilience to API changes. We also design an API similarity calculation method that updates the Functionality-API mapping at a low cost. We evaluate MDADroid on multiple datasets, and the results show that MDADroid achieves an accuracy of 95.22%, 96.23%, 98.77%, and 99.56% on the AndroZoo, CICAndMal 2017, CICMalDroid 2020, and Drebin datasets, respectively, with training and testing times of 2 s, 0.6188 s, 1.34 s, and 1.02 s. Moreover, our method demonstrates excellent performance in the tests for resilience capabilities.

Yuxia Sun,Yunlong Xie,Zhi Qiu,Yuchang Pan,Jian Weng,Song Guo

DOI: https://doi.org/10.1109/dasc-picom-datacom-cyberscitec.2017.24

2017-01-01

Abstract:To relieve increasingly prominent security issues of Android applications, static malware-detection techniques have become essential, due to their rapid and convenient detection processes which do not require running the detected applications. Most of current commercial anti-malware tools utilize signatures of known malicious Android codes for static detection, but are unable to find out unknown, especially newly created, malware. Many existing malware-detection researches rely on traditional machine learning techniques to analyze some static features of Android applications such as permissions and API calls, but the detection approaches still have room for improvement with respect to simplicity, effectiveness or efficiency. To overcome the limitations of the above detection techniques, we propose a novel static approach to detect malicious Android applications by proposing a set of Android program features, consisting of sensitive permissions and sensitive API calls, and by utilizing Extreme Learning Machine. We implemented our approach with an automated testing tool called WaffleDetector. Controlled experiments have been conducted to compare our approach and the existing ones on detecting malicious Android applications, and the results show that our approach excels the existing ones with minimal human intervention, better detection effectiveness and less detection time.

Hongyu Yang,Youwei Wang,Liang Zhang,Ze Hu,Laiwei Jiang,Xiang Cheng

DOI: https://doi.org/10.1007/978-981-97-0945-8_2

2024-01-01

Abstract:The vast popularity of the Android platform has fueled the rapid expansion of Android malware and existing detection methods are difficult to effectively detect malware. To address this issue, in this paper, we propose an Android malware detection method using better API contextual information (BACI). Firstly, BACI extracts the function call graph from each app. Then, we optimize the call graph by removing nodes of unknown functions while ensuring the connectivity between their predecessor and successor nodes. The optimized call graph can extract more robust API contextual information that accurately represents app behavior. Thirdly, we map the optimized call graph into a feature vector for malware detection, including three steps: call pairs extraction, call pairs abstraction, and one-hot mapping. Finally, machine learning classifiers are used for malware detection. The experimental results demonstrate that BACI greatly outperforms the existing state-of-the-art methods and can effectively detect Android malware.

Yongfeng Li,Tong Shen,Xin Sun,Xuerui Pan,Bing Mao

DOI: https://doi.org/10.1007/978-3-319-28865-9_2

2015-01-01

Abstract:With the popularity of Android devices, more and more Android malware are manufactured every year. How to filter out malicious app is a serious problem for app markets. In this paper, we propose DroidADDMiner, an efficient and precise system to detect, classify and characterize Android malware. DroidADDMiner is a machine learning based system that extracts features based on data dependency between sensitive APIs. It extracts API data dependence paths embedded in app to construct feature vectors for machine learning. While DroidSIFT [13] also attempts automated detection of Android applications according to data flow analysis, DroidADDMiner can not only reduce the run time but also characterize malware’s behaviors automatically. We implement DroidADDMiner based on FlowDroid [14] and evaluate it using 5648 malware samples and 14280 benign apps. Experiments show that, for malware detection, DroidADDMiner achieves a 98% detection rate, with a 0.3% false positive rate. For malware classification, the accuracy of classifying malicious apps under their proper family labels is 96%. Although performing data flow analysis, most of the experimental samples can be examined in 60 seconds.

Yanfang Ye,Shifu Hou,Lingwei Chen,Jingwei Lei,Wenqiang Wan,Jiabin Wang,Qi Xiong,Fudong Shao

DOI: https://doi.org/10.48550/arXiv.1811.01027

2019-05-21

Abstract:The explosive growth and increasing sophistication of Android malware call for new defensive techniques that are capable of protecting mobile users against novel threats. In this paper, we first extract the runtime Application Programming Interface (API) call sequences from Android apps, and then analyze higher-level semantic relations within the ecosystem to comprehensively characterize the apps. To model different types of entities (i.e., app, API, IMEI, signature, affiliation) and the rich semantic relations among them, we then construct a structural heterogeneous information network (HIN) and present meta-path based approach to depict the relatedness over apps. To efficiently classify nodes (e.g., apps) in the constructed HIN, we propose the HinLearning method to first obtain in-sample node embeddings and then learn representations of out-of-sample nodes without rerunning/adjusting HIN embeddings at the first attempt. Afterwards, we design a deep neural network (DNN) classifier taking the learned HIN representations as inputs for Android malware detection. A comprehensive experimental study on the large-scale real sample collections from Tencent Security Lab is performed to compare various baselines. Promising experimental results demonstrate that our developed system AiDroid which integrates our proposed method outperforms others in real-time Android malware detection. AiDroid has already been incorporated into Tencent Mobile Security product that serves millions of users worldwide.

Cryptography and Security,Machine Learning

Hui-Juan Zhu,Liang-Min Wang,Sheng Zhong,Yang Li,Victor S. Sheng,Huijuan Zhu,Liangmin Wang

DOI: https://doi.org/10.1109/tkde.2021.3067658

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Android is a growing target for malicious software (malware) because of its popularity and functionality. Malware poses a serious threat to users' privacy, money, equipment and file integrity. A series of data-driven malware detection methods were proposed. However, there exist two key challenges for these methods: (1) how to learn effective feature representation from raw data; (2) how to reduce the dependence on the prior knowledge or human labors in feature learning. Inspired by the success of deep learning methods in the feature representation learning community, we propose a malware detection framework which starts with learning rich-features by a novel unsupervised feature learning algorithm Merged Sparse Auto-Encoder (MSAE). In order to extract more compact and discriminative feature from the rich-features to further boost the malware detection capability, a hybrid deep network learning algorithm Stacked Hybrid Learning MSAE and SDAE (SHLMD) is established by further incorporating a classical deep learning method Stacked Denoising Auto-encoders (SDAE). After that, we feed the feature learned by MSAE and SHLMD respectively to classification algorithms, e.g., Support Vector Machine (SVM) or K-NearestNeighbor (KNN), to train a malware detection model. Evaluation results on two real-world datasets demonstrate that SHLMD achieves 94.46 and 90.57 percent accuracy respectively, which outperforms the classical unsupervised feature representation learning Sparse Auto-encoder (SAE). MSAE performs similarly to SAE. SHLMD can further improve the performance of MSAE and the supervised fine-tuned method SDAE. Besides, we compare the performance of our methods with that of state-of-the-art detection approaches, including classical deep-learning-based methods. Extensive experiments show that our proposed methods are effective enough to detect Android malware.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Yao ZHENG,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1673-629X.2017.03.026

2017-01-01

Abstract:A static feature-based mechanism is studied to provide a static analysis method for detection of the Android malware. In order to identify the intention of different Android malware,all kinds of clustering algorithms are applied to enhance the malware modeling ca-pability to any Android procedure. Besides,a system,called XDroidMat,is developed. The XDroidMat extracts the information from each application' s manifest file and regards components as entry points drilling down for tracing API Calls related to permissions. Then it uses k-means algorithm to strengthen the malware modeling capability. The number of clusters is decided by Singular Value Decomposition ( SVD) method on the low rank approximation. Finally,it uses kNN algorithm to classify the application as benign or malicious. The ex-perimental results show XDroidMat can get 98. 12% accuracy and do well in detecting the Android malware.

Zhuo Ma,Haoran Ge,Yang Liu,Meng Zhao,Jianfeng Ma

DOI: https://doi.org/10.1109/ACCESS.2019.2896003

IF: 3.9

2019-01-01

IEEE Access

Abstract:Android malware severely threaten system and user security in terms of privilege escalation, remote control, tariff theft, and privacy leakage. Therefore, it is of great importance and necessity to detect Android malware. In this paper, we present a combination method for Android malware detection based on the machine learning algorithm. First, we construct the control flow graph of the application to obtain API information. Based on the API information, we innovatively construct Boolean, frequency, and time-series data sets. Based on these three data sets, three detection models for Android malware detection regarding API calls, API frequency, and API sequence aspects are constructed. Ultimately, an ensemble model is constructed for conformity. We tested and compared the accuracy and stability of our detection models through a large number of experiments. The experiments were conducted on 10010 benign applications and 10683 malicious applications. The results show that our detection model achieves 98.98% detection precision and has high accuracy and stability. All of the results are consistent with the theoretical analysis in this paper.

Wei Wang,Mengxue Zhao,Jigang Wang

DOI: https://doi.org/10.1007/s12652-018-0803-6

IF: 3.662

2018-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Android security incidents occurred frequently in recent years. To improve the accuracy and efficiency of large-scale Android malware detection, in this work, we propose a hybrid model based on deep autoencoder (DAE) and convolutional neural network (CNN). First, to improve the accuracy of malware detection, we reconstruct the high-dimensional features of Android applications (apps) and employ multiple CNN to detect Android malware. In the serial convolutional neural network architecture (CNN-S), we use Relu, a non-linear function, as the activation function to increase sparseness and “dropout” to prevent over-fitting. The convolutional layer and pooling layer are combined with the full-connection layer to enhance feature extraction capability. Under these conditions, CNN-S shows powerful ability in feature extraction and malware detection. Second, to reduce the training time, we use deep autoencoder as a pre-training method of CNN. With the combination, deep autoencoder and CNN model (DAE-CNN) can learn more flexible patterns in a short time. We conduct experiments on 10,000 benign apps and 13,000 malicious apps. CNN-S demonstrates a significant improvement compared with traditional machine learning methods in Android malware detection. In details, compared with SVM, the accuracy with the CNN-S model is improved by 5%, while the training time using DAE-CNN model is reduced by 83% compared with CNN-S model.

Wenjun HU,Shuang ZHAO,Jing TAO,Xiaobo MA,Liang CHEN

DOI: https://doi.org/10.7652/xjtuxb201310007

2013-01-01

Abstract:An Android malware detection system is designed and implemented to focus on the problem that malware on Android becomes widespread. The system combines static and dynamic analysis technologies. The APK features such as permission, API call sequences, component, resource and structure are extracted to form a feature vector in static analysis, and a similarity-based method is proposed to detect known malware samples using these features. Android source code is then updated to generate new kernel images in dynamic analysis. The new kernel images can monitor the Android program's behaviors such as file reading and writing, network connection, SMS sending and telephone calling, etc. Thus, unknown malware samples can be successfully identified through analyzing these behaviors. Experimental results show that the proposed system is efficient and performs well on detecting Android malware. The proposed system has been released online and free use of the system is available on the Internet.

Xin Su,Dafang Zhang,Wenjia Li,Kai Zhao

DOI: https://doi.org/10.1109/TrustCom.2016.69

2016-01-01

Abstract:The growing amount and diversity of Android malware has significantly weakened the effectiveness of the conventional defense mechanisms, and thus Android platform often remains unprotected from new and unknown malware. To address these limitations, we propose DroidDeep, a malware detection approach for the Android platform based on the deep learning model. Deep learning emerges as a new area of machine learning research that has attracted increasing attention in artificial intelligence. To implement this, we first extract five types of features from the static analysis of Android apps. Then, we build the deep learning model to learn features from Android apps. Finally, the learned features are used to detect unknown Android malware. In an experiment with 3,986 benign apps and 3,986 malware, DroidDeep outperforms several existing malware detection approaches and achieves a 99.4% detection accuracy. Moreover, DroidDeep can achieve a remarkable run-time efficiency which makes it very easy to adapt to a lager scale of real-world Android malware detection.