Wenhao fan,Liang Zhao,Jiayang Wang,Ye Chen,Fan Wu,Yuan'an Liu

DOI: https://doi.org/10.48550/arXiv.2101.03965

2021-01-29

Abstract:Android is currently the most extensively used smartphone platform in the world. Due to its popularity and open source nature, Android malware has been rapidly growing in recent years, and bringing great risks to users' privacy. The malware applications in a malware family may have common features and similar behaviors, which are beneficial for malware detection and inspection. Thus, classifying Android malware into their corresponding families is an important task in malware analysis. At present, the main problem of existing research works on Android malware family classification lies in that the extracted features are inadequate to represent the common behavior characteristics of the malware in malicious families, and leveraging a single classifier or a static ensemble classifier is restricted to further improve the accuracy of classification. In this paper, we propose FamDroid, a learning-based Android malware family classification scheme using static analysis technology. In FamDroid, the explicit features including permissions, hardware components, app components, intent filters are extracted from the apk files of a malware application. Besides, a hidden feature generated from the extracted APIs is used to represents the API call relationship in the application. Then, we design an adaptive weighted ensemble classifier, which considers the adaptability of the sample to each base classifier, to carry out accurate malware family classification. We conducted experiments on the Drebin dataset which contains 5560 Android malicious applications. The superiority of FamDroid is demonstrated through comparing it with 5 traditional machine learning models and 4 state-of-the-art reference schemes. FamDroid can correctly classify 98.92% of malware samples into their families and achieve 99.12% F1-Score.

Cryptography and Security

Ming Fan,Jun Liu,Xiapu Luo,Kai Chen,Zhenzhou Tian,Qinghua Zheng,Ting Liu

DOI: https://doi.org/10.1109/tifs.2018.2806891

IF: 7.231

2018-08-01

IEEE Transactions on Information Forensics and Security

Abstract:The rapid increase in the number of Android malware poses great challenges to anti-malware systems, because the sheer number of malware samples overwhelms malware analysis systems. The classification of malware samples into families, such that the common features shared by malware samples in the same family can be exploited in malware detection and inspection, is a promising approach for accelerating malware analysis. Furthermore, the selection of representative malware samples in each family can drastically decrease the number of malware to be analyzed. However, the existing classification solutions are limited because of the following reasons. First, the legitimate part of the malware may misguide the classification algorithms because the majority of Android malware are constructed by inserting malicious components into popular apps. Second, the polymorphic variants of Android malware can evade detection by employing transformation attacks. In this paper, we propose a novel approach that constructs frequent subgraphs (fregraphs) to represent the common behaviors of malware samples that belong to the same family. Moreover, we propose and develop FalDroid, a novel system that automatically classifies Android malware and selects representative malware samples in accordance with fregraphs. We apply it to 8407 malware samples from 36 families. Experimental results show that FalDroid can correctly classify 94.2% of malware samples into their families using approximately 4.6 sec per app. FalDroid can also dramatically reduce the cost of malware investigation by selecting only 8.5% to 22% representative samples that exhibit the most common malicious behavior among all samples.

computer science, theory & methods,engineering, electrical & electronic

Peng Wang,Zhijie Tang,Junfeng Wang

DOI: https://doi.org/10.1016/j.cose.2021.102273

2021-07-01

Abstract:<p>New malware variants appear rapidly and continuously increase the difficulty to classify malware into correct families. This brings two challenges for malware classification: The first is the scarce samples problem, where collecting a large volume of a newly detected malware family to train a classifier can be extremely hard and it is unavoidable to suffer from overfitting using a small number of samples. The second is the dynamic recognition problem. Most widely adopted classifiers are trained on predefined known malware families, lacking ability to incrementally identifying novel families, which require to retrain from scratch. To tackle these challenges, in this study, we employ the meta-learning based few-shot learning (FSL) technique and propose a new few-shot malware classification model called SIMPLE (Supervised Infinite Mixture Prototypes LEarning). With the help of meta-learning, SIMPLE is trained with predefined malware families and can maintain its ability to classify novel malware families that has never met. Furthermore, the prior knowledge learned via meta-learning can prevent from overfitting caused by scarce samples. Our proposed SIMPLE introduces multi-prototype modeling to generate multiple prototypes of each family to enhance the generalization, based on API invocation sequences from dynamic analysis. This is inspired by the observation that behaviors within the same family often match multiple subpatterns and satisfy multimodal data distribution. In the broad experiments, SIMPLE achieves the state-of-the-art few-shot malware classification performance and outperforms all the baselines. With only 5 samples per family, SIMPLE reaches a very high accuracy of 90% in 5-way classification task on novel malware families, which substantially solves the problem of scarce samples and dynamic recognition. We also make analysis on the reason of effectiveness with multi-prototype and fast adaption feature to provide more interpretability for the results.</p>

computer science, information systems

Bo Sun,Takeshi Takahashi,Tao Ban,Daisuke Inoue

DOI: https://doi.org/10.1145/3464323

2022-06-30

ACM Transactions on Management Information Systems

Abstract:To relieve the burden of security analysts, Android malware detection and its family classification need to be automated. There are many previous works focusing on using machine (or deep) learning technology to tackle these two important issues, but as the number of mobile applications has increased in recent years, developing a scalable and precise solution is a new challenge that needs to be addressed in the security field. Accordingly, in this article, we propose a novel approach that not only enhances the performance of both Android malware and its family classification, but also reduces the running time of the analysis process. Using large-scale datasets obtained from different sources, we demonstrate that our method is able to output a high F-measure of 99.71% with a low FPR of 0.37%. Meanwhile, the computation time for processing a 300K dataset is reduced to nearly 3.3 hours. In addition, in classification evaluation, we demonstrate that the F-measure, precision, and recall are 97.5%, 96.55%, 98.64%, respectively, when classifying 28 malware families. Finally, we compare our method with previous studies in both detection and classification evaluation. We observe that our method produces better performance in terms of its effectiveness and efficiency.

Yajin Zhou,Xuxian Jiang

DOI: https://doi.org/10.1109/sp.2012.16

2012-01-01

Abstract:The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6% of them while the worst case detects only 20.2% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.

Dan Li,Ning Lu,Siyu Wang,Wenbo Shi,Chang Choi

DOI: https://doi.org/10.1111/exsy.13481

IF: 3.3

2023-11-04

Expert Systems

Abstract:Implementing the necessary countermeasures to detect the growing and highly destructive family of malware is an urgent obligation. The proliferation and diversity of malware make these problems more challenging. For beginners, it is arduous to attain crucial features for multi‐class family classification and extract valuable information from the obtained features. Another issue is that building a classification model that effectively absorbs multi‐class samples and adapts to various features is challenging. This work indicates a precise identification method for Android application families (ANDF) to tackle these issues. It perceptively analyzes the features that multi‐class families can utilize to identify members and further excavates the relationship between implicit information and the severity of those distinctions. A more appropriate classification model is developed for the heterogeneous file formats, and a more beneficial feature with a diverse array of heterogeneous information is chosen as the replacement representation of the sample. It is capable of upgrading learning ability and mastering the multi‐modal traits of the family malware. The application of ANDF to real data sets yields effective classification results. It is capable of 0.9800 in f1‐macro and has a classification accuracy of 98.61%. It performs, respectively, 0.0088 points better than the two‐feature comparison classification model and 0.0872 points better than the single‐feature comparison classification model. The kappa coefficient can also exceed 0.9830, which is at least 0.1044 higher than other contrasting classifiers and is 0.0105 greater than that of the contrasted model containing two features, which is 0.1046 larger than the classifier with a contrasting single feature.

computer science, artificial intelligence, theory & methods

Junyang Qiu,Qing-Long Han,Wei Luo,Lei Pan,Surya Nepal,Jun Zhang,Yang Xiang

DOI: https://doi.org/10.1109/TCYB.2022.3164625

Abstract:Evolving Android malware poses a severe security threat to mobile users, and machine-learning (ML)-based defense techniques attract active research. Due to the lack of knowledge, many zero-day families' malware may remain undetected until the classifier gains specialized knowledge. The most existing ML-based methods will take a long time to learn new malware families in the latest malware family landscape. Existing ML-based Android malware detection and classification methods struggle with the fast evolution of the malware landscape, particularly in terms of the emergence of zero-day malware families and limited representation of single-view features. In this article, a new multiview feature intelligence (MFI) framework is developed to learn the representation of a targeted capability from known malware families for recognizing unknown and evolving malware with the same capability. The new framework performs reverse engineering to extract multiview heterogeneous features, including semantic string features, API call graph features, and smali opcode sequential features. It can learn the representation of a targeted capability from known malware families through a series of processes of feature analysis, selection, aggregation, and encoding, to detect unknown Android malware with shared target capability. We create a new dataset with ground-truth information regarding capability. Many experiments are conducted on the new dataset to evaluate the performance and effectiveness of the new method. The results demonstrate that the new method outperforms three state-of-the-art methods, including: 1) Drebin; 2) MaMaDroid; and 3) N -opcode, when detecting unknown Android malware with targeted capabilities.

Sandeep Sharma,Prachi Ahlawat,Kavita Khanna

DOI: https://doi.org/10.1002/spy2.347

2023-10-17

Security and Privacy

Abstract:Unprecedented growth and prevalent adoption of the Android Operating System (OS) have triggered a substantial transformation, not only within the smartphone industry but across various categories of intelligent devices. These intelligent devices store a wealth of sensitive data, making them enticing targets for malicious individuals who create harmful Android applications to steal this data for malicious purposes. While numerous Android malware detection methods have been proposed, the exponential growth in sophisticated and malicious Android apps presents an unprecedented challenge to existing detection techniques. Some of the researchers have attempted to classify malicious Android applications into families through static analysis of applications but most of them are evaluated on applications of previous API levels. This paper introduces a novel dataset compromising of 2019 to 2021 applications and proposes a Deep Learning based Malware Detection and Family Classification method (DeepMDFC) to detect and classify emerging malicious Android applications through static analysis and deep Artificial Neural Networks. Experimental findings indicate that DeepMDFC surpasses standard machine learning algorithms, achieving accuracy rates of 99.3% and 96.7% for Android malware detection and classification, respectively, with a limited size feature set. The performance of DeepMDFC is also assessed using the benchmark dataset (DREBIN) and results showed that DeepMDFC surpasses these methods in terms of performance. Furthermore, it leverages the proposed dataset to construct a prediction model that adeptly identifies malicious Android applications from both the years 2022 and 2023. This process the potency and resilience of DeepMDFC against emerging Android applications.

Chao Ding,Nurbol Luktarhan,Bei Lu,Wenhui Zhang

DOI: https://doi.org/10.3390/e23081009

2021-08-03

Abstract:With the popularity of Android, malware detection and family classification have also become a research focus. Many excellent methods have been proposed by previous authors, but static and dynamic analyses inevitably require complex processes. A hybrid analysis method for detecting Android malware and classifying malware families is presented in this paper, and is partially optimized for multiple-feature data. For static analysis, we use permissions and intent as static features and use three feature selection methods to form a subset of three candidate features. Compared with various models, including k-nearest neighbors and random forest, random forest is the best, with a detection rate of 95.04%, while the chi-square test is the best feature selection method. After using feature selection to explore the critical static features contained in this dataset, we analyzed a subset of important features to gain more insight into the malware. In a dynamic analysis based on network traffic, unlike those that focus on a one-way flow of traffic and work on HTTP protocols and transport layer protocols, we focused on sessions and retained protocol layers. The Res7LSTM model is then used to further classify the malicious and partially benign samples detected in the static detection. The experimental results show that our approach can not only work with fewer static features and guarantee sufficient accuracy, but also improve the detection rate of Android malware family classification from 71.48% in previous work to 99% when cutting the traffic in terms of the sessions and protocols of all layers.

Yueming Wu,Shihan Dou,Deqing Zou,Wei Yang,Weizhong Qiang,Hai Jin

DOI: https://doi.org/10.1109/tdsc.2022.3219082

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Due to its open-source nature, Android operating system has been the main target of attackers to exploit. Malware creators always perform different code obfuscations on their apps to hide malicious activities. Features extracted from these obfuscated samples through program analysis contain many useless and disguised features, which leads to many false negatives. To address the issue, in this paper, we demonstrate that obfuscation-resilient malware family analysis can be achieved through contrastive learning. The key insight behind our analysis is that contrastive learning can be used to reduce the difference introduced by obfuscation while amplifying the difference between malware and other types of malware. Based on the proposed analysis, we design a system that can achieve robust and interpretable classification of Android malware. To achieve robust classification, we perform contrastive learning on malware samples to learn an encoder that can automatically extract robust features from malware samples. To achieve interpretable classification, we transform the function call graph of a sample into an image by centrality analysis. Then the corresponding heatmaps can be obtained by visualization techniques. These heatmaps can help users understand why the malware is classified as this family. We implement IFDroid and perform extensive evaluations on two datasets. Experimental results show that IFDroid is superior to state-of-the-art Android malware familial classification systems. Moreover, IFDroid is capable of maintaining a 98.4% F1 on classifying 69,421 obfuscated malware samples.

computer science, information systems, software engineering, hardware & architecture

Qijing Qiao,Ruitao Feng,Sen Chen,Fei Zhang,Xiaohong Li

DOI: https://doi.org/10.1109/TDSC.2022.3213689

2024-10-09

Abstract:The existing malware classification approaches (i.e., binary and family classification) can barely benefit subsequent analysis with their outputs. Even the family classification approaches suffer from lacking a formal naming standard and an incomplete definition of malicious behaviors. More importantly, the existing approaches are powerless for one malware with multiple malicious behaviors, while this is a very common phenomenon for Android malware in the wild. So, neither of them can provide researchers with a direct and comprehensive enough understanding of malware. In this paper, we propose MLCDroid, an ML-based multi-label classification approach that can directly indicate the existence of pre-defined malicious behaviors. With an in-depth analysis, we summarize six basic malicious behaviors from real-world malware with security reports and construct a labeled dataset. We compare the results of 70 algorithm combinations to evaluate the effectiveness (best at 73.3%). Faced with the challenge of the expensive cost of data annotation, we further propose an active learning approach based on data augmentation, which can improve the overall accuracy to 86.7% with a data augmentation of 5,000+ high-quality samples from an unlabeled malware dataset. This is the first multi-label Android malware classification approach intending to provide more information on fine-grained malicious behaviors.

Cryptography and Security

Weina Niu,Rong Cao,Xiaosong Zhang,Kangyi Ding,Kaimeng Zhang,Ting Li

DOI: https://doi.org/10.3390/s20133645

2020-06-29

Abstract:Due to the openness of an Android system, many Internet of Things (IoT) devices are running the Android system and Android devices have become a common control terminal for IoT devices because of various sensors on them. With the popularity of IoT devices, malware on Android-based IoT devices is also increasing. People's lives and privacy security are threatened. To reduce such threat, many researchers have proposed new methods to detect Android malware. Currently, most malware detection products on the market are based on malware signatures, which have a fast detection speed and normally a low false alarm rate for known malware families. However, they cannot detect unknown malware and are easily evaded by malware that is confused or packaged. Many new solutions use syntactic features and machine learning techniques to classify Android malware. It has been known that analysis of the Function Call Graph (FCG) can capture behavioral features of malware well. This paper presents a new approach to classifying Android malware based on deep learning and OpCode-level FCG. The FCG is obtained through static analysis of Operation Code (OpCode), and the deep learning model we used is the Long Short-Term Memory (LSTM). We conducted experiments on a dataset with 1796 Android malware samples classified into two categories (obtained from Virusshare and AndroZoo) and 1000 benign Android apps. Our experimental results showed that our proposed approach with an accuracy of 97 % outperforms the state-of-the-art methods such as those proposed by Nikola et al. and Hou et al. (IJCAI-18) with the accuracy of 97 % and 91 % , respectively. The time consumption of our proposed approach is less than the other two methods.

Ahmed Hashem El Fiky,Ayman El Shenawy,Mohamed Ashraf Madkour

DOI: https://doi.org/10.48550/arXiv.2107.01927

2021-07-05

Abstract:Android malware is one of the most dangerous threats on the internet, and it's been on the rise for several years. Despite significant efforts in detecting and classifying android malware from innocuous android applications, there is still a long way to go. As a result, there is a need to provide a basic understanding of the behavior displayed by the most common Android malware categories and families. Each Android malware family and category has a distinct objective. As a result, it has impacted every corporate area, including healthcare, banking, transportation, government, and e-commerce. In this paper, we presented two machine-learning approaches for Dynamic Analysis of Android Malware: one for detecting and identifying Android Malware Categories and the other for detecting and identifying Android Malware Families, which was accomplished by analyzing a massive malware dataset with 14 prominent malware categories and 180 prominent malware families of CCCS-CIC-AndMal2020 dataset on Dynamic Layers. Our approach achieves in Android Malware Category detection more than 96 % accurate and achieves in Android Malware Family detection more than 99% accurate. Our approach provides a method for high-accuracy Dynamic Analysis of Android Malware while also shortening the time required to analyze smartphone malware.

Cryptography and Security,Artificial Intelligence,Machine Learning

Wei Gu,Hongyan Xing,Tianhao Hou

DOI: https://doi.org/10.1049/2024/2850804

2024-02-17

IET Information Security

Abstract:The continuous malicious attacks on Internet of Things devices pose a potential threat to the economic and private information security of end-users, especially on the dominant Android devices. Combining static analysis methods with deep Learning is a promising approach to defend against that. This kind of method has two limitations: the first is that the current single-permission mechanism is not insufficient to regulate interapplication resource acquisition; another problem is that current work on feature learning is dedicated to modifying a single network structure, which may result in a suboptimal solution. In this study, to solve the abovementioned problems, we propose a novel malware detection framework MFEMDroid, which combines multitype features analysis and ensemble modeling. The Provider feature, facilitating information requests between applications (apps) and serving as an indispensable data storage method, plays a vital role in characterizing app behavior. Hence, we extract permissions and Provider features to comprehensively characterize app behavior and probe potentially dangerous combinations between or within these features. To address oversparse datasets and reduce feature learning overhead, we employ an auto-encoder for feature dimensionality reduction. Furthermore, we design an ensemble network based on SENet, ResNet, and the evolutionary convolutional neural network Squeeze Excitation Residual Network (SEResNet) to explore the hidden associations between different types of features from multiple perspectives. We performed extensive experiments to evaluate its method performance on real-world samples. The evaluation results demonstrate that the proposed framework can detect malware with an accuracy of 95.38%, which is much better than state-of-the-art solutions. These promising experimental results show that MFEMDroid is an effective approach to detect Android malware.

computer science, information systems, theory & methods

Maksim E. Eren,Ryan Barron,Manish Bhattarai,Selma Wanna,Nicholas Solovyev,Kim Rasmussen,Boian S. Alexandrov,Charles Nicholas

2024-03-05

Abstract:National security is threatened by malware, which remains one of the most dangerous and costly cyber threats. As of last year, researchers reported 1.3 billion known malware specimens, motivating the use of data-driven machine learning (ML) methods for analysis. However, shortcomings in existing ML approaches hinder their mass adoption. These challenges include detection of novel malware and the ability to perform malware classification in the face of class imbalance: a situation where malware families are not equally represented in the data. Our work addresses these shortcomings with MalwareDNA: an advanced dimensionality reduction and feature extraction framework. We demonstrate stable task performance under class imbalance for the following tasks: malware family classification and novel malware detection with a trade-off in increased abstention or reject-option rate.

Cryptography and Security

Xiaolong Xu,Shuai Jiang,Jinbo Zhao,Xinheng Wang

DOI: https://doi.org/10.23919/jsee.2024.000018

IF: 1.363

2024-02-01

Journal of Systems Engineering and Electronics

Abstract:The rapid growth of mobile applications, the popularity of the Android system and its openness have attracted many hackers and even criminals, who are creating lots of Android malware. However, the current methods of Android malware detection need a lot of time in the feature engineering phase. Furthermore, these models have the defects of low detection rate, high complexity, and poor practicability, etc. We analyze the Android malware samples, and the distribution of malware and benign software in application programming interface (API) calls, permissions, and other attributes. We classify the software&#x27;s threat levels based on the correlation of features. Then, we propose deep neural networks and convolutional neural networks with ensemble learning (DCEL), a new classifier fusion model for Android malware detection. First, DCEL preprocesses the malware data to remove redundant data, and converts the one-dimensional data into a two-dimensional gray image. Then, the ensemble learning approach is used to combine the deep neural network with the convolutional neural network, and the final classification results are obtained by voting on the prediction of each single classifier. Experiments based on the Drebin and Malgenome datasets show that compared with current state-of-art models, the proposed DCEL has a higher detection rate, higher recall rate, and lower computational cost.

automation & control systems,engineering, electrical & electronic,operations research & management science

Haipeng Zhang,Shudong Li,Xiaobo Wu,Weihong Han,Laifu Wang

DOI: https://doi.org/10.1109/DSC53577.2021.00100

2021-01-01

Abstract:With the popularity of smartphones, android quickly occupied the market, and at the same time, millions of android malware increase every year, which caused great losses to users. so it's crucial to detect unknown android malware efficiently before install it. Machine learning has achieved outstanding performance in many fields, and so does android malware detection. Nowadays, many methods of detecting android malware based on machine learning have been proposed. These methods can be classified as dynamic analysis, static analysis, and hybrid analysis according to what kind of features they use. the dynamic analysis will waste a lot of time because it requires running software. What's more, it's hard to get all malicious behaviors because of Anti-Sandbox technology, which means malware might change its behavior to avoid detecting when malware is running in Sandbox. In this paper, we proposed a new android malware detection approach using multi-features and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm. The static features we use cover permissions and API calls of each android application and the size of the android application package. We used BOW(bag of words) to process permission feature, standardization to process packages size feature, and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm to handle API calls features. Machine-learning algorithms including AdaBoost, LinearSVC, GaussianNB are used for Classification. The experimental results on public datasets demonstrated our system could detect android malware efficiently.

Wenbo Fang,Junjiang He,Wenshan Li,Xiaolong Lan,Yang Chen,Tao Li,Jiwu Huang,Linlin Zhang

DOI: https://doi.org/10.1109/tifs.2023.3287395

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Android malware and its variants are a major challenge for mobile platforms. However, there are two main problems in the existing detection methods: $a$ ) The detection method lacks the evolution ability for Android malware, which leads to the low detection rate of the detection model for malware and its variants. $b$ ) Traditional detection methods require centralized data for model training, however, the aggregation of training samples is limited due to the infectivity of malware and growing data privacy concerns, centralized detection methods are difficult to be applied in actual detection scenarios. In this paper, we propose FEDriod, a comprehensive Android malware detection method based on federated learning architecture that protects against growing Android malware or emerging Android malware variants. Specifically, we employ genetic evolution strategy to simulate the evolution of Android malware and develop potential malware variants from typical Android malware. Then, we customize the Android malware detection model based on residual neural network to achieve high detection accuracy. Finally, to achieve the protection sensitive data, we develope a federated learning framework to allows multiple Android malware detection agencies to jointly build a comprehensive Android malware detection model. We comprehensively evaluate the performance of FEDriod on the CIC, Drebin, and Contagio authoritative datasets. Experimental results show that our local model outperforms all baseline classifiers. In the federal scenario, our proposed method is superior to the state-of-the-art detection methods, especially in the cross-dataset evaluation, the F1 of FEDriod is 98.53%. More important, we performed genetic evolution experiments on the Drebin dataset, and the results showed that our proposed method has the ability to detect Android malware variants.

computer science, theory & methods,engineering, electrical & electronic

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Gang Zhang,Hao Li,Zhenxiang Chen,Lizhi Peng,Yuhui Zhu,Chuan Zhao

DOI: https://doi.org/10.1109/trustcom53373.2021.00097

2021-01-01

Abstract:Android platform is facing serious malware threats due to its popularity, as evidenced by the drastic increase on the number of mobile malware families and variants in recent years. Detecting malware variants and zero-day malware is a critical challenge that must be addressed to protect mobile devices against malware attacks. In this study, we present AndroCreme, a novel network intrusion detection system (NIDS) that can identify unseen malware by analyzing the network behavior of Android malware. To address the temporal bias issue in NIDS, we propose a method for rapid iterative update of the model based on data selection and data size limitation. The selection of effective data is carried out by induction and conformal technology, and the data scale is controlled by the method of time window and data cycle selection. To further achieve fast training speed and high efficiency, we leverage a gradient boosting framework that uses a tree-based learning algorithm, namely, LightGBM, as the meta predictor. We evaluate the performance of AndroCreme over 400K real-world network flows, which are collected from over 30K Android benignware and 21K malware applications. The experimental results show that, compared with the retraining method using all data, AndroCreme requires only a small amount of datareduce more than 3x to obtain better detection performance, which effectively solves the temporal bias.