Lichao Zhao,Dan Li,Guangcong Zheng,Wenbo Shi

DOI: https://doi.org/10.1109/icct.2018.8600052

2018-01-01

Abstract:Malware detection is more challenging due to the increase in android malicious programs and the current problems of android malicious detection. This paper proposes an android mobile malware detection system based on deep neural network, a novel malware detection method which uses optimized deep Convolutional Neural Network to learn from opcode sequences. In the proposed detection system, the optimized Convolutional Neural Network is trained multiple times by the raw operation code sequence extracted from the decompiled android file, so that the feature information can be effectively learned and the malicious program can be detected more accurately. More critically, the k-max pooling method with better results was adopted in the pooling operation phase, and which improves the detection effect of the proposed method. The experimental results show that the detection system achieved the accuracy of 99%, which is 2%-11 % higher than the accuracy of the machine learning detection algorithms when using the same dataset. It also ensures that the indicators such as Fl-score, Recall and Precision are maintained above 97%.

Yi Zhang,Yuexiang Yang,Xiaolei Wang

DOI: https://doi.org/10.1145/3199478.3199492

2018-01-01

Abstract:With the explosive growth of Android malware, there is a pressure for us to improve the performance of existing malware detection approaches. In this paper, we proposed DeepClassifyDroid, a novel android malware detection system based on deep learning. DeepClassifyDroid takes a three-step approach: feature extraction, feature embedding and deep learning based detection. The first and second steps perform a broad static analysis and generate five different feature sets. The last step performs malware detection based on convolutional neural networks. We evaluated our approach with different feature sets and compared with a variety of machine learning based approaches. Study shows that DeepClassifyDroid outperforms most existing machine learning based approaches and detects 97.4% of the malware with few false alarms. Moreover, our approach is 10 times faster than Linear-SVM and 80 times faster than kNN.

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Zeliang Kan,Haoyu Wang,Guoai Xu,Yao Guo,Xiangqun Chen

DOI: https://doi.org/10.1109/COMPSAC.2018.00092

2018-01-01

Abstract:The explosive amount of malware continues threating the security of operating systems and networks. Traditional malware detection approaches fail to meet the requirements of detecting polymorphic and new samples. Existing neural network based detection approaches performs better, but consuming much more time in both feature extraction and training. In this paper, we propose a light-weight PC malware detection system which is based on deep convolutional neural network (CNN). The raw inputs of our system are sequences of grouped instructions, which were generated by our Instruction Analyzer in according to different functionalities of the instructions. The network will automatically learn features of malware from the grouped instruction sequences. The experiment results suggest that in a large dataset which contains roughly 70,000 samples, our detection system can achieve an overall accuracy of 95\%. The training time of our system with single convolutional layer was only about 10 hours, which is one order of magnitude less than traditional methods.

Dongfang Li,Zhaoguo Wang,Yibo Xue

DOI: https://doi.org/10.1109/ICACCE.2018.8441737

2018-01-01

Abstract:The security issue of Android Smart Phones has been most concerned by the users these years. We propose a novel method to extract exhaustive features from Android applications and use the deep-learning-based method to detect malicious applications. Then we implement an automatic detection engine, DeepDetector, to detect malicious applications. Furthermore, the detection model can identify the fine-grained malware family at the same time. We conducted the evaluation and analysis with thousands of malicious applications and benign applications from a public dataset. The results show that DeepDetector can detect 97% of the malware at 0.1 % false positive rate (FPR) and achieves a 96% precision when showing the detailed malware families. Besides, the relationship between the detection performance and the architecture of the neural network is also discussed in our work.

Buket Doğan,Esra Calik Bayazit,O. K. Sahingoz

DOI: https://doi.org/10.1109/hora55278.2022.9800057

2022-06-09

Abstract:In recent years, smart mobile devices have become indispensable due to the availability of office applications, the Internet, game applications, vehicle guidance or similar most of our daily lives applications in addition to traditional services such as voice calls, SMSs, and multimedia services. Due to Android's open source structure and easy development platforms, the number of applications on Google Play, the official Android app store increased day by day. This also brig some security related issues for the end users. The increased popularity of Android operating system on mobile devices, and the associated financial benefits attracted attackers for developing some malware for these devices, which results a significant increase in the number of Android malware applications. To detect this type of security threats, signature based detection (static detection) in generally preferred due to its easy applicability and fast identification ability. Therefore in this study it is aimed to implement an up-to-date, effective, and reliable malware detection system with the help of some deep learning algorithms. In the proposed system, RNN-based LSTM, BiLSTM and GRU algorithms are evaluated on CICInvesAndMal2019 data set which contains 8115 static features for malware detection. Experimental results show that the BiLSTM model outperforms other proposed RNN-based deep learning methods with an accuracy rate of 98.85 %.

Computer Science

Tianliang Lu,Yanhui Du,Li Ouyang,Qiuyu Chen,Xirui Wang

DOI: https://doi.org/10.1155/2020/8863617

IF: 1.968

2020-08-28

Security and Communication Networks

Abstract:In recent years, the number of malware on the Android platform has been increasing, and with the widespread use of code obfuscation technology, the accuracy of antivirus software and traditional detection algorithms is low. Current state-of-the-art research shows that researchers started applying deep learning methods for malware detection. We proposed an Android malware detection algorithm based on a hybrid deep learning model which combines deep belief network (DBN) and gate recurrent unit (GRU). First of all, analyze the Android malware; in addition to extracting static features, dynamic behavioral features with strong antiobfuscation ability are also extracted. Then, build a hybrid deep learning model for Android malware detection. Because the static features are relatively independent, the DBN is used to process the static features. Because the dynamic features have temporal correlation, the GRU is used to process the dynamic feature sequence. Finally, the training results of DBN and GRU are input into the BP neural network, and the final classification results are output. Experimental results show that, compared with the traditional machine learning algorithms, the Android malware detection model based on hybrid deep learning algorithms has a higher detection accuracy, and it also has a better detection effect on obfuscated malware.

computer science, information systems,telecommunications

Sifan Wu,Xi Xiao

2019-01-01

Abstract:The explosive amount of Android malware have threatened the security of legitimate users. In Recent years, with the development of the neural network, more and more research is focusing on detecting malware based on the neural network. Where, most of these techniques are depending on the complex feature engineering process and have a resource and time expensive classification neural network. In this paper, we propose a novel lightweight convolution neural network model, ConvDroid, with the system call sequences as features. Different from the existing n-gram models utilizing system call sequences, we construct a two-layer convolution neural network to learn the global information of sequences instead of limited windows. Furthermore, we assess ConvDroid for accuracy, efficiency using a dataset consisting of 3567 malicious applications and 3536 benign ones. Our experiments show that ConvDroid achieves an accuracy of more than 98% with a low time cost. We further demonstrate ConvDroid’s superiority against state-of-the-art approaches.

Xin Su,Dafang Zhang,Wenjia Li,Kai Zhao

DOI: https://doi.org/10.1109/TrustCom.2016.69

2016-01-01

Abstract:The growing amount and diversity of Android malware has significantly weakened the effectiveness of the conventional defense mechanisms, and thus Android platform often remains unprotected from new and unknown malware. To address these limitations, we propose DroidDeep, a malware detection approach for the Android platform based on the deep learning model. Deep learning emerges as a new area of machine learning research that has attracted increasing attention in artificial intelligence. To implement this, we first extract five types of features from the static analysis of Android apps. Then, we build the deep learning model to learn features from Android apps. Finally, the learned features are used to detect unknown Android malware. In an experiment with 3,986 benign apps and 3,986 malware, DroidDeep outperforms several existing malware detection approaches and achieves a 99.4% detection accuracy. Moreover, DroidDeep can achieve a remarkable run-time efficiency which makes it very easy to adapt to a lager scale of real-world Android malware detection.

Dan Li,Lichao Zhao,Qingfeng Cheng,Ning Lu,Wenbo Shi

DOI: https://doi.org/10.1002/cpe.5308

2019-01-01

Abstract:SummaryThe number of malware has exploded due to the openness of the Android platform, and the endless stream of malware poses a threat to the privacy, tariffs, and device of mobile phone users. A novel Android mobile malware detection system is proposed, which employs an optimized deep convolutional neural network to learn from opcode sequences. The optimized convolutional neural network is trained multiple times by the raw opcode sequences extracted from the decompiled Android file, so that the feature information can be effectively learned and the malicious program can be detected more accurately. More critically, the k‐max pooling method with better results is adopted in the pooling operation phase, which improves the detection effect of the proposed method. The experimental results show that the detection system achieved the accuracy of 99%, which is 2%‐11% higher than the accuracy of the machine learning detection algorithms when using the same data set. It also ensures that the indicators, such as F1‐score, recall, and precision, are maintained above 97%. Based on the detection system, a multi–data set comparison experiment is carried out. The introduced k‐max pooling is deeply studied, and the effect of k of k‐max pooling on the overall detection effect is observed.

Hui-Juan Zhu,Liang-Min Wang,Sheng Zhong,Yang Li,Victor S. Sheng,Huijuan Zhu,Liangmin Wang

DOI: https://doi.org/10.1109/tkde.2021.3067658

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Android is a growing target for malicious software (malware) because of its popularity and functionality. Malware poses a serious threat to users' privacy, money, equipment and file integrity. A series of data-driven malware detection methods were proposed. However, there exist two key challenges for these methods: (1) how to learn effective feature representation from raw data; (2) how to reduce the dependence on the prior knowledge or human labors in feature learning. Inspired by the success of deep learning methods in the feature representation learning community, we propose a malware detection framework which starts with learning rich-features by a novel unsupervised feature learning algorithm Merged Sparse Auto-Encoder (MSAE). In order to extract more compact and discriminative feature from the rich-features to further boost the malware detection capability, a hybrid deep network learning algorithm Stacked Hybrid Learning MSAE and SDAE (SHLMD) is established by further incorporating a classical deep learning method Stacked Denoising Auto-encoders (SDAE). After that, we feed the feature learned by MSAE and SHLMD respectively to classification algorithms, e.g., Support Vector Machine (SVM) or K-NearestNeighbor (KNN), to train a malware detection model. Evaluation results on two real-world datasets demonstrate that SHLMD achieves 94.46 and 90.57 percent accuracy respectively, which outperforms the classical unsupervised feature representation learning Sparse Auto-encoder (SAE). MSAE performs similarly to SAE. SHLMD can further improve the performance of MSAE and the supervised fine-tuned method SDAE. Besides, we compare the performance of our methods with that of state-of-the-art detection approaches, including classical deep-learning-based methods. Extensive experiments show that our proposed methods are effective enough to detect Android malware.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Collins Chimezie Obidiagha,Mohamed Rahouti,Thaier Hayajneh

DOI: https://doi.org/10.1109/access.2024.3485593

IF: 3.9

2024-11-01

IEEE Access

Abstract:As the leading mobile operating system, Android powers critical infrastructure and personal devices across sectors such as finance and healthcare and a wide range of user scenarios. However, its open-source nature presents considerable security challenges. Exploiting vulnerabilities in native and custom permissions, malicious API calls, intents, signatures, and manifests, threat actors can gain access to sensitive data and device control. The continuously evolving landscape of Android malware necessitates robust and generalized detection methods. While traditional machine learning (ML) models have been employed to address this issue, they have limitations. Focusing on single datasets can impede both generalization and effective detection. Further, the dynamic nature of malware renders many traditional methods inadequate for providing comprehensive and real-time protection. This paper addresses this critical need by proposing DeepImageDroid, an advanced and efficient deep learning (DL) framework for Android malware detection. DeepImageDroid harnesses the combined power of Convolutional Neural Networks (CNNs) and Vision Transformers (ViTs), utilizing three diverse Android malware datasets. This hybrid approach significantly improves detection accuracy and model generalization compared to existing solutions. By employing the weighted average ensemble method, DeepImageDroid achieved a remarkable 96% accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wei Wang,Mengxue Zhao,Jigang Wang

DOI: https://doi.org/10.1007/s12652-018-0803-6

IF: 3.662

2018-01-01

Journal of Ambient Intelligence and Humanized Computing

Abstract:Android security incidents occurred frequently in recent years. To improve the accuracy and efficiency of large-scale Android malware detection, in this work, we propose a hybrid model based on deep autoencoder (DAE) and convolutional neural network (CNN). First, to improve the accuracy of malware detection, we reconstruct the high-dimensional features of Android applications (apps) and employ multiple CNN to detect Android malware. In the serial convolutional neural network architecture (CNN-S), we use Relu, a non-linear function, as the activation function to increase sparseness and “dropout” to prevent over-fitting. The convolutional layer and pooling layer are combined with the full-connection layer to enhance feature extraction capability. Under these conditions, CNN-S shows powerful ability in feature extraction and malware detection. Second, to reduce the training time, we use deep autoencoder as a pre-training method of CNN. With the combination, deep autoencoder and CNN model (DAE-CNN) can learn more flexible patterns in a short time. We conduct experiments on 10,000 benign apps and 13,000 malicious apps. CNN-S demonstrates a significant improvement compared with traditional machine learning methods in Android malware detection. In details, compared with SVM, the accuracy with the CNN-S model is improved by 5%, while the training time using DAE-CNN model is reduced by 83% compared with CNN-S model.

Yuxin Ding,Jieke Hu,Wenting Xu,Xiao Zhang

DOI: https://doi.org/10.1109/ICMLC48188.2019.8949298

2019-01-01

Abstract:In recent years, there is a rapid increase in the number of Android based malware. To protect users from malware attacks, different malware detection methods are proposed. In this paper, a novel static method is proposed to detect malware. We use the static analysis technique to analyze the Android applications and obtain their static behaviors. Two kinds of behaviors are extracted to represent malware. One kind of behaviors is the function call graph and the other kind is opcode sequences. To automatically learn behavioral features, we convert the function call graphs and opcode sequences into two dimensional data, and use deep learning method to build malware classifier. To further improve the performance of the malware classifier, a deep feature fusion model is proposed, which can combine different behavioral features for malware classification. The experimental results show the deep learning method is effective to detect malware and the proposed fusion model outperforms the single behavioral model.

Xi Xiao,Shaofeng Zhang,Francesco Mercaldo,Guangwu Hu,Arun Kumar Sangaiah

DOI: https://doi.org/10.1007/s11042-017-5104-0

IF: 2.577

2017-01-01

Multimedia Tools and Applications

Abstract:As Android-based mobile devices become increasingly popular, malware detection on Android is very crucial nowadays. In this paper, a novel detection method based on deep learning is proposed to distinguish malware from trusted applications. Considering there is some semantic information in system call sequences as the natural language, we treat one system call sequence as a sentence in the language and construct a classifier based on the Long Short-Term Memory (LSTM) language model. In the classifier, at first two LSTM models are trained respectively by the system call sequences from malware and those from benign applications. Then according to these models, two similarity scores are computed. Finally, the classifier determines whether the application under analysis is malicious or trusted by the greater score. Thorough experiments show that our approach can achieve high efficiency and reach high recall of 96.6% with low false positive rate of 9.3%, which is better than the other methods.

Mohammed K. Alzaylaee,Suleiman Y. Yerima,Sakir Sezer

DOI: https://doi.org/10.1016/j.cose.2019.101663

2019-11-23

Abstract:The Android operating system has been the most popular for smartphones and tablets since 2012. This popularity has led to a rapid raise of Android malware in recent years. The sophistication of Android malware obfuscation and detection avoidance methods have significantly improved, making many traditional malware detection methods obsolete. In this paper, we propose DL-Droid, a deep learning system to detect malicious Android applications through dynamic analysis using stateful input generation. Experiments performed with over 30,000 applications (benign and malware) on real devices are presented. Furthermore, experiments were also conducted to compare the detection performance and code coverage of the stateful input generation method with the commonly used stateless approach using the deep learning system. Our study reveals that DL-Droid can achieve up to 97.8% detection rate (with dynamic features only) and 99.6% detection rate (with dynamic + static features) respectively which outperforms traditional machine learning techniques. Furthermore, the results highlight the significance of enhanced input generation for dynamic analysis as DL-Droid with the state-based input generation is shown to outperform the existing state-of-the-art approaches.

Cryptography and Security,Machine Learning,Neural and Evolutionary Computing

Weina Niu,Rong Cao,Xiaosong Zhang,Kangyi Ding,Kaimeng Zhang,Ting Li

DOI: https://doi.org/10.3390/s20133645

2020-06-29

Abstract:Due to the openness of an Android system, many Internet of Things (IoT) devices are running the Android system and Android devices have become a common control terminal for IoT devices because of various sensors on them. With the popularity of IoT devices, malware on Android-based IoT devices is also increasing. People's lives and privacy security are threatened. To reduce such threat, many researchers have proposed new methods to detect Android malware. Currently, most malware detection products on the market are based on malware signatures, which have a fast detection speed and normally a low false alarm rate for known malware families. However, they cannot detect unknown malware and are easily evaded by malware that is confused or packaged. Many new solutions use syntactic features and machine learning techniques to classify Android malware. It has been known that analysis of the Function Call Graph (FCG) can capture behavioral features of malware well. This paper presents a new approach to classifying Android malware based on deep learning and OpCode-level FCG. The FCG is obtained through static analysis of Operation Code (OpCode), and the deep learning model we used is the Long Short-Term Memory (LSTM). We conducted experiments on a dataset with 1796 Android malware samples classified into two categories (obtained from Virusshare and AndroZoo) and 1000 benign Android apps. Our experimental results showed that our proposed approach with an accuracy of 97 % outperforms the state-of-the-art methods such as those proposed by Nikola et al. and Hou et al. (IJCAI-18) with the accuracy of 97 % and 91 % , respectively. The time consumption of our proposed approach is less than the other two methods.

Farhan Ullah,Shamsher Ullah,Gautam Srivastava,Jerry Chun-Wei Lin,Yue Zhao

DOI: https://doi.org/10.1007/s11276-023-03414-5

IF: 2.701

2023-06-27

Wireless Networks

Abstract:Currently, malware activities pose a substantial risk to the security of Android applications. These risks are capable of stealing important information and causing chaos in the economy, social structure, and financial sector. Malicious network traffic targets Android applications due to their constant connectivity. This study develops the NMal-Droid approach for network-based Android malware detection and classification. First, we designed a packet parser algorithm that filters the combination of HTTP traces and TCP flows from PCAPs (Packet Capturing) files. Second, the fine-tune embedding approach is developed that uses a word2vec pre-trained model to analyze features’ embeddings in three different ways, i.e., random, static, and dynamic. It is used to learn and extract feature-matrix matrices with related meanings. Third, The Convolutional Neural Network (CNN) is used to extract effective features from embedded information. Fourth, the Bi-directional Gated Recurrent Unit (Bi-GRU) neural network is designed to compute gradient computation in the context of time-forward and time-reversed. Finally, a multi-head ensemble of CNN-BiGRU is developed for accurate malware classification and detection. The proposed approach is evaluated on five different activation functions with 100 filters and a range of 1–5 kernel sizes for in-depth investigation. An explainable AI-based experiment is conducted to interpret and validate the proposed approach. The proposed method is tested using two big Android malware datasets, CIC-AAGM2017 and CICMalDroid 2020, which comprise a total of 10.2k malware and 3.2K benign samples. It is shown that the proposed approach outperforms as compared to the state-of-the-art methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Ahsan Wajahat,Jingsha He,Nafei Zhu,Tariq Mahmood,Ahsan Nazir,Muhammad Salman Pathan,Sirajuddin Qureshi,Faheem Ullah

DOI: https://doi.org/10.3233/jifs-231969

2023-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:Positive developments in smartphone usage have led to an increase in malicious attacks, particularly targeting Android mobile devices. Android has been a primary target for malware exploiting security vulnerabilities due to the presence of critical applications, such as banking applications. Several machine learning-based models for mobile malware detection have been developed recently, but significant research is needed to achieve optimal efficiency and performance. The proliferation of Android devices and the increasing threat of mobile malware have made it imperative to develop effective methods for detecting malicious apps. This study proposes a robust hybrid deep learning-based approach for detecting and predicting Android malware that integrates Convolutional Neural Networks (CNN) and Long Short-Term Memory (LSTM). It also presents a creative machine learning-based strategy for dealing with unbalanced datasets, which can mislead the training algorithm during classification. The proposed strategy helps to improve method performance and mitigate over- and under-fitting concerns. The proposed model effectively detects Android malware. It extracts both temporal and spatial features from the dataset. A well-known Drebin dataset was used to train and evaluate the efficacy of all creative frameworks regarding the accuracy, sensitivity, MAE, RMSE, and AUC. The empirical finding proclaims the projected hybrid ConvLSTM model achieved remarkable performance with an accuracy of 0.99, a sensitivity of 0.99, and an AUC of 0.99. The proposed model outperforms standard machine learning-based algorithms in detecting malicious apps and provides a promising framework for real-time Android malware detection.

Jaiteg Singh,Deepak Thakur,Farman Ali,Tanya Gera,Kyung Sup Kwak

DOI: https://doi.org/10.3390/s20247013

IF: 3.9

2020-12-08

Sensors

Abstract:The Android operating system has gained popularity and evolved rapidly since the previous decade. Traditional approaches such as static and dynamic malware identification techniques require a lot of human intervention and resources to design the malware classification model. The real challenge lies with the fact that inspecting all files of the application structure leads to high processing time, more storage, and manual effort. To solve these problems, optimization algorithms and deep learning has been recently tested for mitigating malware attacks. This manuscript proposes Summing of neurAl aRchitecture and VisualizatiOn Technology for Android Malware identification (SARVOTAM). The system converts the malware non-intuitive features into fingerprint images to extract the quality information. A fine-tuned Convolutional Neural Network (CNN) is used to automatically extract rich features from visualized malware thus eliminating the feature engineering and domain expert cost. The experiments were done using the DREBIN dataset. A total of fifteen different combinations of the Android malware image sections were used to identify and classify Android malware. The softmax layer of CNN was substituted with machine learning algorithms like K-Nearest Neighbor (KNN), Support Vector Machine (SVM), and Random Forest (RF) to analyze the grayscale malware images. It observed that CNN-SVM model outperformed original CNN as well as CNN-KNN, and CNN-RF. The classification results showed that our method is able to achieve an accuracy of 92.59% using Android certificates and manifest malware images. This paper reveals the lightweight solution and much precise option for malware identification.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation