Jiayin Feng,Limin Shen,Zhen Chen,Yuying Wang,Hui Li

DOI: https://doi.org/10.1109/access.2020.3008081

IF: 3.9

2020-01-01

IEEE Access

Abstract:Because of the characteristic of openness and flexibility, Android has become the most popular mobile platform. However, it has also become the most targeted system by mobile malware. It is necessary for the users to have a fast and reliable detection method. In this paper, a two-layer method is proposed to detect malware in Android APPs. The first layer is permission, intent and component information based static malware detection model. It combines the static features with fully connected neural network to detect the malware and test its effectiveness through experiment, the detection rate of the first layer is 95.22%. Then the result (benign APPs from the first layer) is input into the second layer. In the second layer, a new method CACNN which cascades CNN and AutoEncoder, is used to detect malware through network traffic features of APPs. The detection rate of the second layer is 99.3% in binary classification (2-classifier). Moreover, the new two-layer model can also detect malware by its category (4-classifier) and malicious family (40-classifier). The detection rates are 98.2% and 71.48% respectively. The experimental results show that our two-layer method not only can achieve semi-supervise learning, but also can effectively improve the detection rate of malicious Android APPs.

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Tianliang Lu,Yanhui Du,Li Ouyang,Qiuyu Chen,Xirui Wang

DOI: https://doi.org/10.1155/2020/8863617

IF: 1.968

2020-08-28

Security and Communication Networks

Abstract:In recent years, the number of malware on the Android platform has been increasing, and with the widespread use of code obfuscation technology, the accuracy of antivirus software and traditional detection algorithms is low. Current state-of-the-art research shows that researchers started applying deep learning methods for malware detection. We proposed an Android malware detection algorithm based on a hybrid deep learning model which combines deep belief network (DBN) and gate recurrent unit (GRU). First of all, analyze the Android malware; in addition to extracting static features, dynamic behavioral features with strong antiobfuscation ability are also extracted. Then, build a hybrid deep learning model for Android malware detection. Because the static features are relatively independent, the DBN is used to process the static features. Because the dynamic features have temporal correlation, the GRU is used to process the dynamic feature sequence. Finally, the training results of DBN and GRU are input into the BP neural network, and the final classification results are output. Experimental results show that, compared with the traditional machine learning algorithms, the Android malware detection model based on hybrid deep learning algorithms has a higher detection accuracy, and it also has a better detection effect on obfuscated malware.

computer science, information systems,telecommunications

Hui-Juan Zhu,Liang-Min Wang,Sheng Zhong,Yang Li,Victor S. Sheng,Huijuan Zhu,Liangmin Wang

DOI: https://doi.org/10.1109/tkde.2021.3067658

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Android is a growing target for malicious software (malware) because of its popularity and functionality. Malware poses a serious threat to users' privacy, money, equipment and file integrity. A series of data-driven malware detection methods were proposed. However, there exist two key challenges for these methods: (1) how to learn effective feature representation from raw data; (2) how to reduce the dependence on the prior knowledge or human labors in feature learning. Inspired by the success of deep learning methods in the feature representation learning community, we propose a malware detection framework which starts with learning rich-features by a novel unsupervised feature learning algorithm Merged Sparse Auto-Encoder (MSAE). In order to extract more compact and discriminative feature from the rich-features to further boost the malware detection capability, a hybrid deep network learning algorithm Stacked Hybrid Learning MSAE and SDAE (SHLMD) is established by further incorporating a classical deep learning method Stacked Denoising Auto-encoders (SDAE). After that, we feed the feature learned by MSAE and SHLMD respectively to classification algorithms, e.g., Support Vector Machine (SVM) or K-NearestNeighbor (KNN), to train a malware detection model. Evaluation results on two real-world datasets demonstrate that SHLMD achieves 94.46 and 90.57 percent accuracy respectively, which outperforms the classical unsupervised feature representation learning Sparse Auto-encoder (SAE). MSAE performs similarly to SAE. SHLMD can further improve the performance of MSAE and the supervised fine-tuned method SDAE. Besides, we compare the performance of our methods with that of state-of-the-art detection approaches, including classical deep-learning-based methods. Extensive experiments show that our proposed methods are effective enough to detect Android malware.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Farhan Ullah,Shamsher Ullah,Gautam Srivastava,Jerry Chun-Wei Lin,Yue Zhao

DOI: https://doi.org/10.1007/s11276-023-03414-5

IF: 2.701

2023-06-27

Wireless Networks

Abstract:Currently, malware activities pose a substantial risk to the security of Android applications. These risks are capable of stealing important information and causing chaos in the economy, social structure, and financial sector. Malicious network traffic targets Android applications due to their constant connectivity. This study develops the NMal-Droid approach for network-based Android malware detection and classification. First, we designed a packet parser algorithm that filters the combination of HTTP traces and TCP flows from PCAPs (Packet Capturing) files. Second, the fine-tune embedding approach is developed that uses a word2vec pre-trained model to analyze features’ embeddings in three different ways, i.e., random, static, and dynamic. It is used to learn and extract feature-matrix matrices with related meanings. Third, The Convolutional Neural Network (CNN) is used to extract effective features from embedded information. Fourth, the Bi-directional Gated Recurrent Unit (Bi-GRU) neural network is designed to compute gradient computation in the context of time-forward and time-reversed. Finally, a multi-head ensemble of CNN-BiGRU is developed for accurate malware classification and detection. The proposed approach is evaluated on five different activation functions with 100 filters and a range of 1–5 kernel sizes for in-depth investigation. An explainable AI-based experiment is conducted to interpret and validate the proposed approach. The proposed method is tested using two big Android malware datasets, CIC-AAGM2017 and CICMalDroid 2020, which comprise a total of 10.2k malware and 3.2K benign samples. It is shown that the proposed approach outperforms as compared to the state-of-the-art methods.

computer science, information systems,telecommunications,engineering, electrical & electronic

Chunyan Zhang,Qinglei Zhou,Yizhao Huang,Ke Tang,Hairen Gui,Fudong Liu

DOI: https://doi.org/10.1155/2022/7245403

2022-05-13

Wireless Communications and Mobile Computing

Abstract:Automatic malware detection was aimed at determining whether the application is malicious or not with automated systems. Android malware attacks have gained tremendous pace owing to the widespread use of mobile devices. Although significant progress has been made in antimalware techniques, these methods mainly rely on the program features, ignoring the importance of source code analysis. Furthermore, the dynamic analysis is low code coverage and poor efficiency. Hence, we propose an automatic Android malware detection approach, named HyGNN-Mal. It analyzes the Android applications at source code level by exploiting the sequence and structure information. Meanwhile, we combine the typical static features, permissions, and APIs. In HyGNN-Mal, we utilize a deep traversal tree neural network (Deep-TNN) to process the code structure information. Particularly, we add position information to code sequence information before putting in self-attention mechanism. The evaluations conducted on multiple public datasets indicate that our method can accurately identify and classify the malicious software, and their best accuracy is 99.62% and 99.2%, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Wei Gu,Hongyan Xing,Tianhao Hou

DOI: https://doi.org/10.1049/cmu2.12754

IF: 1.345

2024-04-29

IET Communications

Abstract:An Android malware detection framework, AMERDroid, is proposed. A novel deep network, AMERNet, is designed to learn informative features. A dataset (8,981 benign and 7,896 malware) is constructed. Due to its open source and large user base, Android has emerged as the most popular operating system. Android's popularity and openness have made it a prime target for malicious attackers. Permissions have received great attention from researchers because of their effectiveness in restricting applications' access to sensitive resources. However, existing malware detection methods based on permissions are easily bypassed by inter‐application resource access. To address these issues, we combine inter‐application resource access‐related intent features with permission features. Besides, we designed a customized convolutional neural network using two squeeze‐and‐excitation blocks to learn the inherent relationships between multi‐type features. The two basic SE blocks perform squeezing operations based on average pooling and max pooling, respectively, to compute channel‐wise attention from multiple perspectives. We designed a series of experiments based on real‐world samples to evaluate the efficacy of the proposed framework. Empirical results demonstrate that our framework outperforms state‐of‐the‐art methods, achieving an accuracy of 96.29%, precision of 97.52%, recall of 94.63%, F1‐score of 96.06% and MCC of 92.60%. These promising experimental results consistently demonstrate that AMERDroid is an effective approach for Android malware detection.

engineering, electrical & electronic

Niall McLaughlin,Jesus Martinez del Rincon,BooJoong Kang,Suleiman Yerima,Paul Miller,Sakir Sezer,Yeganeh Safaei,Erik Trickel,Ziming Zhao,Adam Doupé,Gail Joon Ahn

DOI: https://doi.org/10.1145/3029806.3029823

2017-03-22

Abstract:In this paper, we propose a novel android malware detection system that uses a deep convolutional neural network (CNN). Malware classification is performed based on static analysis of the raw opcode sequence from a disassembled program. Features indicative of malware are automatically learned by the network from the raw opcode sequence thus removing the need for hand-engineered malware features. The training pipeline of our proposed system is much simpler than existing n-gram based malware detection methods, as the network is trained end-to-end to jointly learn appropriate features and to perform classification, thus removing the need to explicitly enumerate millions of n-grams during training. The network design also allows the use of long n-gram like features, not computationally feasible with existing methods. Once trained, the network can be efficiently executed on a GPU, allowing a very large number of files to be scanned quickly.

Sifan Wu,Xi Xiao

2019-01-01

Abstract:The explosive amount of Android malware have threatened the security of legitimate users. In Recent years, with the development of the neural network, more and more research is focusing on detecting malware based on the neural network. Where, most of these techniques are depending on the complex feature engineering process and have a resource and time expensive classification neural network. In this paper, we propose a novel lightweight convolution neural network model, ConvDroid, with the system call sequences as features. Different from the existing n-gram models utilizing system call sequences, we construct a two-layer convolution neural network to learn the global information of sequences instead of limited windows. Furthermore, we assess ConvDroid for accuracy, efficiency using a dataset consisting of 3567 malicious applications and 3536 benign ones. Our experiments show that ConvDroid achieves an accuracy of more than 98% with a low time cost. We further demonstrate ConvDroid’s superiority against state-of-the-art approaches.

Collins Chimezie Obidiagha,Mohamed Rahouti,Thaier Hayajneh

DOI: https://doi.org/10.1109/access.2024.3485593

IF: 3.9

2024-11-01

IEEE Access

Abstract:As the leading mobile operating system, Android powers critical infrastructure and personal devices across sectors such as finance and healthcare and a wide range of user scenarios. However, its open-source nature presents considerable security challenges. Exploiting vulnerabilities in native and custom permissions, malicious API calls, intents, signatures, and manifests, threat actors can gain access to sensitive data and device control. The continuously evolving landscape of Android malware necessitates robust and generalized detection methods. While traditional machine learning (ML) models have been employed to address this issue, they have limitations. Focusing on single datasets can impede both generalization and effective detection. Further, the dynamic nature of malware renders many traditional methods inadequate for providing comprehensive and real-time protection. This paper addresses this critical need by proposing DeepImageDroid, an advanced and efficient deep learning (DL) framework for Android malware detection. DeepImageDroid harnesses the combined power of Convolutional Neural Networks (CNNs) and Vision Transformers (ViTs), utilizing three diverse Android malware datasets. This hybrid approach significantly improves detection accuracy and model generalization compared to existing solutions. By employing the weighted average ensemble method, DeepImageDroid achieved a remarkable 96% accuracy.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhenlong Yuan,Yongqiang Lu,Zhaoguo Wang,Yibo Xue

DOI: https://doi.org/10.1145/2740070.2631434

IF: 1.937

2014-01-01

ACM SIGCOMM Computer Communication Review

Abstract:As smart:phones and mobile devices are rapidly becoming indispensable for many network users, mobile malware has become a serious threat in the network security and privacy. Especially on the popular Android platform, many malicious apps are hiding in a large number of normal apps, which makes the malware detection more challenging. In this paper, we propose a ML-based method that utilizes more than 200 features extracted from both static analysis and dynamic analysis of Android app for malv -are detection. The comparison of modeling results demonstrates that the deep learning technique is especially suitable for Android mahvare detection and can achieve a high level of 96% accuracy with real-world Android application sets.

TianYue Liu,HongQi Zhang,HaiXia Long,Jinmei Shi,YuHua Yao

DOI: https://doi.org/10.1038/s41598-022-18402-6

2022-08-17

Abstract:Deep learning technology is changing the landscape of cybersecurity research, especially the study of large amounts of data. With the rapid growth in the number of malware, developing of an efficient and reliable method for classifying malware has become one of the research priorities. In this paper, a new method, BIR-CNN, is proposed to classify of Android malware. It combines convolution neural network (CNN) with batch normalization and inception-residual (BIR) network modules by using 347-dim network traffic features. CNN combines inception-residual modules with a convolution layer that can enhance the learning ability of the model. Batch Normalization can speed up the training process and avoid over-fitting of the model. Finally, experiments are conducted on the publicly available network traffic dataset CICAndMal2017 and compared with three traditional machine learning algorithms and CNN. The accuracy of BIR-CNN is 99.73% in binary classification (2-classifier). Moreover, the BIR-CNN can classify malware by its category (4-classifier) and malicious family (35-classifier), with a classification accuracy of 99.53% and 94.38%, respectively. The experimental results show that the proposed model is an effective method for Android malware classification, especially in malware category and family classifier.

Dongfang Li,Zhaoguo Wang,Yibo Xue

DOI: https://doi.org/10.1109/ICACCE.2018.8441737

2018-01-01

Abstract:The security issue of Android Smart Phones has been most concerned by the users these years. We propose a novel method to extract exhaustive features from Android applications and use the deep-learning-based method to detect malicious applications. Then we implement an automatic detection engine, DeepDetector, to detect malicious applications. Furthermore, the detection model can identify the fine-grained malware family at the same time. We conducted the evaluation and analysis with thousands of malicious applications and benign applications from a public dataset. The results show that DeepDetector can detect 97% of the malware at 0.1 % false positive rate (FPR) and achieves a 96% precision when showing the detailed malware families. Besides, the relationship between the detection performance and the architecture of the neural network is also discussed in our work.

Sharipuddin,Rafi Septiandi Putra,M. Farhan Aulia,Sayid Achmad Maulana,Pareza Alam Jusia

DOI: https://doi.org/10.62205/mjgcs.v1i1.7

2023-12-09

Abstract:Android is a mobile operating system based on a modified version of the Linux kernel and other open-source tools. Due to its system efficiency and the multitude of features it offers to users, the Android operating system has taken a leading position in the technology market and often attracts the attention of cybercriminals. As malware continues to evolve, traditional methods for detecting Android malware, such as signature-based approaches, may not be sufficient to detect the latest malware threats. Therefore, this research proposes a deep learning algorithm, specifically Convolutional Neural Network (CNN) and Component Analysis (PCA), for feature extraction to enhance the accuracy of Android malware detection. The dataset used in this study is the CICAndMal2017 dataset. Testing results are evaluated using three parameters: accuracy, precision, and recall. Experimental results indicate that our deep learning approach outperforms many other methods with an accuracy of 91%.

Ning Lu,Dan Li,Wenbo Shi,Pandi Vijayakumar,Francesco Piccialli,Victor Chang

DOI: https://doi.org/10.1016/j.comnet.2021.107932

IF: 5.493

2021-04-01

Computer Networks

Abstract:<p>While Android smart phones are widely used in 5G networks, third-party application platforms are facing a rapid increase in the screening of applications for market launch. However, on the one hand, due to the receipt of excessive applications for listing, the review requires a lot of time and computing resources. On the other hand, due to the multi-selectivity of Android application features, it is difficult to determine the best feature combination as a criterion for distinguishing benign and malicious software. To address these challenges, this paper proposes an efficient malware detection framework based on deep neural network called DLAMD that can face large-scale samples. An efficient detection framework is designed, which combines the pre-detection phase of rapid detection and the deep detection phase of deep detection. The Android application package (APK) is analyzed in detail, and the permissions and opcodes feature that can distinguish benign from malicious are quickly extracted from the APK. In addition, the random forest with good effect is selected for importance selection and the convolutional neural network (CNN) which automatically extracted the hidden pattern inside features is selected for feature selection, so as to select the feature subset that can distinguish the attributes most. In the experiment, real data from AMD datasets and third-party application download platform are used to verify the high efficiency of the proposed method. The results show that the F1-score index of this method can reach 95.69%.</p>

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Nan Zhang,Yu-an Tan,Chen Yang,Yuanzhang Li

DOI: https://doi.org/10.1016/j.asoc.2020.107069

IF: 8.7

2021-04-01

Applied Soft Computing

Abstract:<p>Android mobile devices and applications are widely deployed and used in industry and smart city. Malware detection is one of the most powerful and effective approaches to guarantee security of Android systems, especially for industrial platform and smart city. Recently, researches using machine learning-based techniques for Android malware detection increased rapidly. Nevertheless, most of the appeared approaches have to perform feature analysis and selection, so-called feature engineering, which is time-consuming and reles on artificial experience. To solve the inefficiency problem of feature engineering, we propose TC-Droid, an automatic framework for Android malware detection based on text classification method. The core idea of TC-Droid is derived from the field of text classification. TC-Droid feeds on the text sequence of APPs analysis reports generated by AndroPyTool, applies a convolutional neural network (CNN) to explore significant information (or knowledge) under original report text, instead of manual feature engineering. In an evaluation with different number of real-world samples, TC-Droid outperforms state-of-the-art model (Drebin) and several classic models (NB, LR, KNN, RF) as well. With multiple experimental settings and corresponding comparisons, TC-Droid achieves effective and flexible performance in Android malware detection task.</p>

computer science, artificial intelligence, interdisciplinary applications

Seema Sachin Vanjire,Mohandoss Lakshmi

DOI: https://doi.org/10.11591/eei.v13i3.6986

2024-06-01

Bulletin of Electrical Engineering and Informatics

Abstract:The increasing prevalence of malware targeting android mobile devices has raised significant concerns regarding user privacy and security. In response, effective methods for malware classification and detection are crucial to protect users from malicious applications. This paper presents an approach that leverages deep learning techniques and explainable artificial intelligence (XAI) for android mobile malware classification and detection. Convolutional neural networks (CNNs) are deep learning model that has shown impressive performance in several application areas, including image and text classification. In the context of android mobile malware, CNNs have shown promising results in capturing intricate patterns and features inherent in malware samples. By training these models on large datasets of benign and malicious applications, accurate classification can be achieved. To enhance transparency and interpretability, XAI techniques are integrated into the classification process. These techniques provide insights into the decision-making process of the deep learning models, enabling the identification of critical features and characteristics that contribute to the classification results. This research, by combining deep learning and XAI methods, presents a fresh strategy for identifying and categorizing Android malware. This research paper will focus on a fascinating CNN-based malware categorization technique.

Xiaolong Xu,Shuai Jiang,Jinbo Zhao,Xinheng Wang

DOI: https://doi.org/10.23919/jsee.2024.000018

IF: 1.363

2024-02-01

Journal of Systems Engineering and Electronics

Abstract:The rapid growth of mobile applications, the popularity of the Android system and its openness have attracted many hackers and even criminals, who are creating lots of Android malware. However, the current methods of Android malware detection need a lot of time in the feature engineering phase. Furthermore, these models have the defects of low detection rate, high complexity, and poor practicability, etc. We analyze the Android malware samples, and the distribution of malware and benign software in application programming interface (API) calls, permissions, and other attributes. We classify the software&#x27;s threat levels based on the correlation of features. Then, we propose deep neural networks and convolutional neural networks with ensemble learning (DCEL), a new classifier fusion model for Android malware detection. First, DCEL preprocesses the malware data to remove redundant data, and converts the one-dimensional data into a two-dimensional gray image. Then, the ensemble learning approach is used to combine the deep neural network with the convolutional neural network, and the final classification results are obtained by voting on the prediction of each single classifier. Experiments based on the Drebin and Malgenome datasets show that compared with current state-of-art models, the proposed DCEL has a higher detection rate, higher recall rate, and lower computational cost.

automation & control systems,engineering, electrical & electronic,operations research & management science

Zhuo Ma,Haoran Ge,Zhuzhu Wang,Yang Liu,Ximeng Liu

DOI: https://doi.org/10.48550/arXiv.2002.03594

2020-02-10

Cryptography and Security

Abstract:Android malware detection is a critical step towards building a security credible system. Especially, manual search for the potential malicious code has plagued program analysts for a long time. In this paper, we propose Droidetec, a deep learning based method for android malware detection and malicious code localization, to model an application program as a natural language sequence. Droidetec adopts a novel feature extraction method to derive behavior sequences from Android applications. Based on that, the bi-directional Long Short Term Memory network is utilized for malware detection. Each unit in the extracted behavior sequence is inventively represented as a vector, which allows Droidetec to automatically analyze the semantics of sequence segments and eventually find out the malicious code. Experiments with 9616 malicious and 11982 benign programs show that Droidetec reaches an accuracy of 97.22% and an F1-score of 98.21%. In all, Droidetec has a hit rate of 91% to properly find out malicious code segments.

Brahami Menaouer,Abdallah El Hadj Mohamed Islem,Matta Nada

DOI: https://doi.org/10.4018/ijiit.329956

2023-09-08

International Journal of Intelligent Information Technologies

Abstract:In the past decade, Android has become a standard smartphone operating system. The mobile devices running on the Android operating system are particularly interesting to malware developers, as the users often keep personal information on their mobile devices. This paper proposes a deep learning model for mobile malware detection and classification. It is based on SAE for reducing the data dimensionality. Then, a CNN is utilized to detect and classify malware apps in Android devices through binary visualization. Tests were carried out with an original Android application (Drebin-215) dataset consisting of 15,036 applications. The conducted experiments prove that the classification performance achieves high accuracy of about 98.50%. Other performance measures used in the study are precision, recall, and F1-score. Finally, the accuracy and results of these techniques are analyzed by comparing the effectiveness with previous works.