Xiaohan Zhang,Yuan Zhang,Ming Zhong,Daizong Ding,Yinzhi Cao,Yukun Zhang,Mi Zhang,Min Yang

DOI: https://doi.org/10.1145/3372297.3417291

2020-10-30

Abstract:Machine learning (ML) classifiers have been widely deployed to detect Android malware, but at the same time the application of ML classifiers also faces an emerging problem. The performance of such classifiers degrades---or called ages---significantly over time given the malware evolution. Prior works have proposed to use retraining or active learning to reverse and improve aged models. However, the underlying classifier itself is still blind, unaware of malware evolution. Unsurprisingly, such evolution-insensitive retraining or active learning comes at a price, i.e., the labeling of tens of thousands of malware samples and the cost of significant human efforts. In this paper, we propose the first framework, called APIGraph, to enhance state-of-the-art malware classifiers with the similarity information among evolved Android malware in terms of semantically-equivalent or similar API usages, thus naturally slowing down classifier aging. Our evaluation shows that because of the slow-down of classifier aging, APIGraph saves significant amounts of human efforts required by active learning in labeling new malware samples.

Xiaohan Zhang,Mi Zhang,Yuan Zhang,Ming Zhong,Xin Zhang,Yinzhi Cao,Min Yang

DOI: https://doi.org/10.1109/tdsc.2022.3144697

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Learning-based malware detectors are widely used in practice to safeguard real-world computers. One major challenge is known as model aging, where the effectiveness of these models drops drastically as malware variants keep evolving. To tackle model aging, most existing works choose to label new samples to retrain the aged models. However, such data-perspective methods often require excessive costs in labeling and retraining. In this article, we observe that during evolution, malware samples often preserve similar malicious semantics while switching to new implementations with semantically equivalent APIs. Such observation enables us to look into the problem from a different perspective: feature space. More specifically, if the models can capture the intrinsic semantics of malware variants from feature space, it will help slow down the aging of learning-based detectors. Based on this insight, we design APIGraph to automatically extract API knowledge from API documentation and incorporate these knowledge into the training of malware detection models. We use APIGraph to enhance 5 state-of-the-art malware detectors, covering both Android and Windows platforms and various learning algorithms. Experiments on large-scale, evolutionary datasets with nearly 340K samples show that APIGraph can help slow down the aging of these models by 5.9% to 19.6%, as well as reduce labeling efforts from 33.07% to 96.30% on top of data-perspective methods.

Hanqing Zhang,Senlin Luo,Yifei Zhang,Limin Pan

DOI: https://doi.org/10.1109/access.2019.2919796

IF: 3.9

2019-01-01

IEEE Access

Abstract:According to the recent report, 12 000 new Android malware samples will be generated every day. Efficient identification of evolving malware is an urgent challenge. Traditional methods based on structured features such as permissions and sensitive application programming interface (API) calls lack high-level behavioral semantics to detect evolving malware. The methods based on call graphs (CG) are good at behavioral semantic analysis but face the problem of huge time and space consumption, which leads to low detection efficiency. In this paper, we propose a novel Android malware detection method based on the method-level correlation relationship of application's abstracted API calls. First, we split each Android application's source code into separate function methods and just keep the abstracted API calls of them to form a set of abstracted API calls transactions. And then, we calculate the confidence of association rules between the abstracted API calls, which forms behavioral semantics to describe an application. Finally, we combine machine learning to identify the different behavioral patterns of malicious and benign apps to build the detection system. The results of our empirical evaluation show our system is competitive in terms of classification accuracy and detection efficiency. At dataset Drebin (benign 5.9K and malware 5.6K) and AMD (benign 20.5K and malware 20.8K), our system has achieved 96% and 98% detection results both in accuracy and F-measure. Compared with the state-of-the-art system in detecting evolving malware called MaMaDroid on the dataset of 6.0K benign and 20.5K malicious samples spanning from 2010 to 2017, our system achieves higher accuracy while improving detection efficiency by 15 times (2.9 s versus 45.7 s per sample).

Jiyun Yang,Hanwei Li,Lijun He,Tao Xiang,Yujie Jin

DOI: https://doi.org/10.1016/j.cose.2024.104061

2024-01-01

Abstract:As the Android ecosystem develops, malware also evolves to adapt to the changes. Consequently, malware remains a significant threat, posing a challenge in developing a low-resource consumption malware detection method that can adjust to updates in the Android API versions. We propose a novel method called MDADroid, which detects malware based on self-built Functionality-API mapping. We start by building a set of permission-related APIs using open-source knowledge. Then, we construct a Functionality-App-API heterogeneous graph based on collected data and establish a Functionality-API mapping from it. Finally, MDADroid transforms app features from the API level to the functionality level for malware detection, ensuring model resilience to API changes. We also design an API similarity calculation method that updates the Functionality-API mapping at a low cost. We evaluate MDADroid on multiple datasets, and the results show that MDADroid achieves an accuracy of 95.22%, 96.23%, 98.77%, and 99.56% on the AndroZoo, CICAndMal 2017, CICMalDroid 2020, and Drebin datasets, respectively, with training and testing times of 2 s, 0.6188 s, 1.34 s, and 1.02 s. Moreover, our method demonstrates excellent performance in the tests for resilience capabilities.

Gang Zhang,Hao Li,Zhenxiang Chen,Lizhi Peng,Yuhui Zhu,Chuan Zhao

DOI: https://doi.org/10.1109/trustcom53373.2021.00097

2021-01-01

Abstract:Android platform is facing serious malware threats due to its popularity, as evidenced by the drastic increase on the number of mobile malware families and variants in recent years. Detecting malware variants and zero-day malware is a critical challenge that must be addressed to protect mobile devices against malware attacks. In this study, we present AndroCreme, a novel network intrusion detection system (NIDS) that can identify unseen malware by analyzing the network behavior of Android malware. To address the temporal bias issue in NIDS, we propose a method for rapid iterative update of the model based on data selection and data size limitation. The selection of effective data is carried out by induction and conformal technology, and the data scale is controlled by the method of time window and data cycle selection. To further achieve fast training speed and high efficiency, we leverage a gradient boosting framework that uses a tree-based learning algorithm, namely, LightGBM, as the meta predictor. We evaluate the performance of AndroCreme over 400K real-world network flows, which are collected from over 30K Android benignware and 21K malware applications. The experimental results show that, compared with the retraining method using all data, AndroCreme requires only a small amount of datareduce more than 3x to obtain better detection performance, which effectively solves the temporal bias.

Hui-Juan Zhu,Liang-Min Wang,Sheng Zhong,Yang Li,Victor S. Sheng,Huijuan Zhu,Liangmin Wang

DOI: https://doi.org/10.1109/tkde.2021.3067658

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Android is a growing target for malicious software (malware) because of its popularity and functionality. Malware poses a serious threat to users' privacy, money, equipment and file integrity. A series of data-driven malware detection methods were proposed. However, there exist two key challenges for these methods: (1) how to learn effective feature representation from raw data; (2) how to reduce the dependence on the prior knowledge or human labors in feature learning. Inspired by the success of deep learning methods in the feature representation learning community, we propose a malware detection framework which starts with learning rich-features by a novel unsupervised feature learning algorithm Merged Sparse Auto-Encoder (MSAE). In order to extract more compact and discriminative feature from the rich-features to further boost the malware detection capability, a hybrid deep network learning algorithm Stacked Hybrid Learning MSAE and SDAE (SHLMD) is established by further incorporating a classical deep learning method Stacked Denoising Auto-encoders (SDAE). After that, we feed the feature learned by MSAE and SHLMD respectively to classification algorithms, e.g., Support Vector Machine (SVM) or K-NearestNeighbor (KNN), to train a malware detection model. Evaluation results on two real-world datasets demonstrate that SHLMD achieves 94.46 and 90.57 percent accuracy respectively, which outperforms the classical unsupervised feature representation learning Sparse Auto-encoder (SAE). MSAE performs similarly to SAE. SHLMD can further improve the performance of MSAE and the supervised fine-tuned method SDAE. Besides, we compare the performance of our methods with that of state-of-the-art detection approaches, including classical deep-learning-based methods. Extensive experiments show that our proposed methods are effective enough to detect Android malware.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Annamalai Narayanan,Mahinthan Chandramohan,Lihui Chen,Yang Liu

DOI: https://doi.org/10.48550/arXiv.1706.00947

2017-07-06

Abstract:It is well-known that Android malware constantly evolves so as to evade detection. This causes the entire malware population to be non-stationary. Contrary to this fact, most of the prior works on Machine Learning based Android malware detection have assumed that the distribution of the observed malware characteristics (i.e., features) does not change over time. In this work, we address the problem of malware population drift and propose a novel online learning based framework to detect malware, named CASANDRA (Contextaware, Adaptive and Scalable ANDRoid mAlware detector). In order to perform accurate detection, a novel graph kernel that facilitates capturing apps' security-sensitive behaviors along with their context information from dependency graphs is proposed. Besides being accurate and scalable, CASANDRA has specific advantages: i) being adaptive to the evolution in malware features over time ii) explaining the significant features that led to an app's classification as being malicious or benign. In a large-scale comparative analysis, CASANDRA outperforms two state-of-the-art techniques on a benchmark dataset achieving 99.23% F-measure. When evaluated with more than 87,000 apps collected in-the-wild, CASANDRA achieves 89.92% accuracy, outperforming existing techniques by more than 25% in their typical batch learning setting and more than 7% when they are continuously retained, while maintaining comparable efficiency.

Cryptography and Security,Machine Learning,Software Engineering

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Annamalai Narayanan,Liu Yang,Lihui Chen,Liu Jinliang

DOI: https://doi.org/10.48550/arXiv.1606.07150

2016-09-26

Abstract:It is well-known that malware constantly evolves so as to evade detection and this causes the entire malware population to be non-stationary. Contrary to this fact, prior works on machine learning based Android malware detection have assumed that the distribution of the observed malware characteristics (i.e., features) do not change over time. In this work, we address the problem of malware population drift and propose a novel online machine learning based framework, named DroidOL to handle it and effectively detect malware. In order to perform accurate detection, security-sensitive behaviors are captured from apps in the form of inter-procedural control-flow sub-graph features using a state-of-the-art graph kernel. In order to perform scalable detection and to adapt to the drift and evolution in malware population, an online passive-aggressive classifier is used. In a large-scale comparative analysis with more than 87,000 apps, DroidOL achieves 84.29% accuracy outperforming two state-of-the-art malware techniques by more than 20% in their typical batch learning setting and more than 3% when they are continuously re-trained. Our experimental findings strongly indicate that online learning based approaches are highly suitable for real-world malware detection.

Cryptography and Security,Machine Learning

Molina-Coronado B.,Mori U.,Mendiburu A.,Miguel-Alonso J

DOI: https://doi.org/10.48550/arXiv.2309.09807

2023-09-18

Abstract:The rapidly evolving nature of Android apps poses a significant challenge to static batch machine learning algorithms employed in malware detection systems, as they quickly become obsolete. Despite this challenge, the existing literature pays limited attention to addressing this issue, with many advanced Android malware detection approaches, such as Drebin, DroidDet and MaMaDroid, relying on static models. In this work, we show how retraining techniques are able to maintain detector capabilities over time. Particularly, we analyze the effect of two aspects in the efficiency and performance of the detectors: 1) the frequency with which the models are retrained, and 2) the data used for retraining. In the first experiment, we compare periodic retraining with a more advanced concept drift detection method that triggers retraining only when necessary. In the second experiment, we analyze sampling methods to reduce the amount of data used to retrain models. Specifically, we compare fixed sized windows of recent data and state-of-the-art active learning methods that select those apps that help keep the training dataset small but diverse. Our experiments show that concept drift detection and sample selection mechanisms result in very efficient retraining strategies which can be successfully used to maintain the performance of the static Android malware state-of-the-art detectors in changing environments.

Cryptography and Security,Artificial Intelligence,Machine Learning

Jiyun Yang,Hanwei Li,Lijun He,Tao Xiang,Yujie Jin

DOI: https://doi.org/10.1016/j.cose.2024.104061

IF: 5.105

2024-01-01

Computers & Security

Abstract:As the Android ecosystem develops, malware also evolves to adapt to the changes. Consequently, malware remains a significant threat, posing a challenge in developing a low-resource consumption malware detection method that can adjust to updates in the Android API versions. We propose a novel method called MDADroid, which detects malware based on self-built Functionality-API mapping. We start by building a set of permission-related APIs using open-source knowledge. Then, we construct a Functionality-App-API heterogeneous graph based on collected data and establish a Functionality-API mapping from it. Finally, MDADroid transforms app features from the API level to the functionality level for malware detection, ensuring model resilience to API changes. We also design an API similarity calculation method that updates the Functionality-API mapping at a low cost. We evaluate MDADroid on multiple datasets, and the results show that MDADroid achieves an accuracy of 95.22%, 96.23%, 98.77%, and 99.56% on the AndroZoo, CICAndMal 2017, CICMalDroid 2020, and Drebin datasets, respectively, with training and testing times of 2 s, 0.6188 s, 1.34 s, and 1.02 s. Moreover, our method demonstrates excellent performance in the tests for resilience capabilities.

Sanfeng Zhang,Jiahao Wu,Mengzhe Zhang,Wang Yang

DOI: https://doi.org/10.3390/app13116526

2023-05-26

Applied Sciences

Abstract:The existing dynamic malware detection methods based on API call sequences ignore the semantic information of functions. Simply mapping API to numerical values does not reflect whether a function has performed a query or modification operation, whether it is related to network communication, the file system, or other factors. Additionally, the detection performance is limited when the size of the API call sequence is too large. To address this issue, we propose Mal-ASSF, a novel malware detection model that fuses the semantic and sequence features of the API calls. The API2Vec embedding method is used to obtain the dimensionality reduction representation of the API function. To capture the behavioral features of sequential segments, Balts is used to extract the features. To leverage the implicit semantic information of the API functions, the operation and the type of resource operated by the API functions are extracted. These semantic and sequential features are then fused and processed by the attention-related modules. In comparison with the existing methods, Mal-ASSF boasts superior capabilities in terms of semantic representation and recognition of critical sequences within API call sequences. According to the evaluation with a dataset of malware families, the experimental results show that Mal-ASSF outperforms existing solutions by 3% to 5% in detection accuracy.

materials science, multidisciplinary,engineering,chemistry,physics, applied

Yanfang Ye,Shifu Hou,Lingwei Chen,Jingwei Lei,Wenqiang Wan,Jiabin Wang,Qi Xiong,Fudong Shao

DOI: https://doi.org/10.48550/arXiv.1811.01027

2019-05-21

Abstract:The explosive growth and increasing sophistication of Android malware call for new defensive techniques that are capable of protecting mobile users against novel threats. In this paper, we first extract the runtime Application Programming Interface (API) call sequences from Android apps, and then analyze higher-level semantic relations within the ecosystem to comprehensively characterize the apps. To model different types of entities (i.e., app, API, IMEI, signature, affiliation) and the rich semantic relations among them, we then construct a structural heterogeneous information network (HIN) and present meta-path based approach to depict the relatedness over apps. To efficiently classify nodes (e.g., apps) in the constructed HIN, we propose the HinLearning method to first obtain in-sample node embeddings and then learn representations of out-of-sample nodes without rerunning/adjusting HIN embeddings at the first attempt. Afterwards, we design a deep neural network (DNN) classifier taking the learned HIN representations as inputs for Android malware detection. A comprehensive experimental study on the large-scale real sample collections from Tencent Security Lab is performed to compare various baselines. Promising experimental results demonstrate that our developed system AiDroid which integrates our proposed method outperforms others in real-time Android malware detection. AiDroid has already been incorporated into Tencent Mobile Security product that serves millions of users worldwide.

Cryptography and Security,Machine Learning

Xingyuan Wei,Ce Li,Qiujian Lv,Ning Li,Degang Sun,Yan Wang

2024-08-03

Abstract:In dynamic Windows malware detection, deep learning models are extensively deployed to analyze API sequences. Methods based on API sequences play a crucial role in malware prevention. However, due to the continuous updates of APIs and the changes in API sequence calls leading to the constant evolution of malware variants, the detection capability of API sequence-based malware detection models significantly diminishes over time. We observe that the API sequences of malware samples before and after evolution usually have similar malicious semantics. Specifically, compared to the original samples, evolved malware samples often use the API sequences of the pre-evolution samples to achieve similar malicious behaviors. For instance, they access similar sensitive system resources and extend new malicious functions based on the original functionalities. In this paper, we propose a frame(MME), a framework that can enhance existing API sequence-based malware detectors and mitigate the adverse effects of malware evolution. To help detection models capture the similar semantics of these post-evolution API sequences, our framework represents API sequences using API knowledge graphs and system resource encodings and applies contrastive learning to enhance the model's encoder. Results indicate that, compared to Regular Text-CNN, our framework can significantly reduce the false positive rate by 13.10% and improve the F1-Score by 8.47% on five years of data, achieving the best experimental results. Additionally, evaluations show that our framework can save on the human costs required for model maintenance. We only need 1% of the budget per month to reduce the false positive rate by 11.16% and improve the F1-Score by 6.44%.

Cryptography and Security

Yuge Nie,Yulei Chen,Yujia Jiang,Huayao Wu,Beibei Yin,Kai-Yuan Cai

DOI: https://doi.org/10.1016/j.infsof.2024.107422

IF: 3.9

2024-02-26

Information and Software Technology

Abstract:Context: Software aging refers to the phenomenon of performance degradation, increasing failure rate, or system crash due to resource consumption and error accumulation in software systems running for a long time. It has become the key factor affecting software systems' sustainability. Due to its complex formation reasons, precisely predicting the aging state in actual execution is hard but crucial for enabling proactive measures before a catastrophic situation. Machine learning (ML) has been employed on this issue. Objective: However, previous ML-based prediction methods are single-threaded in the whole process, posing challenges in delivering the desired performance facing diverse user scenarios. To alleviate this problem, we propose a multidimensional software aging prediction method based on ensemble learning (MSAP). Method: In the framework of MSAP, five dimensions, including datasets, labeling metrics, labeling thresholds, algorithms, and model decisions, are extracted and diversified according to aging characteristics and application situations. Results: Plenty of experiments have been conducted on Android devices from three distinct vendors. When subjected to identical workloads, MSAP demonstrates comparable performance to most unidimensional models. While under varied workloads, MSAP outperforms unidimensional models whose performance drops dramatically, demonstrating enhanced adaptability and predictive accuracy. Conclusion: MSAP shows exceptional stability while concurrently upholding outstanding prediction precision across a spectrum of user scenarios. It has better generalization characteristics and application prospects.

computer science, information systems, software engineering

Lucky Onwuzurike,Enrico Mariconti,Panagiotis Andriotis,Emiliano De Cristofaro,Gordon Ross,Gianluca Stringhini

DOI: https://doi.org/10.48550/arXiv.1711.07477

2019-03-02

Abstract:As Android has become increasingly popular, so has malware targeting it, thus pushing the research community to propose different detection techniques. However, the constant evolution of the Android ecosystem, and of malware itself, makes it hard to design robust tools that can operate for long periods of time without the need for modifications or costly re-training. Aiming to address this issue, we set to detect malware from a behavioral point of view, modeled as the sequence of abstracted API calls. We introduce MaMaDroid, a static-analysis based system that abstracts the API calls performed by an app to their class, package, or family, and builds a model from their sequences obtained from the call graph of an app as Markov chains. This ensures that the model is more resilient to API changes and the features set is of manageable size. We evaluate MaMaDroid using a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it effectively detects malware (with up to 0.99 F-measure) and keeps its detection capabilities for long periods of time (up to 0.87 F-measure two years after training). We also show that MaMaDroid remarkably outperforms DroidAPIMiner, a state-of-the-art detection system that relies on the frequency of (raw) API calls. Aiming to assess whether MaMaDroid's effectiveness mainly stems from the API abstraction or from the sequencing modeling, we also evaluate a variant of it that uses frequency (instead of sequences), of abstracted API calls. We find that it is not as accurate, failing to capture maliciousness when trained on malware samples that include API calls that are equally or more frequently used by benign apps.

Cryptography and Security,Artificial Intelligence

Jinsung Kim,Younghoon Ban,Eunbyeol Ko,Haehyun Cho,Jeong Hyun Yi

DOI: https://doi.org/10.1007/s10207-022-00579-6

2022-02-09

International Journal of Information Security

Abstract:Abstract A lot of malicious applications appears every day, threatening numerous users. Therefore, a surge of studies have been conducted to protect users from newly emerging malware by using machine learning algorithms. Albeit existing machine or deep learning-based Android malware detection approaches achieve high accuracy by using a combination of multiple features, it is not possible to employ them on our mobile devices due to the high cost for using them. In this paper, we propose MAPAS , a malware detection system, that achieves high accuracy and adaptable usages of computing resources. MAPAS analyzes behaviors of malicious applications based on API call graphs of them by using convolution neural networks (CNN). However, MAPAS does not use a classifier model generated by CNN, it only utilizes CNN for discovering common features of API call graphs of malware. For efficiently detecting malware, MAPAS employs a lightweight classifier that calculates a similarity between API call graphs used for malicious activities and API call graphs of applications that are going to be classified. To demonstrate the effectiveness and efficiency of MAPAS , we implement a prototype and thoroughly evaluate it. And, we compare MAPAS with a state-of-the-art Android malware detection approach, MaMaDroid. Our evaluation results demonstrate that MAPAS can classify applications 145.8% faster and uses memory around ten times lower than MaMaDroid. Also, MAPAS achieves higher accuracy (91.27%) than MaMaDroid (84.99%) for detecting unknown malware. In addition, MAPAS can generally detect any type of malware with high accuracy.

computer science, information systems, theory & methods, software engineering

Huang Lu,Xue Jingfeng,Wang Yong,Qu Dacheng,Chen Junbao,Zhang Nan,Zhang Li

DOI: https://doi.org/10.23919/cje.2021.00.451

IF: 1.019

2023-01-01

Chinese Journal of Electronics

Abstract:The development of smart mobile devices brings convenience to people's lives, but also provides a breeding ground for Android malware. The sharp increasing malware poses a disastrous threat to personal privacy in the information age. Based on the fact that malware heavily resorts to system application programming interfaces (APIs) to perform its malicious actions, there has been a variety of API-based detection methods. Most of them do not consider the relationship between APIs. We contribute a new approach based on the enhanced API order for Android malware detection, named EAODroid, which learns the similarity of system APIs from a large number of API sequences and groups similar APIs into clusters. The extracted API clusters are further used to enhance the original API calls executed by an app to characterize behaviors and perform classification. We perform multi-dimensional experiments to evaluate EAODroid on three datasets with ground truth. We compare with many state-of-the-art works, showing that EAODroid achieves effective performance in Android malware detection.

Lu Huang,Jingfeng Xue,Yong Wang,Junbao Chen,Tianwei Lei

DOI: https://doi.org/10.1016/j.ins.2024.120923

IF: 8.1

2024-07-21

Information Sciences

Abstract:Large language model (LLM) platform vendors have begun to make their models available for developers to build for different use cases. However, the emergence of LLM-based applications may raise security and privacy issues, and even LLM-based applications may be susceptible to malware. To strengthen LLM ecosystem security, it's crucial to develop malware detection algorithms for various platforms. We pay attention to Android malware because the Android platform is widely used and vulnerable. Existing single feature based-solutions cannot effectively describe applications, and aged models fail to detect new malware as Android platform develops and malware evolves. Therefore, existing detection methods are ill-suited for evolved malware that may manipulate LLM-based applications. To tackle the above problems, we design EvolveDroid, an anti-aging Android malware detection system. On the one hand, EvolveDroid utilizes different view features to reflect malware behavior from multiple dimensions, and maximizes the advantages of each feature type through feature aggregation. On the other hand, EvolveDroid learns good representation of applications through contrastive learning and generates pseudo labels by measuring the distance between unknown samples and existing samples for model updating. Extensive evaluations show that EvolveDroid outperforms state-of-the-art (sota) solutions in detection performance and slowing model aging.

computer science, information systems

Peng Chen,Shengwei Tian,Xin Wang,Xinjun Pei,Weitao Nong,Hao Zhang

DOI: https://doi.org/10.1007/s10586-024-04530-3

2024-06-03

Cluster Computing

Abstract:With the development of science and technology, the number of smartphones has increased dramatically. This also exposes Android-based smartphones to an increasing number of malware attacks. Currently, feature extraction schemes based on sensitive API calls have become mainstream in malware detection. However, such an approach can only capture the behavior of malware when the API is called, but it cannot detect malicious behavior implemented through other means. In the real world, attackers often use the Inter-Component Communication (ICC) mechanism to hide and conceal their malicious intent. In this paper, we propose a novel malware detection framework (named ADACapsNet). This framework first employs an entropy-based approach to extract sensitive API features to reflect the behavior patterns of malware and then captures the information flow across components by monitoring the ICC interactions in the Android systems. We transform sensitive API calls and ICC features into vector representations that are used as inputs to the learning model. Moreover, we propose an adaptive capsule network to mine deep program semantics, which uses an adaptive factor to dynamically assign weights for features, enhancing the model's ability to focus on relevant features and capture complex spatial relationships. We conducted a number of experiments to demonstrate the effectiveness of the proposed ADACapsNet in detecting malware. Experimental results show that the proposed method is robust against malware attacks.

computer science, information systems, theory & methods