Graph Convolutional Networks for Android Malware Detection with System Call Graphs

Author(s):  
Teenu S. John ◽  
Tony Thomas ◽  
Sabu Emmanuel
2021 ◽  
Author(s):  
Vinayaka K V ◽  
Jaidhar C D

The popularity of the Android Operating System in the smartphone market has given rise to lots of Android malware. To accurately detect these malware, many of the existing works use machine learning and deep learning-based methods, in which feature extraction methods were used to extract fixed-size feature vectors using the files present inside the Android Application Package (APK). Recently, Graph Convolutional Network (GCN) based methods applied on the Function Call Graph (FCG) extracted from the APK are gaining momentum in Android malware detection, as GCNs are effective at learning tasks on variable-sized graphs such as FCG, and FCG sufficiently captures the structure and behaviour of an APK. However, the FCG lacks information about callback methods as the Android Application Programming Interface (API) is event-driven. This paper proposes enhancing the FCG to eFCG (enhanced-FCG) using the callback information extracted using Android Framework Space Analysis to overcome this limitation. Further, we add permission - API method relationships to the eFCG. The eFCG is reduced using node contraction based on the classes to get R-eFCG (Reduced eFCG) to improve the generalisation ability of the Android malware detection model. The eFCG and R-eFCG are then given as the inputs to the Heterogeneous GCN models to determine whether the APK file from which they are extracted is malicious or not. To test the effectiveness of eFCG and R-eFCG, we conducted an ablation study by removing their various components. To determine the optimal neighbourhood size for GCN, we experimented with a varying number of GCN layers and found that the Android malware detection model using R-eFCG with all its components with four convolution layers achieved maximum accuracy of 96.28%.




2021 ◽  
Vol 30 (3) ◽  
pp. 1-32
Author(s):  
Deqing Zou ◽  
Yueming Wu ◽  
Siru Yang ◽  
Anki Chauhan ◽  
Wei Yang ◽  
...  

Android, the most popular mobile operating system, has attracted millions of users around the world. Meanwhile, the number of new Android malware instances has grown exponentially in recent years. On the one hand, existing Android malware detection systems have shown that distilling the program semantics into a graph representation and detecting malicious programs by conducting graph matching are able to achieve high accuracy on detecting Android malware. However, these traditional graph-based approaches always perform expensive program analysis and suffer from low scalability on malware detection. On the other hand, because of the high scalability of social network analysis, it has been applied to complete large-scale malware detection. However, the social-network-analysis-based method only considers simple semantic information (i.e., centrality) for achieving market-wide mobile malware scanning, which may limit the detection effectiveness when benign apps show some similar behaviors as malware. In this article, we aim to combine the high accuracy of traditional graph-based method with the high scalability of social-network-analysis-based method for Android malware detection. Instead of using traditional heavyweight static analysis, we treat function call graphs of apps as complex social networks and apply social-network-based centrality analysis to unearth the central nodes within call graphs. After obtaining the central nodes, the average intimacies between sensitive API calls and central nodes are computed to represent the semantic features of the graphs. We implement our approach in a tool called IntDroid and evaluate it on a dataset of 3,988 benign samples and 4,265 malicious samples. Experimental results show that IntDroid is capable of detecting Android malware with an F-measure of 97.1% while maintaining a True-positive Rate of 99.1%.
Although the scalability is not as fast as a social-network-analysis-based method (i.e., MalScan), compared to a traditional graph-based method, IntDroid is more than six times faster than MaMaDroid. Moreover, in a corpus of apps collected from GooglePlay market, IntDroid is able to identify 28 zero-day malware that can evade detection of existing tools, one of which has been downloaded and installed by more than ten million users. This app has also been flagged as malware by six anti-virus scanners in VirusTotal, one of which is Symantec Mobile Insight.


2021 ◽  
Vol 423 ◽  
pp. 301-307
Author(s):  
Minghui Cai ◽  
Yuan Jiang ◽  
Cuiying Gao ◽  
Heng Li ◽  
Wei Yuan

2017 ◽  
Vol 78 (4) ◽  
pp. 3979-3999 ◽  
Author(s):  
Xi Xiao ◽  
Shaofeng Zhang ◽  
Francesco Mercaldo ◽  
Guangwu Hu ◽  
Arun Kumar Sangaiah
