Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android Malware

Zhang, Xiaohan; Zhang, Yuan; Zhong, Ming; Ding, Daizong; Cao, Yinzhi; Zhang, Yukun; Zhang, Mi; Yang, Min

doi:10.1145/3372297.3417291

Cited by 118 publications

(83 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…model aging, model decays) usually makes trained models fail to function on new testing samples, primarily due to the changed statistical properties of samples over time. The existing work [36]- [38] measured how a model performs over time facing the concept drift, underpinned the root causes for such drift and proposed enhanced approaches to improve the model sustainability. However, active learning typically involves massive labeling for tens of thousands of malware samples, usually at a significant cost of human efforts.…”

Section: Discussionmentioning

confidence: 99%

Hawk: Rapid Android Malware Detection Through Heterogeneous Graph Attention Networks

Hei

Yang

Peng³

et al. 2024

IEEE Trans. Neural Netw. Learning Syst.

View full text Add to dashboard Cite

Android is undergoing unprecedented malicious threats daily, but the existing methods for malware detection often fail to cope with evolving camouflage in malware. To address this issue, we present HAWK, a new malware detection framework for evolutionary Android applications. We model Android entities and behavioural relationships as a heterogeneous information network (HIN), exploiting its rich semantic metastructures for specifying implicit higher-order relationships. An incremental learning model is created to handle the applications that manifest dynamically, without the need for re-constructing the whole HIN and the subsequent embedding model. The model can pinpoint rapidly the proximity between a new application and existing in-sample applications and aggregate their numerical embeddings under various semantics. Our experiments examine more than 80,860 malicious and 100,375 benign applications developed over a period of seven years, showing that HAWK achieves the highest detection accuracy against baselines and takes only 3.5ms on average to detect an out-of-sample application, with the accelerated training time of 50x faster than the existing approach.

show abstract

Section: Discussionmentioning

confidence: 99%

Hawk: Rapid Android Malware Detection Through Heterogeneous Graph Attention Networks

Hei

Yang

Peng³

et al. 2024

IEEE Trans. Neural Netw. Learning Syst.

View full text Add to dashboard Cite

show abstract

“…A key to achieving high sustainability of a classifier lies in the underlying features being able to differentiate benign apps from malware for a long period. Zhang [28] built an API Graph based on API features to enhance malware classifier performance and slow down model aging with the similarity information among evolved Android malware. Xu [29] eir features include entry points for malicious attack behaviors, permissions, intent filters, and source and sink APIs.…”

Section: Control Flow Graph and Data Flow Graph Featuresmentioning

confidence: 99%

A Survey of Android Malware Static Detection Technology Based on Machine Learning

Zhu

Liu

2021

Mobile Information Systems

View full text Add to dashboard Cite

With the rapid growth of Android devices and applications, the Android environment faces more security threats. Malicious applications stealing usersʼ privacy information, sending text messages to trigger deductions, exploiting privilege escalation to control the system, etc., cause significant harm to end users. To detect Android malware, researchers have proposed various techniques, among which the machine learning-based methods with static features of apps as input vectors have apparent advantages in code coverage, operational efficiency, and massive sample detection. In this paper, we investigated Android applicationsʼ structure, analysed various sources of static features, reviewed the machine learning methods for detecting Android malware, studied the advantages and limitations of these methods, and discussed the future directions in this field. Our work will help researchers better understand the current research state, the benefits and weaknesses of each approach, and future technology directions.

show abstract

“…Another phenomenon we came across is the aggregation of several datasets that come from different sources such as the case of Zhang et al [ 136 ]. While this helps researchers to obtain more samples, it can change the representativeness of real world scenarios when combined with live feeds, such as those given by VirusShare.…”

Section: Usage Of Android Malware Family Labelsmentioning

confidence: 99%

“…Euphony [ 18 ] and AVCLASS2 [ 28 ]. (Euphony and AVCLASS2 were used in Zhang et al [ 136 ] and Sebastian and Caballero [ 28 ] consecutively. We do not include them in Table 3 because they were not used when crafting a dataset but, rather, when authors were designing their experiments.)…”

Section: Usage Of Android Malware Family Labelsmentioning

confidence: 99%

An Analysis of Android Malware Classification Services

Rashed

Suárez-Tangil

2021

Sensors

View full text Add to dashboard Cite

The increasing number of Android malware forced antivirus (AV) companies to rely on automated classification techniques to determine the family and class of suspicious samples. The research community relies heavily on such labels to carry out prevalence studies of the threat ecosystem and to build datasets that are used to validate and benchmark novel detection and classification methods. In this work, we carry out an extensive study of the Android malware ecosystem by surveying white papers and reports from 6 key players in the industry, as well as 81 papers from 8 top security conferences, to understand how malware datasets are used by both. We, then, explore the limitations associated with the use of available malware classification services, namely VirusTotal (VT) engines, for determining the family of an Android sample. Using a dataset of 2.47 M Android malware samples, we find that the detection coverage of VT’s AVs is generally very low, that the percentage of samples flagged by any 2 AV engines does not go beyond 52%, and that common families between any pair of AV engines is at best 29%. We rely on clustering to determine the extent to which different AV engine pairs agree upon which samples belong to the same family (regardless of the actual family name) and find that there are discrepancies that can introduce noise in automatic label unification schemes. We also observe the usage of generic labels and inconsistencies within the labels of top AV engines, suggesting that their efforts are directed towards accurate detection rather than classification. Our results contribute to a better understanding of the limitations of using Android malware family labels as supplied by common AV engines.

show abstract

Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android Malware

Cited by 118 publications

References 30 publications

Hawk: Rapid Android Malware Detection Through Heterogeneous Graph Attention Networks

Hawk: Rapid Android Malware Detection Through Heterogeneous Graph Attention Networks

A Survey of Android Malware Static Detection Technology Based on Machine Learning

An Analysis of Android Malware Classification Services

Contact Info

Product

Resources

About