GDroid: Android malware detection and classification with graph convolutional network

Gao, Han; Cheng, Shiduan; Zhang, Weimin

doi:10.1016/j.cose.2021.102264

Cited by 108 publications

(46 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…They proposed to use GNN and its variants to learn the representations of the network flow graphs. GDroid [19] proposed a heterogeneous graph to be fed into the graph convolutional network. The heterogeneous graph consists of edges representing patterns of the API invocations by the apps and the API occurrence in the methods.…”

Section: B Deep Learning-based Malware Detectionmentioning

confidence: 99%

DeepCatra: Learning Flow- and Graph-based Behaviors for Android Malware Detection

Wu¹,

Shi²,

Wang³

et al. 2022

Preprint

View full text Add to dashboard Cite

As Android malware is growing and evolving, deep learning has been introduced into malware detection, resulting in great effectiveness. Recent work is considering hybrid models and multi-view learning. However, they use only simple features, limiting the accuracy of these approaches in practice. In this paper, we propose DeepCatra, a multi-view learning approach for Android malware detection, whose model consists of a bidirectional LSTM (BiLSTM) and a graph neural network (GNN) as subnets. The two subnets rely on features extracted from statically computed call traces leading to critical APIs derived from public vulnerabilities. For each Android app, DeepCatra first constructs its call graph and computes call traces reaching critical APIs. Then, temporal opcode features used by the BiLSTM subnet are extracted from the call traces, while flow graph features used by the GNN subnet are constructed from all the call traces and inter-component communications. We evaluate the effectiveness of DeepCatra by comparing it with several state-of-the-art detection approaches. Experimental results on over 18,000 real-world apps and prevalent malware show that DeepCatra achieves considerable improvement, e.g., 2.7% to 14.6% on F1-measure, which demonstrates the feasibility of DeepCatra in practice.

show abstract

Section: B Deep Learning-based Malware Detectionmentioning

confidence: 99%

DeepCatra: Learning Flow- and Graph-based Behaviors for Android Malware Detection

Wu¹,

Shi²,

Wang³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…In [21], GDroid was proposed for Android malware detection by utilizing word embedding and GNN techniques. The skip-gram model extracted the features for graph nodes based on API sequences.…”

Section: Android Malware Detection Based On Graph Representation Lear...mentioning

confidence: 99%

Graph Neural Network-based Android Malware Classification with Jumping Knowledge

Lo¹,

Layeghy²,

Sarhan³

et al. 2022

Preprint

View full text Add to dashboard Cite

This paper presents a new Android malware detection method based on Graph Neural Networks (GNNs) with Jumping-Knowledge (JK). Android function call graphs (FCGs) consist of a set of program functions and their interprocedural calls. Thus, this paper proposes a GNN-based method for Android malware detection by capturing meaningful intraprocedural call path patterns. In addition, a Jumping-Knowledge technique is applied to minimize the effect of the over-smoothing problem, which is common in GNNs. The proposed method has been extensively evaluated using two benchmark datasets. The results demonstrate the superiority of our approach compared to state-of-the-art approaches in terms of key classification metrics, which demonstrates the potential of GNNs in Android malware detection and classification.

show abstract

“…Compared with static analysis, dynamic analysis is less affected by obfuscation and shelling, but it consumes resources and has difficulty covering all execution paths. GDroid [9] maps applications and their APIs to construct a heterogeneous graph, which performs better in both detection and family classification, but does not take into account the network behavior characteristics of malware, and therefore uses traffic files as a feature for dynamic analysis in our work. Describing malware as a two-dimensional image [10] is more convenient in feature engineering, which somewhat inspired our treatment when dealing with traffic files.…”

Section: Related Workmentioning

confidence: 99%

A Hybrid Analysis-Based Approach to Android Malware Family Classification

Ding

Luktarhan

et al. 2021

Entropy

View full text Add to dashboard Cite

With the popularity of Android, malware detection and family classification have also become a research focus. Many excellent methods have been proposed by previous authors, but static and dynamic analyses inevitably require complex processes. A hybrid analysis method for detecting Android malware and classifying malware families is presented in this paper, and is partially optimized for multiple-feature data. For static analysis, we use permissions and intent as static features and use three feature selection methods to form a subset of three candidate features. Compared with various models, including k-nearest neighbors and random forest, random forest is the best, with a detection rate of 95.04%, while the chi-square test is the best feature selection method. After using feature selection to explore the critical static features contained in this dataset, we analyzed a subset of important features to gain more insight into the malware. In a dynamic analysis based on network traffic, unlike those that focus on a one-way flow of traffic and work on HTTP protocols and transport layer protocols, we focused on sessions and retained all protocol layers.he Res7LSTM model is then used to further classify the malicious and partially benign samples detected in the static detection. The experimental results show that our approach can not only work with fewer static features and guarantee sufficient accuracy, but also improve the detection rate of Android malware family classification from 71.48% in previous work to 99% when cutting the traffic in terms of the sessions and protocols of all layers.

show abstract

GDroid: Android malware detection and classification with graph convolutional network

Cited by 108 publications

References 23 publications

DeepCatra: Learning Flow- and Graph-based Behaviors for Android Malware Detection

DeepCatra: Learning Flow- and Graph-based Behaviors for Android Malware Detection

Graph Neural Network-based Android Malware Classification with Jumping Knowledge

A Hybrid Analysis-Based Approach to Android Malware Family Classification

Contact Info

Product

Resources

About