HomDroid: detecting Android covert malware by social-network homophily analysis

Wu, Yueming; Zou, Deqing; Yang, Wei; Li, Xiang; Jin, Hai

doi:10.1145/3460319.3464833

Cited by 12 publications

(5 citation statements)

References 46 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There are many existing methods of AMDs based on machine learning, utilizing features like permission, Android API, Android component, Dalvik code, Call Graph and so on [8], [3], [60], [7], [11], [4], [5], [34], [61], [6], [40], [62], [19]. DREBIN [7] extracts features from AndroidManifest.xml files and Dalvik bytecode by static analysis for behavioral modeling to detect malware.…”

Section: Related Work Ml-based Methodsmentioning

confidence: 99%

“…MalScan [5] leverages centralities of sensitive android APIs in CG as a feature vector for conducting classification. Similar related works also include [62] and [19]. Malicious Code Fragment Detection (MCFD).…”

Section: Related Work Ml-based Methodsmentioning

confidence: 99%

“…From the software engineering perspective, each module should have high modularity [42], [43], [44]. A module in a program can be regarded as one function (feature) for users [33], [45], [46], [47], and malicious behaviors are distributed in these functions [19]. Therefore, it reduces the influence on the evolution direction and is easier to refine solutions.…”

Section: ) Selection Of Initial Subgraphsmentioning

confidence: 99%

“…III-C). The capture of time dependency is necessary since malicious components may be small parts of malware apps (e.g., 2%) [19] and distributed separately in JSTS.…”

Section: A Properties Of Amcdroidmentioning

confidence: 99%

“…However, most existing AMDs only extract single and simple information for behavioral modeling [12], [4], [5], [13] (e.g., API sequence, Android APIs, graph), which makes malware able to evade them [14], [15], [16]; • C2: Time Dependency: Time dependency represents the execution logic of code and contains semantic and structural information (i.e., control flow, data flow, and invocation relationship) [17], [3], [18]. Capturing time dependency is necessary since malicious components may be some small parts of malware apps (e.g., 2%) [19] and distributed separately in them [17]. Most existing AMDs [20], [7], [21], [22], [4], [5] neglect it or consider parts of it, allowing malware to evade detection with specific modifications [17], [16]; and • C3: Fine-granularity Malicious Component Detection: Existing few malicious code fragment detection systems [23], [24], [12] can locate malicious code at class or method level.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

Enhancing Malware Detection for Android Apps: Detecting Fine-Granularity Malicious Components

Liu,

Zhang,

Tang

2023

2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE)

View full text Add to dashboard Cite

Existing Android malware detection systems primarily concentrate on detecting malware apps, leaving a gap in the research concerning the detection of malicious components in apps. In this work, we propose a novel approach to detect fine-granularity malicious components for Android apps and build a prototype called AMCDroid. For a given app, AMCDroid first models app behavior to a homogenous graph based on the call graph and code statements of the app. Then, the graph is converted to a statement tree sequence for malware detection through the AST-based Neural Network with Feature Mapping (ASTNNF) model. Finally, if the app is detected as malware, AMCDroid applies fine-granularity malicious component detection (MCD) algorithm which is based on many-objective genetic algorithm to the homogenous graph for detecting malicious component in the app adaptively. We evaluate AMCDroid on 95,134 samples. Compared with the other two state-of-the-art methods in malware detection, AMCDroid gets the highest performance on the test set with 0.9699 F1-Score, and shows better robustness in facing obfuscation. Moreover, AMCDroid is capable of detecting fine-granularity malicious components of (obfuscated) malware apps. Especially, its average F1-Score exceeds another state-ofthe-art method by 50%.

show abstract

Section: Related Work Ml-based Methodsmentioning

confidence: 99%

Section: Related Work Ml-based Methodsmentioning

confidence: 99%

Section: ) Selection Of Initial Subgraphsmentioning

confidence: 99%

“…III-C). The capture of time dependency is necessary since malicious components may be small parts of malware apps (e.g., 2%) [19] and distributed separately in JSTS.…”

Section: A Properties Of Amcdroidmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Enhancing Malware Detection for Android Apps: Detecting Fine-Granularity Malicious Components

Liu,

Zhang,

Tang

2023

2023 38th IEEE/ACM International Conference on Automated Software Engineering (ASE)

View full text Add to dashboard Cite

show abstract

Android malware detection through centrality analysis of applications network

Mafakheri,

Sulaimany

2024

Applied Soft Computing

View full text Add to dashboard Cite

DCDroid: An APK Static Identification Method Based on Naïve Bayes Classifier and Dual‐Centrality Analysis

Han,

Chen,

Liao

2024

IET Information Security

View full text Add to dashboard Cite

The static scanning identification of android application packages (APK) has been widely proven to be an effective and scalable method. However, the existing identification methods either collect feature values from known APKs for inefficient comparative analysis, or use expensive program syntax or semantic analysis methods to extract features. Therefore, this paper proposes an APK static identification method that is different from traditional graph analysis. We match application programming interface (API) call graph to a complex network, and use a dual‐centrality analysis method to calculate the importance of sensitive nodes in the API call graph, while integrating the global and relative influence of sensitive nodes. Our key insight is that the dual‐centrality analysis method can more accurately characterize the graph semantic information of Android malicious APKs. We created and named a method DCDroid and evaluated it on a dataset of 4,428 benign samples and 4,626 malicious samples. The experimental results show that compared to the four advanced methods Drebin, MaMaDroid, MalScan, and HomeDroid, DCDroid can identify Android malicious APKs with an accuracy of 97.5%, with an F1 value of 96.7% and is two times faster than HomeDroid, eight times faster than Drebin, and 17 times faster than MaMaDroid. We grabbed 10,000 APKs from the Google Play Market, DCDroid was able to find 68 malicious APKs, of which 67 were confirmed Android malicious APKs, with a good ability to identify market‐level malicious APKs.

show abstract

HomDroid: detecting Android covert malware by social-network homophily analysis

Cited by 12 publications

References 46 publications

Enhancing Malware Detection for Android Apps: Detecting Fine-Granularity Malicious Components

Enhancing Malware Detection for Android Apps: Detecting Fine-Granularity Malicious Components

Android malware detection through centrality analysis of applications network

DCDroid: An APK Static Identification Method Based on Naïve Bayes Classifier and Dual‐Centrality Analysis

Contact Info

Product

Resources

About