GDroid: Android malware detection and classification with graph convolutional network

Bibliographic Details
Published in: Computers & Security, Vol. 106, p. 102264
Main Authors: Gao, Han; Cheng, Shaoyin; Zhang, Weiming
Format: Journal Article
Language: English
Published: Amsterdam, Elsevier Ltd, 01.07.2021 (Elsevier Sequoia S.A.)

Summary: The dramatic increase in the number of malware samples poses a serious challenge to the Android platform and makes malware analysis difficult. In this paper, we propose a novel approach for Android malware detection and familial classification based on the Graph Convolutional Network (GCN). The general idea is to map apps and Android APIs into a large heterogeneous graph, converting the original problem into a node classification task. We build the “App-API” and “API-API” edges based on the invocation relationship and the API usage patterns, respectively. The heterogeneous graph is then fed into the GCN model, iteratively generating node embeddings that incorporate topological structure and node features. Eventually, the unlabeled apps are classified by their final embeddings. To our knowledge, this paper is the first study to explore the application of graph neural networks in the field of malware classification. We develop a prototype system named GDroid. Experiments show that GDroid can effectively detect 98.99% of Android malware with a low false positive rate of less than 1%, outperforming the existing approaches. It also achieves an average accuracy of almost 97% in the malware familial classification task, surpassing the baselines. Additionally, we cooperate with QI-ANXIN Technology Research Institute to evaluate its real-world impact, and GDroid also maintains satisfactory performance in real-world scenarios.
ISSN: 0167-4048, 1872-6208
DOI: 10.1016/j.cose.2021.102264