Sensitive Behavioral Chain-Focused Android Malware Detection Fused With AST Semantics

The proliferation of Android malware poses a substantial security threat to mobile devices. Thus, achieving efficient and accurate malware detection and malware family identification is crucial for safeguarding users' individual property and privacy. Graph-based approaches have demonstrated rem...

Full description

Saved in:
Bibliographic Details
Published inIEEE transactions on information forensics and security Vol. 19; pp. 9216 - 9229
Main Authors Gong, Jiacheng, Niu, Weina, Li, Song, Zhang, Mingxue, Zhang, Xiaosong
Format Journal Article
LanguageEnglish
Published IEEE 2024
Subjects
abstract syntax tree
Android malware detection
code semantic embedding
Codes
Computational modeling
Costs
Feature extraction
function call graph
graph neural networks
Malware
Operating systems
Semantics
Social networking (online)
Syntactics
Vectors
Online AccessGet full text

Cover

More Information
Summary:The proliferation of Android malware poses a substantial security threat to mobile devices. Thus, achieving efficient and accurate malware detection and malware family identification is crucial for safeguarding users' individual property and privacy. Graph-based approaches have demonstrated remarkable detection performance in the realm of intelligent Android malware detection methods. This is attributed to the robust representation capabilities of graphs and the rich semantic information. The function call graph (FCG) is the most widely used graph in intelligent Android malware detection. However, existing FCG-based malware detection methods face challenges, such as the enormous computational and storage costs of modeling large graphs. Additionally, the ignorance of code semantics also makes them susceptible to structured attacks. In this paper, we proposed AndroAnalyzer, which embeds abstract syntax tree (AST) code semantics while focusing on sensitive behavior chains. It leverages FCGs to represent the macroscopic behavior of the application, and employs structured code semantics to represent the microscopic behavior of functions. Furthermore, we proposed the sensitive function call graph (SFCG) generation algorithm to narrow down the analysis scope to sensitive function calls, and the AST vectorization algorithm (AST2Vec) to capture structured code semantics. Experimental results demonstrate that the proposed SFCG generation algorithm noticeably reduces graph size while ensuring robust detection performance. AndroAnalyzer outperforms the baseline methods in binary and multiclass classification tasks, achieving F1-scores of 99.21% and 98.45% respectively. Moreover, AndroAnalyzer (trained with samples of 2010-2018) exhibits good generalization capabilities in detecting samples of 2019-2022.
ISSN:1556-6013
1556-6021
DOI:10.1109/TIFS.2024.3468891