Obfuscation-resilient Android Malware Detection Based on Graph Convolutional Networks
Authors:
  • WU Yue-Ming

    National Engineering Research Center for Big Data Technology and System (Key Laboratory of Services Computing Technology and System, Ministry of Education, Huazhong University of Science and Technology), Wuhan 430074, China; Hubei Key Laboratory of Distributed System Security, Wuhan 430074, China; School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China
  • QI Meng

    National Engineering Research Center for Big Data Technology and System (Key Laboratory of Services Computing Technology and System, Ministry of Education, Huazhong University of Science and Technology), Wuhan 430074, China; Hubei Key Laboratory of Distributed System Security, Wuhan 430074, China; School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China
  • ZOU De-Qing

    National Engineering Research Center for Big Data Technology and System (Key Laboratory of Services Computing Technology and System, Ministry of Education, Huazhong University of Science and Technology), Wuhan 430074, China; Hubei Key Laboratory of Distributed System Security, Wuhan 430074, China; School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China
  • JIN Hai

    National Engineering Research Center for Big Data Technology and System (Key Laboratory of Services Computing Technology and System, Ministry of Education, Huazhong University of Science and Technology), Wuhan 430074, China; School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China
About the authors:

WU Yue-Ming (born 1993), male, Ph.D., CCF student member; research interests: mobile security, software supply chain security, AI security, malware analysis, vulnerability analysis, and clone code auditing. QI Meng (born 1998), male, M.Sc.; research interests: machine learning, vulnerability detection, and Android malware detection. ZOU De-Qing (born 1975), male, Ph.D., professor, doctoral supervisor, CCF senior member; research interests: cloud computing security, network attack and defense and vulnerability detection, software-defined security and active defense, big data security and AI security, and fault-tolerant computing. JIN Hai (born 1966), male, Ph.D., professor, doctoral supervisor, CCF Fellow, IEEE Fellow, ACM Life Member; research interests: computer architecture, virtualization, cluster computing, grid computing, parallel and distributed computing, peer-to-peer computing, pervasive computing, the semantic web, and storage and security.

Corresponding author:

ZOU De-Qing, deqingzou@hust.edu.cn

Funding:

National Natural Science Foundation of China (62172168); Key Research and Development Program of Hubei Province (2021BAA032)


    Abstract (translated from the Chinese):

    Since its release, Android has become the most widely used mobile operating system in the world thanks to advantages such as open source, rich hardware, and diverse application markets. At the same time, the explosive growth of Android devices and Android applications has made it the target of 96% of mobile malware. Among existing Android malware detection methods, those that ignore program semantics and directly extract simple program features are fast but not accurate enough, while those that convert program semantics into a graph model and apply graph analysis are accurate but costly and poorly scalable. To address these challenges, the program semantics of an application are extracted as a function call graph; while preserving the semantic information, an API abstraction technique converts the call graph into an abstract graph, which reduces runtime overhead and improves robustness. On the resulting abstract graph, an obfuscation-resilient Android malware classifier based on a graph convolutional network, SriDroid, is trained with the triplet loss. Experiments on 20 246 Android applications show that SriDroid achieves 99.17% malware detection accuracy with good robustness.

    Abstract:

    Since its release, Android has become the most widely used mobile phone operating system in the world due to advantages such as open source, rich hardware, and diverse application markets. At the same time, the explosive growth of Android devices and Android applications (apps for short) has made it the target of 96% of mobile malware. Among current detection methods, directly extracting simple program features while ignoring program semantics is fast but less accurate, whereas converting the semantic information of programs into graph models for analysis improves accuracy but has high runtime overhead and limited scalability. To address these challenges, the program semantics of an app are distilled into a function call graph, and API calls are abstracted to convert the call graph into a simpler abstract graph. Finally, the abstract graph is fed into a graph convolutional network (GCN) to train a classifier with triplet loss (i.e., SriDroid). After experimental analysis on 20 246 Android apps, SriDroid is found to achieve 99.17% malware detection accuracy with sound robustness.

Cite this article:

WU Yue-Ming, QI Meng, ZOU De-Qing, JIN Hai. Obfuscation-resilient Android Malware Detection Based on Graph Convolutional Networks. Journal of Software, 2023, 34(6): 2526-2542

Article metrics:
  • Views: 1574
  • Downloads: 4696
  • HTML reads: 2864
  • Citations: 0
History:
  • Received: 2022-09-05
  • Last revised: 2022-10-10
  • Published online: 2023-01-13
  • Published: 2023-06-06
Copyright: Institute of Software, Chinese Academy of Sciences