Detection of Evasive Android Malware Using EigenGCN

Impact factor 3.8 | Zone 2, Computer Science | JCR Q2, COMPUTER SCIENCE, INFORMATION SYSTEMS
Teenu S. John , Tony Thomas , Sabu Emmanuel
Journal: Journal of Information Security and Applications, Volume 86, Article 103880
DOI: 10.1016/j.jisa.2024.103880
Published: 2024-09-07 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S2214212624001820
Citations: 0

Abstract

Recently there has been an upsurge in Android malware that uses obfuscation and repackaging techniques for evasion. Malware may also combine both of these techniques to create stealthy adversarial mimicry samples and launch mimicry attacks. In a mimicry attack, the adversary makes sure that the static and dynamic features present in the crafted malware mimic the features present in legitimate applications. In such cases, existing detection mechanisms may become less effective. We found that the malicious nature of Android applications can be determined by identifying certain subgraphs that appear in their system call graphs. These subgraphs can be determined with the help of the spectral clustering mechanism present in EigenGCN. With this, the system call graph G is partitioned into two subgraphs G1 and G2, in which the malicious functionality, if any, will be present in the subgraph G1. The graph Fourier transform based pooling technique in EigenGCN then computes the features of the subgraphs in the form of graph signals. These graph signals serve as a robust signature to detect malware. The proposed mechanism gave an accuracy of 98.7% on common malware, 97.3% on obfuscated malware, 97.8% on repackaged malware, and 90% on adversarial mimicry malware datasets. As far as we know, this is the first work that proposes a malware detection mechanism that can detect common as well as obfuscated, repackaged, and mimicry malware in Android.

Source journal: Journal of Information Security and Applications (Computer Science - Computer Networks and Communications)
CiteScore: 10.90
Self-citation rate: 5.40%
Articles published: 206
Review time: 56 days
Journal description: Journal of Information Security and Applications (JISA) focuses on original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.