{"title":"Detecting Android malware: A multimodal fusion method with fine-grained feature","authors":"Xun Li , Lei Liu , Yuzhou Liu , Huaxiao Liu","doi":"10.1016/j.inffus.2024.102662","DOIUrl":null,"url":null,"abstract":"<div><p>Context: Recently, many studies have been proposed to address the threat posed by Android malware. However, the continuous evolution of malware poses challenges to the task of representing application features in current detection methods. Objective: This paper introduces a novel Android malware detection approach based on the source code and binary code of software by leveraging large pre-trained models with a fine-grained multimodal fusion strategy. Method: Specifically, the approach treats the source code and binary code as the programming language modality (PM) and machine language modality (MM), respectively. Then, domain-specific knowledge (sensitive API) combined with large pre-trained model is further applied to extract PM features; while the binary code is transformed into RGB images, from which MM features are extracted using a pre-trained image processing model. Furthermore, a fine-grained fusion strategy is implemented using a multi-head self-attention mechanism to effectively capture the correlations among features across different modalities and generate comprehensive features for application malware detection. Results and Conclusion: The detection performance and generalization ability of the proposed method were validated on two experimental datasets. The results demonstrate that our method can accurately distinguish malware, achieving an accuracy of 98.28% and an F1-score of 98.66%. Additionally, it performs well on unseen data, with an accuracy of 92.86% and an F1-score of 94.49%. 
Meanwhile, ablation experiments confirm the contributions of sensitive API knowledge and the fine-grained multimodal fusion strategy to the success of malware detection.</p></div>","PeriodicalId":50367,"journal":{"name":"Information Fusion","volume":"114 ","pages":"Article 102662"},"PeriodicalIF":14.7000,"publicationDate":"2024-09-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information Fusion","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1566253524004408","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, ARTIFICIAL INTELLIGENCE","Score":null,"Total":0}
Citation count: 0
Abstract
Context: Recently, many studies have been proposed to address the threat posed by Android malware. However, the continuous evolution of malware poses challenges to the task of representing application features in current detection methods. Objective: This paper introduces a novel Android malware detection approach based on the source code and binary code of software by leveraging large pre-trained models with a fine-grained multimodal fusion strategy. Method: Specifically, the approach treats the source code and binary code as the programming language modality (PM) and machine language modality (MM), respectively. Then, domain-specific knowledge (sensitive API) combined with a large pre-trained model is further applied to extract PM features, while the binary code is transformed into RGB images, from which MM features are extracted using a pre-trained image processing model. Furthermore, a fine-grained fusion strategy is implemented using a multi-head self-attention mechanism to effectively capture the correlations among features across different modalities and generate comprehensive features for application malware detection. Results and Conclusion: The detection performance and generalization ability of the proposed method were validated on two experimental datasets. The results demonstrate that our method can accurately distinguish malware, achieving an accuracy of 98.28% and an F1-score of 98.66%. Additionally, it performs well on unseen data, with an accuracy of 92.86% and an F1-score of 94.49%. Meanwhile, ablation experiments confirm the contributions of sensitive API knowledge and the fine-grained multimodal fusion strategy to the success of malware detection.
About the journal:
Information Fusion serves as a central platform for showcasing advancements in multi-sensor, multi-source, multi-process information fusion, fostering collaboration among diverse disciplines driving its progress. It is the leading outlet for sharing research and development in this field, focusing on architectures, algorithms, and applications. Papers dealing with fundamental theoretical analyses as well as those demonstrating their application to real-world problems will be welcome.