利用 EigenGCN 检测规避性安卓恶意软件

IF 3.8 2区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Teenu S. John , Tony Thomas , Sabu Emmanuel
{"title":"利用 EigenGCN 检测规避性安卓恶意软件","authors":"Teenu S. John ,&nbsp;Tony Thomas ,&nbsp;Sabu Emmanuel","doi":"10.1016/j.jisa.2024.103880","DOIUrl":null,"url":null,"abstract":"<div><p>Recently there is an upsurge in Android malware that use obfuscation and repackaging techniques for evasion. Malware may also combine both these techniques to create stealthy adversarial mimicry samples to launch mimicry attacks. In mimicry attacks, the adversary makes sure that the static and dynamic features present in the crafted malware mimics the features present in the legitimate applications. In such cases, the existing detection mechanisms may become less effective. We found that the malicious nature of Android applications can be determined by identifying certain subgraphs that appear in their system call graphs. These subgraphs can be determined with the help of spectral clustering mechanism present in EigenGCN. With this, the system call graph <span><math><mi>G</mi></math></span> will be partitioned into two subgraphs <span><math><msub><mrow><mi>G</mi></mrow><mrow><mn>1</mn></mrow></msub></math></span> and <span><math><msub><mrow><mi>G</mi></mrow><mrow><mn>2</mn></mrow></msub></math></span>, in which the malicious functionality if any will be present in the subgraph <span><math><msub><mrow><mi>G</mi></mrow><mrow><mn>1</mn></mrow></msub></math></span>. The graph Fourier transform based pooling technique in EigenGCN then computes the features of the subgraphs in the form of graph signals. This graph signals serve as a robust signature to detect malware. The proposed mechanism gave an accuracy of 98.7% on common malware, 97.3% on obfuscated malware, 97.8% on repackaged malware, and 90% on adversarial mimicry malware datasets. As far as we know, this is the first work that proposes a malware detection mechanism, that can detect common as well as obfuscated, repackaged, and mimicry malware in Android.</p></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"86 ","pages":"Article 103880"},"PeriodicalIF":3.8000,"publicationDate":"2024-09-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Detection of Evasive Android Malware Using EigenGCN\",\"authors\":\"Teenu S. John ,&nbsp;Tony Thomas ,&nbsp;Sabu Emmanuel\",\"doi\":\"10.1016/j.jisa.2024.103880\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><p>Recently there is an upsurge in Android malware that use obfuscation and repackaging techniques for evasion. Malware may also combine both these techniques to create stealthy adversarial mimicry samples to launch mimicry attacks. In mimicry attacks, the adversary makes sure that the static and dynamic features present in the crafted malware mimics the features present in the legitimate applications. In such cases, the existing detection mechanisms may become less effective. We found that the malicious nature of Android applications can be determined by identifying certain subgraphs that appear in their system call graphs. These subgraphs can be determined with the help of spectral clustering mechanism present in EigenGCN. With this, the system call graph <span><math><mi>G</mi></math></span> will be partitioned into two subgraphs <span><math><msub><mrow><mi>G</mi></mrow><mrow><mn>1</mn></mrow></msub></math></span> and <span><math><msub><mrow><mi>G</mi></mrow><mrow><mn>2</mn></mrow></msub></math></span>, in which the malicious functionality if any will be present in the subgraph <span><math><msub><mrow><mi>G</mi></mrow><mrow><mn>1</mn></mrow></msub></math></span>. The graph Fourier transform based pooling technique in EigenGCN then computes the features of the subgraphs in the form of graph signals. This graph signals serve as a robust signature to detect malware. The proposed mechanism gave an accuracy of 98.7% on common malware, 97.3% on obfuscated malware, 97.8% on repackaged malware, and 90% on adversarial mimicry malware datasets. As far as we know, this is the first work that proposes a malware detection mechanism, that can detect common as well as obfuscated, repackaged, and mimicry malware in Android.</p></div>\",\"PeriodicalId\":48638,\"journal\":{\"name\":\"Journal of Information Security and Applications\",\"volume\":\"86 \",\"pages\":\"Article 103880\"},\"PeriodicalIF\":3.8000,\"publicationDate\":\"2024-09-07\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Information Security and Applications\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S2214212624001820\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212624001820","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

摘要

最近,使用混淆和重新打包技术进行规避的安卓恶意软件激增。恶意软件还可能将这两种技术结合起来,创建隐蔽的恶意模仿样本,发起模仿攻击。在模仿攻击中,对手会确保制作的恶意软件中的静态和动态特征模仿合法应用程序中的特征。在这种情况下,现有的检测机制可能会变得不那么有效。我们发现,可以通过识别系统调用图中出现的某些子图来确定 Android 应用程序的恶意性质。这些子图可以借助 EigenGCN 中的光谱聚类机制来确定。这样,系统调用图 G 将被划分为两个子图 G1 和 G2,其中恶意功能(如有)将出现在子图 G1 中。然后,EigenGCN 中基于图傅立叶变换的池化技术将以图信号的形式计算出子图的特征。这种图信号可作为检测恶意软件的稳健签名。所提出的机制对普通恶意软件的准确率为 98.7%,对混淆恶意软件的准确率为 97.3%,对重新打包恶意软件的准确率为 97.8%,对对抗性模仿恶意软件数据集的准确率为 90%。据我们所知,这是第一项提出恶意软件检测机制的工作,它既能检测安卓系统中的普通恶意软件,也能检测混淆、重新打包和模仿恶意软件。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
Detection of Evasive Android Malware Using EigenGCN

Recently there is an upsurge in Android malware that use obfuscation and repackaging techniques for evasion. Malware may also combine both these techniques to create stealthy adversarial mimicry samples to launch mimicry attacks. In mimicry attacks, the adversary makes sure that the static and dynamic features present in the crafted malware mimics the features present in the legitimate applications. In such cases, the existing detection mechanisms may become less effective. We found that the malicious nature of Android applications can be determined by identifying certain subgraphs that appear in their system call graphs. These subgraphs can be determined with the help of spectral clustering mechanism present in EigenGCN. With this, the system call graph G will be partitioned into two subgraphs G1 and G2, in which the malicious functionality if any will be present in the subgraph G1. The graph Fourier transform based pooling technique in EigenGCN then computes the features of the subgraphs in the form of graph signals. This graph signals serve as a robust signature to detect malware. The proposed mechanism gave an accuracy of 98.7% on common malware, 97.3% on obfuscated malware, 97.8% on repackaged malware, and 90% on adversarial mimicry malware datasets. As far as we know, this is the first work that proposes a malware detection mechanism, that can detect common as well as obfuscated, repackaged, and mimicry malware in Android.

求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
Journal of Information Security and Applications
Journal of Information Security and Applications Computer Science-Computer Networks and Communications
CiteScore
10.90
自引率
5.40%
发文量
206
审稿时长
56 days
期刊介绍: Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信