Funding: Supported by Major National Science and Technology Projects (No. 3) under Grant No. 2012ZX03002012.
Abstract: Mobile malware is rapidly increasing and its detection has become a critical issue. In this study, we summarize the common characteristics of this malicious software on the Android platform. We design a detection engine consisting of six parts: decompilation, grammar parsing, control flow and data flow analysis, safety analysis, and comprehensive evaluation. In the comprehensive evaluation, we obtain a weight vector of 29 evaluation indexes using the analytic hierarchy process. During this process, the detection engine exports a list of suspicious APIs. On the basis of this list, the evaluation part of the engine performs a comprehensive hazard assessment of the software sample. Finally, a hazard classification is given for the software. The false positive rate of our approach is 4.7% for malware samples and 7.6% for normal samples. The experimental results show that the accuracy rate of our approach is close to that of the method based on virus signatures. Compared with the method based on virus signatures, our approach performs well in detecting unknown malware. This approach is promising for the application of malware detection.
Abstract: In the Android app market, malware uses code encryption techniques to block detection. For Android applications, scholars have proposed a method to determine whether an application is malicious by analyzing the behavioral characteristics of the software during operation. The most traditional method is static detection, which is characterized by fast detection speed and low resource occupation. However, Android software cannot be detected by static methods after encryption technology is applied. The APK package of the application is first decompiled to detect and extract key features, behavioral patterns, and invocation information using Frida and Camille. Subsequently, a long short-term memory network (LSTM) is employed to analyze software intent in order to determine the presence of malware. The experimental results demonstrate that the static method achieves an accuracy of approximately 80%, whereas the dynamic method achieves an accuracy of 91%. By combining software intention analysis with permission usage checks, the accuracy rate can be further enhanced to 94%. Upon comparison of the different algorithms utilized in each detection method, it is concluded that both the KNN and random forest algorithms exhibit higher accuracy in the application of such detection methods.
Funding: This work was supported by Grant No. XDC02010300.
Abstract: Beyond the explosively successful applications of deep learning (DL) in natural language processing, computer vision, and information retrieval, there have been numerous Deep Neural Network (DNN) based alternatives for common security-related scenarios, with malware detection among the more popular. Recently, adversarial learning has gained much attention. However, unlike computer vision applications, a malware adversarial attack is expected to preserve the malware's original malicious semantics. This paper proposes a novel adversarial instruction learning technique, DeepMal, based on an adversarial instruction learning approach for static malware detection. As far as we know, DeepMal is the first practical and systematic adversarial learning method that can directly produce adversarial samples and effectively bypass static malware detectors powered by DL and machine learning (ML) models while preserving attack functionality in the real world. Moreover, our method conducts small-scale attacks, which can evade typical malware variant analysis (e.g., duplication checks). We evaluate DeepMal on two real-world datasets, six typical DL models, and three typical ML models. Experimental results demonstrate that, on both datasets, DeepMal can attack typical malware detectors, with the mean F1-score and F1-score decreasing by a maximum of 93.94% and 82.86%, respectively. Besides, three typical types of malware samples (Trojan horses, backdoors, ransomware) are shown to preserve their original attack functionality, and the mean duplication check ratio of malware adversarial samples is below 2.0%. Furthermore, DeepMal can evade dynamic detectors and be easily enhanced by learning more dynamic features with specific constraints.