基于异构图注意力网络的Android恶意软件检测  被引量：2

作　　者：贺娇君 蔡满春[1] 芦天亮[1] HE Jiaojun;CAI Manchun;LU Tianliang(School of Information Technology and Cyber Security,People's Public Security University of China,Beijing 100038,China)

机构地区：[1]中国人民公安大学信息网络安全学院,北京100038

出　　处：《中国人民公安大学学报（自然科学版）》2022年第4期30-38,共9页Journal of People’s Public Security University of China(Science and Technology)

基　　金：“十三五”国家密码发展基金密码理论研究重点课题(MMJJ20180108);中国人民公安大学2020年基本科研业务费重大项目(2020JKF101)。

摘　　要：近年来Android已经成为最流行的移动操作系统,越来越多的移动终端恶意软件窃取用户的私人信息,对安全造成了严重的威胁。现有的检测方法通常是通过挖掘不同APK文件中具有显著区分度的特征信息,使用机器学习的方法对欧式空间数据进行检测,但这类方法往往没有考虑到特征的结构性依赖关系。因此,将Android应用程序的API调用、请求权限、访问URL和包含组件关系映射到一个大型的异质网络中,把原来的检测问题转换成节点分类任务,构造的异质信息网络通过节点级注意力将所有类型的节点映射到统一的特征空间中,学习元路径邻居节点的权重并将其聚合得到特定语义的节点嵌入。实验结果证明,基于异构图注意力网络的检测方法能充分利用异质信息网络的结构特征和语义信息,能有效检测Android恶意软件。In recent years,Android has become the most popular mobile operating system.More and more mobile terminal malware steals users’private information,posing a serious threat to security.Current detection methods usually use machine learning to detect Euclide spatial data by mining feature information with significant distinction in different APK files.However,these methods often fail to take into account the structural dependence of features.In this work,API calls,request permissions,access URLs and inclusion component relations of Android applications are mapped into a large heterogeneous network.The original detection problem is transformed into a node classification task,and the constructed heterogeneous information network maps all types of nodes into a unified feature space through node-level attention.The weights of meta path neighbor nodes are learned and aggregated to obtain node embedding with specific semantics.Results show that the detection method based on heterogeneous graph attention network can make full use of the structural characteristics and semantic information of heterogeneous information network,and Android malware can be effectively detected.

关 键 词：ANDROID 恶意软件检测 图神经网络 异质信息网络 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]