ArgusDroid: detecting Android malware variants by mining permission-API knowledge graph  Cited by: 3


Authors: Yude BAI, Sen CHEN, Zhenchang XING, Xiaohong LI

Affiliations: [1] College of Intelligence and Computing, Tianjin University, Tianjin 300350, China; [2] Research School of Computer Science, Australian National University, Acton ACT 2601, Australia

Source: Science China (Information Sciences) (English edition), 2023, Issue 9, pp. 111-129, 19 pages in total

Funding: National Natural Science Foundation of China (Grant Nos. 62102284, 61872262).

Abstract: Malware family variants make minor and relevant changes of behaviors based on the original malware. To analyze and detect family variants, security experts must not only understand malware behaviors but also further observe the correlation between the features of these behaviors. However, the recent data-driven based behavior features are too independent and sometimes too general to obtain a comprehensive profile of the changeable malicious behaviors of family variants derived from the original malware. Those features additionally suffer from limited semantic knowledge which narrows the comprehension of family variants. To this end, in this paper, we propose ArgusDroid that takes advantage of the knowledge graph (KG) to construct a permission-API knowledge graph based on the official Android document. Because each permission or API in the document is described by a specific sentence, we can easily acquire and comprehend the relationship between different features via the hyperlink in sentences or sentence similarity. ArgusDroid also extracts various feature sets from the knowledge graph and validates the detection performance on Android malware family variants based on these features. Extensive experiments by using machine learning and neural network classifiers for variant identification have been carried out. The experimental results demonstrate the effectiveness and usefulness of our obtained feature sets based on ArgusDroid, especially when using the classifiers convolutional neural network (CNN) and multi-layer perception (MLP). Furthermore, when compared to similar feature sets that aim to present relationships across different feature types, such as Axplorer, ArgusDroid generates the feature set which significantly improves malware variant detection by 0.3575 average F1.

Keywords: malicious behavior; Android document; knowledge graph; malware family variant; machine learning

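Classification: TP311.5 [Automation and Computer Technology: Computer Software and Theory]; TP309 [Automation and Computer Technology: Computer Science and Technology]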

 
