基于GCN和BiLSTM的Android恶意软件检测方法  

作　　者：贺娇君 蔡满春[1] 芦天亮[1] HE Jiaojun;CAI Manchun;LU Tianliang(School of Information Cyber Security,People’s Public Security University of China,Beijing 100038,China)

机构地区：[1]中国人民公安大学信息网络安全学院,北京100038

出　　处：《计算机科学》2024年第4期388-395,共8页Computer Science

基　　金：中国人民公安大学2022年基科费项目(2022JKF02009);公共安全风险防控与应急技术装备重点专项(20200017)。

摘　　要：现有Android恶意软件检测方法大多是对单一结构类型的特征进行学习,在分析应用程序语义方面有所缺失。针对传统检测方法捕获特征语义不够全面的问题,文中创新性地提出了一种基于GCN和BiLSTM的Android恶意软件检测模型,在精准提取样本结构信息的同时对恶意行为语义进行重点分析。首先以图的方式表征26类关键系统调用间的拓扑关系,使用双层GCN网络聚合系统调用图中节点的高阶结构信息,有效提高特征学习效率;然后利用带有自注意力机制的BiLSTM网络获取操作码序列的上下文语义,通过为具有恶意特征的序列赋予高权重得到特征内部的强相关性;最后使用Softmax输出融合结构信息和上下文特征的样本分类概率。在基于Drebin和AndroZoo数据集的实验中,所提模型准确率达到了93.95%,F1值达到了97.09%,相较于基准算法有显著提高,充分证明了基于GCN和BiLSTM的模型能有效提升Android恶意软件的检测效果。Most of the existing Android malware detection methods learn features of a single structure type,and there are shortcomings in analyzing application semantics.Aiming at the problem that the traditional detection methods are not comprehensive enough in capturing feature semantics,this paper innovatively proposes an Android malware detection model based on GCN and BiLSTM.At the same time,the semantic of malicious behavior is analyzed emphatically while the sample structure information is extracted accurately.Firstly,the topological relationship between 26 types of key system calls is represented in the graph,and the two-layer GCN network is used to aggregate the high-order structure information of nodes in the system call graph to effectively improve the feature learning efficiency.Then,the BiLSTM network with self-attention mechanism is used to obtain the context semantics of opcode sequence.By assigning high weights to sequences with malicious features,the strong correlation within features is obtained.Finally,Softmax is used to output the sample classification probability fused with structural information and context features.In the experiments based on Drebin and AndroZoo datasets,the accuracy of the proposed model reaches 93.95%,and the F1 value reaches 0.97,which is significantly improved compared with the benchmark algorithm.It fully proves that the proposed model based on GCN and BiLSTM can effectively discriminate the properties of applications and improve the detection effect of Android malware.

关 键 词：ANDROID 恶意软件检测 GCN BiLSTM 

分 类 号：TP309[自动化与计算机技术—计算机系统结构]