Android is now the dominant operating system in the mobile ecosystem, with billions of people using its apps daily. As expected, this trend has not gone unnoticed by miscreants, and Android has become the favorite platform for reaching new victims through malicious apps. Moreover, these apps have become sophisticated enough to bypass the anti-malware measures meant to protect users. Traditional anti-malware techniques have therefore become cumbersome, creating a need for an efficient way to detect Android malware. This paper presents hybrid-Flacon, a hybrid-pattern Android malware detection and categorization framework. It combines dynamic and static features of Android malware, drawn from network traffic and from the program's code graph structure. In hybrid-Flacon, we treat network traffic as a dynamic feature and process it as a 2D-image sequence: each network flow is handled as a sequence of 2D images, and a bidirectional LSTM network processes those 2D-image sequences to obtain vectors representing the network packets. For the static feature we use the program code graph, applying natural language processing (NLP) inspired techniques to the function call graph (FCG), and we design a graph neural network-based approach to convert the whole graph structure of an Android app into a vector. Finally, we concatenate the converted vectors, both network and program code features, to detect and categorize malware. Our results show that hybrid-Flacon performs well, reaching 97.16% accuracy on average for malware detection and 88.32% accuracy for malware categorization. Additionally, we release a dataset, AndroNetMnist, which converts network traffic into 2D-image sequences and supports malware detection on such sequences.
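The flow-to-image-sequence preprocessing the abstract describes, as an added example that is not code from the hybrid-Flacon paper or the AndroNetMnist release. It assumes 28x28 grayscale images (784 bytes per packet, MNIST-style), that each image is built from the first 784 bytes of a packet's payload, and that a flow is keyed by its bidirectional 5-tuple; the sample capture is constructed.

```python
# Added example (not the paper's own code): turn captured packets into the
# per-flow 2D-image sequence that a sequence model (e.g. a bidirectional LSTM)
# would consume. Image size, payload-to-pixel mapping and the bidirectional
# flow key are assumptions; the abstract does not state them.
from collections import defaultdict

IMG_SIDE = 28                    # assumed image side length
IMG_BYTES = IMG_SIDE * IMG_SIDE  # 784 bytes per packet image

def flow_key(pkt):
    """Bidirectional 5-tuple so both directions of a flow share one sequence."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)

def packet_to_image(payload: bytes):
    """Truncate/zero-pad payload to IMG_BYTES, reshape to IMG_SIDE rows,
    and scale each byte to a float pixel in [0, 1]."""
    buf = payload[:IMG_BYTES].ljust(IMG_BYTES, b"\x00")
    return [[buf[r * IMG_SIDE + c] / 255.0 for c in range(IMG_SIDE)]
            for r in range(IMG_SIDE)]

def flows_to_image_sequences(packets, max_pkts=8):
    """Group packets into flows in capture order and convert each flow into a
    sequence of at most max_pkts images (one image per packet)."""
    flows = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p["ts"]):
        flows[flow_key(pkt)].append(pkt)
    return {k: [packet_to_image(p["payload"]) for p in v[:max_pkts]]
            for k, v in flows.items()}

# Constructed sample capture (documentation addresses): one bidirectional TLS
# flow with an oversized reply, and one small DNS flow that needs padding.
SAMPLE_PACKETS = [
    {"ts": 1.0, "proto": "tcp", "src": "10.0.0.2", "sport": 40000,
     "dst": "198.51.100.7", "dport": 443, "payload": b"\x16\x03\x01" + b"\xff" * 100},
    {"ts": 1.1, "proto": "tcp", "src": "198.51.100.7", "sport": 443,
     "dst": "10.0.0.2", "dport": 40000, "payload": b"\x16\x03\x03" + b"\x00" * 2000},
    {"ts": 1.2, "proto": "udp", "src": "10.0.0.2", "sport": 5353,
     "dst": "192.0.2.53", "dport": 53, "payload": b"\xab\xcd\x01\x00"},
]

if __name__ == "__main__":
    for key, imgs in flows_to_image_sequences(SAMPLE_PACKETS).items():
        print(key, "packets:", len(imgs), "image:", len(imgs[0]), "x", len(imgs[0][0]))
```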