
Obfuscation-resilient Android Malware Detection Based on Graph Convolutional Networks

Cited by: 2
Abstract: Since its release, Android has become the most widely used mobile phone operating system in the world thanks to its open-source nature, rich hardware, and diverse application markets. At the same time, the explosive growth of Android devices and Android applications (apps for short) has made it the target of 96% of mobile malware. Among existing Android malware detection methods, those that ignore program semantics and directly extract simple program features are fast but insufficiently accurate, while those that convert program semantics into graph models and apply graph analysis are accurate but have high overhead and scale poorly. To address these challenges, the program semantics of an app are extracted as a function call graph, and, while preserving the semantic information, an abstract-API technique converts the call graph into an abstract graph to reduce runtime overhead and strengthen robustness. On the resulting abstract graphs, SriDroid, an obfuscation-resilient Android malware classifier based on a graph convolutional network (GCN), is trained with triplet loss. Experimental analysis on 20246 Android apps shows that SriDroid achieves 99.17% malware detection accuracy with sound robustness.
Authors: 吴月明 (WU Yue-Ming); 齐蒙 (QI Meng); 邹德清 (ZOU De-Qing); 金海 (JIN Hai). Affiliations: National Engineering Research Center for Big Data Technology and System (Key Laboratory of Services Computing Technology and System, Ministry of Education, Huazhong University of Science and Technology), Wuhan 430074, China; Hubei Key Laboratory of Distributed System Security, Wuhan 430074, China; School of Cyber Science and Engineering, Huazhong University of Science and Technology, Wuhan 430074, China; School of Computer Science and Technology, Huazhong University of Science and Technology, Wuhan 430074, China.
Source: Journal of Software (《软件学报》; indexed in EI, CSCD, and the Peking University Core Journals list), 2023, No. 6, pp. 2526-2542 (17 pages).
Funding: National Natural Science Foundation of China (62172168); Key Research and Development Program of Hubei Province (2021BAA032).
Keywords: Android malware; obfuscation-resilient; function call graph; abstract API; graph convolutional network (GCN)