Mobile malware is rapidly increasing and its detection has become a critical issue. In this study, we summarize the common characteristics of this inalicious software on Android platform. We design a detection engine ...Mobile malware is rapidly increasing and its detection has become a critical issue. In this study, we summarize the common characteristics of this inalicious software on Android platform. We design a detection engine consisting of six parts: decompile, grammar parsing, control flow and data flow analysis, safety analysis, and comprehensive evaluation. In the comprehensive evaluation, we obtain a weight vector of 29 evaluation indexes using the analytic hierarchy process. During this process, the detection engine exports a list of suspicious API. On the basis of this list, the evaluation part of the engine performs a compre- hensive evaluation of the hazard assessment of software sample. Finally, hazard classification is given for the software. The false positive rate of our approach for detecting rnalware samples is 4. 7% and normal samples is 7.6%. The experimental results show that the accuracy rate of our approach is almost similar to the method based on virus signatures. Compared with the method based on virus signatures, our approach performs well in detecting unknown malware. This approach is promising for the application of malware detection.展开更多
Outside the explosive successful applications of deep learning(DL)in natural language processing,computer vision,and information retrieval,there have been numerous Deep Neural Networks(DNNs)based alternatives for comm...Outside the explosive successful applications of deep learning(DL)in natural language processing,computer vision,and information retrieval,there have been numerous Deep Neural Networks(DNNs)based alternatives for common security-related scenarios with malware detection among more popular.Recently,adversarial learning has gained much focus.However,unlike computer vision applications,malware adversarial attack is expected to guarantee malwares’original maliciousness semantics.This paper proposes a novel adversarial instruction learning technique,DeepMal,based on an adversarial instruction learning approach for static malware detection.So far as we know,DeepMal is the first practical and systematical adversarial learning method,which could directly produce adversarial samples and effectively bypass static malware detectors powered by DL and machine learning(ML)models while preserving attack functionality in the real world.Moreover,our method conducts small-scale attacks,which could evade typical malware variants analysis(e.g.,duplication check).We evaluate DeepMal on two real-world datasets,six typical DL models,and three typical ML models.Experimental results demonstrate that,on both datasets,DeepMal can attack typical malware detectors with the mean F1-score and F1-score decreasing maximal 93.94%and 82.86%respectively.Besides,three typical types of malware samples(Trojan horses,Backdoors,Ransomware)prove to preserve original attack functionality,and the mean duplication check ratio of malware adversarial samples is below 2.0%.Besides,DeepMal can evade dynamic detectors and be easily enhanced by learning more dynamic features with specific constraints.展开更多
基金supported by Major National Science and Technology Projects(No.3) under Grant No. 2012ZX03002012
文摘Mobile malware is rapidly increasing and its detection has become a critical issue. In this study, we summarize the common characteristics of this inalicious software on Android platform. We design a detection engine consisting of six parts: decompile, grammar parsing, control flow and data flow analysis, safety analysis, and comprehensive evaluation. In the comprehensive evaluation, we obtain a weight vector of 29 evaluation indexes using the analytic hierarchy process. During this process, the detection engine exports a list of suspicious API. On the basis of this list, the evaluation part of the engine performs a compre- hensive evaluation of the hazard assessment of software sample. Finally, hazard classification is given for the software. The false positive rate of our approach for detecting rnalware samples is 4. 7% and normal samples is 7.6%. The experimental results show that the accuracy rate of our approach is almost similar to the method based on virus signatures. Compared with the method based on virus signatures, our approach performs well in detecting unknown malware. This approach is promising for the application of malware detection.
基金This work was supported by Grant No.XDC02010300.
文摘Outside the explosive successful applications of deep learning(DL)in natural language processing,computer vision,and information retrieval,there have been numerous Deep Neural Networks(DNNs)based alternatives for common security-related scenarios with malware detection among more popular.Recently,adversarial learning has gained much focus.However,unlike computer vision applications,malware adversarial attack is expected to guarantee malwares’original maliciousness semantics.This paper proposes a novel adversarial instruction learning technique,DeepMal,based on an adversarial instruction learning approach for static malware detection.So far as we know,DeepMal is the first practical and systematical adversarial learning method,which could directly produce adversarial samples and effectively bypass static malware detectors powered by DL and machine learning(ML)models while preserving attack functionality in the real world.Moreover,our method conducts small-scale attacks,which could evade typical malware variants analysis(e.g.,duplication check).We evaluate DeepMal on two real-world datasets,six typical DL models,and three typical ML models.Experimental results demonstrate that,on both datasets,DeepMal can attack typical malware detectors with the mean F1-score and F1-score decreasing maximal 93.94%and 82.86%respectively.Besides,three typical types of malware samples(Trojan horses,Backdoors,Ransomware)prove to preserve original attack functionality,and the mean duplication check ratio of malware adversarial samples is below 2.0%.Besides,DeepMal can evade dynamic detectors and be easily enhanced by learning more dynamic features with specific constraints.
