Interpretability-based Android Malware Detection

Funding: National Natural Science Foundation of China (62062020)
    Abstract:

    Android malware detectors usually return only a verdict, with no explanation of why a sample was flagged. This paper approaches Android malware detection from the standpoint of interpretability and proposes MLP_At (multilayer perceptron attention method), which combines a multilayer perceptron with an attention mechanism. Permission and application programming interface (API) features are extracted from the apps and preprocessed into feature vectors, a multilayer perceptron learns from those features, and the network is trained with the backpropagation (BP) algorithm to classify samples. An attention mechanism inserted into the perceptron captures the sensitive features behind each decision, and descriptions generated from those features explain the core malicious behaviour of the application. Experiments show that the method detects malware effectively, improving accuracy by 3.65%, 3.70% and 2.93% over SVM, RF and XGBoost respectively, and that it reveals the malicious behaviour of a sample accurately. The same attention output also explains why a sample was misclassified.
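The pipeline the abstract sketches (permission and API features vectorised, fed to a perceptron with a feature-level attention layer, the attention weights read back as the "sensitive features" behind a decision) as an added worked example in pure Python. This is illustration code written for this page, not the authors' MLP_At implementation or their data: the app feature sets are constructed, the architecture is a deliberately small stand-in (masked softmax attention over the features an app actually exposes, one tanh hidden layer, a sigmoid output trained by backpropagation), and the layer sizes, learning rate and epoch count are assumptions.

```python
"""Attention-gated MLP over permission/API presence features, with per-feature explanation.

Added illustration in pure Python (standard library only); it is not the authors'
MLP_At implementation. The apps below are constructed; in practice the feature
sets come from static analysis of the APK (e.g. androguard's APK.get_permissions()
plus the API methods referenced in the DEX code). Sizes and hyperparameters are assumptions.
"""
import math
import random

# Constructed vocabulary: manifest permissions and API methods as binary features.
FEATURES = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.SEND_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Landroid/telephony/TelephonyManager;->getDeviceId",
    "Ljava/net/HttpURLConnection;->connect",
]
INTERNET, NET_STATE, SEND_SMS, PHONE_STATE, BOOT, SEND_TEXT, DEVICE_ID, HTTP = FEATURES

# Constructed labelled apps: (observed permissions and API calls, 1 = malicious).
SAMPLES = [
    ({INTERNET, NET_STATE, HTTP}, 0),
    ({INTERNET, HTTP, BOOT}, 0),
    ({NET_STATE, BOOT}, 0),
    ({INTERNET, SEND_SMS, PHONE_STATE, SEND_TEXT, DEVICE_ID}, 1),
    ({SEND_SMS, BOOT, SEND_TEXT}, 1),
    ({INTERNET, HTTP, PHONE_STATE, DEVICE_ID, SEND_TEXT}, 1),
]


def vectorize(observed):
    """Preprocessing step: binary presence vector over FEATURES."""
    return [1.0 if f in observed else 0.0 for f in FEATURES]


class AttentionMLP:
    """Masked softmax attention over present features -> tanh hidden layer -> sigmoid output."""

    def __init__(self, d, hidden=6, seed=0):
        rng = random.Random(seed)
        u = lambda: rng.uniform(-0.5, 0.5)
        self.Wa = [[u() for _ in range(d)] for _ in range(d)]   # attention scores s = Wa x + ba
        self.ba = [0.0] * d
        self.Wh = [[u() for _ in range(d)] for _ in range(hidden)]
        self.bh = [0.0] * hidden
        self.wo = [u() for _ in range(hidden)]
        self.bo = 0.0

    def forward(self, x):
        d, H = len(x), len(self.wo)
        if not any(x):
            raise ValueError("app exposes none of the known features")
        s = [sum(self.Wa[i][k] * x[k] for k in range(d)) + self.ba[i] for i in range(d)]
        m = max(s[i] for i in range(d) if x[i] > 0)
        e = [math.exp(s[i] - m) if x[i] > 0 else 0.0 for i in range(d)]  # absent features get no attention
        tot = sum(e)
        alpha = [v / tot for v in e]                                       # sums to 1 over present features
        h = [math.tanh(sum(self.Wh[j][i] * alpha[i] for i in range(d)) + self.bh[j]) for j in range(H)]
        logit = sum(self.wo[j] * h[j] for j in range(H)) + self.bo
        return 1.0 / (1.0 + math.exp(-logit)), alpha, h

    def train_step(self, x, y, lr):
        """One SGD step of backpropagation on binary cross-entropy; returns the sample loss."""
        p, alpha, h = self.forward(x)
        d, H = len(x), len(h)
        g_logit = p - y
        g_pre = [g_logit * self.wo[j] * (1.0 - h[j] ** 2) for j in range(H)]
        g_alpha = [sum(self.Wh[j][i] * g_pre[j] for j in range(H)) for i in range(d)]
        dot = sum(alpha[i] * g_alpha[i] for i in range(d))
        g_s = [alpha[i] * (g_alpha[i] - dot) for i in range(d)]  # softmax Jacobian; zero where masked
        for j in range(H):
            self.wo[j] -= lr * g_logit * h[j]
            self.bh[j] -= lr * g_pre[j]
            for i in range(d):
                self.Wh[j][i] -= lr * g_pre[j] * alpha[i]
        self.bo -= lr * g_logit
        for i in range(d):
            self.ba[i] -= lr * g_s[i]
            for k in range(d):
                self.Wa[i][k] -= lr * g_s[i] * x[k]
        p_c = min(max(p, 1e-12), 1.0 - 1e-12)
        return -(y * math.log(p_c) + (1 - y) * math.log(1.0 - p_c))


def train(samples, epochs=1000, lr=0.5, seed=0):
    model = AttentionMLP(len(FEATURES), seed=seed)
    data = [(vectorize(obs), y) for obs, y in samples]
    losses = []
    for _ in range(epochs):
        losses.append(sum(model.train_step(x, y, lr) for x, y in data) / len(data))
    return model, losses


def accuracy(model, samples):
    hits = sum((model.forward(vectorize(o))[0] >= 0.5) == (y == 1) for o, y in samples)
    return hits / len(samples)


def explain(model, observed, top=3):
    """Rank the app's own features by attention weight: the 'sensitive features'
    from which a behaviour description would be generated."""
    p, alpha, _ = model.forward(vectorize(observed))
    ranked = sorted(((alpha[i], f) for i, f in enumerate(FEATURES) if f in observed), reverse=True)
    return p, [f for _, f in ranked[:top]]


if __name__ == "__main__":
    model, losses = train(SAMPLES)
    print(f"loss {losses[0]:.3f} -> {losses[-1]:.3f}; train accuracy {accuracy(model, SAMPLES):.2f}")
    for obs, y in SAMPLES:
        p, top = explain(model, obs)
        print(f"label={y} score={p:.2f} attended: {top}")
```

Running the module trains on the six constructed apps and prints, for each app, its malware score and the three features that received the most attention; calling `explain` on a misclassified sample shows which of its features drove the wrong verdict, which is the diagnostic use the abstract describes. In a real deployment the `FEATURES` vocabulary and each app's feature set come from static analysis of the APK (manifest permissions and the API methods referenced in the DEX code), and an attention ranking should be checked against the model's actual decision, for example by removing the top-ranked features and confirming the score moves, rather than taken on trust.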

Cite this article:

Huang Haibin (黄海彬), Wan Liang (万良), Chu Kun (褚堃). Interpretability-based Android Malware Detection. Computer Systems & Applications (计算机系统应用), 2022, 31(12): 29-40

History
  • Received: 2022-03-06
  • Last revised: 2022-04-02
  • Published online: 2022-07-15
Copyright: Institute of Software, Chinese Academy of Sciences