Volume 32 Issue 5
Sep.  2023
HUANG Lu, XUE Jingfeng, WANG Yong, et al., “EAODroid: Android Malware Detection Based on Enhanced API Order,” Chinese Journal of Electronics, vol. 32, no. 5, pp. 1169-1178, 2023, doi: 10.23919/cje.2021.00.451

EAODroid: Android Malware Detection Based on Enhanced API Order

doi: 10.23919/cje.2021.00.451
Funds: This work was supported by the National Natural Science Foundation of China (62172042), the National Key Research & Development Program of China (2020YFB1712104), and the Major Scientific and Technological Innovation Projects of Shandong Province (2020CXGC010116)
  • Author Bio:

    Lu HUANG was born in 1997. She received the B.E. degree in software engineering from the Central South University. She is now a Ph.D. candidate of Beijing Institute of Technology. Her research interests include Android malware detection and software security. (Email: hhuangluu@163.com)

    Jingfeng XUE was born in 1975. He is a Professor and Ph.D. Supervisor in Beijing Institute of Technology. His main research interests focus on network security, data security, and software security. (Email: xuejf@bit.edu.cn)

    Yong WANG was born in 1975. She received the Ph.D. degree in computer science from Beijing Institute of Technology. She is an Associate Professor of Beijing Institute of Technology. Her research interests include cyber security, machine learning, and software security. (Email: wangyong@bit.edu.cn)

    Dacheng QU was born in 1974. He is a Professor in Beijing Institute of Technology. His main research interests focus on social network, recommender systems, and bioinformatics. (Email: qudc@bit.edu.cn)

    Junbao CHEN was born in 1999. He received the B.E. degree in software engineering from Beijing Institute of Technology. He is currently pursuing the master’s degree with School of Computer Science and Technology, Beijing Institute of Technology. His research interests include federated learning and AI security. (Email: chen.junbao@outlook.com)

    Nan ZHANG was born in 1991. He received the B.E. degree in computer application technology from Anyang Normal University. He is a Ph.D. candidate of Beijing Institute of Technology. His research interests include machine learning, malware detection, and information security. (Email: nanzhang611@bit.edu.cn)

    Li ZHANG (corresponding author) received the Ph.D. degree in computer application technology from Beijing Institute of Technology, Beijing, China. She is currently an Associate Professor of the Communication University of Zhejiang. Her current research interests include digital forensics, machine learning, and information security. (Email: nythhsg@sina.com)

  • Received Date: 2021-12-26
  • Accepted Date: 2022-03-10
  • Available Online: 2022-07-29
  • Publish Date: 2023-09-05
  • Abstract: The development of smart mobile devices brings convenience to people’s lives, but also provides a breeding ground for Android malware. The sharp increase in malware poses a disastrous threat to personal privacy in the information age. Because malware relies heavily on system application programming interfaces (APIs) to perform its malicious actions, a variety of API-based detection methods have been proposed. Most of them do not consider the relationship between APIs. We contribute a new approach based on the enhanced API order for Android malware detection, named EAODroid, which learns the similarity of system APIs from a large number of API sequences and groups similar APIs into clusters. The extracted API clusters are further used to enhance the original API calls executed by an app to characterize behaviors and perform classification. We perform multi-dimensional experiments to evaluate EAODroid on three datasets with ground truth. We compare it with many state-of-the-art works, showing that EAODroid achieves effective performance in Android malware detection.
