一种面向Android恶意软件的多视角多任务学习检测方法

doi:10.3969/j.issn.1671-1122.2022.10.001

信息网络安全 ›› 2022, Vol. 22 ›› Issue (10): 1-7.doi: 10.3969/j.issn.1671-1122.2022.10.001

一种面向Android恶意软件的多视角多任务学习检测方法

仝鑫¹, 金波¹^,²(), 王靖亚¹, 杨莹²

1.中国人民公安大学信息网络安全学院，北京 100038
2.公安部第三研究所，上海 200031

收稿日期:2022-09-07 出版日期:2022-10-10 发布日期:2022-11-15
通讯作者: 金波 E-mail:jinbo@gass.cn
作者简介:仝鑫（1995—），男，河南，博士研究生，主要研究方向为网络空间安全和自然语言处理|金波（1972—），男，上海，研究员，博士，主要研究方向为网络空间安全|王靖亚（1966—），女，北京，教授，硕士，主要研究方向为深度学习和人工智能安全|杨莹（1981—），女，河南，副研究员，博士，主要研究方向为网络空间安全和数据安全
基金资助:
国家重点研发计划(2021YFB3101405);国家社会科学基金重点项目(20AZD114);国家重点研发计划(2022YFC3300800)

A Multi-View and Multi-Task Learning Detection Method for Android Malware

TONG Xin¹, JIN Bo¹^,²(), WANG Jingya¹, YANG Ying²

1. School of Information Network Security, People’s Public Security University of China, Beijing 100038, China
2. The Third Research Institute of the Ministry of Public Security, Shanghai 200031, China

Received:2022-09-07 Online:2022-10-10 Published:2022-11-15
Contact: JIN Bo E-mail:jinbo@gass.cn

摘要/Abstract

摘要：

近年来，针对Android平台的恶意软件急剧增加，给反恶意软件领域带来了巨大挑战。尽管目前基于机器学习的检测方法为弥补传统检测技术的不足提供了新方向，但这些检测方法往往是基于单个模型或组合的相似模型构建的，很难从多个视角提取不同层次的语义信息，最终限制了检测效果。针对这一问题，文章提出了一种基于多视角多任务学习的Android恶意软件检测模型。首先，系统调用信息被输入梯度提升树模型以挖掘频次视角信息，然后调用信息还会被转化为灰度图并输入到基于视觉图神经网络、卷积神经网络的学习器以学习共现和关联特征。最后，文章还引入了基于层次标签的多任务学习方法完成模型训练，实现了针对Android恶意软件的多视角特征提取和分析。在来自UNB的细粒度公开数据集上的实验结果表明，该方法总体上优于传统基于单视角的检测方法，具备较好的准确率和可靠性。

关键词: Android恶意软件, 多视角学习, 多任务学习, 图神经网络

Abstract:

In recent years, there is a dramatic increase in malware targeting the Android platform, which brings great challenges to the anti-malware field. Although the current detection methods based on machine learning provide a new direction to make up for the shortcomings of traditional detection technology. These methods are often based on an individual model or a combination of similar models. It is difficult to extract semantic information at different levels from multi-view, which ultimately limits the detection effect. To address this vulnerability, this paper proposed an Android malware detection model based on multi-view and multi-task learning. First of all, the system call information was input into the gradient boosting decision tree model to mine the frequency view features. Then, the system call information was also transformed into a grayscale image and input to the learner based on a vision graph neural network and a convolutional neural network to learn co-occurrence and association features. Finally, the paper also introduced a multi-task learning method based on hierarchical labeling to complete model training, and achieved multi-view feature extraction and analysis for Android malware. Experimental results on the fine-grained public dataset from UNB show that this method is generally superior to the traditional method based on a single view, with better accuracy and reliability.

Key words: Android malware, multi-view learning, multi-task learning, graph neural network

中图分类号:

TP309

仝鑫, 金波, 王靖亚, 杨莹. 一种面向Android恶意软件的多视角多任务学习检测方法[J]. 信息网络安全, 2022, 22(10): 1-7.

TONG Xin, JIN Bo, WANG Jingya, YANG Ying. A Multi-View and Multi-Task Learning Detection Method for Android Malware[J]. Netinfo Security, 2022, 22(10): 1-7.

图/表 5

图1

图2

表1

图3

表2

参考文献 27

[1]	JIN Bo, WU Songyang, XIONG Xiong, et al. Research on Digital Forensics of Smart Devices[J]. Journal of Cyber Security, 2016, 1(3): 37-51.
	金波, 吴松洋, 熊雄, 等. 新型智能终端取证技术研究[J]. 信息安全学报, 2016, 1(3): 37-51.
[2]	ENCK W, ONGTANG M, MCDANIEL P. On Lightweight Mobile Phone Application Certification[C]// ACM.Proceedings of the 16th ACM Conference on Computer and Communications Security. New York Illinois: ACM, 2009: 235-245.
[3]	ENCK W, GILBERT P, HAN S, et al. Taintdroid: An information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones[J]. ACM Transactions on Computer Systems (TOCS), 2014, 32(2): 1-29.
[4]	ARZT S, RASTHOFER S, FRITZ C, et al. Flowdroid: Precise Context, Flow, Field, Object-Sensitive and Lifecycle-Aware Taint Analysis for android Apps[J]. Acm Sigplan Notices, 2014, 49(6): 259-269.
[5]	ZHANG Chaoqin, HU Guangwu, WANG Zhenlong, et al. A Novel SVM-Based Detection Method for Android Malware[J]. Computer Applications and Software, 2018, 35(10): 292-298.
	张超钦, 胡光武, 王振龙, 等. 一种基于支持向量机的安卓恶意软件新型检测方法[J]. 计算机应用与软件, 2018, 35(10): 292-298.
[6]	QU Jun, GU Liujun. Research on Android Malware Detection Based on Naive Bayes[J]. Netinfo Security, 2020(S1): 27-30.
	瞿俊, 顾刘军. 基于朴素贝叶斯的安卓恶意软件检测研究[J]. 信息网络安全, 2020(S1): 27-30.
[7]	LI Jianghua, QIU Chen. Android Malware Detection Method Based on Meta-Information[J]. Application Research of Computers, 2019, 36(10): 3058-3062.
	李江华, 邱晨. 一种基于元信息的Android恶意软件检测方法[J]. 计算机应用研究, 2019, 36(10): 3058-3062.
[8]	ZHU Huijuan, JIANG Tonghai, MA Bo, et al. HEMD: A Highly Efficient Random Forest-Based Malware Detection Framework for Android[J]. Neural Computing and Applications, 2018, 30(11): 3353-3361.
[9]	XIONG Jian, QIN Renchao, HE Mengyi, et al. Application of Improved Random Forest Algorithm in Android Malware Detection[J]. Computer Engineering and Applications, 2021, 57(3): 130-136.
	熊健, 覃仁超, 何梦乙, 等. 改进随机森林在Android恶意软件检测中的应用[J]. 计算机工程与应用, 2021, 57(3): 130-136.
[10]	ZHAO Yuxin, NURBOL, AI Zhuang. Android Malware Detection Based on Ensemble Learning Voting Algorithm[J]. Computer Engineering and Applications, 2020, 56(22): 74-82.
	赵宇鑫, 努尔布力, 艾壮. 基于集成学习投票算法的Android恶意应用检测[J]. 计算机工程与应用, 2020, 56(22): 74-82.
[11]	GAO Yangchen, FANG Yong, LIU Liang, et al. Android Malware Detection Technology Based on Deep Convolutional Neural Network[J]. Journal of Sichuan University (Natural Science Edition), 2020, 57(4): 673-680.
	高杨晨, 方勇, 刘亮, 等. 基于卷积神经网络的Android恶意软件检测技术研究[J]. 四川大学学报(自然科学版), 2020, 57(4): 673-680.
[12]	VINAYAKUMAR R, SOMAN K P, POORNACHANDRAN P, et al. Detecting Android Malware Using Long Short-Term Memory (LSTM)[J]. Journal of Intelligent & Fuzzy Systems, 2018, 34(3): 1277-1288.
[13]	YUE Ziwei, FANG Yong, ZHANG Lei. Android Malware Detection Based on Graph Attention Networks[J]. Journal of Sichuan University (Natural Science Edition), 2022, 59(5): 88-95.
	岳子巍, 方勇, 张磊. 基于图注意力网络的安卓恶意软件检测[J]. 四川大学学报(自然科学版), 2022, 59(5): 88-95.
[14]	WANG Wei, ZHAO Mengxue, WANG Jigang. Effective Android Malware Detection with a Hybrid Model Based on Deep Autoencoder and Convolutional Neural Network[J]. Journal of Ambient Intelligence and Humanized Computing, 2019, 10(8): 3035-3043.
[15]	RENJITH G, LAUDANNA S, AJI S, et al. GANG-MAM: GAN Based enGine for Modifying Android Malware[EB/OL]. (2022-02-17)[2022-07-06]. https://www.softxjournal.com/article/S2352-7110(22)00003-6/fulltext.
[16]	HAN Kai, WANG Yunhe, GUO Jianyuan, et al. Vision GNN: An Image is Worth Graph of Nodes[EB/OL]. (2022-07-05)[2022-09-03]. https://arxiv.org/abs/2206.00272.
[17]	HE Kaiming, ZHANG Xiangyu, REN Shaoqing, et al. Deep Residual Learning for Image Recognition[C]// IEEE.Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2016: 770-778.
[18]	KE Guolin, MENG Qi, FINLEY T, et al. LightGBM: A Highly Efficient Gradient Boosting Decision Tree[C]// NIPS. Proceedings of the 31st International Conference on Neural Information Processing Systems. West Chester: Curran Associates, 2017: 3147-3155.
[19]	MAHDAVIFAR S, ALHADIDI D, GHORBANi A. Effective and Efficient Hybrid Android Malware Classification Using Pseudo-Label Stacked Auto-Encoder[J]. Journal of Network and Systems Management, 2022, 30(1): 1-34.
[20]	DOSOVITSKIY A, BEYER L, KOLESNIKOV A, et al. An Image is Worth 16x16 Words: Transformers for Image Recognition at Scale[EB/OL]. (2021-06-03)[2022-07-06]. https://arxiv.org/abs/2010.11929.
[21]	SIMONYAN K, ZISSERMAN A. Very Deep Convolutional Networks for Large-Scale Image Recognition[EB/OL]. (2015-04-10) [2022-07-06]. https://arxiv.org/abs/1409.1556.
[22]	HUANG Gao, LIU Zhuang, MAATEN L, et al. Densely Connected Convolutional Networks[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2017: 4700-4708.
[23]	SANDLER M, HOWARD A, ZHU M, et al. Mobilenetv2: Inverted Residuals and Linear Bottlenecks[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE Computer Society, 2018: 4510-4520.
[24]	ZHANG Xiangyu, ZHOU Xinyu, LIN Mengxiao, et al. Shufflenet: An Extremely Efficient Convolutional Neural Network for Mobile Devices[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2018: 6848-6856.
[25]	XIE Saining, GIRSHICK R, DOLLÁR P, et al. Aggregated Residual Transformations for Deep Neural Networks[C]// IEEE. Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2017: 1492-1500.
[26]	LI Heng, ZHOU Shiyao, YUAN Wei, et al. Adversarial-Example Attacks toward Android Malware Detection System[J]. IEEE Systems Journal, 2019, 14(1): 653-656.
[27]	ZHI Yongbo, XI Ning, LIU Yuanqing, et al. A Lightweight Android Malware Detection Framework Based on Knowledge Distillation[C]// Springer. International Conference on Network and System Security. Berlin:Springer, 2021: 116-130.

方法	模型	Accuracy	Precision	Recall	F1 Score
机器学习方法	NB	64.15	69.99	64.15	62.21
	DT	90.05	89.95	90.05	89.96
	RF	91.30	91.33	91.30	91.26
	SVM	67.85	67.43	67.85	66.56
	KNN	83.05	82.93	83.05	82.77
	LightGBM	92.10	92.09	92.10	92.06
深度学习方法	VGG 11	88.10	88.02	88.10	88.01
	VGG 13	86.00	86.28	86.00	86.06
	ResNet18	85.65	86.33	85.65	85.68
	ResNet34	88.65	88.63	88.65	88.62
	ResNet50	86.15	86.94	86.15	86.21
	DenseNet121	85.75	85.78	85.75	85.75
	ResNext50	87.65	88.32	87.65	87.82
	ShuffleNet v2	80.55	81.02	80.55	80.66
	MobileNet v2	85.50	86.20	85.50	85.69
	ViG	88.90	89.13	88.90	88.96
	MVMTM(ours)	93.70	93.73	93.70	93.69

组件	细节	Accuracy	Precision	Recall	F1 Score
MVMTM		93.70	93.73	93.70	93.69
多视角	LightGBM+ResNet	0.15↓	0.16↓	0.15↓	0.17↓
	LightGBM+ViG	0.70↓	0.72↓	0.70↓	0.71↓
	ResNet+ViG	3.35↓	3.19↓	3.35↓	3.30↓
多任务	二分类辅助标签	0.35↓	0.35↓	0.35↓	0.35↓
多任务	无辅助标签	0.65↓	0.68↓	0.65↓	0.67↓
固定θ	0.1	0.20↓	0.20↓	0.20↓	0.21↓
固定θ	0.2	0.75↓	0.77↓	0.75↓	0.76↓

一种面向Android恶意软件的多视角多任务学习检测方法

A Multi-View and Multi-Task Learning Detection Method for Android Malware

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 5

参考文献 27

相关文章 3

编辑推荐

Metrics

本文评价

[1]	朱丽娜, 马铭芮, 朱东昭. 基于图神经网络和通用漏洞分析框架的C类语言漏洞检测方法[J]. 信息网络安全, 2022, 22(10): 59-68.
[2]	秦中元, 胡宁, 方兰婷. 基于免疫仿生机理和图神经网络的网络异常检测方法[J]. 信息网络安全, 2021, 21(8): 10-16.
[3]	宋鑫, 赵楷, 张琳琳, 方文波. 基于随机森林的Android恶意软件检测方法研究[J]. 信息网络安全, 2019, 19(9): 1-5.