Android Malware Detection Based on Feature Selection

doi:10.3778/j.issn.1002-8331.2206-0408

Abstract

Abstract: With the rapid development of the mobile Internet and the Android operating system, applications running on the Android system have also grows rapidly, but malware hidden in them poses a serious threat to users’ property and privacy. Because of the excessive number of Android application features, which affects the efficiency and accuracy of malware detection. Droid-TF-IDF, an Android malware detection approach based on feature selection, select representative features in benign application and malware according to difference of TF-IDF, is proposed. Firstly, APK files are statically analyzed to extract three types of features：permission, API, and opcode to compose a set of features. Then, the Droid-TF-IDF values of different features are calculated and ranked. Finally, a subset of features with greater Droid-TF-IDF values are selected from the feature set to build models such as random forest, support vector machine（SVM） and convolutional neural networks（CNN） to detect Android malware. A prototype tool is implemented based on the proposed approach, and experiments are carried on 3?006 Android applications. The experimental results show that Droid-TF-IDF can be used for three types of features：permission, API, and opcode, and effectively reduce the dimension of features and improve the performances and efficiency of malware detection. After feature selection, the F1 value for detecting Android malware increased by 0.6 percentage points at most, and the time consumption decreased by 35% at most.

Key words: Android application, static analysis, feature extraction, feature selection, malware detection

摘要： 随着移动互联网和Android操作系统的快速发展，运行于Android系统的应用程序同样发展迅速，但隐藏在其中的恶意应用对用户的财产和隐私安全带来了严重威胁。针对Android应用特征数量过多，影响检测效率和精度的问题，提出一种基于特征选择的恶意Android应用检测方法Droid-TF-IDF，根据TF-IDF差值选择良性应用和恶意应用的代表性特征。静态分析APK文件，提取应用权限、API和操作码3类特征，形成特征集；分别计算各类特征的Droid-TF-IDF值，并进行排名；在特征集合中选择Droid-TF-IDF值较高的特征子集，构建随机森林、支持向量机（SVM）和卷积神经网络（CNN）等模型检测恶意Android应用。基于所提出的方法实现了原型工具，并在3?006个Android应用样本上进行了对比实验，实验结果表明，Droid-TF-IDF适用于权限、API和操作码3类特征，可在有效减少特征维度的同时，提升恶意应用检测的性能和效率。经特征选择后，检测恶意Android应用的F1值最高提升了0.6个百分点，时间消耗最多减少了35%。

关键词: Android应用, 静态分析, 特征提取, 特征选择, 恶意应用检测

PAN Jianwen, ZHANG Zhihua, LIN Gaoyi, CUI Zhanqi. Android Malware Detection Based on Feature Selection[J]. Computer Engineering and Applications, 2023, 59(21): 287-295.

潘建文, 张志华, 林高毅, 崔展齐. 基于特征选择的恶意Android应用检测方法[J]. 计算机工程与应用, 2023, 59(21): 287-295.

References

[1] IDC Corporate.Smartphone market share[EB/OL].（2021-05-17）[2021-11-03].https：//www.idc.com/promo/smartphone-market-share/os.
[2] National Internet Emergency Center.2020 China Internet cybersecurity report[EB/OL].（2021?07?21）[2021?11?09].https：//www.cert.org.cn/publish/main/upload/File/2020%20Annual%20Report.pdf.
[3] HASAN H，LADANI B T，ZAMAN B.MEGDroid：a model-driven event generation framework for dynamic android malware analysis[J].Information and Software Technology，2021，135：106569.
[4] ALZAYLAEE M K，YERIMA S Y，SEZER S.DL-Droid：deep learning based android malware detection using real devices[J].Computers & Security，2020，89：101663.
[5] KIM T G，KANG B J，RHO M，et al.A multimodal deep learning method for android malware detection using various features[J].IEEE Transactions on Information Forensics and Security，2018，14（3）：773-788.
[6] LI X，WANG Y，RUIZ R.A survey on sparse learning models for feature selection[J].IEEE Transactions on Cybernetics，2022，52（3）：1642-1660.
[7] CAI J，LUO J，WANG S，et al.Feature selection in machine learning：a new perspective[J].Neurocomputing，2018，300：70-79.
[8] 范铭，刘烃，刘均，等.安卓恶意软件检测方法综述[J].中国科学：信息科学，2020，50（8）：1148-1177.
FAN M，LIU T，LIU J，et al.Android malware detection：a survey[J].SCIENTIA SINICA Informationis，2020，50（8）：1148-1177.
[9] ARORA A，PEDDOJU S K，CONTI M.Permpair：Android malware detection using permission pairs[J].IEEE Transactions on Information Forensics and Security，2019，15：1968-1982.
[10] AMER E.Permission-based approach for android malware analysis through ensemble-based voting model[C]//2021 International Mobile，Intelligent，and Ubiquitous Computing Conference（MIUCC），2021：135-139.
[11] ILHAM S，ABDERRAHIM G，ABDELHAKIM B A.Permission based malware detection in Android devices[C]//Proceedings of the 3rd International Conference on Smart City Applications，Tetouan Morocco，Oct 10-11，2018.New York：ACM，2018：1-6.
[12] SCALAS M，MAIORCA D，MERCALDO F，et al.On the effectiveness of system API-related information for Android ransomware detection[J].Computers & Security，2019，86：168-182.
[13] 邵舒迪，虞慧群，范贵生.基于权限和API特征结合的Android恶意软件检测方法[J].计算机科学，2017，44（4）：135-139.
SHAO S D，YU H Q，FAN G S.Detecting malware by combining API and permision features[J].Computer Science，2017，44（4）：135-139.
[14] ZHANG X H，ZHANG Y，ZHONG M，et al.Enhancing state-of-the-art classifiers with API semantics to detect evolved android malware[C]//Proceedigns of the 2020 ACM SIGSAC Conference on Computer and Communications Security，Virtual Event USA，Nov 9-13，2020.New York：ACM，2020：757-770.
[15] XU J，LI Y，DENG R，et al.SDAC：a slow-aging solution for Android malware detection using semantic distance based API clustering[J].IEEE Transactions on Dependable and Secure Computing，2022，19（2）：1149-1163.
[16] 徐开勇，肖警续，郭松，等.基于改进人工蜂群算法的Android恶意应用检测[J].计算机科学，2019，46（S2）：421-427.
XU K Y，XIAO J X，GUO S，et al.Android malicious application detection based on improved artificial be colony algorithms[J].Computer Science，2019，46（S2）：421-427.
[17] PEYNIRCI G，EMINA?AO?LU M，KARABULUT K.Feature selection for malware detection on the Android platform based on differences of IDF values[J].Journal of Computer Science and Technology，2020，35（4）：946-962.
[18] MCLAUGHLIN N，MARTINEZ D R J，KANG B J，et al.Deep android malware detection[C]//Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy，Scottsdale Arizona USA，Mar 22-24，2017.New York：ACM，2017：301-308.
[19] XIAO X.An image-inspired and CNN-based Android malware detection approach[C]//2019 34th IEEE/ACM International Conference on Automated Software Engineering（ASE），San Diego，Nov 11-15，2019.Piscataway，NJ：IEEE，2019：1259-1261.
[20] YUAN B，WANG J，LIU D，et al.Byte-level malware classification based on Markov images and deep learning[J].Computers & Security，2020，92（5）：101740.
[21] QIU J，HAN Q L，LUO W，et al.Cyber code intelligence for Android malware detection[J].IEEE Transactions on Cybernetics，2022.
[22] GAO H，CHENG S，ZHANG W.GDroid：Android malware detection and classification with graph convolutional network[J].Computers & Security，2021，106：102264.