Android malware detection via an app similarity graph

Tatiana Frenklach; Dvir Cohen; Asaf Shabtai; Rami Puzis

doi:10.1016/j.cose.2021.102386

Android malware detection via an app similarity graph

Tatiana Frenklach
, Dvir Cohen
, Asaf Shabtai
, Rami Puzis

Research output: Contribution to journal › Article › peer-review

44 Scopus citations

Abstract

Due to the ever-increasing number of Android applications and constant advances in software development techniques, there is a need for scalable and flexible malware detectors that can efficiently address big data challenges. Motivated by large-scale recommender systems, we propose a static Android application analysis method which relies on an app similarity graph (ASG). We believe that the key to classifying app's behavior lies in their common reusable building blocks, e.g. functions, in contrast to expert based features. We demonstrate our method on the Drebin benchmark in both balanced and unbalanced settings, on a brand new VTAz dataset from 2020, and on a dataset of approximately 190K applications provided by VirusTotal, achieving an accuracy of 0.975 in balanced settings, and AUC score of 0.987. The analysis and classification time of the proposed methods are notably lower than in the reviewed research (from 0.08 to 0.153 sec/app).

Original language	English
Article number	102386
Journal	Computers and Security
Volume	109
DOIs	https://doi.org/10.1016/j.cose.2021.102386
State	Published - 1 Oct 2021

Keywords

Android
Graph representations
Machine learning
Malware detection
Matrix factorization
Node embedding
Recommender system
Static analysis

ASJC Scopus subject areas

General Computer Science
Law

Access to Document

10.1016/j.cose.2021.102386

Cite this

@article{db0fabf060b148ea9eebdd365851a5d7,

title = "Android malware detection via an app similarity graph",

abstract = "Due to the ever-increasing number of Android applications and constant advances in software development techniques, there is a need for scalable and flexible malware detectors that can efficiently address big data challenges. Motivated by large-scale recommender systems, we propose a static Android application analysis method which relies on an app similarity graph (ASG). We believe that the key to classifying app's behavior lies in their common reusable building blocks, e.g. functions, in contrast to expert based features. We demonstrate our method on the Drebin benchmark in both balanced and unbalanced settings, on a brand new VTAz dataset from 2020, and on a dataset of approximately 190K applications provided by VirusTotal, achieving an accuracy of 0.975 in balanced settings, and AUC score of 0.987. The analysis and classification time of the proposed methods are notably lower than in the reviewed research (from 0.08 to 0.153 sec/app).",

keywords = "Android, Graph representations, Machine learning, Malware detection, Matrix factorization, Node embedding, Recommender system, Static analysis",

author = "Tatiana Frenklach and Dvir Cohen and Asaf Shabtai and Rami Puzis",

note = "Publisher Copyright: {\textcopyright} 2021 Elsevier Ltd",

year = "2021",

month = oct,

day = "1",

doi = "10.1016/j.cose.2021.102386",

language = "English",

volume = "109",

journal = "Computers and Security",

issn = "0167-4048",

publisher = "Elsevier Ltd.",

}

TY - JOUR

T1 - Android malware detection via an app similarity graph

AU - Frenklach, Tatiana

AU - Cohen, Dvir

AU - Shabtai, Asaf

AU - Puzis, Rami

PY - 2021/10/1

Y1 - 2021/10/1

N2 - Due to the ever-increasing number of Android applications and constant advances in software development techniques, there is a need for scalable and flexible malware detectors that can efficiently address big data challenges. Motivated by large-scale recommender systems, we propose a static Android application analysis method which relies on an app similarity graph (ASG). We believe that the key to classifying app's behavior lies in their common reusable building blocks, e.g. functions, in contrast to expert based features. We demonstrate our method on the Drebin benchmark in both balanced and unbalanced settings, on a brand new VTAz dataset from 2020, and on a dataset of approximately 190K applications provided by VirusTotal, achieving an accuracy of 0.975 in balanced settings, and AUC score of 0.987. The analysis and classification time of the proposed methods are notably lower than in the reviewed research (from 0.08 to 0.153 sec/app).

AB - Due to the ever-increasing number of Android applications and constant advances in software development techniques, there is a need for scalable and flexible malware detectors that can efficiently address big data challenges. Motivated by large-scale recommender systems, we propose a static Android application analysis method which relies on an app similarity graph (ASG). We believe that the key to classifying app's behavior lies in their common reusable building blocks, e.g. functions, in contrast to expert based features. We demonstrate our method on the Drebin benchmark in both balanced and unbalanced settings, on a brand new VTAz dataset from 2020, and on a dataset of approximately 190K applications provided by VirusTotal, achieving an accuracy of 0.975 in balanced settings, and AUC score of 0.987. The analysis and classification time of the proposed methods are notably lower than in the reviewed research (from 0.08 to 0.153 sec/app).

KW - Android

KW - Graph representations

KW - Machine learning

KW - Malware detection

KW - Matrix factorization

KW - Node embedding

KW - Recommender system

KW - Static analysis

UR - https://www.scopus.com/pages/publications/85109427904

U2 - 10.1016/j.cose.2021.102386

DO - 10.1016/j.cose.2021.102386

M3 - Article

AN - SCOPUS:85109427904

SN - 0167-4048

VL - 109

JO - Computers and Security

JF - Computers and Security

M1 - 102386

ER -

Android malware detection via an app similarity graph

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this