
Detecting Android Malware by Visualizing App Behaviors from Multiple Complementary Views

Zhaoyi Meng, Jiale Zhang, Jiaqi Guo, Wansen Wang, Wenchao Huang, Jie Cui, Hong Zhong, Yan Xiong

TL;DR

LensDroid is a novel technique that detects Android malware by visualizing app behaviors from multiple complementary views. The authors validate the complementarity of the views and demonstrate that the multi-view fusion in LensDroid enhances Android malware detection.

Abstract

Deep learning has emerged as a promising technology for Android malware detection. To further unleash its detection potential, software visualization can be integrated to analyze the details of app behaviors clearly. However, facing increasingly sophisticated malware, existing visualization-based methods, which analyze apps from one view or a few randomly selected views, can only detect limited attack types. We propose and implement LensDroid, a novel technique that detects Android malware by visualizing app behaviors from multiple complementary views. Our goal is to harness the power of combining deep learning and software visualization to automatically capture and aggregate high-level features that are not inherently linked, thereby revealing hidden maliciousness in Android app behaviors. To thoroughly comprehend the details of apps, we visualize app behaviors from three related but distinct views: behavioral sensitivities, operational contexts and supported environments. We then extract high-order semantics from each view accordingly. To exploit the semantic complementarity of the views, we design a deep-neural-network-based model that fuses the visualized features from local to global based on their contributions to downstream tasks. A comprehensive comparison with five baseline techniques is performed on datasets of more than 51K apps in three typical real-world scenarios: overall threats, app evolution and zero-day malware. The experimental results show that the overall performance of LensDroid is better than that of the baseline techniques. We also validate the complementarity of the views and demonstrate that the multi-view fusion in LensDroid enhances Android malware detection.

Paper Structure

This paper contains 42 sections, 6 equations, 9 figures, 8 tables, and 1 algorithm.

Figures (9)

  • Figure 1: The overall architecture of LensDroid.
  • Figure 2: An example for abstracting three similar APIs.
  • Figure 3: A conversion from an opcode sequence to an opcode-gram-based matrix where the length of the sliding window is 2 and the step length is 1.
  • Figure 4: The structures of three types of artifacts, where the white sections are preserved and the gray sections are regarded as noise.
  • Figure 5: A neural network model for fusing feature vectors from three different views with a stepwise strategy.
  • ...and 4 more figures