Since the Internet of Things (IoT) is widely adopted using Android applications, detecting malicious Android apps is essential. In recent years, Android graph-based deep learning research has proposed many approaches to extract relationships from applications as graphs to generate graph embeddings. First, we demonstrate the effectiveness of graph-based classification using a Graph Neural Network (GNN)-based classifier to generate API graph embeddings. The graph embeddings are combined with Permission and Intent features to train multiple machine learning and deep learning models for Android malware detection. The proposed classification approach achieves an accuracy of 98.33 percent on the CICMaldroid dataset and 98.68 percent on the Drebin dataset. However, graph-based deep learning models are vulnerable, as attackers can add fake relationships to evade detection by the classifier. Second, we propose a Generative Adversarial Network (GAN)-based attack algorithm named VGAE-MalGAN targeting graph-based GNN Android malware classifiers. The VGAE-MalGAN generator produces adversarial malware API graphs, while the VGAE-MalGAN substitute detector attempts to mimic the target detector. Experimental results show that VGAE-MalGAN can significantly reduce the detection rate of GNN-based malware classifiers. Although the model initially fails to detect adversarial malware, retraining with generated adversarial samples improves robustness and helps mitigate adversarial attacks.
Deep Dive into IoT-based Android Malware Detection Using Graph Neural Network With Adversarial Defense.
Since the Internet of Things (IoT) is widely adopted using Android applications, detecting malicious Android apps is essential. In recent years, Android graph-based deep learning research has proposed many approaches to extract relationships from applications as graphs to generate graph embeddings. First, we demonstrate the effectiveness of graph-based classification using a Graph Neural Network (GNN)-based classifier to generate API graph embeddings. The graph embeddings are combined with Permission and Intent features to train multiple machine learning and deep learning models for Android malware detection. The proposed classification approach achieves an accuracy of 98.33 percent on the CICMaldroid dataset and 98.68 percent on the Drebin dataset. However, graph-based deep learning models are vulnerable, as attackers can add fake relationships to evade detection by the classifier. Second, we propose a Generative Adversarial Network (GAN)-based attack algorithm named VGAE-MalGAN targe
In the recent years there has been an increase in the usage of IoT devices to improve the quality of our lives. IoT device utility can range from smart homes to industrial automation. These devices must interact with the user for data exchange or communication. One of the most common ways to control these IoT devices is through applications installed on a smartphone. Through these applications, the users can communicate with various IoT devices, say, through monitoring the the room's temperature, live video feed, heart rate, the water level in agricultural settings, etc., as shown in Fig. 1. The applications used to control this device holds critical and valuable information, which is very lucrative for attackers. For example, an attacker who has access to the application can monitor the CCTV camera or access the health information stored on a smartphone. Malware on IoT Rahul Yumlembam, Biju Issac, and Longzhi Yang are with the Department of Computer and Information Sciences, Northumbria University, Newcastle, UK (email: rahul.yumlembam@northumbria.ac.uk, bissac@ieee.org, longzhi.yang@northumbria.ac.uk). Corresponding author: Biju Issac Seibu Mary Jacob is with the School of Computing, Engineering & Digital Technologies, Teesside University, Middlesbrough, UK (email: s.jacob@tees.ac.uk). applications can significantly violate the privacy of any IoT user. Malicious Android applications can therefore act as a gateway to attack IoT devices. These malicious IoT based Android apps can get installed accidentally through user lapses in judgment or from the apps installed from unknown sources. According to Nokia Threat Intelligence Report 2020, Android [1] accounts for 26.64% of infections across all platforms and IoT devices are now responsible for 32.72% of all infections observed in mobile networks, up from 16.17% in the previous year.
Android malware is a malicious application that steals sensitive information, violates user privacy, or performs any action the user did not authorize. According to AV-test [5], in 2021, 3.39 million malware emerged in the market. It is crucial to identify applications that can harm users. In 2021, Kaspersky Android mobile products and technologies detected 3,464,756 malicious installation packages, 97,661 new mobile banking trojans and 17,372 new mobile ransomware trojans [34].
There are two kinds of malware detection analysis: static analysis and dynamic analysis. In the static analysis, the static features of the application, such as permission, intents, signature etc., are analyzed. In dynamic analysis, the dynamic features of the application, such as network flow information, app actions sequence etc., are analyzed.
We have opted for static analysis, since every possible branch of the code must execute for effective dynamic feature generation. With the rapid pace of malware generation, the development of different techniques for identifying and analyzing them is a critical requirement.
In recent years, Android graph-based deep learning research has proposed many approaches to extract relationships from the application as a graph to generate graph embedding. For example, Hindroid [7] extracts API relationships based on Code block and API-Invoke method, whereas MalScan [8] extracts function call graph. Similarly, in DroidMiner [9], a component dependency graph and a component behaviour graph are constructed. The extracted graphs need to exist in a format suitable for the downstream task. To this end, recent papers have proposed to use GNN in [10] and [11]. In this work, we first demonstrate the effectiveness of the graphbased technique by using API graph embedding along with Permission and Intent as features for classification. The API graph is generated based on code block id [6] [7]. The edges between the nodes (API) in the API graph represent relationships between different APIs. Centrality measures can express this relationship by measuring a node’s importance relative to all the other nodes in the graph. Different centrality measures are extracted from the API graph to train a GNN [12], [13] to generate graph embedding of each Android Application. The generated graph embedding is combined with Permission, Intent and used to train multiple machine learning and deep learning algorithms. The trained GNN malware classifier acts as a model where no gradient information is accessible. We then propose an adversarial architecture named VGAE-MalGAN to attack graph-based Android malware classifier.
Although recent works to extract graph embedding from relationship graphs have proven resilient against malware attacks, there has been little study on how dummy relationship contamination can fool an Android malware classifier. The recent work in [38] proposed an algorithm called Grabnel to attack GNN model. Although this algorithm can successfully attack the model, it has no mechanism to preserve the original semantics of the malware API graph as in our attack. We aim to address t
…(Full text truncated)…
This content is AI-processed based on ArXiv data.
