Android Malware Analysis and Benchmarking with Deep Learning

Yıl 2021, Cilt: 9 Sayı: 6 - ICAIAME 2021, 289 - 302, 31.12.2021

Taylan Kural Yusuf Sönmez Murat Dener

https://doi.org/10.29130/dubited.1015654

Öz

Android operating system has been widely used in mobile phones, televisions, smart watches, cars and other Internet of Things applications with its open source structure and wide application market. This widespread use and open-source nature make this operating system and its devices easy and lucrative targets for cyber attackers. One of the most used methods often preferred by attackers is to install malware applications on user devices. As the number of malware programs is increasing, the traditional methods can be insufficient in detecting. Machine learning-based and deep learning-based methods have achieved promising results in malware detection and classification. Deep learning-based methods have an increasing use in malware detection, thanks to the low need for domain expertise and their feature extracting capabilities. Convolutional neural networks (CNN) are popular deep learning methods that are widely used in visual analysis of malware by transforming them to images. In this study, a batch fine-tune transfer learning method was proposed and used on popular CNN models, Xception, ResNet, VGG, Inception, MobileNet, DenseNet, NasNet, EfficientNet. According to the results, the models were analyzed and compared with metrics like accuracy, specificity, recall, precision, F1-score.

Anahtar Kelimeler

Deep learning, Android malware analysis, Image analysis

Derin Öğrenmeyle Android Kötücül Yazılım Analizi ve Kıyaslanması

Öz

Android işletim sistemi, açık kaynak olan yapısı, geniş uygulama marketiyle telefonlarda, televizyonlarda, saatlerde, arabalarda ve diğer nesnelerin interneti uygulamalarında yaygın olarak kullanılmaktadır. Bu yaygın kullanım ve açık kaynak yapısı, kötücül niyet barındıran saldırganlar için bu işletim sistemini ve sahip olduğu cihazları kolay ve kazançlı hedefler haline getirmektedir. Saldırganlar tarafından sıklıkla tercih edilen bir yöntem de kötücül yazılım uygulamalarının kullanıcı cihazlarına yüklenmesidir. Bu yazılımların sayıları gün geçtikçe artmakta, kötücül yazılımları tespitinde geleneksel yöntemler yetersiz kalabilmektedir. Kötücül yazılım tespitinde makine öğrenmesi ve derin öğrenme tabanlı yöntemler umut veren sonuçlar elde etmişlerdir. Özellikle derin öğrenme tabanlı yöntemler, alan uzmanlık bilgisi gereksiniminin azlığı ve kendi kendine özellik çıkarabilen yapıları sayesinde, kötücül yazılım tespitinde artan bir kullanıma sahiptirler. Kötücül yazılımların görsel imajlara dönüştürülerek bu imajlar üzerinde CNN tabanlı derin öğrenme modelleriyle görsel kötücül yazılım analizleri gerçekleştirilmektedir. Çalışmada, popüler CNN modelleri olan Xception, ResNet, VGG, Inception, MobileNet, DenseNet, NasNet, EfficientNet sunulan toplu ince ayar öğrenim aktarma yöntemiyle eğitilmiş ve elde edilen sonuçlara göre modeller doğruluk, kesinlik, geri çağırma, hassaslık, F1 skoru metriklerine göre kıyaslanmıştır.

Anahtar Kelimeler

Derin öğrenme, Android kötücül yazılım analizi, Görsel analiz

Kaynakça

• [1] S. Mahdavifar, A. F. Abdul Kadir, R. Fatemi, D. Alhadidi and A. A. Ghorbani, "Dynamic Android Malware Category Classification using Semi-Supervised Deep Learning," 2020 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), 2020, pp. 515-522.
• [2] T. Kural, Y. Sönmez and M. Dener. (2021, September 5). DroidMalImg Dataset [Online]. Available:https://drive.google.com/drive/folders/1b70zhVMEnlfv2UC_56Q9PzwXUhSXw58u?usp=sharing.
• [3] Kaspersky. (2010, August 9). First SMS trojan detected for smartphones running Android [Online]. Available: https://www.kaspersky.com/about/press-releases/2010_first-sms-trojan-detected-for-smartphones-running-android.
• [4] Malwarebytes. (2021). State of Malware [Online]. Available: https://go.malwarebytes.com/rs/805-USG-300/images/MWB_StateOfMalwareReport2021.pdf.
• [5] A. Cranz. (2021, May 18). There are over 3 billion active Android devices [Online]. Available: https://www.theverge.com/2021/5/18/22440813/android-devices-active-number-smartphones-google-2021.
• [6] Google. (2021). Google transparency report [Online]. Available: https://transparencyreport.google.com/.
• [7] S. O'Dea. (2021, Jun 30). Mobile Android version share Worldwide 2018-2021 [Online]. Available: https://www.statista.com/statistics/921152/mobile-android-version-share-worldwide/.
• [8] A. Krizhevsky, I. Sutskever, and G. E. Hinton, “ImageNet classification with deep convolutional neural networks,” Advances in Neural Information Processing Systems (NIPS), Lake Tahoe, NV, United States, 2012, pp. 1097-1105.
• [9] J. Deng, W. Dong, R. Socher, L. Li, Kai Li and Li Fei-Fei, "ImageNet: A large-scale hierarchical image database," 2009 IEEE Conference on Computer Vision and Pattern Recognition, Miami, FL, United States, 2009, pp. 248-255.
• [10] Y. Lecun, L. Bottou, Y. Bengio and P. Haffner, "Gradient-based learning applied to document recognition," Proceedings of the IEEE, vol. 86, no. 11, pp. 2278-2324, 1998.
• [11] S. Hou, A. Saas, L. Chen and Y. Ye, "Deep4MalDroid: A Deep Learning Framework for Android Malware Detection Based on Linux Kernel System Call Graphs," 2016 IEEE/WIC/ACM International Conference on Web Intelligence Workshops (WIW), Omaha, NE, United States, 2016, pp. 104-111.
• [12] E. M. B. Karbab, M. Debbabi, A. Derhab, and D. Mouheb, “MalDozer: Automatic framework for Android malware detection using deep learning,” Digital Investigation, vol. 24, pp. S48-59, 2018.
• [13] T. H. Huang and H. Kao, "R2-D2: ColoR-inspired Convolutional NeuRal Network (CNN)-based AndroiD Malware Detections," 2018 IEEE International Conference on Big Data (Big Data), Seattle, WA, United States, 2018, pp. 2633-2642.
• [14] M. Al-Fawa'reh, A. Saif, M. T. Jafar and A. Elhassan, "Malware Detection by Eating a Whole APK," 2020 15th International Conference for Internet Technology and Secured Transactions (ICITST), London, United Kingdom, 2020, pp. 1-7.
• [15] D. Vasan, M. Alazab, S. Wassan, H. Naeem, B. Safaei, and Q. Zheng, “IMCFN: Image-based Malware classification using fine-tuned convolutional neural network architecture,” Computer Networks, vol. 171, p. 107138, 2020.
• [16] A. Ignatov, R. Timofte, A. Kulik, S. Yang, K. Wang, F. Baum, M. Wu, L. Xu, and L. Van Gool, "AI Benchmark: All About Deep Learning on Smartphones in 2019," 2019 IEEE/CVF International Conference on Computer Vision Workshop (ICCVW), Seoul, Korea, 2019, pp. 3617-3635.
• [17] F. Chollet, “Xception: Deep learning with depthwise separable convolutions,” 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Honolulu, HI, United States, 2017, pp. 1800-1807.
• [18] K. Simonyan and A. Zisserman, “Very deep convolutional networks for large-scale image recognition,” The 3rd International Conference on Learning Representations (ICLR2015), San Diego, CA, United States, 2015, pp. 1-14.
• [19] K. He, X. Zhang, S. Ren, and J. Sun, “Identity mappings in deep residual networks,” European conference on computer vision (ECCV), Amsterdam, The Netherlands, 2016, pp. 630–645.
• [20] C. Szegedy, V. Vanhoucke, S. Ioffe, J. Shlens, and Z. Wojna, “Rethinking the Inception architecture for computer vision,” 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Las Vegas, NV, United States, 2016, pp. 2818-2826.
• [21] C. Szegedy, S. Ioffe, V. Vanhoucke, and A. A. Alemi, “Inception-v4, inception-resnet and the impact of residual connections on learning,” In Thirty-First AAAI Conference on Artificial Intelligence, San Francisco, CA, United States, 2017, pp. 4278-4284.
• [22] A. G. Howard, M. Zhu, B. Chen, D. Kalenichenko, W. Wang, T. Weyand, M. Andreetto, and H. Adam, “Mobilenets: Efficient convolutional neural networks for mobile vision applications,”arXiv preprint arXiv:1704.04861, 2017.
• [23] G. Huang, Z. Liu, L. Van Der Maaten, and K. Q. Weinberger, “Densely connected convolutional networks,” 2017 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), Honolulu, HI, United States, 2017, pp. 4700-4708.
• [24] B. Zoph, V. Vasudevan, J. Shlens, and Q. V. Le, “Learning transferable architectures for scalable image recognition,” 2018 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Salt Lake City, UT, United States, 2018, pp. 8697-8710.
• [25] M. Tan and Q. V Le, “EfficientNet: Rethinking model scaling for convolutional neural networks,” International Conference on Machine Learning (PMLR), Long Beach, CA, United States, 2019, pp. 6105-6144.