<p>Android malware detection approaches commonly use APIs and permissions as features for classifying malware. However, since the release of the first Android operating system in 2008, the Android framework has undergone numerous version updates. The evolution of the Android framework over time has led to changes in APIs and permissions, including deprecations and replacements. These changes can result in inaccurate characterization of Android malware, thereby affecting performance of malware detectors. There is a lack of methods to mitigate the impact of Android framework evolution on malware detection. To fill this gap, we conduct a systematic study of the impact of Android framework evolution on APIs and permissions. We then propose a new representation of APIs and permissions that is robust against framework evolution. This new representation characterizes deprecated APIs / permissions and their corresponding replacements. Additionally, for class-level replacements, due to the absence of corresponding API replacement information, we use a LLM to assist in mining deprecation-replacement relationships. We also explore how to better utilize the LLM by applying it to the mining of deprecation-replacement pairs in framework evolution. We consider APIs / permissions with deprecation-replacement relationships as the same feature, as they typically perform the same or similar functions. We apply our proposed representation to improve the performance of four popular Android malware detectors, namely Drebin, Mamadroid, Xmal, and FAMCF. Our experiments focus on evaluating the performance of these malware detectors in the context of framework evolution, more specifically, over API levels 9 to 24. The results indicate that malware detectors utilizing <span>Func</span> features achieve statistically better F1 scores according to Wilcoxon rank-sum tests.</p>

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Func: reducing the impact of Android framework evolution on malware detection

  • Hailong Yu,
  • Tiantian Wang,
  • Lwin Khin Shar,
  • Hanmeng Li,
  • David Lo

摘要

Android malware detection approaches commonly use APIs and permissions as features for classifying malware. However, since the release of the first Android operating system in 2008, the Android framework has undergone numerous version updates. The evolution of the Android framework over time has led to changes in APIs and permissions, including deprecations and replacements. These changes can result in inaccurate characterization of Android malware, thereby affecting performance of malware detectors. There is a lack of methods to mitigate the impact of Android framework evolution on malware detection. To fill this gap, we conduct a systematic study of the impact of Android framework evolution on APIs and permissions. We then propose a new representation of APIs and permissions that is robust against framework evolution. This new representation characterizes deprecated APIs / permissions and their corresponding replacements. Additionally, for class-level replacements, due to the absence of corresponding API replacement information, we use a LLM to assist in mining deprecation-replacement relationships. We also explore how to better utilize the LLM by applying it to the mining of deprecation-replacement pairs in framework evolution. We consider APIs / permissions with deprecation-replacement relationships as the same feature, as they typically perform the same or similar functions. We apply our proposed representation to improve the performance of four popular Android malware detectors, namely Drebin, Mamadroid, Xmal, and FAMCF. Our experiments focus on evaluating the performance of these malware detectors in the context of framework evolution, more specifically, over API levels 9 to 24. The results indicate that malware detectors utilizing Func features achieve statistically better F1 scores according to Wilcoxon rank-sum tests.