GHGDroid: Global heterogeneous graph-based android malware detection

Abstract

As the most popular mobile platform, Android has become the major attack target of malware, and thus there is an urgent need to effectively thwart them. Recently, the graph-based technique has been a promising solution for malware detection, which highly depends on graph structures to capture behaviors separating the malware from the benign apps. However, existing graph-based malware detection approaches still suffer from high computation cost in constructing or updating a graph for APK under detection, high false negative and false positive. To cope with these issues, we propose a novel global heterogeneous graph-based Android malware detection approach, named GHGDroid. A global heterogeneous graph (GHG) with a good updatability is first built on large-scale Android applications to characterize complex relationships among APKs and sensitive APIs. And then, using the GHG, a multi-layer graph convolutional network based embedding method is proposed to learn APK embeddings for well capturing behaviors that can separate malware from benign. Finally, using APK embeddings as well their labels, a malware classifier is trained. Experiments on real-world Android applications show that GHGDroid achieves 99.17 % F1-score, which outperforms the state-of-the-art approaches. Moreover, GHGDroid spends about 8 s on detecting an APK, which shows that it has a good potential as a practical tool for the Android malware detection task.