S3Feature: A static sensitive subgraph-based feature for android malware detection

Abstract

As the most popular mobile platform, Android has become the major attack target of malware, and thus there is an urgent need to effectively thwart them. Recently, the machine learning-based technique has been a promising solution for malware detection, which highly depends on distinguishing features to separate the malware from the benign apps. Although hundreds of features are available for machine learning-based malware detectors, adversaries can also utilize feature-related knowledge to develop variants of malware to evade detection. Therefore, a key role of the Android security community is to continuously propose new features that can characterize malicious behaviors.In this paper, we propose a novel static sensitive subgraph-based feature for Android malware detection, named S3Featrue. First, to represent Android applications with high-level characteristics, we develop a sensitive function call graph (SFCG) by extending a function call graph (FCG) through tagging sensitive nodes on it. A malicious score is evaluated to identify sensitive nodes. Second, a large number of sensitive subgraphs (SSGs) and their neighbor subgraphs (NSGs) are mined from a SFCG to characterize suspicious behaviors of applications. Finally, after removing repetitive or isomorphic subgraphs, the remaining SSGs and NSGs are encoded into a feature vector to represent each application. For malware detection, S3Featrue achieves 97.04% F1-score, which performs better than other well-studied features. And a combination of S3Featrue and other features achieves 97.71% F1-score, which shows that S3Feature is a good potential feature in improving the performance of malware detection approaches or tools.