Detecting and Categorizing Android Malware with Graph Neural Networks
Peng Xu (1), Claudia Eckert (1), Apostolis Zarras (2)
{Peng,eckert}@sec.in.tum.de, [email protected]
(1) Technical University of Munich, (2) Delft University of Technology
Peng Xu, Claudia Eckert, Apostolis Zarras | IT Security, Technical University of Munich
Motivation
• Mobile malware evolution 2020: https://securelist.com/mobile-malware-evolution-2020/101029/
• G DATA Mobile Malware Report 2019: New high for malicious Android apps
• Existing Android malware detection systems:
  1. permission-based Android Malware Detection systems (DREBIN, FM)
  2. API-call-based Android Malware Detection systems (DroidNative)
• Permissions: https://developer.android.com/reference/android/Manifest.permission
• OpCode-Level Function Call Graph Based Android Malware Classification Using Deep Learning
• Feature types: String (permission), API Call (word), Opcode (word)
• String Obfuscation (affects the String (permission) and API Call (word) features):
  • Class Encryption
  • String Encryption
  • Reflection: replace each invoke instruction with specific bytecode
  • Trivial Obfuscation: only affects strings, not bytecode
  • Trivial + String Encryption
  • Trivial + StringEnc + Reflection
  • Trivial + StringEnc + Reflection + ClassEnc
• https://www.microsoft.com/security/
• DroidOL: Android malware detection based on online machine learning
• Adagio: Structural Detection of Android Malware using Embedded Call-Graph
• MANIS: evading malware detection system on graph structure
• Neural Network-based Graph Embedding for Cross-Platform Binary Code Similarity Detection
Overview
Pipeline: APK file -> Function call graph -> Function call graph with opcode embedding -> Function call graph with function embedding -> Graph embedding -> MLP
• 2-layer MLP, malware detection: Benign / Malware
• 2-layer MLP, malware classification: Plankton, FakeInstaller, DroidKungFu, ...
Function Call Graph
• Androguard to get the function call graph (e.g., Adagio, MANIS)
• Instruction: Opcode + Operands. Why only consider the Opcode?
  • Other works: Address, Register are replaced by specific symbols
  • Move Instruction: move-wide vA, vB [04 12x], move-wide/from16 vAA, vBBBB [05 22x]
  • Invoke Instruction: invoke-super, invoke-direct, invoke-static, and invoke-interface
• Word Embedding
Opcode Embedding
• Weighted Mean Function Embedding
• SIF-Invoked Function Embedding
  • SIF: A simple but tough-to-beat baseline for sentence embeddings.
Function Embedding
Graph Embedding
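Added example (not code from the slides or the authors' system) that chains the Opcode Embedding, Function Embedding and Graph Embedding steps on a constructed three-function call graph: operands are dropped, each function is an opcode sequence, the SIF weighting a/(a+p(op)) downweights frequent opcodes, and callee vectors are summed over n hops. The 3-d opcode vectors, the value of a, and the parameter-free neighbour sum standing in for the learned Structure2vec update are assumptions; SIF's common-component removal is omitted.

```python
from collections import Counter

# Constructed toy input: per-function Dalvik opcode sequences (operands dropped,
# as the slides describe) and the call graph edges between the functions.
FUNCTIONS = {
    "main":   ["const", "invoke-direct", "move-result", "invoke-static", "return-void"],
    "helper": ["const", "move-wide", "invoke-static", "return-void"],
    "leaf":   ["const", "return-void"],
}
CALLS = {"main": ["helper"], "helper": ["leaf"], "leaf": []}

# Hypothetical 3-d opcode embeddings; a real system learns these with a word model.
OPCODE_VEC = {
    "const": [1.0, 0.0, 0.0], "invoke-direct": [0.0, 1.0, 0.0],
    "invoke-static": [0.0, 0.8, 0.2], "move-result": [0.2, 0.2, 0.6],
    "move-wide": [0.4, 0.0, 0.6], "return-void": [0.0, 0.0, 1.0],
}

def opcode_freq(functions):
    """Corpus-level relative frequency p(op) of every opcode."""
    counts = Counter(op for seq in functions.values() for op in seq)
    total = sum(counts.values())
    return {op: n / total for op, n in counts.items()}

def sif_function_embedding(seq, p, a=1e-3):
    """SIF-style weighted mean of the opcode vectors of one function.
    Weight a/(a+p(op)) downweights opcodes that are common everywhere
    (e.g. const, return-void). SIF's common-component removal is omitted."""
    dim = len(next(iter(OPCODE_VEC.values())))
    acc = [0.0] * dim
    for op in seq:
        w = a / (a + p[op])
        acc = [x + w * y for x, y in zip(acc, OPCODE_VEC[op])]
    return [x / len(seq) for x in acc]

def graph_embedding(functions, calls, hops=2):
    """Parameter-free stand-in for the Structure2vec message passing: for
    `hops` rounds each function vector absorbs its callees' vectors, then the
    per-function vectors are summed into one graph vector for the MLP."""
    p = opcode_freq(functions)
    mu = {f: sif_function_embedding(seq, p) for f, seq in functions.items()}
    for _ in range(hops):  # dict comprehension reads the previous round's mu
        mu = {f: [x + sum(mu[c][i] for c in calls[f]) for i, x in enumerate(v)]
              for f, v in mu.items()}
    dim = len(next(iter(mu.values())))
    return [sum(v[i] for v in mu.values()) for i in range(dim)]
```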
MLP Classifier
• Malware Classification:
• Malware Categorization:
Evaluation
Evaluation – Various learning rate
Evaluation – Various training Epoch
Evaluation – Various n-hop neighbors
Evaluation – Obfuscated Application
Evaluation – Categorization/Family Classification
Questions? Thanks!
Backup
Backup – Structure2vec