Hybroid: Toward Android Malware Detection and Categorization with Program Code and Network Traffic

Android malicious applications have become so sophisticated that they can bypass endpoint protection measures. Consequently, traditional anti-malware techniques have become cumbersome, raising the need for efficient ways to detect Android malware. In this paper, we present Hybroid, a hybrid Android malware detection and categorization solution that uses program code structures as static behavioral features and network traffic as dynamic behavioral features for detection (binary classification) and categorization (multi-label classification). For static analysis, we introduce a natural language processing-inspired technique based on function call graph embeddings and design a graph neural network-based approach that converts the whole graph structure of an Android app into a vector. For dynamic analysis, we extract network flow features from the raw network traffic by capturing each application's network flow. Finally, Hybroid combines the network flow features with the graph vectors to detect and categorize the malware. Our solution demonstrates 97.0% accuracy on average for malware detection and 94.0% accuracy for malware categorization. We also report strong results on other performance metrics, including F1-score, precision, recall, and AUC.

Authors: Mohammad Reza Norouzian, Peng Xu, Claudia Eckert, and Apostolis Zarras
Year/month: 2021/
Booktitle: International Security Conference (ISC 2021)
Fulltext: ISC__Hybroid.pdf

Bibtex:

@conference {
author = { Mohammad Reza Norouzian and Peng Xu and Claudia Eckert and Apostolis Zarras },
title = { Hybroid: Toward Android Malware Detection and Categorization with Program Code and Network Traffic },
year = { 2021 },
booktitle = { International Security Conference (ISC 2021) },
url = {https://www.sec.in.tum.de/i20/publications/hybroid-toward-android-malware-detectionand-categorization-with-program-code-andnetwork-traffic/@@download/file/ISC__Hybroid.pdf}
}