TY - JOUR
T1 - Obfuscation-Resilient Android Malware Analysis Based on Complementary Features
AU - Gao, Cuiying
AU - Cai, Minghui
AU - Yin, Shuijun
AU - Huang, Gaozhun
AU - Li, Heng
AU - Yuan, Wei
AU - Luo, Xiapu
PY - 2023/8
Y1 - 2023/8
N2 - Existing Android malware detection methods are usually hard to simultaneously resist various obfuscation techniques. Therefore, bytecode-based code obfuscation becomes an effective means to circumvent Android malware analysis. Building obfuscation-resilient Android malware analysis methods is a challenging task, due to the fact that various obfuscation techniques have vastly different effects on code and detection features. To mitigate this problem, we propose combining multiple features that are complementary in combating code obfuscation. Accordingly, we develop an obfuscation-resilient Android malware analysis method CorDroid, based on two new features: Enhanced Sensitive Function Call Graph (E-SFCG) and Opcode-based Markov transition Matrix (OMM). The first describes sensitive function call relationships, while the second reflects transition probabilities among opcodes. Combining E-SFCG and OMM can well characterize the runtime behavior of Android apps from different perspectives, hence increasing the difficulty of misleading malware analysis through using code obfuscation to affect detection features. To evaluate CorDroid, we generate 74,138 obfuscated samples with 14 different obfuscation techniques, and compare CorDroid with the state-of-the-art detection methods (e.g., MaMaDroid, RevealDroid and APIGraph). In terms of average F1-Score, CorDroid is 29.69% higher than MaMaDroid, 21.80% higher than APIGraph, and 9.71% higher than RevealDroid, respectively. Experiments also validate the complementarity between E-SFCG and OMM, and exhibit the high execution efficiency of CorDroid.
AB - Existing Android malware detection methods are usually hard to simultaneously resist various obfuscation techniques. Therefore, bytecode-based code obfuscation becomes an effective means to circumvent Android malware analysis. Building obfuscation-resilient Android malware analysis methods is a challenging task, due to the fact that various obfuscation techniques have vastly different effects on code and detection features. To mitigate this problem, we propose combining multiple features that are complementary in combating code obfuscation. Accordingly, we develop an obfuscation-resilient Android malware analysis method CorDroid, based on two new features: Enhanced Sensitive Function Call Graph (E-SFCG) and Opcode-based Markov transition Matrix (OMM). The first describes sensitive function call relationships, while the second reflects transition probabilities among opcodes. Combining E-SFCG and OMM can well characterize the runtime behavior of Android apps from different perspectives, hence increasing the difficulty of misleading malware analysis through using code obfuscation to affect detection features. To evaluate CorDroid, we generate 74,138 obfuscated samples with 14 different obfuscation techniques, and compare CorDroid with the state-of-the-art detection methods (e.g., MaMaDroid, RevealDroid and APIGraph). In terms of average F1-Score, CorDroid is 29.69% higher than MaMaDroid, 21.80% higher than APIGraph, and 9.71% higher than RevealDroid, respectively. Experiments also validate the complementarity between E-SFCG and OMM, and exhibit the high execution efficiency of CorDroid.
M3 - Journal article
SN - 1556-6013
VL - 18
SP - 5056
EP - 5068
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
ER -