Multi-class Malware Detection via Deep Graph Convolutional Networks Using TF-IDF-Based Attributed Call Graphs

Irshad Khan, Young Woo Kwon

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

1 Scopus citations

Abstract

The proliferation of malware in the Android ecosystem poses significant security risks and financial losses for enterprises and developers. Malware constantly evolves, exhibiting dynamic behavior and complexity, thus making it challenging to develop robust defense mechanisms. Traditional methods, such as signature-based and battery-monitoring approaches, struggle to detect emerging malware variants effectively. Recent advancements in deep learning have shown promising results in Android malware detection. However, most existing approaches focus on binary classification and need more insights into the model’s generality across different types of malware. This study presents a novel approach to address Android malware detection by integrating TF-IDF (Term Frequency-Inverse Document Frequency) features into the call graph structure. By attributing each node in the call graph with TF-IDF-based feature vectors extracted from the opcode sequences of each method using an opcode list, we present a more thorough representation that encapsulates the complex traits of the malware samples. We employ state-of-the-art graph-based deep learning models to classify malware families, including Graph Convolutional Networks (GCN), SAGEConv, Graph Attention Networks (GAT), and Graph Isomorphism Networks (GIN). By incorporating high-level structural information from the call graphs and TF-IDF-based raw features, our approach aims to enhance the accuracy and generality of the malware detection models. We identify an optimal model for the Android malware family classification task through extensive evaluation and comparison of the above-mentioned models. The findings of this study contribute to advancing the field of Android malware detection and provide insights into the effectiveness of graph-based deep learning models for combating evolving malware threats.

Original language: English
Title of host publication: Information Security Applications - 24th International Conference, WISA 2023, Jeju Island, South Korea, August 23–25, 2023, Revised Selected Papers
Editors: Howon Kim, Jonghee Youn
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 188-200
Number of pages: 13
ISBN (Print): 9789819980239
State: Published - 2024
Event: 24th International Conference on Information Security Applications, WISA 2023 - Jeju Island, Korea, Republic of
Duration: 23 Aug 2023 → 25 Aug 2023

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 14402 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 24th International Conference on Information Security Applications, WISA 2023
Country/Territory: Korea, Republic of
City: Jeju Island
Period: 23/08/23 → 25/08/23

Keywords

  • call graph
  • graph convolutional model
  • Malware
  • TF-IDF
