NSDroid: Efficient Multi-classification of Android Malware using Neighborhood Signature in Local Function Call Graphs
International Journal of Information Security
With the rapid development of the mobile Internet, Android applications are used more and more in people's daily lives. While bringing convenience and making people's lives smarter, Android applications also face many serious security and privacy issues, e.g., information leakage and monetary loss caused by malware. Detection and classification of malware have thus attracted much research attention in recent years. Most current malware detection and classification approaches are based on graph-based similarity analysis (e.g., subgraph isomorphism), which is well known to be time-consuming, especially for large graphs. In this paper, we propose NSDroid, a time-efficient malware multi-classification approach based on neighborhood signatures in local function call graphs (FCGs). NSDroid uses an approach based on neighborhood signatures to calculate the similarity of different applications' FCGs, which is significantly faster than traditional approaches based on subgraph isomorphism. For each node in the FCGs, NSDroid uses a fixed-length neighborhood signature to capture the caller-callee relationship between different functions and combines the neighborhood signatures of all nodes to form a vector that characterizes the function call relationships in the whole application. The generated signature vector is fed into an SVM-based classifier to determine which family the malware belongs to. Experimental results on large-scale benchmarks show that, compared with state-of-the-art solutions, NSDroid reduces average detection latency by nearly 20x, and meanwhile improves many evaluation indices, such as recall rate.
Liu, Pengfei; Wang, Weiping; Luo, Xi; Wang, Haodong; and Liu, Chushu, "NSDroid: Efficient Multi-classification of Android Malware using Neighborhood Signature in Local Function Call Graphs" (2020). Electrical Engineering & Computer Science Faculty Publications. 460.
This work is partially supported by the National Natural Science Foundation of China under Grant No. 61672543, the Open Research Fund of Hunan Provincial Key Laboratory of Network Investigational Technology, Grant No. 2017WLZC002, and the Fundamental Research Funds for the Central Universities of Central South University, Grant No. 2018zzts175.