Android dominates the global mobile ecosystem, while malware poses a serious security threat to ordinary users. Previous research has focused more on the bytecode features of target Android malware and less on analyzing features from various other sources such as resource files and native code. Furthermore, single-modal features lack the utilization of feature files after reverse engineering of applications. To address these limitations, we propose a Residual-Gated Multimodal Network (RGMN) that adaptively fuses configuration text with grayscale image features derived from binary byte streams for Android malware detection. First, we extract basic configuration text features such as permissions and configurations from AndroidManifest.xml. Then, our framework extracts underlying code logic, resource configurations, and auxiliary runtime components by mapping binary data from classes.dex, resource files, and .so files into three-channel grayscale image representations. Compared with previous fusion strategies, our multimodal feature fusion strategy can better resolve modal conflicts between configuration text and binary byte stream images. Our multimodal feature fusion method does not require complex dynamic and static code analysis, making it applicable to a wider range of scenarios.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

RGMN: Residual-Gated Multimodal Network for Android Malware Detection via Configuration Text and Three-Channel Image

  • Junwei Tang,
  • Qiang Fang,
  • Tao Peng,
  • Fei Zhu,
  • Xiaomei Tian

摘要

Android dominates the global mobile ecosystem, while malware poses a serious security threat to ordinary users. Previous research has focused more on the bytecode features of target Android malware and less on analyzing features from various other sources such as resource files and native code. Furthermore, single-modal features lack the utilization of feature files after reverse engineering of applications. To address these limitations, we propose a Residual-Gated Multimodal Network (RGMN) that adaptively fuses configuration text with grayscale image features derived from binary byte streams for Android malware detection. First, we extract basic configuration text features such as permissions and configurations from AndroidManifest.xml. Then, our framework extracts underlying code logic, resource configurations, and auxiliary runtime components by mapping binary data from classes.dex, resource files, and .so files into three-channel grayscale image representations. Compared with previous fusion strategies, our multimodal feature fusion strategy can better resolve modal conflicts between configuration text and binary byte stream images. Our multimodal feature fusion method does not require complex dynamic and static code analysis, making it applicable to a wider range of scenarios.