Dual Modal Featuring Scheme for Learning Based Android Malware Prevention
摘要
The prevalence and evolution of Android malware pose persistent threats to various devices. Behavioral features are vital for learning-based malware detectors. Prior studies focus on either host logs or network traffic data and their concatenation. Their deep fusion and alignment on the behavioral level are rarely explored. We propose STDroid, a deep semantic alignment-based feature fusion scheme that integrates system behaviors and network traffic for Android malware detection. The scheme mainly includes a syscall-traffic graph (STG) construction algorithm, the STG2Vec model, and an attention-enhanced Graph Neural Network (GNN) designed to handle class-imbalanced nodes. The STG construction algorithm builds a novel argument-oriented host behavior feature space by aligning the semantics of system call arguments and network traffic bursts within a unified heterogeneous graph, while filtering irrelevant data for efficiency. The STG2Vec model encodes heterogeneous nodes into a shared representation space. Graph-based dual modal feature fusion is achieved through constructing a self-attention GNN model, and an incentive factor is introduced to enhance the representation of class-imbalanced nodes, ultimately enabling malware detection. The experimental results show that the malware detection rate achieves 99.12%, outperforming state-of-the-art solutions. Furthermore, 643 unseen malware samples can be identified by our scheme, demonstrating its feasibility for preventing evolving Android malware.