Article

Learning features from enhanced function call graphs for Android malware detection

Journal

NEUROCOMPUTING
Volume 423, Issue -, Pages 301-307

Publisher

ELSEVIER
DOI: 10.1016/j.neucom.2020.10.054

Keywords

Graph convolutional network; Android malware detection; Function embedding; Function call graph

Funding

  1. National Natural Science Foundation of China [61571205, 61772220]

This paper aims to learn behavior level features of Android apps from function calls, using enhanced function call graphs (E-FCGs) and a Graph Convolutional Network (GCN) based algorithm. Experimental results show that the method outperforms traditional static features in malware detection.
Analyzing the runtime behaviors of Android apps is crucial for malware detection. In this paper, we attempt to learn the behavior level features of an app from function calls. The challenges of this task are twofold. First, the absence of function attributes hinders the understanding of app behaviors. Second, the graphical representation of function calls cannot be directly processed by classical machine learning algorithms. In this paper, we develop two methods to overcome these challenges. Based on function embedding, we first propose the concept of enhanced function call graphs (E-FCGs) to characterize app runtime behaviors. We then develop a Graph Convolutional Network (GCN) based algorithm to obtain vector representations of E-FCGs. Extensive experiments show that the features learned by our method can achieve surprisingly high detection performance on a variety of classifiers (e.g., LR, DT, SVM, KNN, RF, MLP and CNN), significantly outperforming the traditional static features. (C) 2020 Elsevier B.V. All rights reserved.
