4.5 Article

GDroid: Android malware detection and classification with graph convolutional network

Journal

COMPUTERS & SECURITY
Volume 106, Issue -, Pages -

Publisher

ELSEVIER ADVANCED TECHNOLOGY
DOI: 10.1016/j.cose.2021.102264

Keywords

Android malware; Malware detection; Malware familial classification; API Embedding; Graph neural network

Funding

  1. Natural Science Foundation of China [U20B2047, 62072421, 62002334]
  2. Exploration Fund Project of University of Science and Technology of China [YD3480002001]
  3. Fundamental Research Funds for the Central Universities [WK2100000011]
  4. National Key Research and Development Program of China [2020YFA0309702]
  5. Public Service Platform Project for Industrial Technology Foundation [20190089322]
  6. Anhui Initiative in Quantum Information Technologies [AHY150400]

The paper introduces a novel approach for Android malware detection and familial classification based on the Graph Convolutional Network (GCN). In experiments, the GDroid system shows promising results in detecting Android malware and classifying malware families, outperforming existing methods.

The dramatic increase in the amount of malware poses a serious challenge to the Android platform and makes malware analysis difficult. In this paper, we propose a novel approach for Android malware detection and familial classification based on the Graph Convolutional Network (GCN). The general idea is to map apps and Android APIs into a large heterogeneous graph, converting the original problem into a node classification task. We build the App-API and API-API edges based on the invocation relationship and the API usage patterns, respectively. The heterogeneous graph is then fed into the GCN model, iteratively generating node embeddings that incorporate topological structure and node features. Eventually, the unlabeled apps are classified by their final embeddings. To our knowledge, this paper is the first study to explore the application of graph neural networks in the field of malware classification. We develop a prototype system named GDroid. Experiments show that GDroid can effectively detect 98.99% of Android malware with a low false positive rate of less than 1%, outperforming the existing approaches. It also achieves an average accuracy of almost 97% in the malware familial classification task, surpassing the baselines. Additionally, we cooperate with QI-ANXIN Technology Research Institute to evaluate its real-world impact, and GDroid also maintains satisfactory performance in real-world scenarios. (c) 2021 Elsevier Ltd. All rights reserved.
