Predicting Android malware combining permissions and API call sequences

Malware detection is an important task in software maintenance. It can effectively protect user information from attacks by malicious developers. Existing studies mainly focus on leveraging permission information and API call information to identify malware. However, many studies pay attention to...

Detailed description

Saved in:
Bibliographic details
Published in: Software quality journal 2023-09, Vol.31 (3), p.655-685
Main authors: Chen, Xin, Yu, Haihua, Yu, Dongjin, Chen, Jie, Sun, Xiaoxiao
Format: Article
Language: eng
Subjects:
Online access: Full text
container_end_page 685
container_issue 3
container_start_page 655
container_title Software quality journal
container_volume 31
creator Chen, Xin
Yu, Haihua
Yu, Dongjin
Chen, Jie
Sun, Xiaoxiao
description Malware detection is an important task in software maintenance. It can effectively protect user information from attacks by malicious developers. Existing studies mainly focus on leveraging permission information and API call information to identify malware. However, many studies pay attention to API calls without considering the role of API call sequences. In this study, we propose a new method by combining both the permission information and the API call sequence information to distinguish malicious applications from benign applications. First, we extract features of permission and API call sequence with a decompiling tool. Then, one-hot encoding and Word2Vec are adopted to represent the permission feature and the API call sequence feature for each application, respectively. Based on this, we leverage Random Forest (RF) and Convolutional Neural Networks (CNN) to train a permission-based classifier and an API call sequence-based classifier, respectively. Finally, we design a linear strategy to combine the outputs of these two classifiers to predict the labels of newly arrived applications. In an evaluation with 15,198 malicious applications and 15,129 benign applications, our approach achieves 98.84% in terms of precision, 98.17% in terms of recall, 98.50% in terms of F1-score, and 98.52% in terms of accuracy on average, and outperforms the state-of-the-art method Malscan by 2.12%, 0.27%, 1.20%, and 1.24%, respectively. In addition, we demonstrate that the method combining two features achieves better performance than the methods based on a single feature.
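The feature-extraction front end described in the abstract (permissions from the decompiled manifest, API calls kept as an ordered sequence rather than a bag, and a linear fusion of the two classifier outputs) is easier to reason about with concrete input. The block below is an added example written for this page; it is not the authors' code and does not reproduce their pipeline. The manifest and smali fixtures are constructed, the permission vocabulary and the two regular expressions are assumptions about what a decompiler such as apktool emits, the Word2Vec embedding and the RF/CNN classifiers are stood in for by a token-to-id encoding and by hand-chosen probabilities, and the fusion weight and threshold are assumed (the paper's exact linear strategy is not given in the abstract).

```python
import re
from collections import Counter

# Constructed fixtures standing in for decompiler output for one APK: the
# permission lines of AndroidManifest.xml and a few invoke instructions from
# one smali method. They are made up for this example, not taken from the
# paper's dataset.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.app">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
</manifest>
"""

SAMPLE_SMALI = """
.method public onCreate(Landroid/os/Bundle;)V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    invoke-virtual {v2}, Ljava/net/HttpURLConnection;->connect()V
    invoke-virtual/range {v0 .. v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

# Assumed permission vocabulary; a real pipeline derives it from the training set.
PERMISSION_VOCAB = [
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
]

# Assumed patterns for the two decompiler artefacts.
PERM_RE = re.compile(r'<uses-permission\s+android:name="([^"]+)"')
INVOKE_RE = re.compile(r'invoke-\w+(?:/range)?\s+\{[^}]*\},\s*(L[\w/$]+;)->([\w<>$]+)\(')


def extract_permissions(manifest_xml):
    """Requested permissions, in manifest order."""
    return PERM_RE.findall(manifest_xml)


def one_hot_permissions(perms, vocab=PERMISSION_VOCAB):
    """One-hot (really multi-hot) vector over the permission vocabulary."""
    present = set(perms)
    return [1 if p in present else 0 for p in vocab]


def extract_api_sequence(smali):
    """API calls as 'class->method' tokens in the order they appear in the code.
    Order is preserved on purpose: the sequence, not the bag, is the feature."""
    return [f"{cls}->{meth}" for cls, meth in INVOKE_RE.findall(smali)]


def build_api_vocab(sequences):
    """Token ids for the sequence model; 0 is padding, 1 is unknown, the rest
    are assigned by descending frequency (ties broken alphabetically)."""
    counts = Counter(tok for seq in sequences for tok in seq)
    vocab = {"<pad>": 0, "<unk>": 1}
    for tok, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        vocab[tok] = len(vocab)
    return vocab


def encode_sequence(seq, vocab, max_len):
    """Fixed-length id vector, truncated or right-padded, as a CNN input
    layer would expect before the embedding lookup."""
    ids = [vocab.get(tok, vocab["<unk>"]) for tok in seq[:max_len]]
    return ids + [vocab["<pad>"]] * (max_len - len(ids))


def fuse_scores(p_perm, p_seq, weight=0.5, threshold=0.5):
    """Linear combination of the permission classifier's and the sequence
    classifier's malware probabilities. The convex form, weight and threshold
    are assumptions for this example; in practice both are chosen on
    validation data."""
    score = weight * p_perm + (1.0 - weight) * p_seq
    return score, score >= threshold


if __name__ == "__main__":
    perms = extract_permissions(SAMPLE_MANIFEST)
    seq = extract_api_sequence(SAMPLE_SMALI)
    vocab = build_api_vocab([seq])
    print("permissions:", one_hot_permissions(perms))
    print("api sequence:", seq)
    print("encoded:", encode_sequence(seq, vocab, max_len=8))
    # Same bag of calls, different order: identical Counter, different input.
    print("bag equal:", Counter(seq) == Counter(reversed(seq)),
          "ids equal:", encode_sequence(seq, vocab, 8) == encode_sequence(list(reversed(seq)), vocab, 8))
    # Hand-chosen stand-ins for the RF and CNN outputs on this app.
    print("fused:", fuse_scores(0.9, 0.3))
```

The reversed-sequence check at the end is the point the abstract makes against bag-of-API-calls features: two apps that call `getDeviceId`, `connect` and `sendTextMessage` in different orders are indistinguishable to a frequency vector but produce different inputs for a sequence model.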
doi_str_mv 10.1007/s11219-022-09602-4
format Article
publisher New York: Springer US
rights The Author(s), under exclusive licence to Springer Science+Business Media, LLC, part of Springer Nature 2022.
orcidid https://orcid.org/0000-0001-8919-1613
linktopdf https://link.springer.com/content/pdf/10.1007/s11219-022-09602-4
linktohtml https://link.springer.com/10.1007/s11219-022-09602-4
identifier ISSN: 0963-9314
ispartof Software quality journal, 2023-09, Vol.31 (3), p.655-685
issn 0963-9314
1573-1367
language eng
recordid cdi_proquest_journals_2859387640
source SpringerLink Journals
subjects Algorithms
Application programming interface
Artificial neural networks
Classifiers
Compilers
Computer Science
Data Structures and Information Theory
Interpreters
Machine learning
Malware
Mobile operating systems
Neural networks
Operating Systems
Programming Languages
Software Engineering/Programming and Operating Systems
title Predicting Android malware combining permissions and API call sequences