ArgusDroid: detecting Android malware variants by mining permission-API knowledge graph


Bibliographic details
Published in: Science China. Information sciences 2023-09, Vol.66 (9), p.192101, Article 192101
Main authors: Bai, Yude; Chen, Sen; Xing, Zhenchang; Li, Xiaohong
Format: Article
Language: eng
Online access: Full text

Description
Summary: Malware family variants make minor but relevant changes to the behavior of the original malware. To analyze and detect family variants, security experts must not only understand malware behaviors but also observe the correlation between the features of these behaviors. However, recent data-driven behavior features are too independent and sometimes too general to obtain a comprehensive profile of the changeable malicious behaviors of family variants derived from the original malware. These features additionally suffer from limited semantic knowledge, which narrows the comprehension of family variants. To this end, in this paper we propose ArgusDroid, which takes advantage of the knowledge graph (KG) to construct a permission-API knowledge graph based on the official Android documentation. Because each permission or API in the documentation is described by a specific sentence, we can easily acquire and comprehend the relationship between different features via the hyperlinks in sentences or via sentence similarity. ArgusDroid also extracts various feature sets from the knowledge graph and validates the detection performance on Android malware family variants based on these features. Extensive experiments using machine learning and neural network classifiers for variant identification have been carried out. The experimental results demonstrate the effectiveness and usefulness of the feature sets obtained with ArgusDroid, especially with the convolutional neural network (CNN) and multi-layer perceptron (MLP) classifiers. Furthermore, compared to similar feature sets that aim to represent relationships across different feature types, such as Axplorer, ArgusDroid generates a feature set that significantly improves malware variant detection by 0.3575 average F1.
ISSN: 1674-733X; 1869-1919
DOI: 10.1007/s11432-021-3414-7