CN115391778A - Android malicious program detection method and device based on heterogeneous graph attention network - Google Patents


Publication number
CN115391778A
Authority
CN
China
Prior art keywords
android
application program
graph
attention network
android application
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210983464.3A
Other languages
Chinese (zh)
Inventor
凌捷
殷丹丽
罗玉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong University of Technology
Original Assignee
Guangdong University of Technology
Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/563 Static detection by source code analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/40 Transformation of program code
    • G06F8/53 Decompilation; Disassembly
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/08 Learning methods

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Virology (AREA)
  • General Health & Medical Sciences (AREA)
  • Biomedical Technology (AREA)
  • Computing Systems (AREA)
  • Molecular Biology (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • Data Mining & Analysis (AREA)
  • Computational Linguistics (AREA)
  • Biophysics (AREA)
  • Artificial Intelligence (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The invention provides an Android malicious program detection method based on a heterogeneous graph attention network, comprising the following steps: S1: downloading apps and labeling them; S2: decompiling the APK and extracting multiple kinds of key feature entities; S3: constructing a heterogeneous graph attention network, converting it into a plurality of meta-structures, and calculating the adjacency matrix of each meta-structure; S4: obtaining low-dimensional vector embeddings; S5: training a logistic regression model and obtaining the node embedding of the Android application to be detected; S6: obtaining a detection result. The invention further provides an Android malicious program detection device based on the heterogeneous graph attention network, which is used to implement the method. The method and device solve the problem that existing malicious program detection technology cannot effectively classify and detect malicious Android applications.

Description

Android malicious program detection method and device based on heterogeneous graph attention network
Technical Field
The invention relates to the technical field of information security, in particular to an Android malicious program detection method and device based on a heterogeneous graph attention network.
Background
Driven by the rapid development of Internet services, mobile applications have entered many aspects of everyday life, such as communication, finance, travel and entertainment. Android is currently the largest operating system platform in the global smartphone market. Because of the extensibility and openness of the Android platform, users face threats and attacks from various malicious programs, including privacy invasion, data leakage, spam advertisements, and transaction and payment operations that affect the security of users' personal property. Research on methods for identifying and detecting Android malicious programs therefore has important application value.
The traditional Android malicious program detection method performs static analysis of the APK file: it characterizes features of the manifest, code files and resource files in the APK file, and judges whether the APK file is malicious through similarity comparison.
Therefore, existing malicious program detection technology cannot effectively classify and detect malicious Android applications.
Disclosure of Invention
The invention provides an Android malicious program detection method and device based on a heterogeneous graph attention network, aiming to overcome the technical defect that existing malicious program detection technology cannot effectively classify and detect malicious Android applications.
In order to solve the technical problem, the technical scheme of the invention is as follows:
An Android malicious program detection method based on a heterogeneous graph attention network comprises the following steps:
S1: downloading Android applications (apps) and labeling them to obtain an Android application set; the Android applications include benign Android applications and malicious Android applications;
S2: decompiling the installation package (APK) of each Android application, and extracting multiple kinds of key feature entities from the decompiled files;
S3: constructing a heterogeneous graph attention network according to the relationships between the Android applications and the key feature entities, converting the heterogeneous graph attention network into a plurality of meta-structures, and calculating the adjacency matrix of each meta-structure;
S4: obtaining low-dimensional vector embeddings of the existing nodes according to the adjacency matrices of the meta-structures;
S5: training a logistic regression model using the low-dimensional vector embeddings and labels of the existing nodes to obtain a trained logistic regression model, and obtaining the node embedding of the Android application to be detected;
S6: inputting the node embedding of the Android application to be detected into the trained logistic regression model for detection, obtaining a detection result that the Android application to be detected is malicious or benign.
In this scheme, multiple kinds of key feature entities are first obtained by decompiling the APK and extracting them; the heterogeneous graph attention network is built according to the relationships between the Android applications and the key feature entities and is converted into a plurality of meta-structures; the low-dimensional vector embeddings of the existing nodes are then obtained from the adjacency matrices of the meta-structures; the logistic regression model is trained using the low-dimensional vector embeddings and the labels; finally, the node embedding of the Android application to be detected is obtained and input into the trained logistic regression model for detection, giving the detection result that the Android application to be detected is malicious or benign.
Preferably, the key feature entities include APIs, permissions, permission types, classes, interfaces, and so files.
Preferably, intra-graph relationship matrices $R_l^{in}$, $l \in [1,6]$, are formed according to the relationships between the Android applications and the key feature entities; wherein $R_1^{in}$ represents the relationship between App and API, $R_2^{in}$ represents the relationship between App and permission, $R_3^{in}$ represents the type of permission to which the App belongs, $R_4^{in}$ represents the relationship between App and class, $R_5^{in}$ represents the relationship between App and interface, and $R_6^{in}$ represents the relationship between App and so file.
Preferably, the heterogeneous graph attention network is a graph $G = (V, E, A, R)$; the node types include App, API, permission, permission type, class, interface, and so file, and the edge types include $R_1^{in}$, $R_2^{in}$, $R_3^{in}$, $R_4^{in}$, $R_5^{in}$ and $R_6^{in}$; wherein V represents the set of nodes, E represents the set of edges, A represents the set of node types, R represents the set of edge types, and $|A| + |R| > 2$.
Preferably, the meta-structure is a meta-path or a meta-graph; a meta-path is a path defined on the heterogeneous graph attention network, with the source object and the target object located at the two ends of the path; if there are multiple meta-paths between the source object and the target object, they form a meta-graph.
Preferably, the adjacency matrices of the K meta-structures form the adjacency matrix set $\{\Psi_{M_1}, \ldots, \Psi_{M_k}, \ldots, \Psi_{M_K}\}$; the adjacency matrix of a meta-structure is the adjacency matrix of a meta-path or the adjacency matrix of a meta-graph,
wherein the adjacency matrix of a meta-path is calculated as:
$$\Psi_{MP} = R_{A_1A_2} \cdot \ldots \cdot R_{A_iA_{i+1}} \cdot \ldots \cdot R_{A_{n-1}A_n}$$
and the adjacency matrix of a meta-graph is calculated as:
$$\Psi_{MG} = \Psi_{MP_1} \odot \ldots \odot \Psi_{MP_j} \odot \ldots \odot \Psi_{MP_m}$$
where $\Psi_{M_k}$ denotes the adjacency matrix of the k-th meta-structure, $R_{A_iA_{i+1}}$ denotes the relationship matrix between the i-th node and the (i+1)-th node, $i = 1, 2, \ldots, n-1$, $\Psi_{MP_j}$ denotes the j-th $\Psi_{MP}$, $\odot$ denotes the Hadamard product, and m denotes the number of $\Psi_{MP}$.
Preferably, step S4 includes the following steps:
S41: encoding each node as a one-hot vector to obtain a matrix H, combining H with the adjacency matrix of a given meta-structure $M_k$, and obtaining the adjacency matrix of the nodes within the meta-structure through a normalization operation:
$$\Psi_{M_k}' = \mathrm{Normalize}(H \cdot H^{T} \odot \Psi_{M_k})$$
the embedding of the nodes within meta-structure $M_k$ is then updated by an edge-weight-aware GAT model: $\Phi_{M_k} = \mathrm{GAT}(H; \Psi_{M_k}')$;
S42: learning the weight $\beta_{M_k}$ of each meta-structure $M_k$ in the fusion using a multilayer perceptron:
$$(\beta_{M_1}, \ldots, \beta_{M_k}, \ldots, \beta_{M_K}) = \mathrm{softmax}(\mathrm{NN}(\Phi_{M_1}), \ldots, \mathrm{NN}(\Phi_{M_k}), \ldots, \mathrm{NN}(\Phi_{M_K}))$$
where NN is a native neural network that maps a given matrix to a value,
thus obtaining the low-dimensional vector embedding of the existing nodes:
Figure BDA0003801122490000031
Preferably, in step S5, the node embedding of the Android application to be detected is obtained through the following steps:
S51: forming out-of-graph relationship matrices $R_l^{out}$, $l \in [1,6]$, according to the relationships between the Android application to be detected and the key feature entities;
S52: forming an incremental segment of the node adjacency matrix
Figure BDA0003801122490000032
in the form of a matrix of j rows and columns, where j represents the number of nodes in the graph; the j-th row value of the matrix
Figure BDA0003801122490000033
represents the number of meta-structures between the new node and the in-graph node $v_j$;
S53: using the top-k algorithm to sort
Figure BDA0003801122490000041
and selecting the first t in-graph nodes with the largest values as in-graph neighbor nodes $v_s$, $s = 1, 2, \ldots, t$; the vectors of the new node and the in-graph neighbor nodes are aggregated to obtain the node embedding of the Android application to be detected:
Figure BDA0003801122490000042
Figure BDA0003801122490000043
wherein
Figure BDA0003801122490000044
denotes the weight of $v_s$ on the meta-path $M_k$, and
Figure BDA0003801122490000045
represents the number of meta-structures between the new node and the in-graph neighbor node $v_s$.
Preferably, the output of the logistic regression model is predicted as follows:
Figure BDA0003801122490000046
wherein b represents an offset parameter, w represents a weight, and
Figure BDA0003801122490000047
represents the node embedding of the Android application to be detected;
when the predicted value a output by the logistic regression model is greater than 0.5, the detection result is malicious; otherwise, the detection result is benign.
An Android malicious program detection device based on a heterogeneous graph attention network, used to implement the Android malicious program detection method based on the heterogeneous graph attention network, comprises:
a feature engineering module, used for labeling the apps, decompiling the APKs and extracting the key feature entities;
a graph construction module, used for building the heterogeneous graph attention network as nodes and edges according to the relationships between the Android applications and the key feature entities, and also for converting the heterogeneous graph attention network into a plurality of meta-structures and calculating the adjacency matrix of each meta-structure;
a node aggregation module, used for obtaining the node embedding of an Android application and obtaining the low-dimensional vector embeddings of the nodes according to the adjacency matrices of the meta-structures;
and a detection module, used for performing detection according to the node embedding of the Android application to be detected and outputting the detection result that the Android application to be detected is malicious or benign.
Compared with the prior art, the technical scheme of the invention has the following beneficial effects:
The invention provides an Android malicious program detection method and device based on a heterogeneous graph attention network.
Drawings
FIG. 1 is a flow chart of the steps for implementing the technical solution of the present invention;
FIG. 2 is a schematic structural diagram of the heterogeneous graph attention network of the present invention;
FIG. 3 is a schematic diagram of the meta-path of the present invention;
FIG. 4 is a schematic diagram of the meta-graph of the present invention.
Detailed Description
The drawings are for illustrative purposes only and are not to be construed as limiting the patent;
for the purpose of better illustrating the embodiments, certain features of the drawings may be omitted, enlarged or reduced, and do not represent the size of an actual product;
it will be understood by those skilled in the art that certain well-known structures in the drawings and descriptions thereof may be omitted.
The technical solution of the present invention is further described below with reference to the accompanying drawings and examples.
Example 1
As shown in FIG. 1, an Android malicious program detection method based on a heterogeneous graph attention network includes the following steps:
S1: downloading Android applications (apps) and labeling them to obtain an Android application set; the Android applications include benign Android applications and malicious Android applications;
S2: decompiling the installation package (APK) of each Android application, and extracting multiple kinds of key feature entities from the decompiled files;
S3: constructing a heterogeneous graph attention network according to the relationships between the Android applications and the key feature entities, converting the heterogeneous graph attention network into a plurality of meta-structures, and calculating the adjacency matrix of each meta-structure;
S4: obtaining low-dimensional vector embeddings of the existing nodes according to the adjacency matrices of the meta-structures;
S5: training a logistic regression model using the low-dimensional vector embeddings and labels of the existing nodes to obtain a trained logistic regression model, and obtaining the node embedding of the Android application to be detected;
S6: inputting the node embedding of the Android application to be detected into the trained logistic regression model for detection, obtaining a detection result that the Android application to be detected is malicious or benign.
In a specific implementation, multiple kinds of key feature entities are first obtained by decompiling the APK and extracting them; a heterogeneous graph attention network is built according to the relationships between the Android applications and the key feature entities and is converted into a plurality of meta-structures; the low-dimensional vector embeddings of the existing nodes are then obtained from the adjacency matrices of the meta-structures; a logistic regression model is trained using the low-dimensional vector embeddings and the labels; finally, the node embedding of the Android application to be detected is obtained and input into the trained logistic regression model for detection, giving the detection result that the Android application to be detected is malicious or benign.
Example 2
An Android malicious program detection method based on a heterogeneous graph attention network comprises the following steps:
S1: downloading Android applications (apps) and labeling them to obtain an Android application set; the Android applications include benign Android applications and malicious Android applications, where the label of a benign Android application is 0 and the label of a malicious Android application is 1; benign applications are downloaded from the Google Play store, and malicious applications are downloaded from VirusShare.
S2: decompiling the installation package (APK) of each Android application using the decompiling tool apktool, and extracting multiple kinds of key feature entities from the decompiled files;
S3: constructing a heterogeneous graph attention network according to the relationships between the Android applications and the key feature entities, converting the heterogeneous graph attention network into a plurality of meta-structures, and calculating the adjacency matrix of each meta-structure;
S4: obtaining low-dimensional vector embeddings of the existing nodes according to the adjacency matrices of the meta-structures;
S5: training a logistic regression model using the low-dimensional vector embeddings and labels of the existing nodes to obtain a trained logistic regression model, and obtaining the node embedding of the Android application to be detected;
S6: inputting the node embedding of the Android application to be detected into the trained logistic regression model for detection, obtaining a detection result that the Android application to be detected is malicious or benign.
More specifically, the key feature entities include APIs, permissions, permission types, classes, interfaces, and so files.
As shown in FIGS. 2-4, A represents an API (application programming interface); P represents a permission, which specifies an operation performed by an application; T represents the type of a permission; C represents a class, which abstracts common attributes and behaviors into a relatively complex data type; I represents an interface, which is an abstract data structure used to define a specification; S represents a so file, which is an Android dynamic link library. A, C and I are derived from the decompiled smali files, P and T are derived from the decompiled Android xml file, and S is derived from the decompiled lib files.
More specifically, intra-graph relationship matrices $R_l^{in}$, $l \in [1,6]$, are formed according to the relationships between the Android applications and the key feature entities; wherein $R_1^{in}$ represents the relationship between App and API, $R_2^{in}$ represents the relationship between App and permission, $R_3^{in}$ represents the type of permission to which the App belongs, $R_4^{in}$ represents the relationship between App and class, $R_5^{in}$ represents the relationship between App and interface, and $R_6^{in}$ represents the relationship between App and so file.
In a specific implementation: for $R_1^{in}$, $a_{ij} \in \{0, 1\}$ represents whether $App_i$ contains $API_j$; if so, $a_{ij} = 1$, otherwise $a_{ij} = 0$. For $R_2^{in}$, $P_{ij} \in \{0, 1\}$ represents whether $App_i$ contains permission j; if so, $P_{ij} = 1$, otherwise $P_{ij} = 0$. For $R_3^{in}$, $T_{ij} \in \{0, 1\}$ represents whether permission i belongs to type j; if so, $T_{ij} = 1$, otherwise $T_{ij} = 0$. For $R_4^{in}$, $C_{ij} \in \{0, 1\}$ represents whether $App_i$ contains class j; if so, $C_{ij} = 1$, otherwise $C_{ij} = 0$. For $R_5^{in}$, $I_{ij} \in \{0, 1\}$ represents whether $App_i$ has interface j; if so, $I_{ij} = 1$, otherwise $I_{ij} = 0$. For $R_6^{in}$, $S_{ij} \in \{0, 1\}$ represents whether $App_i$ contains so file j; if so, $S_{ij} = 1$, otherwise $S_{ij} = 0$.
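An added example, not code from the patent: one way to pull the key feature entities out of apktool-style output and turn them into the 0/1 relation rows defined above. The manifest, smali text, library paths and the second app are constructed samples; reading permissions from `uses-permission` elements and APIs from smali `invoke-*` instructions is an assumption about the extraction, and permission types are left out because the text does not say how a type is assigned.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed stand-ins for the decompiled files of one app (not from the patent).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.demo">
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="demo"/>
</manifest>"""

SMALI = """.class public Lcom/example/demo/Main;
.super Landroid/app/Activity;
.implements Ljava/lang/Runnable;

.method public run()V
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    return-void
.end method
"""

LIB_PATHS = ["lib/armeabi-v7a/libnative.so", "lib/armeabi-v7a/libcrypto.so"]

# smali directives and call sites: ".class <flags> Lpkg/Name;", ".implements Lpkg/Iface;",
# "invoke-<kind> {regs}, Lpkg/Class;->method(args)ret"
CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*(L[^;\s]+;)", re.M)
IMPLEMENTS_RE = re.compile(r"^\.implements\s+(L[^;\s]+;)", re.M)
INVOKE_RE = re.compile(r"^\s*invoke-[\w/-]+\s+\{[^}]*\},\s+(L[^;\s]+;->[^\s(]+)\(", re.M)


def extract_entities(manifest_xml, smali_text, lib_paths):
    """Return the entity sets A (api), P (permission), C, I and S for one app."""
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    permissions.discard(None)  # malformed element without android:name
    return {
        "api": set(INVOKE_RE.findall(smali_text)),
        "permission": permissions,
        "class": set(CLASS_RE.findall(smali_text)),
        "interface": set(IMPLEMENTS_RE.findall(smali_text)),
        "so": {p.rsplit("/", 1)[-1] for p in lib_paths if p.endswith(".so")},
    }


def build_relation_matrix(apps, kind):
    """Rows = apps, columns = sorted vocabulary of `kind`; cell is 1 if the app has it."""
    vocabulary = sorted(set().union(*(app[kind] for app in apps)))
    matrix = [[1 if item in app[kind] else 0 for item in vocabulary] for app in apps]
    return vocabulary, matrix


# Second app given directly as entity sets (constructed) so the matrix has two rows.
APP2 = {
    "api": {"Landroid/telephony/SmsManager;->getDefault"},
    "permission": {"android.permission.INTERNET"},
    "class": set(), "interface": set(), "so": set(),
}

if __name__ == "__main__":
    app1 = extract_entities(MANIFEST, SMALI, LIB_PATHS)
    for kind in ("api", "permission", "class", "interface", "so"):
        vocab, rows = build_relation_matrix([app1, APP2], kind)
        print(kind, vocab, rows)
```
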
More specifically, the heterogeneous graph attention network is a graph $G = (V, E, A, R)$; the node types include App, API, permission, permission type, class, interface, and so file, and the edge types include $R_1^{in}$, $R_2^{in}$, $R_3^{in}$, $R_4^{in}$, $R_5^{in}$ and $R_6^{in}$; wherein V represents the set of nodes, E represents the set of edges, A represents the set of node types, R represents the set of edge types, and $|A| + |R| > 2$.
More specifically, the meta-structure is a meta-path or a meta-graph; a meta-path is a path defined on the heterogeneous graph attention network, with the source object and the target object located at the two ends of the path; if multiple meta-paths exist between the source object and the target object, they form a meta-graph.
More specifically, the adjacency matrices of the K meta-structures form the adjacency matrix set $\{\Psi_{M_1}, \ldots, \Psi_{M_k}, \ldots, \Psi_{M_K}\}$; the adjacency matrix of a meta-structure is the adjacency matrix of a meta-path or the adjacency matrix of a meta-graph,
wherein the adjacency matrix of a meta-path is calculated as:
$$\Psi_{MP} = R_{A_1A_2} \cdot \ldots \cdot R_{A_iA_{i+1}} \cdot \ldots \cdot R_{A_{n-1}A_n}$$
and the adjacency matrix of a meta-graph is calculated as:
$$\Psi_{MG} = \Psi_{MP_1} \odot \ldots \odot \Psi_{MP_j} \odot \ldots \odot \Psi_{MP_m}$$
where $\Psi_{M_k}$ denotes the adjacency matrix of the k-th meta-structure, $R_{A_iA_{i+1}}$ denotes the relationship matrix between the i-th node and the (i+1)-th node, $i = 1, 2, \ldots, n-1$, $\Psi_{MP_j}$ denotes the j-th $\Psi_{MP}$, $\odot$ denotes the Hadamard product, and m denotes the number of $\Psi_{MP}$.
More specifically, step S4 includes the following steps:
S41: encoding each node as a one-hot vector to obtain a matrix H, combining H with the adjacency matrix of a given meta-structure $M_k$, and obtaining the adjacency matrix of the nodes within the meta-structure through a normalization operation:
$$\Psi_{M_k}' = \mathrm{Normalize}(H \cdot H^{T} \odot \Psi_{M_k})$$
the embedding of the nodes within meta-structure $M_k$ is then updated by an edge-weight-aware GAT model: $\Phi_{M_k} = \mathrm{GAT}(H; \Psi_{M_k}')$;
S42: learning the weight $\beta_{M_k}$ of each meta-structure $M_k$ in the fusion using a multilayer perceptron:
$$(\beta_{M_1}, \ldots, \beta_{M_k}, \ldots, \beta_{M_K}) = \mathrm{softmax}(\mathrm{NN}(\Phi_{M_1}), \ldots, \mathrm{NN}(\Phi_{M_k}), \ldots, \mathrm{NN}(\Phi_{M_K}))$$
where NN is a native neural network that maps a given matrix to a value,
thus obtaining the low-dimensional vector embedding of the existing nodes:
Figure BDA0003801122490000081
More specifically, in step S5, the node embedding of the Android application to be detected is obtained through the following steps:
S51: forming out-of-graph relationship matrices $R_l^{out}$, $l \in [1,6]$, according to the relationships between the Android application to be detected and the key feature entities;
S52: forming an incremental segment of the node adjacency matrix
Figure BDA0003801122490000082
in the form of a matrix of j rows and columns, where j represents the number of nodes in the graph; the j-th row value of the matrix
Figure BDA0003801122490000083
represents the number of meta-structures between the new node and the in-graph node $v_j$;
S53: using the top-k algorithm to sort
Figure BDA0003801122490000084
and selecting the first t in-graph nodes with the largest values as in-graph neighbor nodes $v_s$, $s = 1, 2, \ldots, t$; the vectors of the new node and the in-graph neighbor nodes are aggregated to obtain the node embedding of the Android application to be detected:
Figure BDA0003801122490000085
Figure BDA0003801122490000086
wherein
Figure BDA0003801122490000087
denotes the weight of $v_s$ on the meta-path $M_k$, and
Figure BDA0003801122490000088
represents the number of meta-structures between the new node and the in-graph neighbor node $v_s$.
More specifically, the output of the logistic regression model is predicted as:
Figure BDA0003801122490000089
where b denotes an offset parameter, w denotes a weight, and
Figure BDA0003801122490000091
represents the node embedding of the Android application to be detected;
when the predicted value a output by the logistic regression model is greater than 0.5, the detection result is malicious; otherwise, the detection result is benign.
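An added example, not code from the patent: the meta-path product and meta-graph Hadamard product from step S3, followed by the neighbor selection of steps S52 and S53 for an app that is not yet in the graph. All matrices are constructed; computing the new app's counts by substituting its out-of-graph relation row into the same meta-path product, and skipping nodes with a count of zero, are assumptions of this sketch. The aggregation formula itself is not reproduced on this page and is not implemented here.

```python
def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def transpose(m):
    return [list(col) for col in zip(*m)]


def hadamard(a, b):
    return [[x * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]


def metapath_adjacency(relations):
    """Psi_MP: chain product of the relation matrices along one meta-path."""
    psi = relations[0]
    for r in relations[1:]:
        psi = matmul(psi, r)
    return psi


def metagraph_adjacency(metapaths):
    """Psi_MG: element-wise (Hadamard) product of meta-path adjacency matrices."""
    psi = metapaths[0]
    for p in metapaths[1:]:
        psi = hadamard(psi, p)
    return psi


def top_t_neighbors(counts, t):
    """Indices of the t in-graph nodes with the largest counts (ties: lower index first).
    Nodes sharing no meta-structure instance (count 0) are skipped; that is an
    assumption of this sketch, not something the text states."""
    ranked = sorted(range(len(counts)), key=lambda j: (-counts[j], j))
    return [j for j in ranked if counts[j] > 0][:t]


# Constructed in-graph relation matrices for 3 labelled apps.
R1_IN = [[1, 1, 0], [1, 0, 0], [0, 0, 1]]  # App x API
R2_IN = [[1, 0, 0], [1, 1, 0], [0, 0, 1]]  # App x permission
R3_IN = [[1, 0], [1, 0], [0, 1]]           # permission x permission type

# Constructed out-of-graph rows for the app to be detected.
R1_OUT = [[1, 1, 0]]  # uses API 0 and API 1
R2_OUT = [[0, 1, 0]]  # requests permission 1


def in_graph_structures():
    # Meta-path App-API-App and meta-path App-Permission-Type-Permission-App.
    apa = metapath_adjacency([R1_IN, transpose(R1_IN)])
    aptpa = metapath_adjacency([R2_IN, R3_IN, transpose(R3_IN), transpose(R2_IN)])
    return {"APA": apa, "APTPA": aptpa, "MG": metagraph_adjacency([apa, aptpa])}


def new_app_counts():
    # Same products with the first factor replaced by the new app's row:
    # entry j counts meta-path instances between the new app and in-graph app j.
    apa = metapath_adjacency([R1_OUT, transpose(R1_IN)])[0]
    aptpa = metapath_adjacency([R2_OUT, R3_IN, transpose(R3_IN), transpose(R2_IN)])[0]
    return {"APA": apa, "APTPA": aptpa}


if __name__ == "__main__":
    for name, psi in in_graph_structures().items():
        print(name, psi)
    for name, counts in new_app_counts().items():
        print(name, counts, "neighbors:", top_t_neighbors(counts, 2))
```
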
Example 3
An Android malicious program detection device based on a heterogeneous graph attention network, used to implement the Android malicious program detection method based on the heterogeneous graph attention network, comprises:
a feature engineering module, used for labeling the apps, decompiling the APKs and extracting the key feature entities;
a graph construction module, used for building the heterogeneous graph attention network as nodes and edges according to the relationships between the Android applications and the key feature entities, and also for converting the heterogeneous graph attention network into a plurality of meta-structures and calculating the adjacency matrix of each meta-structure;
a node aggregation module, used for obtaining the node embedding of an Android application and obtaining the low-dimensional vector embeddings of the nodes according to the adjacency matrices of the meta-structures;
and a detection module, used for performing detection according to the node embedding of the Android application to be detected and outputting the detection result that the Android application to be detected is malicious or benign.
It should be understood that the above-described embodiments of the present invention are merely examples given to illustrate the invention clearly, and are not intended to limit its embodiments. Other variations and modifications will be apparent to persons skilled in the art in light of the above description. It is neither necessary nor possible to enumerate all embodiments here. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the claims of the present invention.

Claims (10)

1. An Android malicious program detection method based on a heterogeneous graph attention network, characterized by comprising the following steps:
S1: downloading Android applications (apps) and labeling them to obtain an Android application set; the Android applications include benign Android applications and malicious Android applications;
S2: decompiling the installation package (APK) of each Android application, and extracting multiple kinds of key feature entities from the decompiled files;
S3: constructing a heterogeneous graph attention network according to the relationships between the Android applications and the key feature entities, converting the heterogeneous graph attention network into a plurality of meta-structures, and calculating the adjacency matrix of each meta-structure;
S4: obtaining low-dimensional vector embeddings of the existing nodes according to the adjacency matrices of the meta-structures;
S5: training a logistic regression model using the low-dimensional vector embeddings and labels of the existing nodes to obtain a trained logistic regression model, and obtaining the node embedding of the Android application to be detected;
S6: inputting the node embedding of the Android application to be detected into the trained logistic regression model for detection, obtaining a detection result that the Android application to be detected is malicious or benign.
2. The method according to claim 1, wherein the key feature entities include APIs, permissions, permission types, classes, interfaces, and so files.
3. The Android malicious program detection method based on a heterogeneous graph attention network of claim 2, wherein intra-graph relationship matrices $R_l^{in}$, $l \in [1,6]$, are formed according to the relationships between the Android applications and the key feature entities; wherein $R_1^{in}$ represents the relationship between App and API, $R_2^{in}$ represents the relationship between App and permission, $R_3^{in}$ represents the type of permission to which the App belongs, $R_4^{in}$ represents the relationship between App and class, $R_5^{in}$ represents the relationship between App and interface, and $R_6^{in}$ represents the relationship between App and so file.
4. The Android malicious program detection method based on a heterogeneous graph attention network of claim 3, wherein the heterogeneous graph attention network is a graph $G = (V, E, A, R)$; the node types include App, API, permission, permission type, class, interface, and so file, and the edge types include $R_1^{in}$, $R_2^{in}$, $R_3^{in}$, $R_4^{in}$, $R_5^{in}$ and $R_6^{in}$; wherein V represents the set of nodes, E represents the set of edges, A represents the set of node types, R represents the set of edge types, and $|A| + |R| > 2$.
5. The Android malicious program detection method based on a heterogeneous graph attention network of claim 1, wherein the meta-structure is a meta-path or a meta-graph; a meta-path is a path defined on the heterogeneous graph attention network, with the source object and the target object located at the two ends of the path; if multiple meta-paths exist between the source object and the target object, they form a meta-graph.
6. The heterogeneous graph attention network based android malware detection method of claim 5, wherein
the adjacency matrices of the K meta-structures form the adjacency matrix set $\{\Psi_{M_1}, \ldots, \Psi_{M_k}, \ldots, \Psi_{M_K}\}$,
the adjacency matrix of a meta-structure is the adjacency matrix of a meta-path or the adjacency matrix of a meta-graph,
wherein the adjacency matrix of a meta-path is calculated as:
$\Psi_{MP} = R_{A_1A_2} \cdot \ldots \cdot R_{A_iA_{i+1}} \cdot \ldots \cdot R_{A_{n-1}A_n}$
and the adjacency matrix of a meta-graph is calculated as:
$\Psi_{MG} = \Psi_{MP_1} \odot \ldots \odot \Psi_{MP_j} \odot \ldots \odot \Psi_{MP_m}$
where $\Psi_{M_k}$ denotes the adjacency matrix of the k-th meta-structure, $R_{A_iA_{i+1}}$ denotes the relationship matrix between the i-th node and the (i+1)-th node, $i = 1, 2, \ldots$, $\Psi_{MP_j}$ denotes the j-th $\Psi_{MP}$, $\odot$ denotes the Hadamard product, and $m$ denotes the number of $\Psi_{MP}$.
7. The method for detecting the android malicious programs based on the heterogeneous graph attention network according to claim 6, wherein the step S4 comprises the following steps:
S41: encoding each node as a one-hot vector to obtain a matrix $H$, combining $H$ with the adjacency matrix of a given meta-structure $M_k$, and obtaining the adjacency matrix of the nodes inside the meta-structure through a normalization operation:
$\Psi_{M_k}' = \mathrm{Normalize}(H \cdot H^T \odot \Psi_{M_k})$
an edge-weight-aware GAT model then updates the embedding of the nodes inside the meta-structure $M_k$: $\Phi_{M_k} = \mathrm{GAT}(H; \Psi_{M_k}')$;
S42: learning the weight $\beta_{M_k}$ of each meta-structure $M_k$ in the fusion by using a multilayer perceptron:
$(\beta_{M_1}, \ldots, \beta_{M_k}, \ldots, \beta_{M_K}) = \mathrm{softmax}(NN(\Phi_{M_1}), \ldots, NN(\Phi_{M_k}), \ldots, NN(\Phi_{M_K}))$
where NN is a native neural network that maps a given matrix to a value,
thus obtaining the low-dimensional vector embedding of the existing nodes:
Figure FDA0003801122480000021
8. The android malicious program detection method based on the heterogeneous graph attention network of claim 7, wherein in step S5, the node embedding of the android application program to be detected is obtained by the following steps:
S51: forming an out-of-graph relation matrix $R_l^{out}$, $l \in [1,6]$, according to the relationship between the android application program to be detected and the key feature entities;
S52: forming an incremental segment of the node adjacency matrix:
Figure FDA0003801122480000031
S53: sorting, by using a top-k algorithm,
Figure FDA0003801122480000032
where
Figure FDA0003801122480000033
represents the number of meta-structures between the new node and the in-graph node $v_j$; selecting the first t in-graph nodes with the largest values as in-graph neighbor nodes $v_s$, $s = 1, 2, \ldots, t$; and aggregating the vectors of the new node and the in-graph neighbor nodes to obtain the node embedding of the android application program to be detected:
Figure FDA0003801122480000034
Figure FDA0003801122480000035
wherein
Figure FDA0003801122480000036
denotes the weight of $v_s$ on the meta-path $M_k$, and
Figure FDA0003801122480000037
represents the number of meta-structures between the new node and the in-graph neighbor node $b_s$.
9. The android malicious program detection method based on the heterogeneous graph attention network of claim 1, wherein the predicted value output by the logistic regression model is:
Figure FDA0003801122480000038
where b denotes a bias parameter, w denotes a weight, and
Figure FDA0003801122480000039
represents the node embedding of the android application program to be detected;
when the predicted value a output by the logistic regression model is greater than 0.5, the detection result is malicious; otherwise, the detection result is benign.
10. The heterogeneous graph attention network based android malware detection device of claim 1, comprising:
a feature engineering module, used for labeling the APP, decompiling the APK and extracting the key feature entities;
a graph building module, used for building the heterogeneous graph attention network in the form of nodes and edges according to the relationship between the android application program and the key feature entities, and also used for converting the heterogeneous graph attention network into a plurality of meta-structures and calculating the adjacency matrix of each meta-structure;
a node aggregation module, used for obtaining the node embedding of an android application program and obtaining the low-dimensional vector embedding of the nodes according to the adjacency matrices of the meta-structures;
and a detection module, used for performing detection according to the node embedding of the android application program to be detected and outputting the detection result that the android application program to be detected is malicious or benign.
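The adjacency computations of claim 6 and the neighbor ranking of claim 8 (S53), as an added example that is not part of the patent text: it builds the App-API-App and App-permission-App meta-path matrices on constructed toy data and combines them into a meta-graph. All function names are hypothetical, and the count `R_out · R_in^T` used for ranking is an assumed form, since the claim's own formula survives on this page only as an image reference.

```python
# Constructed toy data: 3 labelled in-graph apps, 4 APIs, 3 permissions.
# R_API[i][j] = 1 if app i calls API j (App-API relation of claim 3).
R_API = [[1, 1, 0, 0],
         [1, 1, 1, 0],
         [0, 0, 0, 1]]
# R_PERM[i][j] = 1 if app i requests permission j (App-permission relation).
R_PERM = [[1, 0, 1],
          [1, 0, 0],
          [0, 1, 0]]

def transpose(m):
    return [list(col) for col in zip(*m)]

def matmul(a, b):
    bt = transpose(b)
    return [[sum(x * y for x, y in zip(row, col)) for col in bt] for row in a]

def hadamard(a, b):
    return [[x * y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def metapath_adjacency(*relations):
    """Psi_MP: chained product of the relation matrices along the meta-path."""
    psi = relations[0]
    for r in relations[1:]:
        psi = matmul(psi, r)
    return psi

def metagraph_adjacency(*metapaths):
    """Psi_MG: Hadamard (element-wise) product of meta-path adjacencies."""
    psi = metapaths[0]
    for p in metapaths[1:]:
        psi = hadamard(psi, p)
    return psi

def top_t_neighbors(r_out_row, r_in, t):
    """Rank in-graph apps by meta-path instance count with a new app.

    Assumption: the count is r_out_row . r_in^T (shared entities).
    Returns the t best (app_index, count) pairs, largest count first.
    """
    counts = matmul([r_out_row], transpose(r_in))[0]
    order = sorted(range(len(counts)), key=lambda j: counts[j], reverse=True)
    return [(j, counts[j]) for j in order[:t]]

PSI_API = metapath_adjacency(R_API, transpose(R_API))     # App-API-App
PSI_PERM = metapath_adjacency(R_PERM, transpose(R_PERM))  # App-permission-App
PSI_MG = metagraph_adjacency(PSI_API, PSI_PERM)           # both paths at once
```

A nonzero entry of `PSI_MG` means the two apps are connected through both meta-paths, which is why the meta-graph is the stricter similarity signal of the two.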

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210983464.3A CN115391778A (en) 2022-08-16 2022-08-16 Android malicious program detection method and device based on special-pattern attention network

Publications (1)

Publication Number Publication Date
CN115391778A true CN115391778A (en) 2022-11-25

Family

ID=84121404

Country Status (1)

Country Link
CN (1) CN115391778A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116074092A (en) * 2023-02-07 2023-05-05 电子科技大学 Attack scene reconstruction system based on heterogram attention network
CN116074092B (en) * 2023-02-07 2024-02-20 电子科技大学 Attack scene reconstruction system based on heterogram attention network
CN117708821A (en) * 2024-02-06 2024-03-15 山东省计算中心(国家超级计算济南中心) Method, system, equipment and medium for detecting Lesu software based on heterogeneous graph embedding
CN117708821B (en) * 2024-02-06 2024-04-30 山东省计算中心(国家超级计算济南中心) Method, system, equipment and medium for detecting Lesu software based on heterogeneous graph embedding

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination