In recent years, the increasing volume of Android malware has posed a huge threat to users' private data, property and personal safety. At present, Android malware detection schemes fall into two main categories: static detection and dynamic detection. Static detection methods face decompilation challenges caused by techniques such as code obfuscation, dynamic loading, and packing. Dynamic detection methods usually take dynamic API call sequences as input data, and because these sequences are large, such methods are usually inefficient. This paper therefore focuses on the efficient detection of malicious Android applications using dynamic API call sequences. The main work and contributions are as follows:

1. We build a dynamic API call sequence capture tool, DyAPICapture (Dynamic API Capture), which can be deployed on real Android devices to capture API calls while an application is running, and which conducts automated testing on applications through the integrated tool APE. In this paper, we run a 5-minute automated test on each of 3950 malicious applications and 4219 benign applications, and collect the API calls made during operation to build a dynamic API call sequence dataset.

2. This paper proposes FGL_Droid (Fusion GCN and LR), an Android malware detection framework based on a graph neural network. The framework transforms a dynamic API call sequence into a function call graph to reduce the data size. A two-layer graph convolutional network then extracts the behavioral features of an application from its function call graph, and a logistic regression algorithm determines the maliciousness of the application based on the behavioral features and permission features. Experimental results show that the FGL_Droid detection framework proposed in this paper can detect malicious applications efficiently and accurately, with a detection accuracy of 0.975 and an average detection time of 0.141 milliseconds.

3. This paper proposes SCP_Droid (Specific Call Path), an Android malware detection framework based on specific call paths. From the function call graph corresponding to an application, the framework selects as specific call paths those call paths that have a high repetition rate in malicious applications but rarely appear in benign applications. We verified the effectiveness of using specific call paths as features for detecting malicious Android applications with multiple classifier algorithms, and the highest detection accuracy reached 0.986.
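The following Python sketch is an added illustration, not code from the paper, of the two ideas in contributions 2 and 3: collapsing a call sequence into a function call graph, then selecting call paths common in malicious traces but rare in benign ones. The edge rule (consecutive calls form an edge), the fixed path length, the thresholds and the sample traces are all assumptions constructed for this example.

```python
from collections import defaultdict

def sequence_to_graph(seq):
    """Collapse a call sequence into a directed graph (assumed rule: one edge
    per distinct consecutive pair), so repeated calls add no new data."""
    graph = defaultdict(set)
    for src, dst in zip(seq, seq[1:]):
        if src != dst:
            graph[src].add(dst)
    return graph

def call_paths(graph, length=3):
    """Enumerate all simple paths with `length` nodes in the call graph."""
    paths = set()
    def walk(path):
        if len(path) == length:
            paths.add(tuple(path))
            return
        for nxt in graph.get(path[-1], ()):
            if nxt not in path:          # keep paths simple (no revisits)
                walk(path + [nxt])
    for node in list(graph):
        walk([node])
    return paths

def specific_paths(malicious, benign, min_mal=0.5, max_ben=0.1, length=3):
    """Paths present in >= min_mal of malicious apps and <= max_ben of benign
    apps (thresholds are assumptions, not the paper's values)."""
    def support(apps):
        counts = defaultdict(int)
        for seq in apps:
            for p in call_paths(sequence_to_graph(seq), length):
                counts[p] += 1
        return {p: c / len(apps) for p, c in counts.items()}
    mal, ben = support(malicious), support(benign)
    return sorted(p for p, r in mal.items()
                  if r >= min_mal and ben.get(p, 0.0) <= max_ben)

# Constructed sample traces (one list of API names per application run).
MALICIOUS = [
    ["getDeviceId", "openConnection", "write",
     "getDeviceId", "openConnection", "write"],
    ["onCreate", "getDeviceId", "openConnection", "write"],
    ["query", "sendTextMessage", "getDeviceId", "openConnection", "write"],
]
BENIGN = [
    ["onCreate", "setContentView", "openConnection", "read"],
    ["onCreate", "getDeviceId", "setContentView"],
    ["onCreate", "openConnection", "write", "close"],
]

if __name__ == "__main__":
    print(specific_paths(MALICIOUS, BENIGN))
```

The selected paths can then be encoded as binary features (present or absent per application) for whichever classifier is being evaluated.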