
Research On Classification Of Android Malware Family Based On Knowledge Graph

Posted on: 2022-02-28
Degree: Master
Type: Thesis
Country: China
Candidate: D Y Ma
GTID: 2568307034473214
Subject: Computer Science and Technology

Abstract/Summary:
With the popularization of smart terminal devices, various types of Android phones have gradually penetrated into people's daily work and study. While these devices make people's lives more convenient, the growth rate of Android malware has also shown a clear upward trend. Such rapid growth has brought huge challenges to malware analysis. To cope with this severe growth trend, newly acquired malware is often first classified into groups with similar functions, and then further research is carried out. This thesis therefore analyzes and studies the classification of Android malware.

First, to address the problem of selecting static features of Android malware in classification tasks, this thesis proposes a malicious feature selection method based on knowledge graphs. The method organizes the information in the official Android API documentation to construct an API knowledge graph, which ensures the availability of the APIs and gives the API documentation a more structured form. It then starts from Android dangerous permissions to filter suitable features. Compared with expert-based and statistics-based methods, this method attempts to free malware feature selection from its dependence on expert knowledge and data sets, in pursuit of better flexibility and stability. Second, based on a Siamese network, this thesis calculates the semantic similarity between the function descriptions of different APIs to further improve the graph and to screen out more suitable APIs as features. Furthermore, to verify the effect of the selected features, a large number of family classification experiments were carried out on three well-known Android malware data sets (GENOME, Drebin, AMD) to prove their usability from a practical point of view.

Finally, to address the problem of unbalanced sample distribution in malware data sets, this thesis adds a small-sample learning method on top of the preceding work, and designs and implements a tool that automates the classification of Android malware families and improves the efficiency of malware classification tasks. The results of a large number of classification experiments show that the proposed malware feature selection architecture and classification method characterize Android malware well and achieve excellent classification results on three large data sets (an F1 value of 0.960 on GENOME, 0.931 on Drebin, and 0.984 on AMD). The work also provides a useful reference for combining Android malware research with knowledge graphs.
Keywords/Search Tags: Android Malware Family, Knowledge Graph, Machine Learning, Feature Selection, Semantic Similarity