Interpretable Automatic Detection of Android Malware Based on Graph Embedding

The geometric growth of Android malware has driven the development of Android malware detection. Some work analyzed Android malware from the perspective of interpretability, and obtained the characteristics of the greatest impact through analyzing the model, which provided certain interpretability for the deep learning model. These methods, based on the strong assumption that features are independent of each other, only consider the influence of features on the model, while in practice there is always coupling between features. Considering only the influence of a single feature on the model, it is difficult to reflect the coupling effect and cannot describe the combination pattern of sensitive API in different types of software. To solve this problem, Android software is depicted as a graph, and combining the structure information of the graph and the information inside the graph node, a method based on graph embedding is proposed to detect Android malware. This method learns the low dimensional dense embedded representation of Android software through the attention mechanism. Experimental results show that using the learned embedded representation for malware detection not only has a higher classification accuracy, but also can find the patterns affecting model decision-making and locate the sensitive API sequences involved in malicious behavior by analyzing the path with a large attention score. © 2024 Journal of Computer Engineering and Applications Beijing Co., Ltd.; Science Press. All rights reserved.