Convolutional Neural Network / Android Malware

This work would not have been possible without the valuable dataset offered by Security Research Lab. Cheetah Mobile, Leopard Mobile and Android apps CM Security Master (CM Security)With our approach, first we extract theAndroid Apps and transform it to a fixed-sized encoded rgb image (we haven't extract anymore feature from these Android Apps, and which is our the biggest difference with the tranditional feature engineering's machine learning algorithm)

TonTon Huang*, Chia-Mu Yu, and Hung-Yu Kao, R2-D2: ColoR-inspired Convolutional NeuRal Network (CNN)-based AndroiD Malware Detections, arXiv:1705.04448v1

Convolutional Neural Network / Deceptive AdvertisingDeep Neural Network / Phone ScamsDeep Neural Network / Notification Wars: The Tenderness Awakens

R2-D2: ColoR-inspired Convolutional NeuRal Network (CNN)-based AndroiD Malware Detections

TonTon Huang*
C.-M. Yu, and H.-Y. Kao
Security Research Lab., Cheetah Mobile Inc*, 
National Chung Hsing University, 
National Cheng Kung University*
TonTon (at) TWMAN.ORG*


Machine Learning (ML) has found it particularly useful in malware detection. However, as the malware evolves very fast, the stability of the feature extracted from malware serves as a critical issue in malware detection. The recent success of deep learning in image recognition, natural language processing, and machine translation indicates a potential solution for stabilizing the malware detection effectiveness. In this research, we haven't extract selected any features (e.g., the control-flow of op-code, classes, methods of functions and the timing they are invoked etc.) from Android apps. We develop our own method for translating Android apps into rgb color code and transform them to a fixed-sized encoded image. After that, the encoded image is fed to convolutional neural network (CNN) for automatic feature extraction and learning, reducing the expert's intervention. Deep learning usually involves a large number of parameters that cannot be learned from only a small dataset. In this way, we currently have collected 1500k Android apps samples, have run our system over these 800k malware samples (benign and malicious samples are roughly equal-sized), and also through our back-end (60 million monthly active users and 10k new malware samples per day), we can effectively detect the malware. We believe that our methodology and the corresponding use of deep learning malware classification can overcome the weakness, and computational cost of the common static/dynamic analysis process or machine learning-based of Android malware detection approach.

Smartphones have gained widespread popularing worldwide, among them. Android is the most commonly used operating system (OS), and is still expanding as ferritory. International Data Corporation (IDC) 2016 Q3 smartphones OS marketshare reports 86.8% of smartphones are Android phones, indicating a steady growth market share, compared to 84.3% of marketshare in 2015 Q2 (see Figure 1) [1] . Android is featured by its openness; users can choose to downloads apps from Google Play and third-party marketplace. However due to the popularing and openness, Android has attracted the attacker's attention. In purticalar malicious software (malware) can easily spread and infect benign devises. Security Report 2015/16 of AV-TEST Intitute reports that while the number of malware is increased from 17 millions in 2005 to over 600 millions in 2016, the percentage of Android malware has a significant increase from 3.19% in 2015 to 7.48% in 2016Q2. Among them, Trojans targeting at stealing user data occupy 97.49%. We can also find that Android malware has dominating percetange, 99.87% on the number of malware on mobile platform [2].

Figure 2 shows the statistic collected from our back-end system during January 2017., where for countries such as US, UK, France, etc., more than 50000 users are infected everyday. Moreover, from our experience, the number of Android malware is sharply increased from 1000000 in 2012 to 2.8 million in 2014.  Due to the serious security problem caused by Android malware, we propose, color-inspired convolutional neural networks (CNN)-based Android malware detection, R2-D2, to detect Android malware. Different from the existing solution, our propose R2-D2 detection is featured by its end-to-end learning process. More specifically, in contrast to the prior solutions that require manual process of feature selection and parameter configuration, our proposed R2-D2 detection takes as input the training samples and outputs the malware detection model without the human interrelation.

We particularly note that the malware may have different rariants and mutations, depending on the factors such as the cellpone model, Android version, and the orographic regions. Thus Figure 2 shows the basis for our classification depending on malware family and malware behavior. Figure 3 shows the trend of different malware families particularly in China and India. Figure 4 shows the market shares for different cellphone models. Based on the above statistic, we can confirm that even the same malware family will exhibit different behaviours in different geographic regions.

Figure 1 / Figure 2

Figure 3 / Figure 4

As mentioned above, the majority of the malware detection still relies on the state analysis of source code and the dynamic analysis through monitoring the execution of malware. However, these approaches are known to have better detection accuracy for the same family of malware only. In reality, Android malware has dramatically growth in numbers and mutates with fast speed and with various anti-analysis techniques. All of these characteristics make the accurate detection extremely difficult. Thus, we attempt to find out the hidden relationship between the program execution logic and the order of function calls behind the malware by taking advantauge of the deep learning in order to accurately detect known and even unknown malware.

In fact, a huge amount of human labor will instead perform feature engineering and model before the detection model built. To ease the model training, we adopt deep learning to construct an end-to-end learning-based Android malware detection, which is termed as R2-D2 (R2-D2: ColoR-inspired Convolutional NeuRal Network (CNN)-based AndroiD Malware Detections). Figure 5 is our system architecture. 

Figure 5
    Our proposed R2-D2 possesses the following advantages:
  • R2-D2 translates the Android apps, into RGB color images, without modifying the original Android apps and without extracting features from apps. Finally, we will reach a color image (show as follow), and the images are feed to CNN.
  • In our experiments, only 0.4 seconds suffice to translate an apps into a color image, such translation is also featured by the fact that more information in apps can be preserved in the color image compared to the grayscale image.
  • Though the fully connected layer of DNN can be used to handle the fast mutation, the CNN in R2-D2 (see Fig. 6)  actually is more suitable for capturing the malware, because of its features such as local receptive fields and shared weights that can not only significantly reduce the number of model parameters nut also represent the complex structure of Android malware.

Figure 6 / Figure 7

Figure 8

Based on our collected data, we evaluate the detection accuracy and performance with different model optimization techniques. Note that the model optimization techniques are stochastic gradient descent (SGD), Nesterov Accelerated Gradient (NAG), AdaDelta and AdaGrad. From our experiment, we find that SGD is best suitable for our use. In particular, it results in the sharpest increase in accuracy and sharpest decrease in loss. At the end, we reach 98.4225% and 97.7081% accuracy (see Figure 9, Figure 10, Figure 11 and Figure 12).

Figure 9 / Figure 10

 Google Play Sample Analysis Results | VirusTotal Benign Sample Analysis Results | CM Security Benign Sample Analysis Results

 Google Play Sample Analysis Results | VirusTotal Malware Sample Analysis Results | CM Security Malware Sample Analysis Results


Figure 11 / Figure 12

The evaluation metrics in our experiment include True Positive (TP), False Positive (FP), False Negative (FN), True Negative (TN), Accucarcy (Acc), Precision (Prec), Recall (Detection Rate, DR), False Positive Rate (FPR) and F1-score (F-measure). The  evaluation results are shown in Figure 13. 

Figure 13