DCEL: classifier fusion model for Android malware detection

doi:10.23919/JSEE.2024.000018

Journal of Systems Engineering and Electronics ›› 2024, Vol. 35 ›› Issue (1): 163-177.doi: 10.23919/JSEE.2024.000018

• SYSTEMS ENGINEERING • Previous Articles

DCEL: classifier fusion model for Android malware detection

Xiaolong XU¹^,*(), Shuai JIANG²(), Jinbo ZHAO²(), Xinheng WANG³()

¹ Jiangsu Key Laboratory of Big Data Security & Intelligent Processing, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
² School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210023, China
³ School of Computing and Engineering, University of West London, London W5 5RF, UK

Received:2021-12-16 Online:2024-02-18 Published:2024-03-05
Contact: Xiaolong XU E-mail:xuxl@njupt.edu.cn;1018041226@njupt.edu.cn;2021070705@njupt.edu.cn;xinheng.wang@uwl.ac.uk
About author:
XU Xiaolong was born in 1977. He received his B.S. degree in computer and its applications, M.S. degree in computer software and theories and Ph.D. degree in communications and information systems at Nanjing University of Posts & Telecommunications, Nanjing, China, in 1999, 2002 and 2008, respectively. He worked as a postdoctoral researcher at Station of Electronic Science and Technology, Nanjing University of Posts & Telecommunications from 2011 to 2013. He is currently a professor in College of Computer, Nanjing University of Posts & Telecommunications. His current research interests include cloud computing and big data and information security. E-mail: xuxl@njupt.edu.cn

JIANG Shuai was born in 1995. He received his B.E. degree in computer science and technology from Nanjing University of Posts and Telecommunications, Nanjing, China, in 2018. He is currently working as a researcher for Jiangsu Key Laboratory of Big Data Security & Intelligent Processing, Nanjing, China. His research interests include big data mining and information security. E-mail: 1018041226@njupt.edu.cn

ZHAO Jinbo was born in 1999. He received his B.E. degree in Internet of Things engineering from Nanjing University of Posts and Telecommunications, Nanjing, China, in 2021. He is currently working for his Ph.D. degree in information network at Nanjing University of Posts and Telecommunications. His research interests include artificial intelligence and its application. E-mail: 2021070705@njupt.edu.cn

WANG Xinheng was born in 1968. He received his B.E. and M.S. degrees in electrical engineering from Xi’an Jiaotong University, Xi’an, China, in 1991 and 1994, respectively, and Ph.D. degree in computing and electronics from Brunel University, Uxbridge, U.K., in 2001. He is currently a professor of networks with the School of Computing and Engineering, University of West London, London, U.K. His current research interests include wireless networks, Internet of Things, converged indoor positioning, cloud computing, and applications of wireless and computing technologies for health care. E-mail: xinheng.wang@uwl.ac.uk
Supported by:
This work was supported by the National Natural Science Foundation of China (62072255).

Abstract

Abstract:

The rapid growth of mobile applications, the popularity of the Android system and its openness have attracted many hackers and even criminals, who are creating lots of Android malware. However, the current methods of Android malware detection need a lot of time in the feature engineering phase. Furthermore, these models have the defects of low detection rate, high complexity, and poor practicability, etc. We analyze the Android malware samples, and the distribution of malware and benign software in application programming interface (API) calls, permissions, and other attributes. We classify the software’s threat levels based on the correlation of features. Then, we propose deep neural networks and convolutional neural networks with ensemble learning (DCEL), a new classifier fusion model for Android malware detection. First, DCEL preprocesses the malware data to remove redundant data, and converts the one-dimensional data into a two-dimensional gray image. Then, the ensemble learning approach is used to combine the deep neural network with the convolutional neural network, and the final classification results are obtained by voting on the prediction of each single classifier. Experiments based on the Drebin and Malgenome datasets show that compared with current state-of-art models, the proposed DCEL has a higher detection rate, higher recall rate, and lower computational cost.

Key words: Android malware detection, deep learning, ensemble learning, model fusion

Xiaolong XU, Shuai JIANG, Jinbo ZHAO, Xinheng WANG. DCEL: classifier fusion model for Android malware detection[J]. Journal of Systems Engineering and Electronics, 2024, 35(1): 163-177.

Figures/Tables 22

Fig 1

Table 1

Table 2

Fig 2

Fig 3

Fig 4

Table 3

Table 4

Table 5

Table 6

Fig 5

Fig 6

Table 7

Table 8

Fig 7

Fig 8

Fig 9

Fig 10

Fig 11

Table 9

Fig 12

Table 10

References 31

1	AJMA B, ADDAB C Research-supported mobile applications and internet-based technologies to mediate the psychological effects of infertility: a review. Reproductive BioMedicine Online, 2021, 42 (3): 679- 685. doi: 10.1016/j.rbmo.2020.12.004
2	ZHANG T, BAI Y, SONG M Y, et al Research on test methods for AI industrial application capabilities of smart mobile terminals. Journal of Computer and Communications, 2021, 9 (12): 106- 115.
3	IDC. Smartphone market share. https://www.idc.com/promo/smartphone-market-share/os.
4	WANG H Y, LIU Z, LIANG J Y, et al. Beyond google play: a large-scale comparative study of chinese Android app markets. Proc. of the Internet Measurement Conference, 2018: 293−307.
5	360 Lab. 2019 Android malware annual report. http://zt.360.cn/1101061855.php?dtid=1101062360&did=211012248.
6	CEN L, GATES C S, SI L, et al A probabilistic discriminative model for Android malware detection with decompiled source code. IEEE Trans. on Dependable and Secure Computing, 2015, 12 (4): 400- 412. doi: 10.1109/TDSC.2014.2355839
7	KOUMARAS H, MAKROPOULOS G, BATISTATOS M, et al 5G-enabled UAVs with command and control software component at the edge for supporting energy efficient opportunistic networks. Energies, 2021, 14 (5): 1480. doi: 10.3390/en14051480
8	ELAYAN O N, MUSTAFA A M Android malware detection using deep learning. Procedia Computer Science, 2021, 184 (2): 847- 852.
9	BAKOUR K, UNVER H M DeepVisDroid: Android malware detection by hybridizing image-based features with deep learning techniques. Neural Computing and Applications, 2021, 33, 11499- 11516.
10	KHARIWAL K, GUPTA R, SINGH J, et al R-MFdroid: Android malware detection using ranked manifest file components. International Journal of Innovative Technology and Exploring Engineering, 2021, 10 (7): 55- 64. doi: 10.35940/ijitee.G8951.0510721
11	ONWUZURIKE L, MARICONTI E, ANDRIOTIS P, et al MaMaDroid: detecting Android malware by building Markov chains of behavioral models. ACM Transactions on Privacy and Security, 2019, 22 (2): 1- 34.
12	MARIN G, CASAS P, CAPDEHOURAT G. Deep in the dark-deep learning-based malware traffic detection without expert knowledge. Proc. of the IEEE Security and Privacy Workshops, 2019: 36−42.
13	YERIMA S Y, SEZER S Droidfusion: a novel multilevel classifier fusion approach for Android malware detection. IEEE Trans. on Systems, Man, and Cybernetics, 2019, 49 (2): 453- 466.
14	ARP D , SPREITZENBARTH M , HUBNER M, et al. Drebin: effective and explainable detection of Android malware in your pocket. Proc. of the Network and Distributed System Security Symposium, 2014: 23−26.
15	ZHOU Y J, JIANG X X Dissecting android malware: characterization and evolution. Proc. of the IEEE Symposium on Security and Privacy, 2012, 95- 109.
16	YAO H, WANG Y, YANG Y X Range estimation of few-shot underwater sound source in shallow water based on transfer learning and residual CNN. Journal of Systems Engineering and Electronics, 2023, 34 (4): 839- 850.
17	KULEVOME D K B, WANG H, WANG X G Deep neural network based classification of rolling element bearings and health degradation through comprehensive vibration signal analysis. Journal of Systems Engineering and Electronics, 2022, 33 (1): 233- 246.
18	LIU X Y, WENG J, ZHANG Y, et al Android malicious application detection based on APK signature information feedback. Journal of Communications, 2017, 38 (5): 190- 198.
19	ZHENG M, SUN M S, LUI J C S. DroidAnalytics: a signature based analytic system to collect, extract, analyze and associate android malware. Proc. of the 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, 2013: 163−171.
20	YAN Y Research on Android malware detection based on permission correlation. Science & Technology, Economy, Market, 2017, (9): 10- 11.
21	SATO R, CHIBA D, GOTO S. Detecting Android malware by analyzing manifest files. Proceedings of the Asia Pacific Advanced Network, 2013, 36: 23−31.
22	DU Y, WANG J F, LI Q An Android malware detection approach using community structures of weighted function call graphs. IEEE Access, 2017, 5, 17478- 17486. doi: 10.1109/ACCESS.2017.2720160
23	ZHANG J X, QIN Z, ZHANG K H, et al Dalvik opcode graph based Android malware variants detection using global topology features. IEEE Access, 2018, 6, 51964- 51974. doi: 10.1109/ACCESS.2018.2870534
24	BURGUERA I, ZURUTUZA U, NADJM-TEHRANI S. Crowdroid: behavior-based malware detection system for android. Proc. of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile devices, 2011: 15−26.
25	SINGH A K, WADHWA G, AHUJA M, et al Android malware detection using LSI-based reduced opcode feature vector. Procedia Computer Science, 2020, 173, 291- 298. doi: 10.1016/j.procs.2020.06.034
26	ROY A, JAS D S, JAGGI G, et al Android malware detection based on vulnerable feature aggregation. Procedia Computer Science, 2020, 173, 345- 353. doi: 10.1016/j.procs.2020.06.040
27	UNVER H M, BAKOUR K Android malware detection based on image-based features and machine learning techniques. SN Applied Sciences, 2020, 2, 1299.
28	COPTY F, DANOS M, EDELSTEIN O, et al. Accurate malware detection by extreme abstraction. Proc. of the 34th Annual Computer Security Applications Conference, 2018: 101−111.
29	MACHIRY A, REDINI N, GUSTAFSON E, et al. Using loops for malware classification resilient to feature-unaware perturbations. Proc. of the 34th Annual Computer Security Applications Conference, 2018: 112−123.
30	KIM T G, KANG B J, RHO M, et al A multimodal deep learning method for android malware detection using various features. IEEE Trans. on Information Forensics and Security, 2019, 14 (3): 773- 788. doi: 10.1109/TIFS.2018.2866319
31	GUO F H, XU B W, ZHANG W A Training deep neural network for optimal power allocation in islanded microgrid systems: a distributed learning-based approach. IEEE Trans. on Neural Networks and Learning Systems, 2022, 33 (5): 2057- 2069.

Static characteristics	Category
SEND_SMS	Manifest permission
READ_PHONE_STATE	Manifest permission
Ljava.net.URLDecoder	API call signature
Android.content.pm.Signature	API call signature
Android.intent.action.PACKAGE_REPLACED	Intent
Android.intent.action.SEND_MULTIPLE	Intent
remount	Commands signature
/system/app	Commands signature

Malware threat level	Threat level	Related attribute
High risk	A	Transact,onServiceConnected,bindService,SEND_SMS,READ_PHONE_STATE,···
Danger	B	WRITE_HISTORY_BOOKMARKS,TelephonyManager.getSubscriberId,WRITE_SYNC_SETTINGS,···
Slight danger	C	READ_CALL_LOG,Android.intent.action.PACKAGE_ADDED,ACCESS_NETWORK_STATE,···
Ordinary	D	TelephonyManager.getNetworkOperator,Android.intent.action.SENDTO,SET_ALARM,···
Safety	E	ACCESS_SURFACE_FLINGER,Android.intent.action.ACTION_POWER_CONNECTED,···

Layer(type)	Output shape	Parameter
Conv2d_3(Conv2D)	(None, 12, 12, 32)	320
Max_pooling2d_3(MaxPooling2D)	(None, 6, 6, 32)	0
Conv2d_4(Conv2D)	(None, 4, 4, 64)	18496
Max_pooling2d_4(MaxPooling2D)	(None, 2, 2, 64)	0
Flatten_2(Flatten)	(None, 256)	0
Dense_3(Dense)	(None, 512)	131584
Dense_4(Dense)	(None, 1)	513

Hardware environment	Software environment
CPU 2.11GHz Intel Core i5 GPU NVIDIA GeForce MX250 RAM 16GB 2667Mhz DDR4	OS Windows 10 Python 3.6.4 Pytorch 1.4.0 Sklearn 0.19.1 Pandas 0.22.0 Numpy 1.14.2

Parameter	Malgenome-215	Drebin-215
Number of malware	1260	5560
Number of benign	2539	9476
Total number	3799	15036
Number of features	215	215

DCEL: classifier fusion model for Android malware detection

RichHTML

PDF (PC)

Knowledge

Abstract

Cite this article

Share this article

Figures/Tables 22

References 31

Related Articles 12

Recommended Articles

Metrics

Comments

Type and number of features	Feature
Manifest Permission(113)	SEND_SMS, READ_SMS, RECEIVE_SMS, READ_PHONE_STATE, WRITE_SMS, ···
API call signature(73)	Transact, onServiceConnected, bindService, attachInterface, Ljava.lang.Class.getField, ···
Intent(23)	Android.intent.action.BOOT_COMPLETED, Android.intent.action.SEND_MULTIPLE, ···
Commands signature(6)	Remount, chown, /system/bin, /system/app, ···

Algorithm	Accuracy	Error rate	Recall rate	Precision	F-measure	AUC	Time/s
K-means	0.716994	0.283006	0.915674	0.568259	0.701299	0.759768	0.06
DT	0.979381	0.020619	0.983820	0.983820	0.983820	0.977703	0.03
LR	0.979049	0.020951	0.985908	0.981299	0.983598	0.976455	0.02
SVM	0.977719	0.022281	0.983299	0.981761	0.982529	0.975609	0.03
Gaussian NB	0.708015	0.291985	0.552192	0.981447	0.706747	0.766930	0.1
AdaBoost	0.963086	0.036914	0.977557	0.964967	0.971221	0.957615	0.23
RF	0.983705	0.016295	0.971586	0.983302	0.977409	0.981096	0.31
DroidFusion[13]	0.984	0.016	0.984	0.992	0.988	None	None
DCEL	0.990772	0.009228	0.991127	0.989578	0.990352	0.995831	0.15

Malware threat level	Number of Manifest Permission	Number of API call signature	Number of Intent	Number of commands signature
A	11	31	1	0
B	17	17	3	2
C	25	12	4	2
D	27	10	5	2
E	33	3	10	0

[1]	Yuyuan ZHANG, Wenjun YAN, Limin ZHANG, Qing LING. FOLMS-AMDCNet: an automatic recognition scheme for multiple-antenna OFDM systems [J]. Journal of Systems Engineering and Electronics, 2023, 34(2): 307-323.
[2]	Wei FENG, Yijun LONG, Shuo WANG, Yinghui QUAN. A review of addressing class noise problems of remote sensing classification [J]. Journal of Systems Engineering and Electronics, 2023, 34(1): 36-46.
[3]	Siting LYU, Xiaohui LI, Tao FAN, Jiawen LIU, Mingli SHI. Deep learning for fast channel estimation in millimeter-wave MIMO systems [J]. Journal of Systems Engineering and Electronics, 2022, 33(6): 1088-1095.
[4]	Haifen YANG, Hao ZHANG, Houjun WANG, Zhengyang GUO. A novel approach for unlabeled samples in radiation source identification [J]. Journal of Systems Engineering and Electronics, 2022, 33(2): 354-359.
[5]	Tao YE, Zongyang ZHAO, Jun ZHANG, Xinghua CHAI, Fuqiang ZHOU. Low-altitude small-sized object detection using lightweight feature-enhanced convolutional neural network [J]. Journal of Systems Engineering and Electronics, 2021, 32(4): 841-853.
[6]	Zhao SUN, Chao MA, Liang WANG, Ran MENG, Shanshan PEI. A deep learning-based binocular perception system [J]. Journal of Systems Engineering and Electronics, 2021, 32(1): 7-20.
[7]	Hongyin SHI, Yue LIU, Jianwen GUO, Mingxin LIU. ISAR autofocus imaging algorithm for maneuvering targets based on deep learning and keystone transform [J]. Journal of Systems Engineering and Electronics, 2020, 31(6): 1178-1185.
[8]	Chuan LIN, Qing CHANG, Xianxu LI. Uplink NOMA signal transmission with convolutional neural networks approach [J]. Journal of Systems Engineering and Electronics, 2020, 31(5): 890-898.
[9]	Liangkui LIN, Shaoyou WANG, Zhongxing TANG. Using deep learning to detect small targets in infrared oversampling images [J]. Journal of Systems Engineering and Electronics, 2018, 29(5): 947-952.
[10]	Chongsheng Zhang, Pengyou Wang, Ke Chen, and Joni-Kristian K¨am¨ ar¨ainen. Identity-aware convolutional neural networks for facial expression recognition [J]. Systems Engineering and Electronics, 2017, 28(4): 784-.
[11]	Chang Tiantian, Liu Hongwei & Zhou Shuisheng. Large scale classification with local diversity AdaBoost SVM algorithm [J]. Journal of Systems Engineering and Electronics, 2009, 20(6): 1344-1350.
[12]	Fang Min. Novel ensemble learning based on multiple section distribution in distributed environment [J]. Journal of Systems Engineering and Electronics, 2008, 19(2): 377-380.

Algorithm	Accuracy	Error rate	Recall rate	Precision	F-measure	AUC
DNN1	0.987695	0.012305	0.989562	0.988530	0.989045	0.984698
DNN2	0.982042	0.017958	0.984821	0.967544	0.976106	0.986398
CNN	0.984037	0.015963	0.973660	0.982585	0.978102	0.992325
DECL	0.990772	0.009228	0.991127	0.989578	0.990352	0.995831

Algorithm	Accuracy	Error rate	Recall rate	Precision	F-measure	AUC	Time/s
DNN1	0.990789	0.009211	0.991379	0.978723	0.985011	0.999004	0.005
DNN2	0.989474	0.010526	0.984127	0.984127	0.984127	0.988126	0.011
CNN	0.988158	0.011842	0.978448	0.982684	0.980562	0.999339	0.028
DCEL	0.994737	0.005263	0.991379	0.991379	0.991379	0.999371	0.051