Android malware detection method based on operation code graph
By constructing an opcode graph and combining prior knowledge and word frequency features, an improved DGCNN model is used to detect Android malware, solving the problem of poor detection performance in existing technologies and achieving efficient malware identification.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- NANJING UNIV OF SCI & TECH
- Filing Date
- 2020-10-15
- Publication Date
- 2026-06-09
AI Technical Summary
Existing technologies struggle to effectively detect Android malware by directly analyzing opcode sequences, especially when faced with code obfuscation and repackaging, and they also consume significant computational resources.
An opcode graph is constructed. By combining prior knowledge features and word frequency features of opcode instructions, the edge weights of the opcode graph are generated using a 2-gram model. An improved DGCNN model is used for detection. Features are extracted through graph convolutional layers and sorting pooling layers. Finally, a multilayer perceptron is used for classification.
It achieves high accuracy in detecting Android malware, reaching 91.97% accuracy, 92.08% precision, and 91.97% recall, thus improving the robustness and efficiency of detection.
Smart Images

Figure CN114372266B_ABST
Abstract
Description
Technical Field
[0001] This invention belongs to the field of mobile platform information security, and specifically a method for detecting Android malware based on opcode graphs. Background Technology
[0002] Currently, malware detection methods on the Android platform are mainly divided into static analysis and dynamic analysis. Static analysis analyzes the application's own data without running the application. Static analysis typically extracts and analyzes signatures, permission requests, application programming interface (API) calls, opcode sequences, and control flow within the application. In dynamic analysis, a given Android application is executed in a virtual environment, such as a virtual machine or sandbox, to simulate how it actually runs on the device, and the running process or dynamic data within that process is analyzed. Common dynamic analysis methods include dynamic staining analysis and network traffic analysis. Static analysis is simple and fast, and does not require an additional virtual environment, making it suitable for rapid detection of a large number of applications, but it is susceptible to techniques such as code obfuscation. Dynamic analysis can effectively resist techniques such as repackaging and code obfuscation, but it also requires a virtual environment to simulate the actual execution of the application and consumes significant computational resources during the analysis process. Opcode sequences are extracted from the application's decompiled files, and these sequences are typically very long. Although the opcode dimension of malware is smaller than that of public samples of benign software, it is difficult to obtain very good results by directly analyzing and studying opcode sequences using current mainstream machine learning and deep learning methods. Therefore, static analysis of malware based on opcode sequences remains a challenging problem. Summary of the Invention
[0003] The purpose of this invention is to provide an Android malware detection method based on opcode graphs.
[0004] The technical solution to achieve the purpose of this invention is: an Android malware detection method based on opcode graphs, comprising the following steps:
[0005] Step 1: Construct the application dataset: Download benign applications from the Android platform to form a benign software set, and download malicious applications to form a malicious software set, thereby constructing the application dataset used in the experiment;
[0006] Step 2: Extract the opcode sequence: Use the decompilation tool apktool to decompile the Android application software and extract the opcode sequence from the disassembled file smail;
[0007] Step 3, Opcode Feature Vectorization: Construct an initial opcode feature vector using the prior knowledge features of the opcode instruction itself; then combine it with the word frequency features of the opcode in the benign sample dataset and the malicious sample dataset to construct the final opcode node feature vector;
[0008] Step 4: Construct the opcode graph: Take each non-repeating opcode in the opcode sequence of each sample as a node in the opcode graph, and use the 2-gram model and opcode sequence pairs to construct the edges of the opcode graph, where the weight of the edge is the counting probability of the corresponding 2-gram opcode pair.
[0009] Step 5: Application detection: Using the constructed opcode graph as input, the improved DGCNN model is used for learning to obtain the detection result of the application software: benign or malicious.
[0010] Compared with existing technologies, the significant advantages of this invention are: 1) It combines the prior knowledge features of the opcode instruction itself with the word frequency features of the opcode in benign and malicious sample datasets to construct the feature vector of the opcode node, which combines the characteristics of the opcode itself and provides a better vectorized representation of the opcode; 2) It uses the association counting probability as the edge weight to improve the robustness of the opcode graph; 3) It constructs the opcode graph and uses the improved DGCNN model to detect Android malware, obtaining better detection results. Attached Figure Description
[0011] Figure 1 This is a flowchart of the Android malware detection method based on opcode graphs according to the present invention.
[0012] Figure 2 This is a schematic diagram illustrating the construction of the opcode feature vector of the present invention.
[0013] Figure 3 This is a schematic diagram of the construction of the opcode graph adjacency matrix of the present invention. Detailed Implementation
[0014] The present invention will now be described in further detail with reference to the accompanying drawings and embodiments.
[0015] Combination Figure 1 The present invention provides an Android malware detection method based on opcode graphs, comprising the following steps:
[0016] Step 1: Construct the application dataset: Download benign applications from the Xiaomi App Store to form a benign software collection, and download malicious applications from the malware collection website virusshare.com to form a malware collection, thereby constructing the application dataset used in the experiment;
[0017] Step 2: Extract the opcode sequence: Use the decompilation tool apktool to decompile the Android application software and extract the opcode sequence from the disassembled file smail;
[0018] Step 3, Opcode Feature Vectorization: Construct an initial opcode feature vector using the prior knowledge features of the opcode instruction itself; then combine it with the word frequency features of the opcode in the benign sample dataset and the malicious sample dataset to construct the final opcode node feature vector;
[0019] Step 4: Construct the opcode graph: Take each non-repeating opcode in the opcode sequence of each sample as a node in the opcode graph, and use the 2-gram model and opcode sequence pairs to construct the edges of the opcode graph, where the weight of the edge is the counting probability of the corresponding 2-gram opcode pair.
[0020] Step 5, Application Detection: Using the constructed opcode graph as input, the improved Deep Graph Convolutional Neural Network (DGCNN) model is used for learning to obtain the detection result of the application software: benign or malicious.
[0021] Furthermore, in one embodiment, step 3 utilizes the prior knowledge features of the opcode instruction itself to construct an initial opcode feature vector; then, it is combined with the word frequency features of the opcode in the benign sample dataset and the malicious sample dataset to construct the final opcode node feature vector, specifically:
[0022] Step 3-1: Analyze the 218 opcodes defined in the Dalvik virtual machine. Based on their operation functions, the opcodes are divided into 14 types: move instructions, return instructions, constant instructions, monitor instructions, object operation instructions, value operation instructions, jump instructions, comparison instructions, domain operation instructions, call instructions, data conversion instructions, data operation instructions, and other instructions. Each opcode represents a specific instruction behavior.
[0023] Table 1. Operation Code Feature Information Table
[0024]
[0025] Step 3-1: Analyze the 218 opcodes defined in the Dalvik virtual machine and classify them into 14 types according to their operation functions: move instructions, return instructions, constant instructions, monitor instructions, object operation instructions, value operation instructions, jump instructions, comparison instructions, domain operation instructions, call instructions, data conversion instructions, data operation instructions, and other instructions.
[0026] Step 3-2: Analyze the data type suffixes of the opcode instructions and compile 44 different opcode data type suffixes;
[0027] Step 3-3: Through the analysis of all opcode instructions, 10 unambiguous opcode definitions are summarized;
[0028] Steps 3-4: Combine the 14 operation functions, 44 data type suffixes, and 10 disambiguation opcode definitions into a 68-dimensional opcode feature vector; if the opcode contains a feature of a certain bit, set that bit to 1; otherwise, set it to 0, thus constructing the initial opcode feature vector; the constructed initial opcode instruction feature vector is as follows: Figure 2 As shown:
[0029] Steps 3-5: Calculate the word frequency of each opcode in benign and malicious samples:
[0030]
[0031] Among them, tf op,c n represents the frequency of a single opcode in the set of opcodes for class c applications. op,c ∑n represents the count of a single opcode in the set of opcodes of type c. ops,c This is the total count of all opcodes in the set of opcodes of type c.
[0032] Steps 3-6: Multiply the initial opcode feature vector by the word frequency features of the opcode in both the benign and malicious sample datasets to construct the final opcode node feature vector.
[0033] x opcode =tf op,c ·x op_ins
[0034] Where, x opcode For the final feature vector representation of a single opcode, x op_ins This refers to the initial opcode feature vector constructed based on prior knowledge of the opcode as described in steps 3-4.
[0035] Furthermore, in one embodiment, the step 4 of establishing the opcode diagram based on the opcode sequence specifically involves:
[0036] Step 4-1: Define the opcode diagram G op =(V op E op V op ={v1,v2,......,v n} is a set of nodes, E opLet be a set of edges; each opcode represents a Dalvik opcode in the opcode sequence, and each edge in the edge set represents a relationship between two nodes, and the edges are directed; edges Represents node v i In front, on the side This represents node v. j to node v i ;
[0037] Step 4-2: Construct the opcode adjacency matrix, where each non-zero element represents an edge in the graph; use a 2-gram model to generate opcode pairs from the opcode sequence, where each opcode pair represents an edge between nodes; count the opcode pairs in each file and use the count as the initial weight of the edge between opcodes to construct the initial opcode adjacency matrix.
[0038] Step 4-3: Using row normalization, calculate the association count probability to generate new edge weights, and construct the final opcode adjacency matrix; the final opcode adjacency matrix is as follows. Figure 3 As shown:
[0039] Furthermore, in one embodiment, step 5 involves detecting the application based on the improved Deep Graph Convolutional Neural Network (DGCNN) model, specifically as follows:
[0040] 1) Graph convolutional layers update the representation of their own nodes by aggregating the representations of their neighbors:
[0041]
[0042] Among them, H i H is the feature matrix of the input nodes. i+1 W is the node feature matrix output by the i-th layer. i For the convolution kernel of the i-th layer, It is an adjacency matrix. Let f be the degree matrix of the adjacency matrix, and f be the nonlinear activation function.
[0043] Ignoring the self-loops in the opcode graph itself, add self-loops to all vertices and redefine the adjacency matrix of the graph:
[0044]
[0045] degree matrix of adjacency matrix The matrix is normalized by incorporating structural information, and a nonlinear activation function f is applied to the graph convolutional layer to obtain the final output.
[0046] 2) The sorting pooling layer predicts the entire graph by sorting the feature descriptors of the nodes. This layer uses the WL color of the last graph convolutional layer, which defines a graph topology-based sorting to rank the nodes. Nodes with similar graph structures in two graphs will be represented in the same position. The sorting pooling layer addresses the issue of different numbers of nodes in the graph data by outputting graph data matrices of the same size.
[0047] 3) Directly use a Multilayer Perceptron (MLP) for classification. This MLP classifier consists of four fully connected layers and one softmax layer. The activation function of the four fully connected layers is the ReLU function, and each ReLU function is followed by a dropout layer.
[0048] By utilizing the opcode graph constructed above and inputting these features into an improved depth graph convolutional network for learning, an Android malware detection model based on the opcode graph is generated.
[0049] In summary, this invention utilizes opcode diagrams to characterize Android application software and leverages prior knowledge of opcodes and word frequency features to vectorize opcode features, achieving the following results in Android malware detection: accuracy 91.97%, precision 92.08%, recall 91.97%, and F1 91.96%.
Claims
1. A method for detecting Android malware based on opcode graphs, characterized in that, Includes the following steps: Step 1: Construct the application dataset: Download benign applications from the Android platform to form a benign software set, and download malicious applications to form a malicious software set, thereby constructing the application dataset used in the experiment; Step 2: Extract the opcode sequence: Use the decompilation tool apktool to decompile the Android application software and extract the opcode sequence from the disassembled file smail; Step 3, Opcode Feature Vectorization: Construct an initial opcode feature vector using the prior knowledge features of the opcode itself; then combine it with the word frequency features of the opcode in the benign sample dataset and the malicious sample dataset to construct the final opcode node feature vector; Specifically: Step 3-1: Analyze the 218 opcodes defined in the Dalvik virtual machine and classify them into 13 types according to their operation functions: move instructions, return instructions, constant instructions, monitor instructions, object operation instructions, value operation instructions, jump instructions, comparison instructions, domain operation instructions, call instructions, data conversion instructions, data operation instructions, and other instructions. Step 3-2: Analyze the data type suffixes of the opcodes and compile 44 different opcode data type suffixes; Step 3-3: Through the analysis of all opcodes, 10 unambiguous opcode definitions are summarized; Steps 3-4: Combine the 13 operation functions, 44 data type suffixes, and 10 disambiguation opcode definitions into a 68-dimensional opcode feature vector; if the opcode contains bit features, set that bit to 1, otherwise set it to 0, thus constructing the initial opcode feature vector; Steps 3-5: Calculate the word frequency of each opcode in benign and malicious samples: ; in, The frequency of a single opcode within the set of opcodes for class C applications. This represents the count of a single opcode in the set of opcodes of type c. This is the total count of all opcodes in the set of opcodes of type c. Steps 3-6: Multiply the initial opcode feature vector by the word frequency features of the opcode in both the benign and malicious sample datasets to construct the final opcode node feature vector. ; in, The final feature vector representation of a single opcode. The initial opcode feature vector is constructed based on the prior knowledge of the opcode in steps 3-4; Step 4: Construct the opcode graph: Treat each non-repeating opcode in the opcode sequence of each sample as a node in the opcode graph, and construct the edges of the opcode graph using a 2-gram model and opcode sequence pairs, where the weight of each edge is the counting probability of the corresponding 2-gram opcode pair; specifically: Step 4-1: Define the opcode diagram , For a set of nodes, Let be a set of edges; each opcode represents a Dalvik opcode in the opcode sequence, and each edge in the edge set represents a relationship between two nodes, and the edges are directed; edges Represents a node To the node ,side This represents a node. To the node ; Step 4-2: Construct the opcode adjacency matrix, where each non-zero element represents an edge in the graph; use a 2-gram model to generate opcode pairs from the opcode sequence, where each opcode pair represents an edge between nodes; count the opcode pairs in each file and use the count as the initial weight of the edge between opcodes to construct the initial opcode adjacency matrix. Step 4-3: Using row normalization, calculate the association count probability to generate new edge weights and construct the final opcode adjacency matrix; Step 5: Application detection: Using the constructed opcode graph as input, the improved DGCNN model is used for detection to obtain the detection result of the application software: benign or malicious.
2. The Android malware detection method based on opcode graphs according to claim 1, characterized in that, Step 2, which involves extracting the opcode sequence from the disassembled file smail, specifically includes: The sample's smail file is read line by line. The data segment between the .method field and the .end method field is selected. The opcode mapping table is used to match and filter out the opcodes in each line of the data segment, thus constructing the opcode sequence corresponding to the sample.
3. The Android malware detection method based on opcode graphs according to claim 1, characterized in that, Step 5, which involves using the improved DGCNN model for detection, specifically includes: 1) Graph convolutional layers update the representation of their own nodes by aggregating the representations of their neighbors, as shown in the following formula: ; in, It is the feature matrix of the input node. It is the node feature matrix output by the i-th layer. For the convolution kernel of the i-th layer, It is an adjacency matrix. Let be the degree matrix of the adjacency matrix. It is a non-linear activation function; Ignoring the self-loops in the opcode graph itself, add self-loops to all vertices and redefine the adjacency matrix of the graph: ; degree matrix of adjacency matrix Normalizing the matrix by incorporating structural information, and using a nonlinear activation function. The final output is obtained by applying it to a graph convolutional layer. 2) The sorting pool layer predicts the entire graph by sorting the feature descriptors of the nodes; this layer uses the WL color of the last graph convolutional layer, which defines a graph topology-based sorting to sort the nodes, and nodes with the same graph structure in two graphs will be represented in the same position. 3) Classification is performed using a multilayer perceptron (MLP), which consists of four fully connected layers and one softmax layer; the activation function of the four fully connected layers is the ReLU function, and each ReLU function is followed by a dropout layer; By utilizing the opcode graph constructed above and inputting these features into the improved DGCNN for learning, an Android malware detection model based on the opcode graph is generated.