Android malware detection method based on large heterogeneous graph representation learning
By employing large-scale heterogeneous graph representation learning and multi-model fusion strategies, this approach addresses the limitations of existing Android malware detection methods in real-time detection and segmentation, enabling real-time and accurate category identification of unknown Android software.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- SHANGHAI JIAOTONG UNIV
- Filing Date
- 2022-12-08
- Publication Date
- 2026-06-09
Smart Images

Figure CN115828242B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to a technology in the field of information security, specifically an Android malware detection method based on large heterogeneous graph representation learning. Background Technology
[0002] With the widespread adoption of smartphones, the number of Android malware has surged, causing significant harm to users. Traditional reverse engineering-based detection methods require substantial human and time resources, while existing neural network-based methods can only make judgments based on information from individual Android applications, becoming increasingly ineffective as Android malware development technologies advance. Therefore, graph neural network-based methods have been proposed to leverage the relationships between Android applications. However, existing methods cannot detect unknown Android applications in real time, and current AI-based methods cannot detect the specific category of Android malware. There is a lack of real-time, granular Android malware detection methods. Summary of the Invention
[0003] This invention addresses the shortcomings of existing technologies, such as the inability to simultaneously consider static and dynamic features, the inability to detect Android software not present in the original graph in real time (requiring retraining the model for detection of newly emerging unknown Android software), and the inability to detect specific categories of malware. It proposes an Android malware detection method based on large-scale heterogeneous graph representation learning. By extracting a mixture of static and dynamic features, the method improves the graph representation learning generation method. It avoids information loss based on a single aggregator while supporting real-time detection of unknown Android software. Furthermore, it achieves accurate detection of specific categories of Android malware through a multi-model fusion strategy, resulting in improved accuracy, real-time performance, and segmentation.
[0004] This invention is achieved through the following technical solution:
[0005] This invention relates to an Android malware detection method based on large heterogeneous graph representation learning. It extracts static and dynamic features from the metadata of the original Android application package to construct a heterogeneous graph. Semantic and structural information is obtained by sampling neighbor nodes for each Android application in the heterogeneous graph. Then, a matrix representation of each Android application is generated by inductively aggregating and scaling the information from the neighbor nodes. A detection module containing multiple sub-detectors is generated through multi-model training and model fusion. In the actual online detection stage, the trained detection module and the real-time representation of newly emerging Android applications are used to achieve real-time segmented detection of Android malware.
[0006] The original Android software includes: original Android application packages (APKs) downloaded from open-source Android malware libraries and benign software libraries of reliable Android software download platforms.
[0007] The extraction of metadata refers to: for each APK file, performing shallow parsing using the open-source tool ApkTool to obtain static and dynamic features, including: the organization to which the Android software belongs, the signature used by the Android software, the common third-party libraries used by the Android software, the common Android software development APIs called by the Android software, and the permissions requested by the Android software.
[0008] The heterogeneous graph includes six types of nodes: the Android software itself, the organization name, the signature, the third-party library name, the general API name, and the permission name, as well as the relationship path used to indicate the relationship between two Android software programs. The relationship path includes: whether the two software programs belong to the same organization, whether the two software programs have the same signature, whether the two software programs call the same API, whether the two software programs use the same third-party library, whether the two software programs request the same permission, and whether the two APIs request the same permission.
[0009] The neighbor node sampling described above differs from all previous sampling methods in that the number of neighbor hops in a single sampling is at least second-order. This means the sampling target includes not only the third-party libraries used by the software, general APIs, requested permissions, and the organization name and signature it possesses, but also other strongly related software nodes to obtain richer semantic and organizational information. A sampling method based on a restart-based random walk strategy is employed. Starting from a node, a random walk is performed. Each time a neighbor node is reached, there is an initial node with a probability range of size p. During the sampling process, the correlation score between each neighbor node and the target node is recorded, thus prioritizing the neighbor nodes with the highest correlation after the walk is completed. This allows for the acquisition of semantic and structural information strongly related to the target software.
[0010] Preferably, the total number of neighboring nodes sampled is limited during sampling to ensure that for large Android software, too many samples would introduce excessive noise. Thus, the number of samples for each type of node is limited to ensure that each of the six types of nodes can be sampled.
[0011] The inductive information aggregation and scaling mentioned above refers to: performing aggregation of the same type by category, using multiple aggregators in parallel to obtain information from different perspectives, so as to avoid information loss when using a single aggregator, while using a scaler to reduce or amplify the information after aggregation by different aggregators, so as to highlight the aggregator results that have not lost information, thereby making the generated representation more expressive, and finally obtaining the mapping between nodes and matrix representation functions. This mapping is extensible and not limited to the use of the originally constructed heterogeneous graph.
[0012] The real-time representation refers to the following: when faced with newly emerging unknown Android software, a fixed number of neighbor nodes are collected using the aforementioned neighbor sampling method. The mapping function obtained by aggregating and scaling the neighbor node information can generate a matrix representation in real time, which is then fed into the trained detector for real-time detection.
[0013] The detection module detects each category based on multiple sub-detectors, and merges the results of each sub-detector through a model fusion strategy. When the fusion result is malware, it can output one or more categories to which it belongs.
[0014] The sub-detector, based on a convolutional neural network classifier, specifically includes a convolutional layer, a pooling layer, and a fully connected layer. Finally, an output layer is generated through the Softmax function. The output layer contains two probability values indicating the probability of being 0 or 1, satisfying the condition that the sum of the two probabilities is 1. The sub-detector with the higher probability is selected as its output, and a confidence score is generated. In the final output, if an Android software belongs to multiple Android malware categories, it can be sorted according to its confidence score from high to low.
[0015] This invention relates to a system for implementing the above-mentioned Android malware detection method based on large heterogeneous graph representation learning, comprising: a data extraction and graph construction unit, a node sampling unit, a representation generation unit, and a detector unit, wherein: the data extraction and graph construction unit extracts key semantic information from each Android APK file and constructs a large heterogeneous graph to record the association information between different Android software; the node sampling unit collects strongly relevant information from all categories of associated neighbor nodes, including the Android software itself, for each target Android software and its associated information; the representation generation unit amplifies aggregators that do not suffer from information loss and reduces the results of aggregations that suffer from information loss to highlight the differences between different Android software, generating a matrix representation of the target Android software; the detector unit trains multiple sub-detectors based on convolutional neural networks and fusion strategies based on the generated matrix representation and data labeling methods, and outputs the detection results of malware and its category confidence.
[0016] Technical effect
[0017] Compared to existing methods that cannot generate real-time representations for newly emerging unknown Android software, this invention generates real-time Android software representations, enabling the acquisition of correlation information between different Android software rather than focusing solely on a single target software to be detected. This allows for the generation of real-time representations to achieve real-time detection. Furthermore, unlike previous methods, this invention collects both static and dynamic features during the mapping process. Based on a multi-model fusion strategy, this invention not only distinguishes between malicious software but also supports outputting the specific category to which the malicious software belongs, and supports outputting multiple categories for the target software. Attached Figure Description
[0018] Figure 1 This is a flowchart of the present invention;
[0019] Figure 2 This is a basic framework diagram of heterogeneous graphs;
[0020] Figure 3 This is a diagram illustrating the loss of a single aggregated piece of information.
[0021] Figure 4 This is an aggregated graph of node information of the same type;
[0022] Figure 5 Generate a schematic diagram for the scaler;
[0023] Figure 6 A diagram illustrating data annotation;
[0024] Figure 7 This is a schematic diagram of the detector structure;
[0025] Figure 8 This is a schematic diagram of the model fusion strategy. Detailed Implementation
[0026] like Figure 1 As shown in the figure, this embodiment relates to an Android malware detection method based on large heterogeneous graph representation learning, which includes the following steps:
[0027] Step 1) Feature extraction and heterogeneous graph construction, specifically including:
[0028] 1.1) Extract static and dynamic features from the original Android application package (APK), and construct a heterogeneous graph based on the extracted features. The file types contained in the APK are shown in Table 1. The specific features extracted are: permissions, third-party libraries, signatures, parent organization and APIs, and the relationship information between them. The list of requested permissions and the list of third-party libraries used can be directly extracted from the Manifest file; the signature information, organization information and corresponding certificate of the Android software can be obtained from the META-INF directory; ApkTool can be used to parse the class.dex file to obtain a list of reverse code in smali format, and the names of standard APIs called can be directly parsed from it, and the call relationship between the Android software and the API can be further obtained.
[0029] Table 1
[0030]
[0031] 1.2) Based on the five extracted features, construct the basic architecture as follows: Figure 2 The heterogeneous graph shown contains the six types of nodes mentioned above, and there are multiple paths indicating the relationships between different types of nodes. Specifically, there are six types of paths: an Android app is authenticated by a certain signature, an Android app belongs to a certain organization, an Android app requests a certain permission, an app calls a certain API, an Android app uses a certain third-party library, and an API requests a certain permission based on a mapping between a general API and permission relationships.
[0032] Based on the basic framework definition, a path of length 2 can represent information that cannot be obtained from observing a single Android software. For example, the common path software A - permission B - software C can indicate that software A and C request the same permission, thereby enabling the acquisition of potential relationship information between different Android software.
[0033] The symbols used in this embodiment and their descriptions are shown in Table 2.
[0034] Table 2
[0035]
[0036] Step 2) Use a restart-based random walk strategy to sample neighbor nodes, specifically including:
[0037] 2.1) Select any node i, and start traversing it after setting the furthest traversal order k (k is 3 in this embodiment). Randomly transfer the node i to one of its neighboring nodes with a certain probability, and iterate repeatedly until the traversal is complete. Obtain the correlation score between the two nodes, where the transfer probability is positively correlated with the edge weight, and at each step, the node i is returned to its origin i with probability p. After the iteration stabilizes, obtain r.ij This refers to the relevance score of node j with respect to node i, which ultimately yields... Where: E is the identity matrix. It is the connection weight matrix of the standardized graph. This is the initial vector for this node.
[0038] 2.2) During the sampling process, a limit K is set on the total number of neighbor nodes sampled (K is 150 in this embodiment) to avoid sampling too many neighbor nodes, especially neighbor nodes with too high hop counts, which would bring redundant information. At the same time, an upper limit is also set on the number of samples for each type of node to ensure that each type of neighbor node can be sampled. Finally, for each type of node, neighbor nodes that are strongly related to the target Android software are selected according to the correlation score from high to low to complete the neighbor node sampling.
[0039] Step 3) as Figure 5 As shown, based on the sampled neighbor nodes and the target node itself, neighbor node information is aggregated through message passing to generate the final representation of the target node, i.e., the heterogeneous graph of the target software. The initial representation of each node is generated based on Word2Vec, thus transforming words and phrases into vectors of dimension d=128, specifically including:
[0040] 3.1) Because the results of information aggregation cannot distinguish the original information of different neighboring nodes, the information loss effect of a single aggregator is as follows: Figure 3 As shown, this embodiment uses four types of aggregators to perform parallel aggregation of the same type based on the six types of neighboring nodes: mean aggregator, mean aggregator, and mean aggregator. Where: d i =|N(i)|, d i Let N(i) be the dimension of the node, and N(i) represent a neighbor of a certain type for node i; standard deviation aggregator
[0041] Where: μ(X) represents the mean of X, ∈ is a very small offset to ensure that the value under the square root is greater than 0, ReLU(x) = max(0, x) is a non-linear activation function; n-order moment aggregator
[0042] Where: n is usually taken as 3 or 4. To achieve the desired calculation formula, in this embodiment, n=3 and n=4 are both taken simultaneously, resulting in four aggregators, namely AGG. mean AGG std AGG 3m and AGG 4m .
[0043] 3.2) Based on the results obtained from different aggregators, further methods such as... Figure 4 The scaler shown assigns different weights to the results of different aggregators to amplify and reduce them. Specifically, it calculates the weight of each type of aggregator based on the vector representation generated by that type, amplifying the results of aggregators that do not suffer information loss while reducing the results of aggregators that do suffer information loss. This weight is calculated based on the Softmax function, specifically S. w =Softmax(FC(Sum(X) p ,t(v)),p=
[0044] mean, stdormn), where: t is a specific class, +Sum is the summation function, FC is a fully connected layer, and the Softmax function is as follows: Where i represents each dimension, and in this scenario C=4, a 1×4 dimensional vector is obtained to indicate the weight corresponding to each aggregator. Multiplying the weight by the corresponding vector representation completes the function of the scaler, resulting in X. p,t,s (v).
[0045] 3.3) The vectors before and after scaling are fed into the attention mechanism together. Aggregation is performed based on the attention mechanism, resulting in a one-dimensional vector for each type of neighbor node set, specifically: Where: F(v) is the union of the vector sets before and after scaling, plus the initial vector representation of the target node. Where: u is the initial parameter of the attention mechanism, LeakyReLU is the non-linear activation function; the matrix representations of each type of neighbor node set are combined into a matrix as the matrix representation H(v) of the target Android software, with a dimension of 6×d, where d is the dimension of the previously generated one-dimensional vector, i.e., 128.
[0046] Step 4) Generate training samples by using multi-label input and output for the subcategories of malware, and then use the trained detection module for real-time online detection. Specifically, this includes:
[0047] 4.1) As Figure 6 As shown, multi-label data annotation: a vector of all zeros is used to represent benign software. Once multiple dimensions of a vector are 1, it means that the Android software has been judged as multiple categories of malicious software.
[0048] 4.2) As Figure 7As shown, based on the model fusion strategy, multiple sub-detectors are trained to generate the final detection module: the matrix representation H(v) generated in step 3 is used as the input to the sub-detectors to be trained, and whether it is malware of that category is used as the label; 1 is for malware of that category, and 0 is for others. For the above data, classification is performed based on a convolutional neural network. By setting learnable filters, element-wise convolution operations are performed, and max pooling is used for downsampling. The data is then fed into a fully connected layer for information fusion to enhance information representation, and finally, the training for the binary classification task is completed based on the Softmax function.
[0049] 4.3) For example Figure 8 As shown, the detection results of the sub-detectors are fused using a fusion strategy: Based on the predefined initialization function, the Init function, the sub-categories of malware and their corresponding sub-detectors are stored in two lists in a one-to-one correspondence. For N types of malware sub-types, the output of the fused Predict function is a 2×N dimensional matrix in which the categories and 0 / 1 correspond one-to-one. The first horizontal dimension is used as the category vector, and the second horizontal dimension is used as the indicator vector, both of which are 1×N dimensional vectors. The value of each dimension of the indicator vector corresponds to the result of the detector of the corresponding sub-category in the category vector. The final returned result is the sub-category name in the category vector corresponding to the dimension with a value of 1 in the indicator vector, thus achieving multi-label output.
[0050] When only one dimension of the indicator vector is 1, the multi-label multi-output model degenerates into a simple multi-classification model; when all dimensions of the indicator vector are 0, it indicates that the detected target software is benign software.
[0051] The malicious software detection module after the fusion strategy in this embodiment is backward compatible with multiple scenarios. That is, when facing malicious software or benign software that should belong to only one category, it essentially becomes a simple multi-classification model, not limited to scenarios with multiple label outputs. However, when the target software belongs to multiple malicious software categories, the detector can also output multiple labels. At the same time, the detector does not train a sub-detector for the benign software category. That is, it will only output that the target software is benign software when all sub-detectors of malicious software categories consider it benign software. This is essentially the most common voting strategy in model fusion strategies. In the scenario of this embodiment, the reliability of the detector's judgment of benign software is improved through a strict voting strategy.
[0052] Based on specific practical experiments, the number of benign / malicious software items collected from two open-source datasets of Android malware (CCCS-CIC-AndMal-2020 and Androzoo) and domestic platforms is shown in Table 3.
[0053] Table 3
[0054]
[0055] The specific number of Android software categories and their concise representations in this embodiment are shown in Table 4:
[0056] Table 4
[0057]
[0058] This embodiment also statistically analyzes the top 5 multi-tag combinations of malicious software, as shown in Table 5:
[0059] Table 5
[0060]
[0061] When splitting the dataset, the ratio of training set to test set was 8:2. Evaluation was based on four metrics: precision, recall, F1 score, and area under the receiver operating curve (AUC). First, we tested the detection performance for malware category segmentation, which is proposed for the first time in this embodiment. The experimental data obtained are shown in Table 6:
[0062] Table 6
[0063]
[0064] Meanwhile, the effectiveness of the previous task of only detecting whether something is malware was evaluated, and the results are shown in Table 7:
[0065] Table 7
[0066]
[0067] The experimental data shows that this embodiment achieves the expected results, providing sufficient accuracy to determine whether an application is Android malware and, if so, its specific category. Actual testing showed that when a new Android application appears, the average time from parsing a single APK package to integrating it into the adjacency matrix of the heterogeneous graph, generating the corresponding matrix representation, and producing the final judgment result based on the detector is approximately 1128ms, meeting the speed requirements. Furthermore, because the judgment is based on the Softmax function, it can output the corresponding confidence score along with the classification result, and sort the sub-detector results from highest to lowest confidence.
[0068] Compared to existing technologies, this method detects malware subcategories and achieves superior performance within each subcategory, resulting in more detailed detection results. Furthermore, by employing graph representation learning to avoid information loss, all metrics for the initial malware identification task approach 1, far exceeding all existing methods. Moreover, based on the neighbor sampling strategy and graph representation learning, detection effectiveness is guaranteed, achieving real-time performance when facing newly emerging unknown Android software, a significant improvement over previous efforts.
[0069] The above-described specific implementations can be partially adjusted by those skilled in the art in different ways without departing from the principles and purpose of the present invention. The scope of protection of the present invention is defined by the claims and is not limited to the above-described specific implementations. All implementation schemes within the scope of the claims are bound by the present invention.
Claims
1. An Android malware detection method based on large heterogeneous graph representation learning, characterized in that, Static and dynamic features are extracted from the metadata of the original Android software application package to construct a heterogeneous graph. Semantic and structural information is obtained by sampling neighbor nodes for each Android software in the heterogeneous graph. Then, a matrix representation of each Android software is generated by inductive information aggregation and scaling of the neighbor nodes. A detection module containing multiple sub-detectors is generated through multi-model training and model fusion. In the actual online detection stage, the trained detection module and the real-time representation of newly emerging Android software are used to achieve real-time segmentation detection of Android malware, specifically including: Step 1) Feature extraction and heterogeneous graph construction; Step 2) Use a restart-based random walk strategy to sample neighbor nodes; Step 3) Based on the sampled neighbor nodes and the target node itself, the neighbor node information is aggregated through message passing to generate the final representation of the target node, i.e., the heterogeneous graph of the target software. The initial representation of each node is generated based on Word2Vec, thereby transforming words and sentences into a dimension of... The vectors specifically include: 3.1) Based on the six types of neighboring nodes, four types of aggregators are used to perform parallel aggregation of the same type, namely: mean aggregator. ,in: , For the dimension of the node, Represents a node A certain type of neighbor; standard deviation aggregator ,in: represent The mean, It is a very small offset to ensure that the value under the square root is greater than 0. It is a non-linear activation function; Step-moment aggregator ,in: The formula for calculating the expected value is as follows: and This ultimately results in four aggregators, namely , , and ; 3.2) Based on the results obtained from different aggregators, a scaler is used to assign different weights to the results of different aggregators for amplification and reduction. Specifically, the weight of each type of aggregator is calculated using the vector representation generated by each type of aggregator to amplify the results of aggregators that have not lost information while reducing the results of aggregators that have lost information. This weight is calculated based on the Softmax function. ,in: As a category, For the summation function, For a fully connected layer, the Softmax function is as follows: ,in: In this scenario, each latitude represents a specific dimension. Thus, a The dimension vector indicates the weight corresponding to each aggregator. Multiplying the weight by the corresponding vector representation completes the function of the scaler, yielding... ; 3.3) The vectors before and after scaling are fed into the attention mechanism together. Aggregation is performed based on the attention mechanism, resulting in a one-dimensional vector for each type of neighbor node set, specifically: ,in: The union of the vector sets before and after scaling, plus the initial vector representation of the target node. ,in: These are the initial parameters of the attention mechanism. It is a non-linear activation function; it combines the matrix representations of each type of neighbor node set into a single matrix as the matrix representation of the target Android software. Its dimensions are , The dimension of the previously generated one-dimensional vector is 128; Step 4) Generate training samples by multi-label input and output for the subcategories of malware, and use the trained detection module for real-time online detection.
2. The Android malware detection method based on large heterogeneous graph representation learning according to claim 1, characterized in that, The extraction of meta-information refers to: for each APK file, performing shallow parsing using the open-source tool ApkTool to obtain static and dynamic features, including: the organization to which the Android software belongs, the signature used by the Android software, the common third-party libraries used by the Android software, the common Android software development APIs called by the Android software, and the permissions requested by the Android software. The heterogeneous graph includes: the Android software itself, the organization name, the signature, the third-party library name, the general API name and the permission name, and the relationship path used to indicate the relationship between two Android software programs. The relationship path includes: whether the two software programs belong to the same organization, whether the two software programs have the same signature, whether the two software programs call the same API, whether the two software programs use the same third-party library, whether the two software programs request the same permission, and whether the two APIs request the same permission.
3. The Android malware detection method based on large heterogeneous graph representation learning according to claim 1, characterized in that, The neighbor node sampling targets include third-party libraries used by the software, general APIs, requested permissions, organization names and signatures, and other strongly related software nodes. A random walk sampling method based on restart is adopted, that is, starting from a node, a random walk is performed, and each time the next neighbor node is reached, there is an initial node with a probability range of size p. During the sampling process, the correlation score between each neighbor node and the target node is recorded, so as to prioritize the neighbor nodes with the highest correlation after the walk is completed, thereby obtaining semantic and structural information strongly related to the target software.
4. The Android malware detection method based on large heterogeneous graph representation learning according to claim 1, characterized in that, The inductive information aggregation and scaling mentioned above refers to: performing aggregation of the same type by category, using multiple aggregators in parallel to obtain information from different perspectives, so as to avoid information loss when using a single aggregator, while using a scaler to reduce or amplify the information after aggregation by different aggregators, so as to highlight the aggregator results that have not lost information, thereby making the generated representation more expressive, and finally obtaining the mapping between nodes and matrix representation functions. This mapping is extensible and not limited to the use of the originally constructed heterogeneous graph.
5. The Android malware detection method based on large heterogeneous graph representation learning according to claim 1, characterized in that, The real-time representation refers to the following: when faced with newly emerging unknown Android software, a fixed number of neighbor nodes are collected using the aforementioned neighbor node sampling method. The mapping function obtained by aggregating and scaling the neighbor node information can generate a matrix representation in real time, which is then fed into the trained detector for real-time detection.
6. The Android malware detection method based on large heterogeneous graph representation learning according to claim 1, characterized in that, The detection module detects each category based on multiple sub-detectors, and fuses the results of each sub-detector through a model fusion strategy. When the fusion result is malware, it can output one or more categories to which it belongs. The sub-detector, based on a convolutional neural network classifier, specifically includes a convolutional layer, a pooling layer, and a fully connected layer. Finally, an output layer is generated through the Softmax function. The output layer contains two probability values indicating the probability of being 0 or 1, satisfying the condition that the sum of the two probabilities is 1. The sub-detector with the higher probability is selected as its output, and a confidence score is generated. In the final output, if an Android software belongs to multiple Android malware categories, it can be sorted according to its confidence score from high to low.
7. The Android malware detection method based on large heterogeneous graph representation learning according to any one of claims 1-6, characterized in that, specifically include: Step 1) Feature extraction and heterogeneous graph construction, specifically including: 1.1) Extract static and dynamic features from the original Android application package (APK), and construct a heterogeneous graph based on the extracted features. The extracted features include: permissions, third-party libraries, signatures, parent organization and APIs, and the relationship information between them. Among them, the request permission list and the third-party library usage list can be directly extracted from the Manifest file; the signature information, organization information and corresponding certificate of the Android software can be obtained from the META-INF directory; ApkTool can be used to parse the class.dex file to obtain a list of reverse code in smali format, and directly parse the standard API names called from it, and further obtain the call relationship between the Android software and the API; 1.2) Based on the extracted features, construct a heterogeneous graph: This heterogeneous graph contains the above-mentioned nodes and has multiple paths indicating the relationship between different types of nodes, specifically including: 6 types of paths, namely: an Android software is certified by a certain signature, an Android software belongs to a certain organization, an Android software requests a certain permission, a software calls a certain API, an Android software uses a certain third-party library, and an API requests a certain permission based on the mapping of general API and permission relationship. Step 2) Use a restart-based random walk strategy to sample neighbor nodes, specifically including: 2.1) Select any node The furthest order it travels is set. Then, the algorithm begins its traversal, randomly transferring the node to one of its neighboring nodes with a certain probability. This process is repeated until the traversal is complete, yielding a correlation score between the two nodes. The transfer probability is positively correlated with the edge weight, and at each step, the probability is increased. Return to origin After iterative stabilization, we obtain It is a node Regarding nodes The relevance score can ultimately yield the following results. ,in: It is the identity matrix. It is the connection weight matrix of the standardized graph. This is the initial vector for that node; 2.2) Set a limit on the total number of neighboring nodes to be sampled during the sampling process. To avoid sampling too many neighbor nodes, an upper limit is set on the number of samples for each type of node to ensure that each type of neighbor node can be sampled. Finally, for each type of node, neighbor nodes that are strongly related to the target Android software are selected based on their correlation scores from high to low to complete the neighbor node sampling. Step 3) Based on the sampled neighbor nodes and the target node itself, the neighbor node information is aggregated through message passing to generate the final representation of the target node, i.e., the heterogeneous graph of the target software. Step 4) Generate training samples by using multi-label input and output for the subcategories of malware, and then use the trained detection module for real-time online detection. Specifically, this includes: 4.1) Multi-label data annotation: Use vectors of all zeros to represent benign software. If multiple dimensions of a vector are 1, it means that the Android software is judged to be malicious software of multiple categories. 4.2) Based on the model fusion strategy, train multiple sub-detectors to generate the final detection module: based on the matrix representation generated in step 3. The data is used as input to the sub-detector to be trained, and whether it is malware of that category is used as the label. If it is malware of that category, it is labeled as 1, otherwise it is labeled as 0. For the above data, classification is performed based on convolutional neural networks. By setting learnable filters, element-wise convolution operation is performed, and max pooling is used for downsampling. The data is then fed into a fully connected layer for information fusion to enhance information representation. Finally, the training of the binary classification task is completed based on the Softmax function. 4.3) The detection results of sub-detectors are fused through a fusion strategy: Based on the predefined initialization function, i.e., the Init function, the sub-categories of malware and their corresponding sub-detectors are stored in two lists in a one-to-one correspondence. For N types of malware sub-types, the output of the fused Predict function is a 2×N-dimensional matrix in which the categories and 0 / 1 correspond one-to-one. The first horizontal dimension is used as the category vector, and the second horizontal dimension is used as the indicator vector, both of which are 1×N-dimensional vectors. The value of each dimension of the indicator vector corresponds to the result of the detector of the corresponding sub-category in the category vector. The final result returned is the sub-category name in the category vector corresponding to the dimension with a value of 1 in the indicator vector, thereby achieving multi-label output.
8. A system for implementing the Android malware detection method based on large heterogeneous graph representation learning as described in any one of claims 1-7, characterized in that, include: The system comprises a data extraction and graph construction unit, a node sampling unit, a representation generation unit, and a detector unit. Specifically: the data extraction and graph construction unit extracts key semantic information from each Android APK file and constructs a large heterogeneous graph to record the association information between different Android software; the node sampling unit collects strongly relevant information from all categories of associated neighbor nodes, including the Android software itself, for each target Android software and its associated information; the representation generation unit amplifies aggregators that do not suffer information loss and reduces the results of aggregations that suffer information loss to highlight the differences between different Android software, generating a matrix representation of the target Android software; and the detector unit trains multiple sub-detectors based on convolutional neural networks and fusion strategies based on the generated matrix representation and data labeling methods, and outputs detection results of malware and its category confidence.