Malware detection method based on adaptive node-edge joint mask

By modeling the importance of nodes and edges in the Android malware detection model through an adaptive node-edge joint masking mechanism, the problem of insufficient robustness in existing technologies is solved, and stable detection is achieved under complex perturbation and evolution scenarios.

CN122174233APending Publication Date: 2026-06-09JIANGSU UNIV +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
JIANGSU UNIV
Filing Date
2026-03-09
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

Existing technologies for Android malware detection rarely consider the differences in importance of different nodes and edges in the graph during detection decisions, and lack systematic design for scenarios involving structural perturbations and behavioral evolution, resulting in insufficient robustness of the model under complex perturbation and evolution scenarios.

Method used

By introducing an adaptive node-edge joint masking mechanism, the importance of nodes and edges in the function call graph is modeled to protect key structural and semantic information. The masked graph is generated and trained in the graph neural network to improve the robustness of the model under perturbation and evolution scenarios.

Benefits of technology

It significantly enhances the adaptability of the malware detection model to adversarial perturbations, improves the stability and reliability of detection results, and enhances the model's generalization ability in time-evolving scenarios.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122174233A_ABST
    Figure CN122174233A_ABST
Patent Text Reader

Abstract

This invention discloses a malware detection method based on adaptive node-edge joint masking. First, a function call graph of an Android application is constructed, and the structural and semantic features of nodes and edges are extracted. Then, a masking strategy is adaptively determined based on the relative importance of nodes and edges in the graph structure, and joint masking is applied to nodes and edges. On this basis, a graph neural network model is trained, enabling the model to learn stable and discriminative representations even when some graph structures or features are damaged. Finally, the trained model is used to detect malware in Android applications. This invention demonstrates effectiveness in improving the robustness and engineering practicality of Android malware detection models.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention pertains to malware detection technology, specifically a malware detection method based on adaptive node-edge joint masking. Background Technology

[0002] In recent years, deep learning technology has been widely applied in pattern recognition, data mining, and intelligent analysis. By automatically learning features from complex data through multi-layered neural networks, deep learning models can extract discriminative high-level semantic features from large amounts of raw data, significantly reducing reliance on manual feature engineering. Compared to traditional machine learning methods, deep learning demonstrates stronger modeling capabilities in handling high-dimensional, nonlinear, and complex correlated data, and has achieved remarkable results in tasks such as image recognition, natural language processing, and speech recognition. With the improvement of computing power and the accumulation of large-scale data resources, deep learning models continue to evolve towards deeper and more complex structures, and their generalization and expressive abilities continue to improve, providing a new technological foundation for modeling and automating the analysis of complex system behavior.

[0003] Building upon the continuous development of deep learning, graph neural network (Graph Neural Network) technology has emerged and become a research hotspot for representing data with non-Euclidean structures. Graph Neural Networks can directly model graph-structured data, learning node features, edge relationships, and overall topological information simultaneously through information propagation and aggregation mechanisms between nodes. This makes them suitable for describing complex relationships between objects. Compared to traditional neural networks, which can only handle regular structured data, Graph Neural Networks have significant advantages in representing relational structures and capturing global and local dependencies. With further research, Graph Neural Networks have demonstrated good adaptability in modeling complex systems such as program structures, social networks, and biological networks, and are gradually becoming an important technique for analyzing structured behavioral data.

[0004] In the field of Android malware detection, researchers are increasingly incorporating deep learning and graph neural networks into program behavior analysis tasks. By modeling the code structure or runtime behavior of applications and representing function call relationships, control flow relationships, or component interaction relationships as graph structures, a more comprehensive characterization of application behavior can be achieved. Building upon this, using graph neural networks to learn features from the program graph can simultaneously capture both structural and semantic information about program behavior, resulting in a significant improvement in detection accuracy compared to traditional methods. In recent years, detection methods based on graph representations such as function call graphs and API call graphs have emerged continuously. Related research shows that graph neural networks have strong expressive power in distinguishing between benign and malicious applications, and are gradually becoming one of the important technical directions for Android malware detection.

[0005] Although deep learning and graph neural networks have made some progress in Android malware detection, existing technologies mostly focus on modeling under the condition of complete graph structure, and rarely consider the differences in importance of different nodes and edges in the graph in the detection decision, and also lack systematic design for scenarios of structural perturbation and behavioral evolution. Summary of the Invention

[0006] Purpose of the Invention: The purpose of this invention is to address the shortcomings of existing technologies and provide a malware detection method based on adaptive node-edge joint masking. This invention jointly models the importance of nodes and edges in a function call graph and introduces an adaptive masking mechanism to guide the model to focus on key structural and semantic information. During the masking process, the connectivity characteristics of the function call graph are combined to protect bridge edges or key connected edges to maintain the structural integrity of key call paths. Graph representation learning is performed under mask constraints, enabling the model to learn stable and consistent representations even when node or edge information is incomplete, thereby improving the robustness of the detection model in complex perturbation and evolution scenarios.

[0007] Technical solution: The present invention provides a malware detection method based on adaptive node-edge joint masking, comprising the following steps:

[0008] Step 1: Select and collect Android application installation packages from the application sample library, and complete sample deduplication, timestamp archiving and labeling according to preset rules to build a malware detection dataset for training and evaluation; among them, the application installation package samples in the dataset are divided into training set and test set according to time to support detection evaluation in time evolution scenarios.

[0009] Step 2: Perform static analysis on the Android application installation packages in the dataset, extract function-level call relationships, and construct a function call graph. (Function Call Graph, FCG); Nodes in the function call graph represent functions or methods, and edges in the function call graph represent call relationships; structural features and semantic features (i.e., node feature matrices) are generated for nodes and edges respectively. With the edge index matrix ), forming a graph structure input representation;

[0010] Step 3: Based on the obtained function call graph To calculate the node importance score and edge importance score respectively, based on the node's structural information (i.e., node... normalization degree ) and semantic features (i.e., node feature vector norm in the following text) The importance of nodes is determined by using the nodes they connect to, and the importance of edges is determined based on the importance of those connected nodes. Then, the importance is normalized to obtain the node importance score and edge importance score for subsequent masking decisions.

[0011] Step 4: Based on the node importance score and edge importance score, and under the premise of satisfying the preset basic mask ratio constraint, construct a mask probability distribution that is inversely proportional to the importance, and perform joint masking processing on node features and edge connection relationships according to the preset masking strategy to generate a mask map. ;

[0012] Among them, nodes and / or edges with higher importance scores have a lower probability of being masked;

[0013] Step 5: Create a mask image The input graph neural network encoder is trained, and through a preset self-supervised objective, the model learns a stable and consistent graph representation under conditions where nodes / edges are partially missing or perturbed; and the graph representation is used to construct a downstream malware classifier.

[0014] Furthermore, the detailed process of static analysis in step 2 is as follows:

[0015] Step 2.1: Unpack and parse the Android application installation package to be analyzed, read the manifest file and code file, extract the application's package structure information, component information and related metadata, and complete sample deobfuscation and deduplication preprocessing.

[0016] Step 2.2: Perform static analysis on the application code to construct intermediate representations at the function / method level;

[0017] Step 2.3: Identify all function and method entities in the application and map them to nodes; normalize the method signatures, class names, and package names to ensure consistent representation across samples;

[0018] Step 2.4: Based on the intermediate representation, parse the calling relationships between functions / methods and generate edges; where the calling relationships include direct calls and indirect calls, and record the caller, callee, and calling context information for each calling edge;

[0019] Step 2.5: Construct a function call graph based on the node set and edge set. The function call graph (FCG) is normalized by removing isolated nodes, merging duplicate edges, limiting the graph size, or sampling subgraphs from very large graphs to form graph structure data that can be directly input into the model.

[0020] Step 2.6: Create a function call graph. Each node in Construct the corresponding node feature vector And summarize them to form a node feature matrix. ;

[0021] Step 2.7: Construct an edge index matrix based on the call relationships in the function call graph. Used to represent the connection relationships between nodes and the direction of invocation; edge index matrix Including source node index sequence With the target node index sequence The composition is as follows:

[0022] ;

[0023] in, Let be the number of edges. and These correspond to the source node and target node of the m-th edge, respectively (which can be understood as an edge having two nodes).<u,v> (where u is the source node and v is the target node, and the two form an edge); the first row represents the index sequence of all source nodes, and the second row represents the index sequence of all target nodes, thus obtaining the edge index matrix used as input to the graph neural network;

[0024] Step 2.8, based on the node feature matrix With the edge index matrix Construct a graph structure for the input representation and define the function call graph as follows: ;

[0025] in: Represents a function call graph; This represents the node feature matrix, where 𝑛 is the number of nodes. For node feature dimensions, each row corresponds to the feature vector of a node; Represents the edge index matrix. The first row represents the source node index sequence, and the second row represents the target node index sequence, used to describe the calling relationship between nodes; this invention uses a graph structure It serves as the input representation for subsequent adaptive node-edge joint masking and graph neural network model training and inference.

[0026] Furthermore, the node feature vector It includes the following three parts:

[0027] 1) Opcode feature subvector : Parse the bytecode instruction sequence of the function / method corresponding to this node and count the preset opcode set. The occurrence of each opcode is determined; the value is a binary indicator (1 for occurrence, 0 for absence), thus obtaining the opcode feature subvector. ;

[0028] 2) Permission feature sub-vector Based on the permission-related calls involved in the code of the function / method corresponding to this node, map it to a preset set of permissions. ,right Each permission generates a corresponding dimension value, which is a binary indicator, thereby obtaining a permission feature sub-vector. ;

[0029] 3) Sensitive API Feature Subvectors : Match the API calls appearing in the function / method corresponding to this node with the preset set of sensitive APIs. Perform matching to generate sensitive API feature sub-vectors. The feature subvector is a binary indicator, used to characterize the sensitive behavior-related calls involved in the node.

[0030] The above three types of sub-vectors are concatenated according to their dimensions to obtain the node feature vector (the node feature is composed of opcode feature, permission feature, and sensitive API feature):

[0031] .

[0032] Furthermore, the specific calculation methods for the node importance and edge importance in step 3 are as follows:

[0033] Step 3.1: For each node in the function call graph Its node importance score The calculation formula is:

[0034] ;

[0035] in, For nodes The degree of normalization; For node feature vectors; The L2 norm of the node's eigenvectors;

[0036] Step 3.2, for the edges Its importance score The calculation formula is:

[0037] ;

[0038] Bridge edges are identified through structural connectivity analysis; if deleting an edge would cause the graph structure to split or significantly reduce the overall connectivity, then the edge is marked as a critical connection edge, and its probability of being masked is reduced during the masking process.

[0039] This invention adaptively masks edges and nodes based on their importance under a given preset masking ratio, prioritizing the masking of less important nodes (skipping bridge edges when they are encountered), thus ensuring the connectivity of the entire graph.

[0040] Furthermore, the adaptive node-edge joint masking process in step 4 is subdivided into:

[0041] Step 4.1: Given the basic mask ratio of the nodes Ratio of edge base mask (For example, you can set the mask ratio for both nodes and edges to 10%), and then adjust the mask ratio based on node importance. Importance of edges Construct inverse sampling probability The formula is as follows:

[0042] ;

[0043] ;

[0044] The less important, The larger the value, the higher the mask probability.

[0045] While satisfying the overall mask ratio constraint and Under the given conditions, random sampling is performed according to the above probability distribution to determine the set of nodes and the set of edges to be masked;

[0046] Step 4.2: To enhance randomness, adjust the base mask ratio. Introduce small disturbances within the range and :

[0047] ;

[0048] ;

[0049] And perform mask sampling at the perturbed scale;

[0050] Step 4.3: Based on the sampling results, perform feature zeroing or replacement with mask vector operation on the selected nodes; delete the selected edge connection relationship; at the same time, apply protection factor to bridge edges or key connected edges to reduce their mask probability.

[0051] Finally, a mask image is generated. , ;

[0052] The set of nodes after masking. The set of edges after masking. This is the node feature matrix after masking.

[0053] Furthermore, step 5, mask constraint, is illustrated in the following diagram, which shows the detailed process of learning and classification:

[0054] Step 5.1: Obtain the mask image The graph neural network encoder is trained to obtain the corresponding graph representation vector. The representation learning process of the graph neural network encoder can be represented as follows:

[0055]

[0056] in, This represents the function call graph after the masking. This represents the graph neural network encoding function with parameters . This represents the learned graph-level representation vector;

[0057] During training, a preset self-supervised learning objective enables the graph neural network to learn a stable and consistent graph representation even when node features and / or edge connections are partially missing or disturbed.

[0058] Step 5.2: Based on the graph representation vector A malware classifier is constructed, and the Android application to be detected is classified and predicted. The classification process can be represented as follows:

[0059]

[0060] in, Represents the classification function, This indicates the corresponding malicious or benign prediction result and its confidence level.

[0061] The network of this invention involves two main modules: an upstream GNN pre-trained model and a downstream MLP classification model. The upstream GNN pre-trained model includes an encoder, an edge decoder, a node decoder, and a node similarity decoder, while the downstream MLP classification model includes four multi-head pooling modules.

[0062] Beneficial effects: Compared with the prior art, the present invention has the following advantages:

[0063] (1) This invention jointly models the importance of nodes and edges in the function call graph and implements an adaptive masking strategy based on importance, guiding the detection model to focus on the structural and semantic information that plays a key role in the determination of malicious behavior, avoiding the model from over-relying on redundant or unstable features, thereby improving the stability and reliability of the detection results.

[0064] (2) By introducing a joint masking mechanism of nodes and edges during the masking training process, and combining it with bridge edge or key connected edge protection constraints, the model can still maintain effective representation ability when the function call relationship or node features are disturbed, which significantly enhances the adaptability of the malware detection model to adversarial disturbances.

[0065] (3) The present invention performs graph representation learning under mask constraints, enabling the model to learn a stable and consistent graph-level representation under the condition of partial structural or feature loss, thereby improving the model's generalization ability on data with different time distributions and enhancing the long-term effectiveness of the detection model in time evolution scenarios.

[0066] (4) It can be flexibly combined with different types of graph neural network models and existing malware detection processes. It is suitable for static analysis scenarios and can also be extended to static and dynamic joint analysis scenarios, with good engineering practical value and promotion prospects. Attached Figure Description

[0067] Figure 1 This is a comprehensive overview diagram of the DualDroid invention;

[0068] Figure 2 Construct the FCG diagram for Android for the DualDroid of this invention;

[0069] Figure 3 The examples show the evaluation results of the present invention and the baseline model in a time evolution scenario;

[0070] Figure 4 The evaluation results for the FCGHunter structural level perturbation are shown in the example. Detailed Implementation

[0071] The technical solution of the present invention will be described in detail below, but the scope of protection of the present invention is not limited to the embodiments described.

[0072] like Figure 1 As shown, the malware detection method based on adaptive node-edge joint masking of the present invention is designed for the function call graph representation of Android applications. By jointly modeling the importance of nodes and edges in the graph, it adaptively performs masking processing on node features and edge connection relationships, enhancing the robustness of the model to perturbations while preserving key structural and semantic information. The method includes the following steps:

[0073] Step 1: Filter and collect Android application installation packages, and complete preprocessing according to preset rules to build a malware detection dataset for training and evaluation; divide the application installation package samples in the dataset into training set and test set according to time.

[0074] Step 2: Perform static analysis on the Android application installation packages in the dataset, extract function-level call relationships, and construct a function call graph. Function call graph The nodes in the function call graph represent functions or methods, and the edges in the function call graph represent the call relationships.

[0075] Step 3: Based on the obtained function call graph Node importance scores and edge importance scores are calculated separately. First, node importance is determined based on the structural information and semantic features of the node. Then, edge importance is determined based on the importance of the nodes it connects to. The importance scores are then normalized to obtain node importance scores and edge importance scores for subsequent masking decisions.

[0076] Step 4: Based on the node importance score and edge importance score, and under the premise of satisfying the preset basic mask ratio constraint, construct a mask probability distribution that is inversely proportional to the importance, and perform joint masking processing on node features and edge connection relationships according to the preset masking strategy to generate a mask map. ;

[0077] Step 5: Create a mask image The input graph neural network encoder is trained, and through a pre-defined self-supervised objective, the model learns a stable and consistent graph representation under conditions where nodes / edges are partially missing or perturbed; and the graph representation is used to construct a downstream malware classifier.

[0078] Step 6: Repeat steps 2 to 4 to generate a graph representation for the Android application to be detected, and input the graph representation into the downstream malware classifier to output the detection results of malicious or benign malware and compare them with the baseline model.

[0079] Step 7: Under adversarial evaluation or robustness evaluation conditions, apply structural perturbation and feature-level perturbation to the function call graph G, and measure the robustness of the model by indicators such as attack success rate and perturbation cost; among them, structural perturbation includes the addition, deletion and modification of edges, and feature-level perturbation includes the modification or replacement of node features.

[0080] The detailed process of static analysis in step 2 of this embodiment is as follows:

[0081] Step 2.1: Unpack and parse the Android application installation package to be analyzed, read the manifest file and code file, extract the application's package structure information, component information and related metadata, and complete sample deobfuscation and deduplication preprocessing.

[0082] Step 2.2: Perform static analysis on the application code to construct intermediate representations at the function / method level;

[0083] Step 2.3: Identify all function and method entities in the application and map them to nodes; normalize the method signatures, class names, and package names to ensure consistent representation across samples;

[0084] Step 2.4: Based on the intermediate representation, parse the calling relationships between functions / methods and generate edges; where the calling relationships include direct calls and indirect calls, and record the caller, callee, and calling context information for each calling edge;

[0085] Step 2.5: Construct a function call graph based on the node set and edge set. The function call graph G is normalized by removing isolated nodes, merging duplicate edges, limiting the graph size, or sampling subgraphs from very large graphs to form graph structure data that can be directly input into the model.

[0086] Step 2.6: Create a function call graph. Each node in Construct the corresponding node feature vector And summarize them to form a node feature matrix. ;

[0087] Step 2.7: Construct an edge index matrix based on the call relationships in the function call graph. Edge index matrix Including source node index sequence With the target node index sequence The composition is as follows:

[0088] ;

[0089] in, The first row of the matrix represents the index sequence of all source nodes, and the second row represents the index sequence of all target nodes.

[0090] Step 2.8, based on the node feature matrix With the edge index matrix Construct a graph structure for the input representation and define the function call graph as follows: ;

[0091] in: Represents a function call graph; This represents the node feature matrix, where 𝑛 is the number of nodes. For node feature dimensions; Represents the edge index matrix. Let be the number of edges.

[0092] The above node feature vectors It includes the following three parts:

[0093] 1) Opcode feature subvector That is, to parse the bytecode instruction sequence of the function / method corresponding to the node and count the preset opcode set. The occurrence of each opcode is determined to obtain the opcode feature vector. ;

[0094] 2) Permission feature sub-vector This refers to mapping nodes to a predefined set of permissions based on the permission-related calls made by the corresponding functions / methods in the code. ,right Each permission generates a value for a corresponding dimension, thus obtaining a permission feature subvector. ;

[0095] 3) Sensitive API Feature Subvectors This refers to matching the API calls appearing in the functions / methods corresponding to the nodes with a preset set of sensitive APIs. Perform matching to generate sensitive API feature sub-vectors. ;

[0096] The node feature vector is obtained by concatenating the above three types of sub-vectors according to their dimensions.

[0097] .

[0098] The specific calculation method for the node importance and edge importance in step 3 of this embodiment is as follows:

[0099] Step 3.1: For each node in the function call graph The importance of its nodes The calculation formula is:

[0100] ;

[0101] in, For nodes The degree of normalization; For node feature vectors; The L2 norm of the node's eigenvectors;

[0102] Step 3.2, for the edges Its importance The calculation formula is:

[0103] ;

[0104] Bridge edges are identified through structural connectivity analysis; if deleting an edge would cause the graph structure to split or significantly reduce the overall connectivity, then the edge is marked as a critical connection edge, and its probability of being masked is reduced during the masking process.

[0105] The adaptive node-edge joint masking process in step 4 of this embodiment is further subdivided as follows:

[0106] Step 4.1: Given the basic mask ratio of the nodes Ratio of edge base mask Then, based on node importance Importance of edges Construct inverse sampling probability The formula is as follows:

[0107] ;

[0108] ;

[0109] While satisfying the overall mask ratio constraint and Under the given conditions, random sampling is performed according to the above probability distribution to determine the set of nodes and the set of edges to be masked;

[0110] Step 4.2: To enhance randomness, adjust the base mask ratio. Introduce small disturbances within the range and :

[0111] ;

[0112] ;

[0113] And perform mask sampling at the perturbed scale;

[0114] Step 4.3: Based on the sampling results, perform feature zeroing or replacement with mask vector operation on the selected nodes; delete the selected edge connection relationship; at the same time, apply protection factor to bridge edges or key connected edges to reduce their mask probability;

[0115] Finally, a mask image is generated. , .

[0116] In this embodiment, step 5, mask constraint, is illustrated in the following diagram, which shows the detailed process of learning and classification:

[0117] Step 5.1: Obtain the mask image The graph neural network encoder is trained to obtain the corresponding graph representation vector. The representation learning process of the graph neural network encoder is represented as follows:

[0118] ;

[0119] in, This represents the function call graph after the masking. This represents the graph neural network encoding function with parameters . This represents the learned graph-level representation vector;

[0120] Step 5.2: Based on graph representation vectors A malware classifier is constructed, and the Android application to be detected is classified and predicted. The classification process is represented as follows:

[0121] ;

[0122] in, Represents the classification function, This indicates the corresponding malicious or benign prediction result and its confidence level.

[0123] To verify the feasibility of the malware detection method based on adaptive node-edge joint mask of the present invention, this embodiment further details the malware detection process as follows:

[0124] Step a: Repeat steps 2 to 4 for the Android application to be tested, construct the corresponding function call graph and generate a masked graph view to obtain the graph representation of the application;

[0125] Step b: Input the graph representation into the classifier constructed in step 5, and output the detection result of whether the Android application is malicious or benign.

[0126] Step c: Compare and analyze the detection results with the detection results of various existing malware detection baseline models. The baseline models include, but are not limited to, detection models based on feature perturbation defense, detection models based on deep ensemble learning, detection models based on graph representation learning, and detection models based on masking mechanisms. At the same time, in the time evolution evaluation scenario, evaluate the detection performance of the method of the present invention and the baseline models under different time data distribution conditions to analyze the detection capability of the models under the condition of time distribution change.

[0127] The experimental results are shown in Table 1 and Figure 3 As shown.

[0128] Table 1 Evaluation results of DualDroid and baseline model under ideal conditions

[0129] Methods Accuracy Precision Recall F1 PAD-SMA 97.43% 95.93% 97.75% 96.83% DLA 98.01% 97.22% 97.83% 97.52% AT-MaxMa 96.06% 92.52% 98.11% 95.23% MaskDroid 96.29% 96.09% 94.85% 95.46% MaMaDroid 95.46% 96.82% 93.54% 95.15% Malscan-avg 97.00% 95.77% 96.60% 96.18% Malscan-con 97.49% 97.07% 96.79% 96.50% APIGraph 97.43% 96.83% 96.74% 96.79% EFCGs 95.46% 97.37% 91.88% 94.55% Invention DualDroid 98.26% 98.25% 98.15% 98.20%

[0130] To verify the technical effect of the present invention, this embodiment further evaluates the robustness of the present invention, and the detailed process is as follows:

[0131] First, under robustness evaluation conditions, the function call graph is perturbed using a structural perturbation method based on FCGHunter, wherein the structural perturbation includes adding, deleting, or modifying edge connections in the function call graph; and the detection results of the malware detection model of the present invention are compared with those of at least one baseline model under the same structural perturbation conditions to evaluate the robustness performance of different models in structural perturbation scenarios.

[0132] Then, under robustness evaluation conditions, the function call graph is perturbed by a feature-level perturbation method based on IG-JSMA, wherein the feature-level perturbation includes modification or replacement of node features; and the detection results of the malware detection model of the present invention are compared with those of at least one baseline model under the same feature-level perturbation conditions to evaluate the robustness performance of different models under feature perturbation scenarios.

[0133] Under the aforementioned adversarial evaluation or robustness evaluation conditions, structural perturbations and feature-level perturbations are applied to the function call graph, and the robustness of the model is measured by indicators such as attack success rate and perturbation cost; wherein, the structural perturbation includes the addition, deletion and modification of edges, and the feature-level perturbation includes the modification or replacement of node features.

[0134] Experimental results are as follows Figure 4 As shown in Table 2.

[0135] Table 2

[0136] Method ASR(%) APR(%) API-Graph 89.80 -- MalScan-avg 95.65 -- MalScan-con 81.32 -- MaMaDroid 82.11 -- EFCGS 36.56 8.91 MaskDroid 44.90 9.62 Invention DualDroid 19.59 16.50

[0137] The results from the examples clearly demonstrate that the present invention achieves high detection performance in standard detection scenarios, with an evaluation index that comprehensively considers detection accuracy and malicious sample recall capability reaching 98.20%. In time evolution evaluation scenarios with significant temporal distribution changes, this index still remains above 90%. Under structural and feature-level adversarial attack conditions, it can effectively reduce the attack success rate, verifying the effectiveness of the present invention in improving the robustness and engineering practicality of Android malware detection models.

[0138] As described above, although the invention has been shown and described with reference to specific preferred embodiments, it should not be construed as limiting the invention itself. Various changes in form and detail may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims

1. A malware detection method based on adaptive node-edge joint masking, characterized in that, Includes the following steps: Step 1: Filter and collect Android application installation packages, and complete preprocessing according to preset rules to build a malware detection dataset for training and evaluation; divide the application installation package samples in the dataset into training set and test set according to time. Step 2: Perform static analysis on the Android application installation packages in the dataset, extract function-level call relationships, and construct a function call graph. Function call graph The nodes in the function call graph represent functions or methods, and the edges in the function call graph represent the call relationships. Step 3: Based on the obtained function call graph Calculate the node importance score and the edge importance score separately; First, the importance of a node is determined based on its structural information and semantic features. Then, the importance of an edge is determined based on the importance of its connected nodes. Next, the importance is normalized to obtain the node importance score and edge importance score used for subsequent masking decisions. Step 4: Based on the node importance score and edge importance score, and under the premise of satisfying the preset basic mask ratio constraint, construct a mask probability distribution that is inversely proportional to the importance, and perform joint masking processing on node features and edge connection relationships according to the preset masking strategy to generate a mask map. ; Step 5: Create a mask image The input graph neural network encoder is trained, and through a pre-defined self-supervised objective, the model learns a stable and consistent graph representation under conditions where nodes / edges are partially missing or perturbed; and the graph representation is used to construct a downstream malware classifier.

2. The malware detection method based on adaptive node-edge joint masking according to claim 1, characterized in that, The detailed process of static analysis in step 2 is as follows: Step 2.1: Unpack and parse the Android application installation package to be analyzed, read the manifest file and code file, extract the application's package structure information, component information and related metadata, and complete sample deobfuscation and deduplication preprocessing. Step 2.2: Perform static analysis on the application code to construct intermediate representations at the function / method level; Step 2.3: Identify all function and method entities in the application and map them to nodes; normalize the method signatures, class names, and package names to ensure consistent representation across samples; Step 2.4: Based on the intermediate representation, parse the calling relationships between functions / methods and generate edges; where the calling relationships include direct calls and indirect calls, and record the caller, callee, and calling context information for each calling edge; Step 2.5: Construct a function call graph based on the node set and edge set. Function call graph Normalization processes are performed, including removing isolated nodes, merging duplicate edges, limiting the graph size, or sampling subgraphs from very large graphs, to form graph structure data that can be directly input into the model. Step 2.6: Create a function call graph. Each node in Construct the corresponding node feature vector And summarize them to form a node feature matrix. ; Step 2.7: Construct an edge index matrix based on the call relationships in the function call graph. Edge index matrix Including source node index sequence With the target node index sequence The composition is as follows: ; in, and These correspond to the source node and target node of the m-th edge, respectively. The first row of the matrix represents the index sequence of all source nodes, and the second row represents the index sequence of all target nodes. Step 2.8, based on the node feature matrix With the edge index matrix Construct a graph structure for the input representation and define the function call graph as follows: ; in: Represents a function call graph; This represents the node feature matrix, where 𝑛 is the number of nodes. For node feature dimensions; Represents the edge index matrix. Let be the number of edges.

3. The malware detection method based on adaptive node-edge joint masking according to claim 2, characterized in that, The node feature vector It includes the following three parts: 1) Opcode feature subvector That is, to parse the bytecode instruction sequence of the function / method corresponding to the node and count the preset opcode set. The occurrence of each opcode is determined to obtain the opcode feature vector. ; 2) Permission feature sub-vector This refers to mapping nodes to a predefined set of permissions based on the permission-related calls made by the corresponding functions / methods in the code. ,right Each permission generates a value for a corresponding dimension, thus obtaining a permission feature subvector. ; 3) Sensitive API Feature Subvectors This refers to matching the API calls appearing in the functions / methods corresponding to the nodes with a preset set of sensitive APIs. Perform matching to generate sensitive API feature sub-vectors. ; The node feature vector is obtained by concatenating the above three types of sub-vectors according to their dimensions. 。 4. The malware detection method based on adaptive node-edge joint masking according to claim 1, characterized in that, The specific calculation methods for node importance and edge importance in step 3 are as follows: Step 3.1: For each node in the function call graph Its node importance score The calculation formula is: ; in, For nodes The degree of normalization; For node feature vectors; The L2 norm of the node's eigenvectors; Step 3.2, for the edges Its importance score The calculation formula is: ; Bridge edges are identified through structural connectivity analysis; if deleting an edge would cause the graph structure to split or significantly reduce the overall connectivity, then the edge is marked as a critical connection edge, and its probability of being masked is reduced during the masking process.

5. The malware detection method based on adaptive node-edge joint masking according to claim 1, characterized in that, Step 4, the adaptive node-edge joint masking process, is further subdivided into: Step 4.1: Given the basic mask ratio of the nodes Ratio of edge base mask Then, based on node importance Importance of edges Construct inverse sampling probability The formula is as follows: ; ; While satisfying the overall mask ratio constraint and Under the given conditions, random sampling is performed according to the above probability distribution to determine the set of nodes and the set of edges to be masked; Step 4.2: To enhance randomness, adjust the base mask ratio. Introduce small disturbances within the range and : ; ; And perform mask sampling at the perturbed scale; Step 4.3: Based on the sampling results, perform feature zeroing or replacement with mask vector operation on the selected nodes; delete the selected edge connection relationship; at the same time, apply protection factor to bridge edges or key connected edges to reduce their mask probability; Finally, a mask image is generated. , ; The set of nodes after masking. The set of edges after masking. This is the node feature matrix after masking.

6. The malware detection method based on adaptive node-edge joint masking according to claim 1, characterized in that, The mask constraint in step 5 is illustrated in the following diagram, which shows the detailed process of learning and classification: Step 5.1: Obtain the mask image The graph neural network encoder is trained to obtain the corresponding graph representation vector. The representation learning process of the graph neural network encoder is represented as follows: ; in, This represents the function call graph after the masking. This represents the graph neural network encoding function with parameters . This represents the learned graph-level representation vector; Step 5.2: Based on graph representation vectors A malware classifier is constructed, and the Android application to be detected is classified and predicted. The classification process is represented as follows: ; in, Represents the classification function, This indicates the corresponding malicious or benign prediction result and its confidence level.