Evaluation of Malicious Codes in Obfuscated Codes to Detect them with Machine Learning Methods
Yousefi Choobini, Abolfazl | 2025
- Type of Document: M.Sc. Thesis
- Language: Farsi
- Document No: 58421 (05)
- University: Sharif University of Technology
- Department: Electrical Engineering
- Advisor(s): Aref, Mohammad Reza; Ahmadi, Siavash
- Abstract:
- In an age where Android malware is multiplying quickly and obfuscation is becoming increasingly sophisticated, securing the Android ecosystem has become one of the major problems in information technology. Reflection is one of the most robust and damaging obfuscation techniques, since it alters the call graph and hides important execution paths. Most malware detection frameworks, including MsDroid, are susceptible to this kind of obfuscation, which significantly reduces their ability to identify malicious behavioural patterns. In this research, we introduce a new architecture that improves malware detection against reflection-based obfuscation. The architecture consists of two main elements. The first is the inclusion of reflection anchors and sensitive APIs as critical nodes, so that more complete local subgraphs are generated. The second is the use of the Relational GATv2 architecture, which can incorporate heterogeneous dependencies into graph learning and model the semantic relationships carried by edges. This design gives the model a deeper understanding of behavioural patterns that reflection obscures or complicates, and improves its ability to identify risky behaviour. The experiments were conducted on 7000 samples from the AndroZoo dataset (3500 benign and 3500 malicious). The results showed that the proposed model outperformed the baseline methods, including MsDroid. Specifically, the model achieved an accuracy above 93% and an F1-score of approximately 95.6%, a good trade-off between precision and recall, while also showing improved tolerance to structural distortions such as reflection obfuscation. In the more realistic setting where only obfuscated malware samples were evaluated, all models lost performance, but the proposed architecture still outperformed the competing models with an F1-score of 86%.
The ablation studies showed that the components taken together account for the improvements observed in the baseline evaluations. Further analysis showed that the proposed method achieves high accuracy and is computationally viable for large-scale deployment.
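The following is an added illustration, written for this page and not code from the thesis, of the structural problem the abstract describes: a reflective call removes the direct call-graph edge to a sensitive API, so a detector that builds local subgraphs around sensitive-API nodes sees nothing, while treating the reflection entry points as critical nodes and typing the recovered edge as "reflective" (a distinct edge type, as a relational GNN would consume) puts the hidden path back into the subgraph. The method listings, the sensitive-API and anchor sets, and the rule that pairs the two most recent const-string operands with Method.invoke are all constructed simplifications; a real extractor (for example one built on Dalvik bytecode disassembly) would use data-flow to resolve the strings.

```python
"""Added example: how reflection hides a sensitive-API edge and how
reflection anchors plus typed edges recover it. All inputs are constructed."""
from collections import defaultdict, deque

# Java reflection entry points treated as "reflection anchors" (constructed set).
REFLECTION_ANCHORS = {
    "Ljava/lang/Class;->forName",
    "Ljava/lang/Class;->getMethod",
    "Ljava/lang/reflect/Method;->invoke",
}

# Sensitive APIs the detector anchors on (constructed subset).
SENSITIVE_APIS = {
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Landroid/telephony/TelephonyManager;->getDeviceId",
}

# Constructed app: method -> simplified (opcode, operand) instruction list.
# Helper.run never invokes SmsManager directly; it reaches it via reflection.
APP = {
    "Lcom/app/MainActivity;->onCreate": [
        ("invoke", "Lcom/app/Helper;->run"),
    ],
    "Lcom/app/Helper;->run": [
        ("const-string", "android.telephony.SmsManager"),
        ("invoke", "Ljava/lang/Class;->forName"),
        ("const-string", "sendTextMessage"),
        ("invoke", "Ljava/lang/Class;->getMethod"),
        ("invoke", "Ljava/lang/reflect/Method;->invoke"),
    ],
    "Lcom/app/Util;->log": [
        ("invoke", "Landroid/util/Log;->d"),
    ],
}


def dotted_to_dalvik(class_name, method_name):
    """'android.telephony.SmsManager', 'sendTextMessage' -> Dalvik-style descriptor."""
    return "L" + class_name.replace(".", "/") + ";->" + method_name


def build_call_graph(app, resolve_reflection):
    """Return {caller: {(callee, edge_type), ...}}.

    resolve_reflection=False is the plain call graph: only the anchor methods
    appear as callees, the real target is invisible. With True, the two most
    recent const-string operands before Method.invoke are treated as
    (class, method) and added as a 'reflective' edge (heuristic, constructed)."""
    graph = defaultdict(set)
    for caller, instrs in app.items():
        strings = []
        for op, operand in instrs:
            if op == "const-string":
                strings.append(operand)
            elif op == "invoke":
                graph[caller].add((operand, "direct"))
                if (resolve_reflection
                        and operand == "Ljava/lang/reflect/Method;->invoke"
                        and len(strings) >= 2):
                    graph[caller].add((dotted_to_dalvik(strings[-2], strings[-1]),
                                       "reflective"))
    return graph


def critical_nodes(graph, include_anchors):
    """Seed nodes for subgraph extraction: sensitive APIs, plus anchors if asked."""
    nodes = set(graph) | {callee for edges in graph.values() for callee, _ in edges}
    seeds = nodes & SENSITIVE_APIS
    if include_anchors:
        seeds |= nodes & REFLECTION_ANCHORS
    return seeds


def local_subgraph(graph, seeds, hops):
    """Node set within `hops` of any seed, ignoring edge direction."""
    neigh = defaultdict(set)
    for caller, edges in graph.items():
        for callee, _ in edges:
            neigh[caller].add(callee)
            neigh[callee].add(caller)
    seen, frontier = set(seeds), deque((s, 0) for s in seeds)
    while frontier:
        node, dist = frontier.popleft()
        if dist == hops:
            continue
        for nxt in neigh[node]:
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, dist + 1))
    return seen


def sensitive_edges(graph, sub_nodes):
    """Edges inside the subgraph whose callee is a sensitive API, with their type."""
    return sorted((c, t, e) for c, edges in graph.items() if c in sub_nodes
                  for t, e in edges if t in SENSITIVE_APIS and t in sub_nodes)


def analyse(resolve_reflection, include_anchors, hops=2):
    """Run extraction in one configuration and report what a detector would see."""
    graph = build_call_graph(APP, resolve_reflection)
    seeds = critical_nodes(graph, include_anchors)
    sub = local_subgraph(graph, seeds, hops)
    return {"seeds": seeds, "subgraph": sub, "sensitive_edges": sensitive_edges(graph, sub)}


if __name__ == "__main__":
    print("naive:   ", analyse(False, False))     # no seeds, no sensitive edge
    print("anchored:", analyse(True, True))       # SmsManager reached via 'reflective' edge
```

In the naive configuration the sensitive API is not even a node in the graph, so the detector has no seed to expand from and Helper.run looks like harmless reflection plumbing. Once the anchors are seeds and the resolved target is attached with its own edge type, the two-hop subgraph contains onCreate, Helper.run, the three anchors and SmsManager.sendTextMessage, and the model can learn that a "reflective" edge into an SMS API is a different signal from a "direct" one.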
- Keywords:
- Android Operating System ; Graph Neural Network ; Graph Attention Networks ; Malware Detection ; Reflection Obfuscation ; Attention-Based Learning
