TDBAMLA: Temporal and dynamic behavior analysis in Android malware using LSTM and attention mechanisms

Computer Standards & Interfaces, Volume 92, Article 103920. Pub Date: 2024-08-30. DOI: 10.1016/j.csi.2024.103920
Impact factor 4.1; Zone 2 (Computer Science); JCR Q1 (Computer Science, Hardware & Architecture)
Harshal Devidas Misalkar, Pon Harshavardhanan
URL: https://www.sciencedirect.com/science/article/pii/S0920548924000898
Citations: 0

Abstract

The increasing ubiquity of Android devices has precipitated a concomitant surge in sophisticated malware attacks, posing critical challenges to cybersecurity infrastructures worldwide. Existing models have achieved significant strides in malware detection but often suffer from high false-positive rates, lower recall, and computational delays, thus demanding a more efficient and accurate system. Current techniques primarily rely on static features and simplistic learning models, leading to inadequate handling of the temporal aspects and dynamic behaviors exhibited by advanced malware. These limitations compromise the detection of modern, evasive malware and impede real-time analysis. This paper introduces a novel framework for Android malware detection that incorporates Temporal and Dynamic Behavior Analysis using Long Short-Term Memory (LSTM) networks and Attention Mechanisms. We further propose the development of efficient Grey Wolf Optimized (GWO) Decision Trees to find the most salient API call patterns associated with malware. An Iterative Fuzzy Logic (IFL) layer is also deployed before classification to assess the "trustworthiness" of app metadata samples. For ongoing learning, we propose the use of Deep Q-Networks (DQNs), which help the reinforcement learning model adapt more quickly to changes in the threat landscape. By focusing on crucial system calls and behavioral characteristics in real time, our model captures the nuanced temporal patterns often exhibited by advanced malware. Empirical evaluations demonstrate remarkable improvements across multiple performance metrics. Compared to existing models, our approach enhances the precision of malware identification by 8.5%, accuracy by 5.5%, and recall by 4.9%, while also achieving an 8.3% improvement in the Area Under the Receiver Operating Characteristic Curve (AUC), with higher specificity and a 4.5% reduction in identification delay. In malware pre-emption tasks, our model also outperforms them, improving precision by 4.3%, accuracy by 3.9%, recall by 4.9%, AUC by 3.5%, and specificity by 2.9%. These gains make our framework highly applicable to real-time detection systems, cloud-based security solutions, and threat intelligence services, thereby contributing to a safer Android ecosystem.

Source journal: Computer Standards & Interfaces (Engineering & Technology, Computer Science: Software Engineering)
CiteScore: 11.90
Self-citation rate: 16.00%
Articles published: 67
Review time: 6 months

Journal description: The quality of software, well-defined interfaces (hardware and software), the process of digitalisation, and accepted standards in these fields are essential for building and exploiting complex computing, communication, multimedia and measuring systems. Standards can simplify the design and construction of individual hardware and software components and help to ensure satisfactory interworking. Computer Standards & Interfaces is an international journal dealing specifically with these topics. The journal:
• Provides information about activities and progress on the definition of computer standards, software quality, interfaces and methods, at national, European and international levels
• Publishes critical comments on standards and standards activities
• Disseminates users' experiences and case studies in the application and exploitation of established or emerging standards, interfaces and methods
• Offers a forum for discussion on actual projects, standards, interfaces and methods by recognised experts
• Stimulates relevant research by providing a specialised refereed medium.