Malicious code detection in android: the role of sequence characteristics and disassembling methods


Creative Commons License

GÜRKAN BALIKÇIOĞLU P., ŞIRLANCI M., ACAR KÜÇÜK Ö., ULUKAPİ B., Turkmen R. K. , ACARTÜRK C.

INTERNATIONAL JOURNAL OF INFORMATION SECURITY, 2022 (SCI-Expanded) identifier identifier

  • Publication Type: Article / Article
  • Publication Date: 2022
  • Doi Number: 10.1007/s10207-022-00626-2
  • Journal Name: INTERNATIONAL JOURNAL OF INFORMATION SECURITY
  • Journal Indexes: Science Citation Index Expanded (SCI-EXPANDED), Scopus, Academic Search Premier, FRANCIS, ABI/INFORM, Applied Science & Technology Source, Business Source Elite, Business Source Premier, Compendex, Computer & Applied Sciences, Criminal Justice Abstracts, INSPEC
  • Keywords: Malware detection, LSTM, Natural language processing, MALWARE DETECTION, FRAMEWORK
  • Middle East Technical University Affiliated: Yes

Abstract

The acceptance and widespread use of the Android operating system drew the attention of both legitimate developers and malware authors, which resulted in a significant number of benign and malicious applications available on various online markets. Since the signature-based methods fall short for detecting malicious software effectively considering the vast number of applications, machine learning techniques in this field have also become widespread. In this context, stating the acquired accuracy values in the contingency tables in malware detection studies has become a popular and efficient method and enabled researchers to evaluate their methodologies comparatively. In this study, we wanted to investigate and emphasize the factors that may affect the accuracy values of the models managed by researchers, particularly the disassembly method and the input data characteristics. Firstly, we developed a model that tackles the malware detection problem from a Natural Language Processing (NLP) perspective using Long Short-Term Memory (LSTM). Then, we experimented with different base units (instruction, basic block, method, and class) and representations of source code obtained from three commonly used disassembling tools (JEB, IDA, and Apktool) and examined the results. Our findings exhibit that the disassembly method and different input representations affect the model results. More specifically, the datasets collected by the Apktool achieved better results compared to the other two disassemblers.