See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/379749566

SNDGCN: Robust Android malware detection based on subgraph network and

denoising GCN network

Article in Expert Systems with Applications · April 2024

DOI: 10.1016/j.eswa.2024.123922

CITATIONS READS

0 83

4 authors, including:

Xiaofeng Lu
Beijing University of Posts and Telecommunications
51 PUBLICATIONS 820 CITATIONS

SEE PROFILE

All content following this page was uploaded by Xiaofeng Lu on 12 April 2024.

The user has requested enhancement of the downloaded file.

 Expert Systems With Applications 250 (2024) 123922

Contents lists available at ScienceDirect

Expert Systems With Applications

journal homepage: www.elsevier.com/locate/eswa

SNDGCN: Robust Android malware detection based on subgraph network

and denoising GCN network
Xiaofeng Lu a,b ,∗, Jinglun Zhao b , Senhao Zhu b , Pietro Lio c
a
National Engineering Center for Mobile Internet Security Technology, Beijing University of Post and Telecommunications, Beijing, China
b
School of Cyberspace Security, Beijing University of Post and Telecommunications, Beijing, China
c
Computer Laboratory, University of Cambridge, Cambridge, UK

ARTICLE INFO ABSTRACT

Keywords: Android malware seriously affects the use of Android applications, and a growing number of Android malware
Android malware detection developers are using adversarial attacks to evade detection by deep learning models. This work proposes an
Call graph Android malware detection model based on the Android function call graph (FCG) and the denoising graph
Graph convolutional neural network
convolutional network (GCN) that is resistant to adversarial attacks. Methods are also proposed to simplify the
Adversarial attack
FCG to reduce its size, and to construct vertex feature vectors. Because attackers may employ adversarial attack
methods, the proposed model uses the subgraph network (SGN) to detect the underlying structural features of
the FCG to discover the degree of the obfuscation attack. A denoising graph neural network (GNN) is designed,
and the 1-Lipschitz-based neural network denoising method is applied to graph convolution. Moreover, the
degree of denoising is adjusted according to the degree of obfuscation, which enhances the robustness of the
model. The GCN performs the feature vector extraction of the FCG, and a multilayer perceptron (MLP) is used
as the classifier. The results of experiments show that the 𝐹1 value of the proposed Android malware detection
method is higher than those of other malware detection models for different levels of obfuscation attacks, thus
demonstrating its effectiveness against such attacks.

1. Introduction
As an open-source mobile operating system based on the Linux
kernel, Android is popular because of its openness. While the openness
of the Android system brings convenience to developers and users, it
has also led to the generation of malicious software based on the An-
droid platform, which has seriously affected the Android environment
and harmed the interests of users. Therefore, research on the security
mechanisms and malware detection of the Android operating system
has become a top priority in mobile security (Sihag et al., 2021).
Many researchers have used static (Schmeelk et al., 2015) and dy-
namic (Wong & Lie, 2016) detection methods to study the recognition
and detection of Android malware. These methods, especially some
methods based on machine learning and deep learning (Qiu et al.,
2020), have achieved good results. However, despite their outstanding
performance, these models still have some problems. For example, it
is very easy for malware developers to modify the malware’s source
code, making the static features of the sample (such as the API call
frequency, opcode sequence, sensitive permissions, etc.) invalid. As a
result, detection models based solely on static features are vulnerable,
and the misjudgment rate of the model is significantly increased (Grosse
et al., 2016). Although dynamic detection models collect and use the
dynamic characteristics of the sample during operation, the dynamic
characteristics themselves have strong instability and limitations, and
it is challenging to ensure that an inspector can capture malicious
behavior within a short runtime. It is also impossible to traverse all
the logic branches and code branches of the sample software; thus, its
behavior features cannot be fully obtained.
To achieve a better Android malware recognition effect, the ad-
vantages of the static and dynamic features of the sample must be
combined. To achieve this, features can be extracted from the function
call graph (FCG, or call graph, CG) of the Android application (Niu
et al., 2020). Although the FCG is a static feature, it can reflect the
dynamic behavior characteristics of Android applications. However, at
this stage, APK has a large scale, and its FCGs often contain a large
number of API nodes. When processing the FCG, a lot of memory space
is occupied and the detection accuracy is reduced; thus, simplification
is required (Wu et al., 2019).
Second, because the FCG has a non-Euclidean graph data structure,
it is difficult to extract features by convolutional neural networks

∗ Corresponding author at: National Engineering Center for Mobile Internet Security Technology, Beijing University of Post and Telecommunications, Beijing,
China.
E-mail addresses: luxf@bupt.edu.cn (X. Lu), zhaojl@bupt.edu.cn (J. Zhao), zsh239040@bupt.edu.cn (S. Zhu), pl219@cam.ac.uk (P. Lio).

https://doi.org/10.1016/j.eswa.2024.123922
Received 27 February 2023; Received in revised form 10 March 2024; Accepted 4 April 2024
Available online 10 April 2024
0957-4174/© 2024 Published by Elsevier Ltd.
X. Lu et al.
(CNNs) and other methods. In recent years, the concept of the graph
convolutional network (GCN) has emerged, the main idea of which is
to generate the representation of vertices by summarizing the char-
acteristics of the vertices themselves and the characteristics of vertex
neighbors. The GCN calculates the representation of vertices by stack-
ing multiple graph convolution layers. Therefore, the use of a graph
neural network (GNN) to process the FCG of the app is proposed in the
present work.
Third, assuming that the attacker knows that the malicious code
detection model is based on the FCG, the attacker must use anti-attack
technology, such as the Android code obfuscation technique (Dong
et al., 2018), to deceive the detection model. Thus, not only should the
FCG be simplified, but some attacks should also be filtered out from the
perspective of the FCG. In the proposed method, the first- and second-
order subgraph networks (SGNs) are used to reconstruct the original
FCG to detect the counterattack of the FCG.
The extant research has generally only considered one technical
point in malware detection, such as the node characteristics, graph
construction, the graph scale, the detection model, adversarial training,
etc., while no researchers have studied several issues comprehensively.
In addition, no previous studies have analyzed whether adversarial at-
tacks existed in the detected software, and none of the proposed models
have removed the attack content from the detected data. Thus, when
these models encounter an app that has been modified by hackers, they
cannot detect such malicious apps. To solve these problems, this paper
proposes a robust Android malware detection model based on SGNs
and a denoising GCN, named SNDGCN, based on the use of the FCGs
of Android applications. SNDGCN uses the first- and second-order SGNs
to reconstruct the original FCG to detect the adversarial attack of the
FCG. To reduce the influence of the adversarial attack on the model
to the greatest possible extent, a 1-Lipschitz-based neural denoising
GCN is applied to remove the attack effect in the detected app, which
can improve the robustness of the model. The proposed method is
compared with some baseline models on different datasets, and the
presence of adversarial attacks is simulated. The experimental results
show that SNDGCN achieves higher accuracy and 𝐹1 values than the
state-of-the-art methods, and exhibits significantly higher robustness
against apps with adversarial attacks, thus indicating the effectiveness
of the proposed method.
The main contributions of this research are summarized as follows.
(1) To date, this is the first study to analyze whether adversarial
attacks have been carried out on the tested apps and analyze
the extent of the attacks. SGNs are used to detect whether an
app has undergone adversarial modifications.
(2) This is the first research to automatically adjust the hyper-
parameters in the denoising neural network according to the
degree of adversarial attacks, thus clarifying the effect of ad-
versarial attacks.
(3) This paper comprehensively studies the multidimensional node
characteristics of malware, the graph structure, graph pruning,
and adversarial attack detection and removal.
2. Related works
Before GNNs were applied to malware detection, many other models
and methods were proposed. DREBIN (Arp et al., 2014) is a lightweight
Android malware detection method that performs static analysis and
uses a support vector machine (SVM) to implement sample classifi-
cation. The main contribution of DREBIN lies in feature engineering;
it gathers eight features from the code and manifest of an applica-
tion. Rathore et al. (2021) designed an adversarial attack method for
Android malware detection models based on reinforcement learning,
with the goal of maximizing the deception rate while minimizing
modifications to Android applications and ensuring the functionality
and malicious behavior of the applications. The problem with this
2
Expert Systems With Applications 250 (2024) 123922
method, however, is that the initial detection effect of malware variants
is weak because the robustness of the model must be enhanced after
training. Furthermore, the dimension of the feature vector used by
the detection model is relatively singular, and is mainly based on
permission information. It is thus difficult to comprehensively cover
various characteristics of Android application samples. İbrahim et al.
(2022) studied the features and types of Android malware using a GRU
model, the input of which included numerous Android app features.
With the introduction of GNNs, researchers began to use these
networks for malware detection. For instance, Feng et al. (2020) used
a GNN to extract the features of call graphs, generate vectorized
representations of Android applications, and then classify them via
a multilayer perceptron (MLP), and achieved good results. However,
they also pointed out that although this method has a high recognition
rate for Android malware, it cannot defend against adversarial attacks;
attackers can avoid detection by obfuscating the source code. Gao
et al. (2021) proposed GDroid, which uses a heterogeneous GNN to
map applications and Android APIs into a large heterogeneous graph,
thereby transforming the original problem into a node classification
task. A GNN is used to iteratively generate node embeddings contain-
ing topology and node features, after which the nodes are classified.
Experiments carried out by the researchers demonstrated that GDroid
could detect 98.99% of Android malware with a false positive rate of
less than 1%. However, the heterogeneous graphs contain too few types
of information, including only APPs and APIs, and other important
information, such as system permissions, is not considered. Therefore,
the robustness of the model to adversarial attacks may be insufficient,
as an attacker can modify the system’s API calls to evade detection.
In addition to FCGs, other types of graphs have been proposed. Lin
et al. (2023) used CICFlowMeter-V3 to extract more than 80 network
traffic characteristics from three states of software execution (instal-
lation, before reboot, and after reboot) to build a network traffic
diagram of the malware. The information in the diagram was then
analyzed to explore correlations between malware and its family classi-
fication. Esmaeili et al. (2023) proposed a dynamic malware detection
method based on a control flow diagram, in which nodes represent the
uninterrupted instruction sequence in the basic instruction block and
edges represent the transfer of instruction flow. However, this malware
detection method based on dynamic analysis has some limitations, such
as incomplete feature extraction, a dependent execution environment,
and anti-sandbox detection, which may lead to higher misjudgment and
missed judgment.
One disadvantage of using a GNN is that the scale of graph nodes
is large, thus contributing to low graph operation efficiency. As such,
some researchers have proposed ways to reduce the size of the graph.
For instance, to carry out Android malware detection, He et al. (2022)
proposed to extract the FCG based on code snippets, and the results
of experiments demonstrated that this method could effectively deal
with zero-day threats, application evolution, and code obfuscation.
However, this detection method based on code fragments ignores the
dynamic nature of program execution, destroys the integrity of the ex-
ecution path of malicious code, and easily leads to higher misjudgment
and missed judgment. Liu et al. (2024) used graph pruning technology
to build a sensitive FCG on the original FCG, which retained the context
of sensitive API calls and deleted irrelevant nodes in the FCG.
Because deep learning models are susceptible to adversarial sample
attacks, many methods have been proposed to improve the robustness
of malware detection systems. One research direction is to combine
GNN models with other models. As an example, Pei et al. (2020)
proposed a deep learning framework named AMalNet to learn multiple
embedding representations for Android malware detection and family
attributions. It uses a version of the GCN to model high-level graphical
semantics, which automatically identifies and learns the semantic and
sequential patterns. Because the GCN cannot capture dependencies
between nodes that are far away from each other in the graph, the GCN
was combined with IndRNN to further capture remote dependencies
X. Lu et al.
Fig. 1. The generation of an adjacency matrix based on function call relationships.
between nodes in context. Furthermore, DeepCatra (Wu et al., 2023) is
a multi-view learning approach for Android malware detection, which
consists of a bidirectional long short-term memory (BiLSTM) network
and a GNN as subnets. The two subnets rely on features extracted from
statically computed call traces leading to critical APIs derived from
public vulnerabilities. The node features in this GNN are relatively
simple.
Another way to improve the robustness of a GNN is to adopt adver-
sarial training. For instance, Li et al. (2024) proposed a new Android
malware detection method based on imbalanced heterogeneous graph
embedding, which uses a heterogeneous graph to model different types
of entities (e.g., APPs, APIs, permissions, intentions, etc.). A generative
adversarial network (GAN) is used to supplement the unbalanced nodes
in the dataset, and a heterogeneous information network is used to de-
tect malware. Yumlembam et al. (2022) proposed the addition of nodes
and edges to the existing API graph to dynamically generate adversarial
samples and improve the detection accuracy of malware based on GAN
training. However, this method of directly adding edges and nodes does
not guarantee that the app corresponding to the adversarial sample
will work, as this type of adversarial attack is not the method used by
hackers in the real world.
The previously discussed studies generally only considered one
technical point in malware detection, such as the node characteristics,
graph construction, graph scale, or model robustness, and did not
comprehensively consider these points. Furthermore, none of these
studies investigated the detection and removal of adversarial attacks on
the tested apps. The present work proposes the use of SGNs to detect
whether an app has undergone adversarial modifications.
3. Function call graph simplification
3.1. Function call graph
The FCG reflects the internal functions of an Android application,
including the call relationships between the API and developer-defined
functions, which can directly reflect its functional characteristics.
The Android FCG can be represented by directed graph 𝐺 = ⟨𝑉 , 𝐸⟩,
where 𝑉 represents the set of all vertices in the graph. Each vertex
represents a function extracted from the unpacked and decompiled
smali code file, including Android system library functions and user-
defined functions. Moreover, 𝐸 indicates that the graph 𝐺 contains a
set of all relationships (edges). Edges are also important in the FCG, and
represent the process of an Android application executing functions.
The edge information can also be obtained by traversing the smali code
file. In the FCG, the edges represent the call relationships between
vertices. As shown in Fig. 1, in the adjacency matrix 𝐴 of the call
graph, the corresponding position element is set to 1 if an edge exists;
otherwise, it is 0. If Func1 calls Func2, (1, 2) is set to 1.
In function vertex set 𝑉 , the function of each function is mainly
realized by Java library functions and Android system calls. Therefore,
API call information can continue to be mined from function vertices
and the API sequence can be extracted as vertex information.
3
Expert Systems With Applications 250 (2024) 123922
Fig. 2. The application of the 1-hops vertex reservation algorithm to delete 𝑣𝑒𝑟𝑡𝑒𝑥4 .
3.2. Function call graph simplification
Due to the large scale of APK at this stage, its call graph often
contains many API nodes, most of which are ordinary nodes necessary
for application operation. These nodes introduce invalid information,
increase the data complexity of the detection system, and reduce the
detection efficiency. Therefore, some nodes are deleted based on the
sensitivity of the API. In the Android operating system, sensitive APIs
provide some important system-level functions and are protected by the
security mechanism of system permissions. While these APIs may also
be used in normal applications, in malicious software, they are often
used to implement some malicious behaviors, such as sending spam
messages, stealing user information, etc. For example, malicious billing
software may call the API for sending text messages, while software that
steals privacy information may call the API for accessing the address
book. The list of sensitive APIs considered in this study was obtained
from Rasthofer’s analysis (Rasthofer et al., 2014) of sensitive APIs.
However, APIs not on the sensitive APIs list cannot simply be deleted.
To simplify the call graph and retain its original structure, an 𝑁-hops
vertex reservation algorithm is proposed.
It was found that a sensitive system API will contain more relevant
information in the Android application call graph; thus, the FCG is
simplified depending on the sensitive APIs. Whether an API is reserved
depends on the distance 𝑁 from it to the nearest sensitive API. The
vertex deletion rule is as follows. Suppose a vertex is not a sensitive
API, and the number of hops between it and its nearest sensitive API
is 𝑥. If 𝑥 is less than a certain threshold, then the vertex can be
reserved; otherwise, the vertex will be deleted. In Fig. 2, a blue vertex
represents a sensitive API node and a white vertex represents a normal
API node. The distance between 𝑣𝑒𝑟𝑡𝑒𝑥4 and 𝑣𝑒𝑟𝑡𝑒𝑥6 is two hops. If the
threshold is 1, then 𝑣𝑒𝑟𝑡𝑒𝑥4 can be removed. The simplified call graph
significantly reduces the number of nodes, thus effectively reducing the
computational resource consumption of large-scale call graph analysis.
Algorithm 1 describes the 𝑁-hops vertex reservation algorithm.
Algorithm 1 𝑁-hops vertex reservation algorithm
1: for each vertex 𝑖 in 𝑣𝑒𝑟𝑡𝑒𝑥_𝑙𝑖𝑠𝑡 do
2: 𝑟𝑒𝑚𝑜𝑣𝑒 = 𝑡𝑟𝑢𝑒
3: for each sensitive API vertex 𝑗 do
4: if Distance(𝑖, 𝑗) <= 𝑇 ℎ𝑟𝑒𝑠ℎ𝑜𝑙𝑑 then
5: # Distance function calculates the hops between 𝑖 and 𝑗
6: 𝑟𝑒𝑚𝑜𝑣𝑒 = 𝑓 𝑎𝑙𝑠𝑒
7: break
8: end if
9: end for
10: if 𝑟𝑒𝑚𝑜𝑣𝑒 == 𝑡𝑟𝑢𝑒 then
11: 𝑑𝑒𝑙𝑒𝑡𝑒𝑉 𝑒𝑟𝑡𝑒𝑥(𝑖)
12: end if
13: end for
Several difficulties are encountered when introducing the call graph
to malware detection. First, the FCG is essentially a non-Euclidean
structured data type, and its combination with static features, such as
commonly used permission declarations, is more challenging. Second,
there may be tens of thousands of vertices in the call graph of Android
X. Lu et al.
Table 1
The system permissions.
Permission Group Permission
CALENDAR READ_CALENDAR
CAMERA CAMERA
CONTACTS READ_CONTACTS
ACCESS_FINE_LOCATION
LOCATION
ACCESS_COARSE_LOCATION
MICROPHONE RECORD_AUDIO
PHONE READ_PHONE_STATE
READ_CALL_LOG
CALL_PHONE
PROCESS_OUTGOING_CALLS
SEND_SMS
SMS
READ_SMS
READ_EXTERNAL_STORAGE
STORAGE
WRITE_EXTERNAL_STORAGE
application software, and it is also difficult to extract features from
call graphs. Finally, the attacker may obfuscate the malware in various
ways, thus affecting the feature extraction of the detection system and
evading detection.
In summary, the research on Android system malware detection
based on call graphs has essential value, and is also a research hotspot
in this field.
3.3. Function call graph vertex feature extraction
After obtaining the simplified call graph node list and adjacency
matrix, features for each function must be constructed and quantified.
At present, the common node feature vectorization methods include
word2vec (Popov, 2017) and one-hot encoding. In the process of word
embedding, the path information of the library where the node is
located will be lost; thus, the node characteristics cannot be fully
expressed. A new method of constructing vertex features in an FCG is
thus constructed.
The vector of each vertex is composed of three parts, namely 𝐹𝑡 , 𝐹𝑚 ,
and 𝐹𝑐 , which are spliced into a vertex feature vector with a length of
512.
(1) The vector 𝐹𝑡 represents the path of the library where this func-
tion is located. If it comes from a developer-defined function, 𝐹𝑡
is set to all 0 values. If it comes from the Android framework
layer, the description is the system API. An Android library path
set 𝐿1 is pre-established to collect the paths of the libraries
where all APIs in the dataset are located, and the paths of each
library are then mapped into vectors based on this list. 𝐹𝑡 is the
vector mapped to the path of the library where this function is
located.
(2) Vector 𝐹𝑚 represents the vector mapped by the function name
of the current vertex through word2vec. Because functions with
similar names generally have similar use, the user-defined func-
tion vertices with high similarity are defined.
(3) Vector 𝐹𝑐 represents the system permission information re-
quired for the execution of the current system API. A system
permission list was constructed based on a previous study (Au
et al., 2012), as presented in Table 1. Because many system API
calls require some system permissions, the mapping between the
system API and system permissions is established and converted
into vector 𝐹𝑐 , and, finally, the vertex vector is obtained.
4. Adversarial attack detection based on the subgraph network
4.1. Adversarial attacks and motivation
It is assumed that an attacker will adopt adversarial techniques to
deceive the detection model. In the context of the present work, it
4
Expert Systems With Applications 250 (2024) 123922
is assumed that the attacker knows that the malicious code detection
model is based on FCGs, so the attacker can use an obfuscation attack
against malicious applications. The attacker will change the static
features of an app while retaining malicious behavior, thus affecting
the detection model and evading detection. Specifically, in this study,
adversarial attacks are implemented on Android applications via an
FCG obfuscation attack.
An FCG obfuscation attack involves adding redundant edges and
nodes to the FCG. It is assumed that when conducting obfuscation
attacks, attackers usually prefer to add edges in the FCG rather than
delete edges. The randomly added edges are redundant edges that do
not interfere with the normal execution process and the result of the
program. For example, consider the call chain 𝐴 → 𝐵 in the FCG,
indicating that function 𝐴 calls function 𝐵. Redundant nodes 𝐶 and
𝐷 and redundant edges 𝐴 → 𝐶, 𝐶 → 𝐷, and 𝐷 → 𝐵 can be added to
make the call chain become 𝐴 → 𝐶 → 𝐷 → 𝐵.
If anomalies can be found from the perspective of the underlying
structure of the FCG, the detection of adversarial attacks on the FCG
can be realized. Most of the common obfuscation methods for Android
applications have strong randomness, i.e., the changes of vertex and
edges are often random; thus, SGNs can be used to detect obfuscation
attacks. An SGN not only judges whether an Android application is
obfuscated, but also accurately quantifies the degree of obfuscation to
a certain extent. As a result, the subsequent denoising GCN model can
reduce the misjudgment of samples.
4.2. Subgraph network
An SGN is a graph composed of subgraphs in the original graph and
can be regarded as a mapping of the original graph, i.e., the original
node-level network is mapped to the subgraph-level network. An SGN
reconstructs graph features to extract the underlying information of
graph-structured data.
A subgraph is defined as follows. Given a graph 𝐺(𝑉 , 𝐸), when set
𝑉𝑖 belongs to 𝑉 and set 𝐸𝑖 belongs to 𝐸, 𝑔𝑖 = (𝑉𝑖 , 𝐸𝑖 ) is a subgraph
of 𝐺, and multiple subgraphs of graph 𝐺 can be expressed as 𝑔 =
{ }
𝑔𝑖 ⊆ 𝐺 ∣ 𝑖 = 1, 2, … , 𝑛 , where 𝑛 < 𝑁.
An SGN is defined as follows. Given a graph 𝐺(𝑉 , 𝐸), the SGN can be
( )
expressed as 𝐺∗ 𝑉 ∗ , 𝐸 ∗ , where 𝐺∗ represents the set of subgraphs,
{ }
𝑉 ∗ = 𝑔𝑗 ∣ 𝑗 = 0, 1, … , 𝑛 , and 𝐸 ∗ represents that the two subgraphs
in the set 𝑉 ∗ are connected. The connection state in the SGN means
that the two subgraphs 𝑔𝑖 and 𝑔𝑗 have a common edge or vertex in the
original graph 𝐺.
After extracting enough subgraphs from the graph, the connec-
tions between the subgraphs are established according to certain rules,
thereby constructing an SGN. In an FCG, two subgraphs are considered
to be connected if and only if they share the same nodes or edges from
the original graph.
For first-order SGNs, an edge in the original graph is represented as
a subgraph, denoted as SGN(1), and the connections of all subgraphs
form an SGN. Specifically, the edges in the original graph are taken
as the vertices of the SGN, and the vertices between the edges in the
original graph correspond to the connecting edges in the SGN, as shown
in Fig. 3.
For second-order SGNs, open triangles (with at least two edges)
are defined as the basic subgraph units, denoted as SGN(2). If two
such triangles are connected, the two corresponding vertices in the
second-order SGN are connected, as shown in Fig. 4.
4.3. Adversarial attack detection based on subgraph networks
When using SGNs for adversarial attack detection research, because
SGN(1) and SGN(2) have the advantages of a simple structure, low
computational complexity, and almost no loss of information of the
original graph-structured data, both SGNs are used to reconstruct the
network.
X. Lu et al. Expert Systems With Applications 250 (2024) 123922

Therefore, after obtaining the differences in the malicious proba-

bilities of the first-order SGN, the second-order SGN, and the original
FCG in the classifier, the model can accurately evaluate the degree of
obfuscation of this sample. Due to the isomorphism of the SGN, if a
sample has a large deviation from the SGN classification prediction
results, then the degree of obfuscation is large; otherwise, the degree
of obfuscation is small, or the developer did not obfuscate the sample.
Finally, the k-means algorithm is applied to the data 𝑑, which are
clustered into four categories. Referring to the clustering results, values
of 𝑑 in the ranges of [0, 0.05), [0.05, 0.25), [0.25, 0.5), and [0.5, 1) are
defined as no obfuscation, low obfuscation, medium obfuscation, and
high obfuscation, respectively.

5. Robust Android malware detection based on the denoising GCN

5.1. System classification framework

Graphs constructed in the form of vertex connections are non-

Fig. 3. A first-order SGN.
Euclidean data, also known as graph data. Many deep learning methods
cannot be directly applied to non-Euclidean graph data. For example,
convolution operations can only operate on image or text data, and
cannot be directly applied to graph data, thus limiting the development
of deep learning methods in this field. In recent years, GNN algorithms
have emerged as effective methods for solving graph learning problems.
GCNs have strong feature expression capabilities based on the use of
nonlinear activation functions to learn linear or nonlinear functions
to represent the problem. Traditional neural networks also do not
have constraints on weights and gradients, which leads to the poor
robustness of neural networks to adversarial attacks.
The framework of the proposed Android malware detection model
based on the denoising GCN is presented in Fig. 5. The framework
is mainly divided into FCG extraction and preprocessing, the GCN,
and the MLP classifier. To complete the task of graph classification,
the whole graph must first be input into the network, and the hidden
representation of all the vertices is then obtained via the state update
process, i.e., the convolutional layer. Then, via graph pooling, the
vector representation of the graph level is obtained, and is finally used
as the input of the neural network classifier to train the optimal model.

5.2. Graph convolutional network

In ordinary convolution operations, such as those on image data, a

fixed-size convolution kernel is used to extract features from the image
and obtain feature vectors. This is because, in an image, the number
Fig. 4. A second-order SGN.
of pixel blocks around a pixel block is stable. However, in graph data,
the number of neighbor vertices of a vertex often fluctuates in a large
range; thus, it cannot be simply scaled to a fixed number of vertices and
The adversarial detection model proposed in this work is based on then subjected to the ordinary convolution process. Therefore, a special
the first- and second-order SGNs, and uses the reconstructed features convolution process must be used for graph data so that the GCN can
of the SGN to distinguish the attacked samples. 𝑥 is the feature vector process the irregular neighbor vertices in the data and extract valuable
of the input sample, and 𝑥𝑠𝑔𝑛 is the feature vector of the reconstructed features from it.
SGN. The discriminator in the model can detect whether an input sam- GCNs include convolutional layers and pooling layers.
ple is adversarial by computing the difference between the probabilities
that 𝑥 and 𝑥𝑠𝑔𝑛 are malware, as calculated by the graph classifier: 5.2.1. Convolutional layers
( ( ))2 A message-passing neural network (MPNN) framework is used to
𝑠𝑡𝑑 𝑝 (𝑥) − 𝑝 𝑥𝑠𝑔𝑛 model the spatial convolution process. The MPNN is a GNN framework
𝑑 (𝑥,𝑥𝑠𝑔𝑛 ) = 0.5 × ( ( ))2 (1)
𝑠𝑡𝑑 (𝑝 (𝑥))2 + 𝑠𝑡𝑑 𝑝 𝑥𝑠𝑔𝑛 based on spatial convolution. As shown in Eq. (3), the function 𝑀𝑙 is re-
sponsible for completing the message-passing step of the MPNN, and 𝑈𝑙
where 𝑝(𝑥) is the probability that 𝑥 is malware, 𝑠𝑡𝑑(∗) represents the is responsible for completing the state update step after message passing
standard deviation, and 𝑑 (𝑥,𝑥𝑠𝑔𝑛 ) represents the normalized Euclidean and aggregation. Moreover, ℎ𝑙+1 represents the hidden representation
𝑣
distance between 𝑝(𝑥) and 𝑝(𝑥𝑠𝑔𝑛 ), the value of which is between 0 and of the node at layer 𝑙 + 1. When the number of layers 𝑙 is 0, the initial
1; 𝑑 is larger for samples that have been artificially altered, and smaller state ℎ0𝑣 of the hidden state is the initial feature 𝑥𝑣𝑢 of the node 𝑉𝑢 .
for clean samples. A variety of reconstructed SGNs are used to obtain ∑
the maximum value of 𝑑 by Eq. (2). Moreover, 𝑥𝑠𝑔𝑛1 is the first-order ℎ𝑙+1
𝑣 = 𝑈𝑙+1 (ℎ𝑣 , 𝑀𝑙+1 (ℎ𝑙𝑣 , ℎ𝑙𝑢 , 𝑥𝑣𝑢 )) (3)
𝑢∈𝑛𝑒[𝑣]
SGN and 𝑥𝑠𝑔𝑛2 is the second-order SGN.
( ) Each node uses 𝑈𝑙+1 to update its state after receiving a message
𝑑 = 𝑚𝑎𝑥 𝑑 (𝑥,𝑥𝑠𝑔𝑛1 ) , 𝑑 (𝑥,𝑥𝑠𝑔𝑛2 ) , … (2) from each neighbor. This process is continuously repeated until the

5
X. Lu et al.
Fig. 5. The framework of the Android malware detection model based on the denoising GCN.
Fig. 6. The information transfer process of each iteration of the GCN.
hidden representation of the whole graph is converged. At this point,
the process of extracting features from the graph data is completed.
The further refinement of Eq. (3) yields the state update formula
used in this work, as follows:
( 𝑙+1 ( ) ) FCG vertices in this study. The set of these vertices is denoted as
ℎ𝑙+1
𝑣 =𝑓 𝑊 ∗ 𝑎𝑔𝑔𝑟𝑒𝑔𝑎𝑡𝑒 ℎ𝑙𝑣 , ℎ𝑙𝑢 , ∀𝑢 ∈ 𝑛𝑒[𝑣] (4)
where ℎ𝑙+1
𝑣 is the hidden representation of the (𝑙 + 1)-th layer node, 𝑓
is the activation function, 𝑊 𝑙+1 is the weight matrix, 𝑎𝑔𝑔𝑟𝑒𝑔𝑎𝑡𝑒(∗) is
the aggregation function for processing variable-length data, and {ℎ𝑙𝑣 }
is the hidden representation of all neighbor vectors of node 𝑣. Fig. 6
presents the information transmission process of each iteration of the
GCN.
5.2.2. Pooling layer
The pooling operation is a common method of traditional CNNs that
is often used to reduce the feature length to reduce the number of pa-
rameters that must be learned, thereby avoiding overfitting. Moreover,
considering the large number of hierarchies in the input information,
the use of the pooling step to fully mine the hidden features in the data
is inevitable.
The convolutional layer continuously iterates the vertex features in
the FCG through the message-passing framework and finally reaches
a convergent state, thus obtaining the hidden representation of all
vertices. In the Android malware detection model, each FCG repre-
sents an Android application APK sample, so the research goal can be
transformed into a graph classification task. In this task, each graph is
represented as a graph-level feature vector, and the pooling process of
the FCG is critical for the detection model.
6
Expert Systems With Applications 250 (2024) 123922
To preserve the important information in the FCG vertices to the
greatest possible extent, and considering the existing FCG vertex sensi-
tivity knowledge based on the research on sensitive Android APIs (Arzt
et al., 2014), 70 Android system APIs were selected as the important
𝑉𝑠 . For the same function 𝑥, its neighbor relations are often different
in different Android application samples. Therefore, after the graph
convolution calculation, the hidden layer representation of vertex 𝑋
contains different neighbor information. When the training data con-
verge through the iterative computation of graph convolution, the
hidden representations of the vertices in 𝑉𝑠 are aggregated to obtain
the final graph vector representation by Eq. (5).
⨁ ⨁ ⨁
ℎ = ℎ𝑁 ℎ𝑁 ⋯ ℎ𝑁𝑣 , ∀𝑣𝑘 ∈ 𝑉𝑠 (5)
𝑣
1 𝑣 2 𝑘
5.3. Denoising graph convolutional network
In the Android malware detection task, the form of an adversarial
attack is to obfuscate the malicious application, thereby changing its
static characteristics while retaining the malicious behavior, affecting
the detection model, and evading detection. In the proposed method,
these obfuscation methods will perturb the feature information of nodes
in the FCG and the connection information between nodes, thereby
affecting the hidden representation of the final graph.
Let the aggregated vector of the hidden features of the neighbor
nodes of node 𝑣 in the FCG be 𝑥.
Assuming that the node features in the FCG have been obfuscated
by the attacker, the hidden features of the neighbor nodes of the
X. Lu et al.
aggregated node 𝑣 are expressed as (𝑥 + 𝜎), where 𝜎 represents the
deviation caused by the attacker’s obfuscation. For example, consider
that a node that does not exist in the FCG has been added; the deviation
brought by the obfuscation to the output is expressed as ‖𝐹 (𝑥 + 𝜎) −
𝐹 (𝑥)‖.
The maximum ratio between input and output perturbation is de-
noted by 𝐶 in the following equation.
𝐹 (𝑥 + 𝜎) − 𝐹 (𝑥) ≤ 𝐶(𝑥 + 𝜎 − 𝑥)
𝐹 is called a 𝐶-Lipschitz function. When 𝐶 = 1, the perturbation
of the convolution process will be effectively constrained, thereby
ensuring that the disturbance generated by adversarial attacks will
not be amplified. To minimize the error caused by obfuscation to the
output, the goal is to ensure Eq. (7):
‖𝐹 (𝑥 + 𝜎) − 𝐹 (𝑥)‖ ≤ ‖𝑥 + 𝜎 − 𝑥‖
i.e., the Lipschitz constant 𝐶 of the function 𝐹 is guaranteed to be 1. 𝐶
can be calculated by the following formula.
𝐶 = ‖𝑊 𝑙 ‖ ⋅ ‖∇𝑙−1 𝑓 ‖ ⋅ ‖𝑊 𝑙−1 ‖ ⋯ ‖∇1 𝑓 ‖ ⋅ ‖𝑊 1 ‖
The proposed adaptive anti-obfuscation method is applied to the
graph convolution process. According to the work of Zhao et al. (2021),
− ∑
let 𝑓 be the 𝐾𝑙 -Lipschitz activation function. The gradient of the
−
activation function 𝑓 in layer 𝑙 is ‖∇𝑙−1 𝑓 ‖. To make 𝐶 = 1, an
−
adaptive coefficient 𝐾𝑙 is introduced to make ‖∇𝑙−1 𝑓 ‖ to be 1∕ 𝐾𝑙 and
− 𝑏𝑖 is the bias value, and 𝑓 is the activation function. The activation
guarantees the weight matrix ‖𝑊 𝑙‖ of layer 𝑙 to be 𝐾𝑙 . Then, 𝐶 can be
obtained by Eq. (9).
1 1
𝐶= ⋅ 𝐾𝑙 ⋅ ... ⋅ ⋅ 𝐾2 ⋅ 1 = 1
𝐾𝑙 𝐾2
− −
Thus, the goal is to make ‖𝑊 1 ‖ = 𝐾𝑙 , and to make ‖∇𝑙−1 𝑓 ‖ = 1∕𝐾𝑙 .
Then, the 𝐾𝑙 -Lipschitz activation function is expressed as
⎧ ∑ T −
− ⎪ 𝑓 𝑡 (𝑥), if 𝑥 ≥ 𝜇𝑡 − 𝑥−𝜇 𝛼
−( 𝜆 𝑡 ) 𝑡
𝑓 (𝑥) = ⎨ , 𝑓 𝑡 (𝑥) = 1 − 𝑒 𝑡 (10)
𝑡=1
⎪𝐾 𝑥, if 𝑥 < 𝜇𝑡
⎩ 𝑙
− layer performs linear transformation on the input and outputs it to
where 𝑓 𝑡 is the 𝑡th Weibull activation function (Weibull, 1951) with
unique parameters 𝛼𝑡 , 𝜆𝑡 , and 𝜇𝑡 , 𝑥 represents the element in the node
vector, 𝛼𝑡 is the shape parameter, 𝜆𝑡 is the scale parameter, and 𝜇𝑡 is
the displacement parameter. 𝛼𝑡 < 1 means that the perturbation rate
decreases with time. In robust deep learning, the perturbation diffusion
on a layer is similar to a monotonically decreasing function, i.e., the
probability of attack failure decreases with the perturbation diffusion.
In the process of GCN convergence, the information aggregation
of vertex 𝑣 in one iteration is represented as Eq. (4). The activation
−
function 𝑓 in Eq. (4) is replaced with an approximate 𝑓 whose gradient
−
is 𝐾𝑙 , and the weight vector 𝑊 is replaced with 𝑊 . Assuming that the
neighbor vertex 𝑢 of vertex 𝑣 is represented as 𝑢′ after obfuscation, after
− −
replacing 𝑓 and 𝑊 in Eq. (4) with 𝑓 and 𝑊 , the influence of vertex 𝑢′
on 𝑣 will be less than 𝑢′ − 𝑢. In other words, the obfuscation is limited
and is not amplified.
5.4. Multilayer perceptron
Neural networks have achieved very good results for classifica-
tion tasks. Deep neural networks can fit some difficult-to-fit complex
problems via the addition of hidden layers. After complex calculation,
a relatively simple output vector is finally obtained to complete the
classification task. The MLP (a fully connected neural network) is a
commonly used neural network structure that has demonstrated very
good results in classification. The structure of the MLP is shown in
Fig. 7.
Expert Systems With Applications 250 (2024) 123922
(6)
Fig. 7. The overall architecture of the MLP.
Each layer in the neural network can only complete one linear trans-
(7) formation, so a single-layer network can only fit a function once, and
its learning ability is very limited. Thus, an MLP with multiple hidden
layers is used in this study. The hidden layers are made to be fully
connected layers, and each unit is called a neuron. In this way, during
(8) the iteration of the neural network, each neuron in the MLP completes
a linear operation before feeding the result into the activation function.
The calculation formula of each neuron is as follows:
𝑛
𝑜𝑖𝑗 = 𝑓 ( 𝑤𝑖𝑗 𝑥𝑖 + 𝑏𝑖 ) (11)
𝑖=1
where 𝑜𝑖𝑗 is the output of a single neuron, 𝑤𝑖𝑗 is the weight matrix,
function is nonlinear in nature, and is used to add nonlinearity to a
linear single-layer network so that the neural network can fit more
complex functions and solve the linear inseparability problem. The
(9)
entire MLP is similar to a large-scale matrix multiplication operation on
the input vector. After matrix multiplication is completed, the original
complex input vector is transformed into a simpler feature space of
another dimension before classification, i.e., a more easily classified
feature space (Zhang et al., 2018).
The graph vector of the FCG after the state update and pooling
process is used as the input vector of the MLP. The input passes through
hidden layers with lengths of 1024 and 64, respectively. Each hidden
the ReLU activation function. Finally, the logit score result is obtained
through the output layer with a length of 1, and the sigmoid activation
function is used to obtain the sample classification probability. Eq. (12)
is the sigmoid activation function.
1
𝑠𝑖𝑔𝑚𝑜𝑖𝑑(𝑥) = (12)
1 + 𝑒𝑥𝑝(−𝑥)
6. Experiments and results
6.1. Datasets
The datasets used in this study included public datasets and Android
applications from the Google Play Store, including the VirusShare
(VirusShare, 2019) and AndroZoo (Allix et al., 2016) datasets. To avoid
the influence of the datasets on the experimental results and to better
reflect the universality of the model, experiments were carried out on
two different datasets, namely dataset1 and dataset2. Dataset1 included
5500 normal samples collected from the Google Play Store and 5500
malicious samples from the AndroZoo dataset. Dataset2 included 5560
malicious samples from the Drebin dataset (Arp et al., 2014), to which
6000 normal samples were added. There was no overlap between the
samples in dataset1 and dataset2.
All samples in the datasets were detected by the VirusTotal detec-
tion engine (VirusTotal, 2023). If a sample is detected as malicious by
more than six detection engines, it is classified as a malicious sample.
If a sample is judged as benign by all detection engines on VirusTotal,
the sample is considered to be benign. For both datasets, 80% of the
7
X. Lu et al. Expert Systems With Applications 250 (2024) 123922

Table 2
Some statistical information of the call graphs extracted from the datasets.
Type Dataset1 Dataset2
# of graphs 11 000 11 560
# of malicious samples 5500 5560
# of benign samples 5500 6000
# of nodes average in malicious samples 2722 2519
# of nodes average in benign samples 10 372 10 758
# of edges average in malicious samples 6251 5936
# of edges average in benign samples 29 882 31 913

Table 3
The top 10 malicious sample families in dataset1.
Malware family Malicious behavior Quantity
GingerMaste Remote control 379 Fig. 8. The results of the experiment to simplify function call graphs.
FakeInst Malicious deduction 450
SmsAgent Privacy theft, remote control 622
Rogue Hooliganism 645
BadNews Tariff consumption, privacy theft 485
SMSZombie Remote control, fraud 281
Reshare Repackage and camouflage, hooliganism 505
Umeng Malicious deduction 320
QDPlugin Self-start, malicious pop-up 294
Adware Malicious promotion 1270
Others / 6749

samples were used as the training set, and the rest of the samples were
used as the test set. Some statistical information is shown in Table 2.
To prove the effectiveness of the proposed model, the malicious
sample dataset contained 195 malicious families to test the detection
performance of the model for a variety of different malicious behavior
samples. Table 3 reports the top 10 malicious sample families in
dataset1.
Fig. 9. The node degree distribution proportions of the FCG, SGN(1), and SGN(2).

6.2. Experimental setup

The Android application samples in the two datasets were decom-
piled using APKTool to extract the call graphs, and the 3-hops vertex
reservation algorithm was then used to simplify the call graphs. Then,
5-fold cross-validation was used to evaluate the performance of the
model and improve its robustness.
The Python library and PyTorch Geometric library were used to
realize the GNN model. A computer with the Ubuntu 18.04 operating
system, 48 GB of memory, and a 1080Ti GPU was used. The main
parameters set in the experiment were a learning rate of 5e-3, a batch
size of 128, and a four-layer GCN.
6.3. Experimental results
6.3.2. 𝑁-hops vertex reservation algorithm
Fig. 8 shows the relationship between the model performance and
the threshold of the 𝑁-hops vertex reservation algorithm. As the re-
served node threshold increased, the model training time gradually
increased, and the 𝐹1 score exhibited a trend of first increasing and
then decreasing. The 𝐹1 score was the highest when 𝑁 = 3, indicating
that the redundant information that affected the detection model was
minimized while retaining most of the key information in the original
FCG. When 𝑁 = 3, the training and detection time was only 61.3% of
that for the non-simplified data, indicating that the simplified method
improved the training and operation efficiency of the detection model.
Therefore, in the subsequent experiments, three hops were used as the
vertex reservation threshold to ensure model accuracy while reducing
the time overhead.

6.3.1. Metrics 6.3.3. Adversarial attack and graph structure

Accuracy, precision, recall, and the comprehensive evaluation index An adversarial attack on the FCG structure will change the structure
(𝐹1 score) were used as the metrics for model performance. of the FCG and its SGNs. Specifically, an adversarial attack increases
the number of nodes and edges in the SGN and makes sparse the
𝑇𝑃 + 𝑇𝑁
𝐴𝑐𝑐𝑢𝑟𝑎𝑐𝑦 = × 100% (13) connections between nodes, leading to a decrease in the average node
𝑇𝑃 + 𝐹𝑃 + 𝑇𝑁 + 𝐹𝑁
degree. Fig. 9 shows the distribution of the node degree of the FCG,
𝑇𝑃 SGN(1), and SGN(2) before and after obfuscation. The proportion of
𝑃 𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 = × 100% (14)
𝑇𝑃 + 𝐹𝑃 nodes with low degrees increased after the FCG obfuscation attack. In
the figure, the blue bars represent the proportion of nodes with degrees
𝑇𝑃 between [0, 4], which significantly increased after the FCG obfuscation
𝑅𝑒𝑐𝑎𝑙𝑙 = × 100% (15)
𝑇𝑃 + 𝐹𝑁 attack. Correspondingly, the proportions of nodes with high degrees,
2 ∗ 𝑝𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 ∗ 𝑟𝑒𝑐𝑎𝑙𝑙 such as those represented by the orange, green, red, and purple bars in
𝐹1 = (16) the figure, decreased after the obfuscation attack.
(𝑝𝑟𝑒𝑐𝑖𝑠𝑖𝑜𝑛 + 𝑟𝑒𝑐𝑎𝑙𝑙)

8
X. Lu et al.
Fig. 10. The relationship between the 𝐾𝑙 value and the 𝐹1 score.
Fig. 11. The comparison with other Android malware detection methods.
6.3.4. 𝐾𝑙 Of the denoising graph convolutional network
According to the structural difference between the subgraph and
the original image detected by the SGN, the samples were divided into
four categories: no obfuscation, a low degree of obfuscation, a medium
degree of obfuscation, and a high degree of obfuscation. The method for
determining the degree of obfuscation was introduced in Section 4.3.
For different degrees of obfuscation, different 𝐾𝑙 values can be used
when using the denoising GNN. Fig. 10 shows the relationship between
the 𝐾𝑙 value and the 𝐹1 value. When no obfuscation was detected, 𝐾𝑙
was set to 2.4. When the obfuscation degree of the sample was low or
medium, the 𝐾𝑙 value was set to 2.2. When a high degree of obfuscation
was detected, 𝐾𝑙 was set to 2.0.
6.3.5. Performance comparison
The performance of the model was compared with two other mal-
ware detection methods, the first of which was the DeepCatra model
proposed by Wu, which consists of a BiLSTM network and a GNN as
subnets. The other method was a hybrid classifier based on LSTM pro-
posed by Chaulagain, which combines two LSTM models with decision-
level fusion to capture the features of both static API calls and dynamic
system calls.
As shown in Fig. 11, overall, the proposed model exhibited certain
advantages in terms of various evaluation indicators, and had an 𝐹1
score of 97.1%. Although the 𝐹1 score of the proposed method was
only 0.6% higher than that of Wu’s method, the recall rate of Wu’s
method was very low, namely 94.3%. This means that Wu’s method
had a higher miss rate, which will lead to detection evasion by more
malware.
Fig. 11 also presents the test time consumption of different methods.
The test time of the proposed method was only 74.8% of that of
Chaulagain’s method and 62.5% of that of Wu’s method.
9
Expert Systems With Applications 250 (2024) 123922
Fig. 12. The model performance under different obfuscation attack levels.
Fig. 12 displays the decreasing trends of the performance of dif-
ferent methods with the increase of the degree of obfuscation. The
results demonstrate that the proposed method achieved the best model
performance for low, medium, and high levels of obfuscation . As the
degree of obfuscation increased, the 𝐹1 score of the proposed method
decreased to a lesser degree as compared to the other two methods.
Under high obfuscation, the 𝐹1 score of the proposed method was
93.3%, while the 𝐹1 scores of the other methods were lower than
92%. This indicates that the proposed denoising GCN can effectively
eliminate the impact of obfuscation attacks and achieve better detection
performance.
7. Conclusion
In the method proposed in this paper, the call graph is extracted
from an Android application, the GCN model is used to carry out feature
extraction, and an MLP is used as a classifier. To address the problem of
the call graph being too large to analyze and containing a large amount
of invalid information, an 𝑁-hops vertex reservation algorithm was
proposed to simplify the call graph. Because the traditional word2vec
method encounters certain shortcomings when expressing node fea-
tures, a new node feature extraction method was proposed. Aiming at
countering the attack methods commonly used by attackers, sub-graph
network technology was applied to the proposed model and a denoising
method was applied to the GCN, which significantly reduces the impact
of adversarial attacks. The proposed model was compared with two
existing Android malware detection models. The results of experiments
demonstrated that the 𝐹1 score of the proposed method was higher
than those of two baseline methods for different levels of obfuscation
attacks. The findings prove the effectiveness of the proposed method
and verify that it has a solid ability to resist adversarial attacks.
One limitation of the proposed method is that it relies on manual
confounding to apps, and the number of adversarial samples generated
is limited. Furthermore, the techniques used in this study to generate
adversarial samples were not diverse enough to fully simulate the at-
tack methods adopted by hackers. In the future, focus will be placed on
emulating the adversarial modifications and obfuscations that hackers
make to apps.
CRediT authorship contribution statement
Xiaofeng Lu: Conceptualization, Methodology, Investigation, Writ-
ing – original draft. Jinglun Zhao: Methodology, Validation, Visualiza-
tion, Writing – original draft. Senhao Zhu: Validation, Visualization.
Pietro Lio: Review & editing.
X. Lu et al.
Declaration of competing interest
The authors declare that they have no known competing finan-
cial interests or personal relationships that could have appeared to
influence the work reported in this paper.
Data availability
Data will be made available on request.
Acknowledgments
This research work was supported by National Natural Science
Foundation of China (Grant No. 62136006), National Key R&D Program
of China (Grant No. 2020YFB2104700).
References
Allix, K., Bissyandé, T. F., Klein, J., & Le Traon, Y. (2016). Androzoo: Collecting millions
of android apps for the research community. In Proceedings of the 13th international
conference on mining software repositories (pp. 468–471).
Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., & Siemens, C. (2014).
Drebin: Effective and explainable detection of android malware in your pocket.. In
Ndss, vol. 14 (pp. 23–26).
Arzt, S., Rasthofer, S., Fritz, C., Bodden, E., Bartel, A., Klein, J., Le Traon, Y., Octeau, D.,
& McDaniel, P. (2014). Flowdroid: Precise context, flow, field, object-sensitive
and lifecycle-aware taint analysis for android apps. ACM Sigplan Notices, 49(6),
259–269.
Au, K. W. Y., Zhou, Y. F., Huang, Z., & Lie, D. (2012). Pscout: analyzing the android
permission specification. In Proceedings of the 2012 ACM conference on computer and
communications security (pp. 217–228).
Dong, S., Li, M., Diao, W., Liu, X., Liu, J., Li, Z., Xu, F., Chen, K., Wang, X., & Zhang, K.
(2018). Understanding android obfuscation techniques: A large-scale investigation
in the wild. In Security and privacy in communication networks: 14th international
conference, secureComm 2018, Singapore, Singapore, August 8-10, 2018, proceedings,
part i (pp. 172–192). Springer.
Esmaeili, B., Azmoodeh, A., Dehghantanha, A., Srivastava, G., Karimipour, H., & Lin, J.
C.-W. (2023). A GNN-based adversarial internet of things malware detection frame-
work for critical infrastructure: Studying Gafgyt, Mirai and Tsunami campaigns.
IEEE Internet of Things Journal.
Feng, P., Ma, J., Li, T., Ma, X., Xi, N., & Lu, D. (2020). Android malware detection
based on call graph via graph neural network. In 2020 international conference on
networking and network applications (pp. 368–374). IEEE.
Gao, H., Cheng, S., & Zhang, W. (2021). GDroid: Android malware detection and
classification with graph convolutional network. Computers & Security, 106, Article
102264.
Grosse, K., Papernot, N., Manoharan, P., Backes, M., & McDaniel, P. (2016). Adver-
sarial perturbations against deep neural networks for malware classification. arXiv
preprint arXiv:1606.04435.
He, Y., Liu, Y., Wu, L., Yang, Z., Ren, K., & Qin, Z. (2022). Msdroid: Identifying
malicious snippets for android malware detection. IEEE Transactionson Dependable
and Secure Computing.
10
View publication stats
Expert Systems With Applications 250 (2024) 123922
İbrahim, M., Issa, B., & Jasser, M. B. (2022). A method for automatic android
malware detection based on static analysis and deep learning. IEEE Access, 10,
117334–117352.
Li, T., Luo, Y., Wan, X., Li, Q., Liu, Q., Wang, R., Jia, C., & Xiao, Y. (2024). A
malware detection model based on imbalanced heterogeneous graph embeddings.
Expert Systems with Applications, 246, Article 123109.
Lin, H.-C., Wang, P., Lin, W.-H., Lin, Y.-H., & Chen, J.-H. (2023). Graph neural
network for malware detection and classification on renewable energy management
platform. In 2023 IEEE 5th eurasia conference on biomedical engineering, healthcare
and sustainability (pp. 164–166). IEEE.
Liu, Z., Wang, R., Japkowicz, N., Gomes, H. M., Peng, B., & Zhang, W. (2024).
SeGDroid: An android malware detection method based on sensitive function call
graph learning. Expert Systems with Applications, 235, Article 121125.
Niu, W., Cao, R., Zhang, X., Ding, K., Zhang, K., & Li, T. (2020). Opcode-level
function call graph based android malware classification using deep learning.
Sensors, 20(13), 3645.
Pei, X., Yu, L., & Tian, S. (2020). AMalNet: A deep learning framework based on graph
convolutional networks for malware detection. Computers & Security, 93, Article
101792.
Popov, I. (2017). Malware detection using machine learning based on word2vec
embeddings of machine code instructions. In 2017 siberian symposium on data science
and engineering (pp. 1–4). IEEE.
Qiu, J., Zhang, J., Luo, W., Pan, L., Nepal, S., & Xiang, Y. (2020). A survey of android
malware detection with deep neural models. ACM Computing Surveys, 53(6), 1–36.
Rasthofer, S., Arzt, S., & Bodden, E. (2014). A machine-learning approach for classifying
and categorizing android sources and sinks. In NDSS, vol. 14 (p. 1125).
Rathore, H., Sahay, S. K., Nikam, P., & Sewak, M. (2021). Robust android malware
detection system against adversarial attacks using q-learning. Information Systems
Frontiers, 23, 867–882.
Schmeelk, S., Yang, J., & Aho, A. (2015). Android malware static analysis techniques.
In Proceedings of the 10th annual cyber and information security research conference
(pp. 1–8).
Sihag, V., Vardhan, M., & Singh, P. (2021). A survey of android application and
malware hardening. Computer Science Review, 39, Article 100365.
VirusShare (2019). VirusShare.com. URL https://virusshare.com/whatsnew.
VirusTotal (2023). VirusTotal - Free Online Virus, Malware and URL Scanner. URL
https://www.virustotal.com/old-browsers/home/url.
Weibull, W. (1951). A statistical distribution function of wide applicability. Journal of
Applied Mechanics.
Wong, M. Y., & Lie, D. (2016). Intellidroid: a targeted input generator for the dynamic
analysis of android malware. In NDSS, vol. 16, no. 2016 (pp. 21–24).
Wu, Y., Shi, J., Wang, P., Zeng, D., & Sun, C. (2023). DeepCatra: Learning flow-and
graph-based behaviours for Android malware detection. IET Information Security,
17(1), 118–130.
Wu, F., Souza, A., Zhang, T., Fifty, C., Yu, T., & Weinberger, K. (2019). Simplifying
graph convolutional networks. In International conference on machine learning (pp.
6861–6871). PMLR.
Yumlembam, R., Issac, B., Jacob, S. M., & Yang, L. (2022). Iot-based android malware
detection using graph neural network with adversarial defense. IEEE Internet of
Things Journal.
Zhang, C., Pan, X., Li, H., Gardiner, A., Sargent, I., Hare, J., & Atkinson, P. M.
(2018). A hybrid MLP-CNN classifier for very fine resolution remotely sensed image
classification. ISPRS Journal of Photogrammetry and Remote Sensing, 140, 133–144.
Zhao, X., Zhang, Z., Zhang, Z., Wu, L., Jin, J., Zhou, Y., Jin, R., Dou, D., & Yan, D.
(2021). Expressive 1-lipschitz neural networks for robust multiple graph learning
against adversarial attacks. In International conference on machine learning (pp.
12719–12735). PMLR.