高级检索

    InterDroid:面向概念漂移的可解释性Android恶意软件检测方法

    InterDroid: An Interpretable Android Malware Detection Method for Conceptual Drift

    • 摘要: 针对Android恶意软件检测存在特征引入过程主观性高、特征选择过程可解释性差、训练模型检测效果不具备时间稳定性的问题,提出了一种面向概念漂移的可解释性Android恶意软件检测方法InterDroid,该方法首先通过高质量的人工Android恶意软件分析报告引入权限、API包名、意图、Dalvik字节码4种特征.并通过自动化机器学习算法TPOT(tree-based tipeline optimization tool)获得InterDroid训练及对比算法,从而摒弃传统方法中繁复的模型选择与参数调整过程.其后,融入模型解释算法SHAP(shapley additive explanations)改进传统的特征包装方法,从而获得对分类结果具有高贡献度的特征组合用于检测模型训练.最后,通过曼-惠特尼U(Mann-Whitney U, MWU)与机器学习模型的双重检验证明概念漂移现象在Android恶意软件检测中的存在性.并基于联合分布适配(joint distribution adaptation, JDA)算法提高检测模型对新时期Android恶意软件的检测准确率.实验表明:InterDroid筛选出的特征组合具备稳定性与可解释性.同时,InterDroid中的特征迁移模块可将自身对2019年、2020年新兴Android恶意软件的检测准确率分别提高46%,44%.

       

      Abstract: Aiming at the problems in Android malware detection, which are high subjectivity of feature definition, poor interpretability of feature selection process, and lack of temporal instability of training model detection accuracy, an interpretable Android malware detection method for concept drift called InterDroid is proposed. Firstly, four characteristics of the detection model: permission, API package name, intention and Dalvik bytecode are inferred through the high-quality artificial Android malware analysis report. And InterDroid training and comparison algorithm are obtained through automatic machine learning algorithm TPOT (tree-based tipeline optimization tool), thus abandoning the complicated process of model selection and parameter adjustment in traditional methods. After that, the traditional feature wrapper method is improved by integrating the model interpretation algorithm SHAP (shapley additive explanations), and the feature set with high contribution to the classification results is obtained for detection model training. Finally, the existence of concept drift in Android malware detection is proved by the double tests of MWU(Mann-Whitney U) and machine learning model. Based on the JDA(joint distribution adaptation), the accuracy of the detection model for Android malware in the new era is improved. The experimental results show that the feature screened by InterDroid is stable and interpretable. At the same time, the feature-representation transfer module in InterDroid can improve the detection accuracy of Android malware in 2019 and 2020 by 46% and 44%.

       

    /

    返回文章
    返回