Creating Android Malware Knowledge Graph Based on a Malware Ontology

TL;DR

This paper extends a malware ontology to cover Android malware, creating a comprehensive knowledge graph from over 2600 samples to improve malware understanding and threat intelligence.

Contribution

It introduces AndMalOnt, an extended Android malware ontology, and constructs a large knowledge graph from threat reports, enhancing malware data organization and analysis.

Findings

Extended malware ontology with 13 new classes

Constructed a knowledge graph with over 2600 malware samples

Open-source tools and data available for research

Abstract

As mobile and smart connectivity continue to grow, malware presents a permanently evolving threat to different types of critical domains such as health, logistics, banking, and community segments. Different types of malware have dynamic behaviors and complicated characteristics that are shared among members of the same malware family. Malware threat intelligence reports play a crucial role in describing and documenting the detected malware, providing a wealth of information regarding its attributes, patterns, and behaviors. There is a large amount of intelligent threat information regarding malware. The ontology allows the systematic organization and categorization of this information to ensure consistency in representing concepts and entities across various sources. In this study, we reviewed and extended an existing malware ontology to cover Android malware. Our extended ontology is called AndMalOnt. It consisted of 13 new classes, 16 object properties, and 31 data properties. Second, we created an Android malware knowledge graph by extracting reports from the MalwareBazaar repository and representing them in AndMalOnt. This involved generating a knowledge graph that encompasses over 2600 malware samples. Our ontology, knowledge graph, and source code are all open-source and accessible via GitHub