MalFlows: Context-aware Fusion of Heterogeneous Flow Semantics for Android Malware Detection

TL;DR

MalFlows introduces a context-aware fusion method for heterogeneous flow semantics in Android malware detection, leveraging a novel HIN embedding technique and deep neural networks to improve accuracy over existing methods.

Contribution

The paper presents MalFlows, the first comprehensive approach to integrate diverse flow semantics using HIN and flow2vec for enhanced malware detection accuracy.

Findings

MalFlows outperforms baseline methods on large-scale dataset.

Flow2vec effectively learns accurate app representations.

Heterogeneous flow fusion improves malware detection precision.

Abstract

Static analysis, a fundamental technique in Android app examination, enables the extraction of control flows, data flows, and inter-component communications (ICCs), all of which are essential for malware detection. However, existing methods struggle to leverage the semantic complementarity across different types of flows for representing program behaviors, and their context-unaware nature further hinders the accuracy of cross-flow semantic integration. We propose and implement MalFlows, a novel technique that achieves context-aware fusion of heterogeneous flow semantics for Android malware detection. Our goal is to leverage complementary strengths of the three types of flow-related information for precise app profiling. We adopt a heterogeneous information network (HIN) to model the rich semantics across these program flows. We further propose flow2vec, a context-aware HIN embedding technique that distinguishes the semantics of HIN entities as needed based on contextual constraints across different flows and learns accurate app representations through the joint use of multiple meta-paths. The representations are finally fed into a channel-attention-based deep neural network for malware classification. To the best of our knowledge, this is the first study to comprehensively aggregate the strengths of diverse flow-related information for assessing maliciousness within apps. We evaluate MalFlows on a large-scale dataset comprising over 20 million flow instances extracted from more than 31,000 real-world apps. Experimental results demonstrate that MalFlows outperforms representative baselines in Android malware detection, and meanwhile, validate the effectiveness of flow2vec in accurately learning app representations from the HIN constructed over the heterogeneous flows.