Skip to content
/ MsDroid Public

An explainable GNN-based Android malware detection system in paper "MsDroid: Identifying Malicious Snippets for Android Malware Detection" (TDSC 2022)

License

GPL-3.0 license
50 stars 14 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

E0HYL/MsDroid

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
Datasets
Datasets
 
 
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

MsDroid (TDSC'22)

Preparations

  1. Install Androguard 3.4.0 from source code.
  2. Install Pytorch and Pytorch Geometric.
  3. Download lite_dataset_10.csv into ./src/feature/LibRadar/Data.

Source Code

  1. Run the train script (see more configurations in the code):
python train.py -i $input_dir

Three new folders are generated in ./src/training, e.g.,

  • # generated behavior subgraphs
./training/Graphs/
└── $input_dir_name
    └── HOP_2
        └── TPL_True
            ├── dataset.pt
            ├── FeatureLen.txt
            └── processed
                ├── data_0_0.pt
                ├── ...
  • # mappings of behavior subgraphs and (APK, API) pairs
./training/Mappings/
└── TestAPK_2_True.csv
  • # experiment results with different settings
./training/Experiments/
├── $timestamp
│   ├── exp_log.log
│   ├── models
│   │   ├── $precission'_'$recall'_'$accuracy'_'$f1'_'$f2
│   │   └── last_epoch_$epoch_number
│   ├── scores
│   │   └── $precission'_'$recall'_'$accuracy'_'$f1'_'$f2.csv
│   ├── tensorboard
│   │   └── events.out.tfevents.$timestamp.ecs-tech-research
│   └── TrainTest
│       ├── test.pt
│       └── train.pt
├── exp_configs.csv
└── performance.csv
  1. Run the test script (with a trained model model.pkl in ./src/classification):
python main.py -i $input_dir -o $outputdir

For example, the structure of the $input_dir is

$input_dir
├── app-debug.apk
└── Test
    └── app-debug.apk

, then the output folder $output_dir looks like

$outputdir
├── decompile
│   ├── app-debug
│   │   └── call.gml
│   └── Test
│       └── app-debug
│           └── call.gml
├── FeatureLen.txt
├── prediction.csv
├── processed
│   ├── data_0_0.pt
│   └── ...
└── result
    ├── opcode
    │   ├── app-debug.csv
    │   └── Test
    │       └── app-debug.csv
    ├── permission
    │   ├── app-debug.csv
    │   └── Test
    │       └── app-debug.csv
    └── tpl
        ├── app-debug.csv
        └── Test
            └── app-debug.csv
  • prediction.csv classification results (APK ID, APK Path, Class).

Processed Graph Data

.pt file is named after APK ID and Behavior Subgraph ID.

Mappings between (APK ID, Behavior Subgraph ID) and (APK Hash, API Name) for each dataset are available in Datasets/mappings

Citation

If you find this work useful for your research, please consider citing our paper (PDF):

@ARTICLE{he2023msdroid,
  author={He, Yiling and Liu, Yiping and Wu, Lei and Yang, Ziqi and Ren, Kui and Qin, Zhan},
  journal={IEEE Transactions on Dependable and Secure Computing}, 
  title={MsDroid: Identifying Malicious Snippets for Android Malware Detection}, 
  year={2023},
  volume={20},
  number={3},
  pages={2025-2039},
  doi={10.1109/TDSC.2022.3168285}
}

About

An explainable GNN-based Android malware detection system in paper "MsDroid: Identifying Malicious Snippets for Android Malware Detection" (TDSC 2022)

Resources

Readme

License

GPL-3.0 license
Activity

Stars

50 stars

Watchers

1 watching

Forks

14 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages