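As the Android platform has become widespread and application functionality continues to expand, the use of third-party libraries has become increasingly common. However, these libraries, which have not been rigorously vetted, may contain security risks and become potential tools for malware, giving rise to new threats such as supply chain attacks. This research aims to improve existing Android malware detection systems, focusing in particular on improving the preprocessing of sensitive subgraphs. Our goal is to prevent attackers from using APIs in third-party libraries to perform sensitive behaviors, or from using APIs that previous research deemed harmless to build harmful third-party libraries. By improving how the graph structure is preprocessed, we raise the detection system's ability to defend against emerging threats.

This research uses graph neural networks and the GNNExplainer explainability technique, and proposes a novel method for evaluating sensitive third-party library APIs. By analyzing the malicious and benign behavior subgraphs generated by GNNExplainer and combining them with this research's sensitive API scoring method, we can effectively identify third-party APIs that access sensitive information and perform sensitive operations, as well as official APIs with similar behavior. Based on this comprehensive list of sensitive APIs, we generate more precise and complete sensitive subgraphs as input to the malware detection model.

According to the experimental results, this method effectively reduces the complexity of the graph structure while preserving the complete malicious behavior. Compared with the sensitive subgraph methods of existing work such as SFCGDroid and DGCNDroid, this method improves on several detection metrics. Under the existing model architecture, the sensitive subgraphs of this method reach an F1-Score of 96.33%, which is 1% and 2% higher than SFCGDroid and DGCNDroid respectively, with training time reduced by 3% and 58% respectively. In addition, the detection system proposed in this research reaches an F1-Score of 98.65% on the CICMalDroid2020 and AndroZoo datasets, 1~4% better than the F1-Score of existing sensitive subgraph detection systems, and training time can be reduced by more than 3 times.

The increasing use of third-party libraries in Android applications has introduced new security vulnerabilities, including potential supply chain attacks. This research aims to enhance Android malware detection systems by improving the preprocessing of sensitive subgraphs. Our focus is on preventing attackers from exploiting third-party library APIs to perform sensitive operations or utilizing APIs previously deemed harmless to create malicious third-party libraries. These malicious activities could include unauthorized access to sensitive information, execution of harmful operations, or compromising the integrity of the host application. We propose an innovative method using graph neural networks and GNNExplainer to evaluate sensitive APIs in third-party libraries and official Android APIs. By analyzing behavior subgraphs and employing our novel API scoring technique, we generate more precise sensitive subgraphs for enhanced malware detection. Experimental results show that our method reduces graph complexity while preserving malicious behaviors. Our approach achieves a sensitive subgraph F1-Score of 96.33%, outperforming existing methods like SFCGDroid and DGCNDroid by 1-2%, with reduced training times.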
On the CICMalDroid2020 and AndroZoo datasets, our system reaches an F1-Score of 98.65%, surpassing current systems by 1-4% while reducing training time by over 4 times. These improvements significantly enhance the detection system's capabilities against emerging Android application threats.