Dual Modal Featuring Scheme for Learning Based Android Malware Prevention
Background: The prevalence and evolution of Android malware pose persistent threats to a wide range of devices. Behavioral features are vital for learning-based malware detectors. Prior studies focus on either host logs or network traffic data, or on their simple concatenation; deep fusion and alignment of the two modalities at the behavioral level are rarely explored.

Aims: We propose a deep semantic alignment-based multimodal feature fusion scheme to detect Android malware. The scheme mainly includes a system-traffic graph (STG) construction algorithm, the STG2Vec model, and an attention-enhanced graph neural network (GNN) designed to handle class-imbalanced nodes.

Method: The STG construction algorithm builds a novel argument-oriented host behavior feature space by modeling the semantics of system call arguments and network traffic bursts within a unified heterogeneous graph, while filtering irrelevant data for efficiency. The STG2Vec model encodes heterogeneous nodes into a shared representation space. Graph-based multimodal feature fusion is achieved by constructing a self-attention GNN model, and an incentive factor is introduced to enhance the representation of class-imbalanced nodes, ultimately enabling malware detection.

Results: The experimental results show that the malware detection rate reaches 99.12%, outperforming state-of-the-art solutions. Furthermore, 643 unseen malware samples are identified by our scheme, demonstrating its feasibility for preventing evolving Android malware.

Conclusions: The performance improvement indicates that our scheme can provide a novel feature space for malware analysis and a new way to align dynamic behaviors.
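To make the idea of a unified heterogeneous system-traffic graph concrete, the following Python is an added toy illustration; it is not the paper's STG construction algorithm or any code from its authors. It assumes a simplified log layout (syscall tuples and packet tuples constructed inline), a hypothetical noise-syscall list used as the "irrelevant data" filter, a hypothetical 0.5-second inter-packet gap for splitting traffic into bursts, and a small set of node and edge types (process, syscall, path, endpoint, burst) chosen for illustration only. The `type_counts` helper shows the kind of node-class imbalance a detector has to cope with.

```python
"""Toy system-traffic graph (STG) builder: an added example, not the paper's code."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample host log: (timestamp_s, pid, syscall, argument)
SYSCALLS = [
    (0.00, 101, "openat", "/data/data/com.example.app/shared_prefs/config.xml"),
    (0.01, 101, "read", "fd=3"),
    (0.05, 101, "connect", "203.0.113.10:443"),
    (0.06, 101, "sendto", "203.0.113.10:443"),
    (0.07, 101, "gettimeofday", ""),
    (1.20, 102, "openat", "/sdcard/contacts.db"),
    (1.25, 102, "connect", "198.51.100.7:80"),
]

# Constructed sample traffic capture: (timestamp_s, pid, dst_endpoint, bytes)
PACKETS = [
    (0.06, 101, "203.0.113.10:443", 512),
    (0.08, 101, "203.0.113.10:443", 1024),
    (0.09, 101, "203.0.113.10:443", 256),
    (1.26, 102, "198.51.100.7:80", 4096),
    (1.27, 102, "198.51.100.7:80", 4096),
    (3.00, 102, "198.51.100.7:80", 128),
]

IRRELEVANT = {"gettimeofday", "clock_gettime", "getpid"}  # assumption: noise syscalls to drop
BURST_GAP = 0.5  # assumption: packets on one flow closer than this (s) form one burst


@dataclass
class STG:
    """Heterogeneous graph: typed nodes and (src, relation, dst) edges."""
    nodes: dict = field(default_factory=dict)
    edges: set = field(default_factory=set)

    def add_node(self, node_id, ntype, **attrs):
        self.nodes.setdefault(node_id, {"type": ntype, **attrs})
        return node_id

    def add_edge(self, src, relation, dst):
        self.edges.add((src, relation, dst))

    def neighbors(self, node_id, relation=None):
        return {d for s, r, d in self.edges
                if s == node_id and (relation is None or r == relation)}


def split_bursts(packets, gap=BURST_GAP):
    """Group packets per (pid, dst) flow into bursts separated by more than `gap` seconds."""
    by_flow = defaultdict(list)
    for ts, pid, dst, nbytes in sorted(packets):
        by_flow[(pid, dst)].append((ts, nbytes))
    bursts = []
    for (pid, dst), pkts in by_flow.items():
        cur = None
        for ts, nbytes in pkts:
            if cur is None or ts - cur["end"] > gap:
                cur = {"pid": pid, "dst": dst, "start": ts, "end": ts, "pkts": 0, "bytes": 0}
                bursts.append(cur)
            cur["end"] = ts
            cur["pkts"] += 1
            cur["bytes"] += nbytes
    return bursts


def build_stg(syscalls, packets, irrelevant=IRRELEVANT, gap=BURST_GAP):
    """Fuse host syscalls (with argument semantics) and traffic bursts into one graph."""
    g = STG()
    for _ts, pid, name, arg in syscalls:
        if name in irrelevant:
            continue  # filtering step: noise syscalls never enter the graph
        proc = g.add_node(f"proc:{pid}", "process")
        call = g.add_node(f"syscall:{name}", "syscall")
        g.add_edge(proc, "invokes", call)
        # Only path-like and endpoint-like arguments are modeled here (assumption).
        if arg.startswith("/"):
            argnode = g.add_node(f"path:{arg}", "path")
            g.add_edge(call, "arg", argnode)
            g.add_edge(proc, "touches", argnode)
        elif ":" in arg and arg[0].isdigit():
            argnode = g.add_node(f"endpoint:{arg}", "endpoint")
            g.add_edge(call, "arg", argnode)
            g.add_edge(proc, "contacts", argnode)
    # Traffic bursts are linked to the same process and endpoint nodes, which is
    # what lets host and network behavior be aligned in a single structure.
    for i, b in enumerate(split_bursts(packets, gap)):
        bnode = g.add_node(f"burst:{i}", "burst", pkts=b["pkts"], bytes=b["bytes"],
                           duration=round(b["end"] - b["start"], 3))
        proc = g.add_node(f"proc:{b['pid']}", "process")
        ep = g.add_node(f"endpoint:{b['dst']}", "endpoint")
        g.add_edge(proc, "emits", bnode)
        g.add_edge(bnode, "to", ep)
    return g


def type_counts(g):
    """Node count per type; the skew here is the class imbalance a GNN must handle."""
    return dict(Counter(n["type"] for n in g.nodes.values()))


if __name__ == "__main__":
    stg = build_stg(SYSCALLS, PACKETS)
    print(type_counts(stg))
    print(sorted(stg.neighbors("proc:101")))
```

Running the block prints the per-type node counts and the neighbors of the first process; note that the `connect` argument and the burst destination resolve to the same `endpoint:` node, so a path-based model can walk from a file read through a syscall to the burst that followed it.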