|
In the face of increasing Android malware threats, we conducted in-depth research aimed at addressing classification and interpretability issues. We use dynamic monitoring technique to obtain the information of parameters passed between API call sequence and function. The API sequence is formed into the graph, the API is used as the node, and the parameter information is embedded into the edges. The Graph Attention Network (GAT) is used to manipulate the graph. The attention score generated by GAT also plays a guiding role in node selection in subsequent reinforcement learning tasks, which is used to guide the generation process of simulated malware behavior. In terms of interpretability, we emphasize the importance of explaining GNN model decisions. We propose an innovative approach, the Malicious behavior generator. MB-generator models the interpretation task as a continuous decision process, using a policy network to predict the connection choices of nodes within the function call graph to form a behavior subgraph. The reward mechanism takes into account the dependencies between the newly added node and the previously added node to provide a better explanation of the behavior set. In summary, our research work will have a profound impact on the field of malware analysis and defense. We achieved higher performance on the dataset with 98.43% accuracy, higher than Mamadroid and GDroid. The results show that the proposed method is effective for interpretation graph neural network prediction.
|
