Android Malware Detection Based On Knowledge Distillation And NAS Fusion

Posted on: 2024-01-24
Degree: Master
Type: Thesis
Country: China
Candidate: M Z Xia
GTID: 2568307130453534
Subject: Computer Science and Technology

Abstract/Summary:
The popular Android operating system is constantly enriching and improving the user experience, while the amount of malicious software is also increasing rapidly. Malware can harm the legitimate rights of users and threaten their privacy or property security. To maintain the healthy development of mobile terminals, in-depth research on malware detection based on deep learning has made a series of breakthroughs. However, there are still issues that require thorough research and resolution. For example, a single type of feature is one-sided and cannot effectively and comprehensively characterize malware. Moreover, deep learning models are inevitably large and complex, with millions or billions of parameters, and require strong computing power. To address these two issues, this thesis conducts in-depth research on malware characterization and proposes the following two Android malware detection methods based on knowledge distillation.

(1) Android malware detection based on knowledge distillation intermediate layer loss. This thesis aims to solve the problem of complexity and large parameter counts in existing malware detection models. Firstly, the idea of Knowledge Distillation (KD) is applied to malware detection, and a novel detection framework based on a Multi-Layer Perceptron (MLP) network, MKDIL, is proposed. Secondly, a combination of permission features (including official and custom permissions) and exposed component features extracted from applications is used to characterize malware. The core of the MKDIL architecture is in-depth research on the middle layer loss of the teacher network in KD, which allows the student network to pay more attention to the middle layer information of the teacher network and learn more hint knowledge. The MKDIL architecture reduces the performance gap between teacher and student models in malware detection, while compressing the model structure and reducing the number of parameters, achieving lightweight student models with better performance than massive teacher models. This thesis collects malware and benign applications from recent years, and extracts permissions and exposed component features to construct a dataset. In a comparison of the MKDIL architecture with the classic deep learning model, the experimental results show that our MKDIL architecture model has better performance.

(2) Android malware detection based on knowledge search. Building on the MKDIL work, this thesis further integrates knowledge distillation and Neural Architecture Search (NAS) technology and proposes a new malware detection architecture, KS (Knowledge Search). The continuous evolution of malware poses new challenges to the sustainability of detection models. Therefore, this thesis expands the dataset and divides it by year, and expands the features with the Application Programming Interface (API) feature, which can intuitively reflect software evolution characteristics. Specifically, it deeply explores the inherent relationship between APIs, permissions, and exposed components for combined learning, while simultaneously training a complex teacher network with multiple parallel shallow networks. In addition, NAS technology is used to automatically select the student network with the best learning ability from the multiple shallow networks. The KS architecture is compared with classic neural networks and some state-of-the-art solutions. The experimental results indicate that our KS architecture can effectively detect malware with good robustness and sustainability, and can effectively respond to the evolution and development of malware.
Keywords/Search Tags:Android, Malware Detection, Knowledge Distillation, Deep Learning
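
The abstract characterizes each application by its official permissions, custom permissions and exposed components. The sketch below is an added example, not code from the thesis, and shows one way to pull those three feature groups out of a decoded `AndroidManifest.xml` and encode them as a binary vector for an MLP. The function names, the `android.permission.` prefix test for "official" permissions, and the rule used to decide that a component is exposed are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (not taken from the thesis dataset).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.example.sample.permission.PUSH"/>
  <permission android:name="com.example.sample.permission.PUSH"/>
  <application>
    <activity android:name=".Main" android:exported="true"/>
    <service android:name=".Sync" android:exported="false"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <provider android:name=".Store" android:exported="false"/>
  </application>
</manifest>"""

def extract_features(manifest_xml):
    """Return official permissions, custom permissions and exposed components."""
    # For manifests from untrusted APKs, a hardened parser (e.g. defusedxml) is preferable.
    root = ET.fromstring(manifest_xml.strip())
    names = {e.get(A + "name") for tag in ("uses-permission", "permission")
             for e in root.iter(tag) if e.get(A + "name")}
    # Assumption: "official" means the platform's android.permission.* namespace.
    official = sorted(n for n in names if n.startswith("android.permission."))
    custom = sorted(names - set(official))
    exposed = []
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            flag = comp.get(A + "exported")
            # Assumption: with no explicit flag, an intent-filter implies exported
            # (the default before Android 12).
            if flag == "true" or (flag is None and comp.find("intent-filter") is not None):
                exposed.append("%s:%s" % (tag, comp.get(A + "name")))
    return {"official": official, "custom": custom, "exposed": sorted(exposed)}

def to_vector(features, vocabulary):
    """One-hot encode the extracted features against a fixed vocabulary."""
    present = set(features["official"]) | set(features["custom"]) | set(features["exposed"])
    return [1 if token in present else 0 for token in vocabulary]
```

The vocabulary passed to `to_vector` would be built once over the whole training set so that every application maps to a vector of the same length.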