On the Use of Artificial Malicious Patterns for Android Malware Detection
Computers & Security (IF 4.8), Pub Date: 2020-05-01, DOI: 10.1016/j.cose.2020.101743
Manel Jerbi, Zaineb Chelly Dagdia, Slim Bechikh, Lamjed Ben Said

Abstract Malware programs currently represent the most serious threat to computer information systems. Despite the efforts of researchers in this field, detection tools still have limitations, for one main reason: malware developers usually use obfuscation techniques, consisting of a set of transformations that make the code and/or its execution difficult to analyze by hindering both manual and automated inspection. These techniques allow the malware to escape detection tools and hence to be seen as a benign program. To address the obfuscation issue, many researchers have proposed extracting frequent Application Programming Interface (API) call sequences from previously encountered malware programs using pattern mining techniques, and hence building a base of fraudulent behaviors. Given this process, it is worth noting that the performance of the detection process depends heavily on the base of examples of malware behaviors, also called malware patterns. To deal with this shortcoming, a dynamic detection method called Artificial Malware-based Detection (AMD) is proposed in this paper. AMD makes use not only of extracted malware patterns but also of artificially generated ones. The artificial malware patterns are generated using an evolutionary (genetic) algorithm, which evolves a population of API call sequences with the aim of finding new malware behaviors, following a set of well-defined evolution rules. The artificial fraudulent behaviors are subsequently inserted into the base of examples in order to enrich it with unseen malware patterns. The main motivation behind the proposed AMD approach is to diversify the base of malware examples in order to maximize the detection rate. AMD has been tested on different Android malware data sets and compared against recent prominent works using commonly employed performance metrics. The performance analysis of the obtained results shows the merits of our novel AMD approach.
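A toy illustration of the AMD pipeline described above, added here as an example and not the paper's own code: a base of extracted patterns, a subsequence-matching detector, and a genetic algorithm that evolves API call sequences into artificial patterns that enrich the base. The API names, the fitness rule and the thresholds are constructed assumptions, since the paper's evolution rules are not given on this page.

```python
import random

# Constructed sample data (not from the paper): API names are stand-ins for Android
# calls, and each pattern is an ordered API call sequence treated as a malware behaviour.
MALWARE_PATTERNS = [
    ("getDeviceId", "openConnection", "write"),
    ("getSubscriberId", "encrypt", "sendTextMessage"),
    ("getInstalledPackages", "openConnection", "write"),
]
API_VOCAB = sorted({c for p in MALWARE_PATTERNS for c in p} | {"getLine1Number", "getLastKnownLocation"})

def contains_pattern(trace, pattern):
    """True if pattern occurs in trace as an ordered, not necessarily contiguous, subsequence."""
    calls = iter(trace)
    return all(any(c == want for c in calls) for want in pattern)

def detect(trace, base):
    """Dynamic-style check: a trace is flagged if it matches any pattern in the base."""
    return any(contains_pattern(trace, p) for p in base)

def fitness(candidate, base):
    """Assumed evolution rule (the paper's own rules are not given on this page):
    reward sharing calls with a known pattern, score exact copies of a known pattern as zero."""
    if candidate in base:
        return 0.0
    return max(len(set(candidate) & set(p)) for p in base) / len(candidate)

def crossover(a, b, rng):
    cut = rng.randint(1, len(a) - 1)  # one-point crossover; all patterns share one length here
    return a[:cut] + b[cut:]

def mutate(seq, rng, rate=0.3):
    return tuple(rng.choice(API_VOCAB) if rng.random() < rate else c for c in seq)

def evolve(base, generations=30, pop_size=20, min_fitness=0.66, seed=1):
    """Evolve API call sequences seeded from the base; keep the novel, high-fitness ones."""
    rng = random.Random(seed)
    pop = [mutate(rng.choice(base), rng) for _ in range(pop_size)]
    for _ in range(generations):
        pop.sort(key=lambda s: fitness(s, base), reverse=True)
        parents = pop[: pop_size // 2]  # elitist selection: top half survives
        pop = parents + [mutate(crossover(rng.choice(parents), rng.choice(parents), rng), rng)
                         for _ in range(pop_size - len(parents))]
    novel = {s for s in pop if fitness(s, base) >= min_fitness}
    return sorted(novel, key=lambda s: (-fitness(s, base), s))

def enrich(base, **kw):
    """AMD-style enrichment: extracted patterns plus the artificial ones."""
    return list(base) + evolve(base, **kw)
```

Because detection is subsequence matching, an artificial pattern that reorders or substitutes one call of a known pattern catches traces the extracted base alone would miss.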

Updated: 2020-05-01