US 12,135,785 B2
Non-invasive computer implemented method for malware detection, a non-transitory computer-readable medium, and, a system for detecting malware in an application
Vitor Hugo Galhardo Moia, Campinas (BR); and Leonardo Barbosa Da Costa, Campinas (BR)
Assigned to SAMSUNG ELETRÔNICA DA AMAZÔNIA LTDA., São Paulo (BR)
Filed by SAMSUNG ELETRÔNICA DA AMAZÔNIA LTDA., São Paulo (BR)
Filed on Mar. 8, 2022, as Appl. No. 17/689,365.
Claims priority of application No. 10 2022 000128-6 (BR), filed on Jan. 4, 2022.
Prior Publication US 2023/0214487 A1, Jul. 6, 2023
Int. Cl. G06F 21/00 (2013.01); G06F 21/56 (2013.01); G06N 20/20 (2019.01)
CPC G06F 21/562 (2013.01) [G06F 21/566 (2013.01); G06N 20/20 (2019.01); G06F 2221/033 (2013.01)] 24 Claims
OG exemplary drawing
 
1. A non-invasive computer implemented method for malware detection in an application to be installed on a device, comprising:
obtaining, by a first lightweight analysis submodule and before the application is installed, a first set of features of the application by employing system native functions of the device;
performing one or more lightweight analyses on the first set of features, wherein each lightweight analysis comprises a set of rules configured to identify a single type of malware;
checking whether the first set of features matches the set of rules of at least one of the one or more lightweight analyses;
outputting a negative classification label, provided the first set of features matches none of the set of rules of the at least one of the one or more lightweight analyses;
performing a deep analysis for a type of malware of each of at least one matched set of rules, provided the first set of features matches at least one of the set of rules of the one or more lightweight analyses;
wherein the deep analysis comprises:
obtaining, by a deep analysis submodule, a second set of features of the application by employing the system native functions of the device,
running a machine learning (ML) model, wherein the ML model outputs a classification label for the analyzed application,
wherein the system native functions are native Android Application Programming Interface (API) functions,
wherein when there are two or more lightweight analyses:
the two or more lightweight analyses are executed in parallel, or
the two or more lightweight analyses are executed in sequence and a specific and excluding order of priority of execution of each of the two or more lightweight analyses is employed,
wherein the order of the lightweight analyses is from malware types with a more specific behavior to ones with less specific behavior.
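The two-stage pipeline of claim 1, written out as an added, self-contained example; this is not code from the patent or from Samsung. Everything specific is assumed for illustration: the contents of the first and second feature sets (manifest-level permissions and receivers, then per-API call counts), the rule sets for the three hypothetical malware types, the ordering by "specificity", the reading of "matches the set of rules" as every rule in the set firing, the reading of "excluding order" as stopping at the first lightweight hit, and the fixed-weight threshold score that stands in for the claimed ML model. The sample apps are constructed; on a device the feature extraction would call native Android APIs (such as PackageManager) on the not-yet-installed package, which this sketch replaces with plain dictionaries.

```python
"""Two-stage malware triage in the shape of claim 1 (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

Features = Dict[str, object]


@dataclass(frozen=True)
class LightweightAnalysis:
    """One lightweight analysis: a rule set aimed at a single malware type."""
    malware_type: str
    specificity: int                      # higher = more specific, runs first
    rules: List[Callable[[Features], bool]]

    def matches(self, feats: Features) -> bool:
        # Assumption: the feature set "matches the set of rules" when every rule fires.
        return all(rule(feats) for rule in self.rules)


def first_features(app: Dict[str, object]) -> Features:
    """Stage 1 features (assumed: cheap manifest-level data)."""
    return {"permissions": set(app.get("permissions", [])),
            "receivers": set(app.get("receivers", []))}


# Hypothetical rule sets; the patent text does not give the real ones.
LIGHTWEIGHT_ANALYSES = [
    LightweightAnalysis("sms_fraud", specificity=3, rules=[
        lambda f: "SEND_SMS" in f["permissions"],
        lambda f: "RECEIVE_SMS" in f["permissions"],
        lambda f: "android.provider.Telephony.SMS_RECEIVED" in f["receivers"]]),
    LightweightAnalysis("spyware", specificity=2, rules=[
        lambda f: "READ_CONTACTS" in f["permissions"],
        lambda f: "ACCESS_FINE_LOCATION" in f["permissions"]]),
    LightweightAnalysis("adware", specificity=1, rules=[
        lambda f: "SYSTEM_ALERT_WINDOW" in f["permissions"]]),
]


def second_features(app: Dict[str, object]) -> Features:
    """Stage 2 features (assumed: costlier code-level counts), obtained only on a hit."""
    calls = app.get("api_calls", [])
    return {"n_sms_calls": sum(c.startswith("SmsManager.") for c in calls),
            "n_contact_queries": sum(c.startswith("ContactsContract.") for c in calls),
            "n_reflection": sum(c.startswith("java.lang.reflect.") for c in calls),
            "uses_dex_loader": any(c.startswith("dalvik.system.DexClassLoader") for c in calls)}


# Stand-in for the per-type ML model: a fixed linear score against a threshold.
# A trained classifier would be plugged in at this seam.
MODEL_WEIGHTS = {
    "sms_fraud": {"n_sms_calls": 1.0, "n_reflection": 0.5, "uses_dex_loader": 1.5},
    "spyware":   {"n_contact_queries": 1.0, "n_reflection": 0.5, "uses_dex_loader": 1.5},
    "adware":    {"n_reflection": 0.5, "uses_dex_loader": 1.0},
}
THRESHOLD = 2.0


def deep_analysis(malware_type: str, feats: Features) -> str:
    score = sum(w * float(feats[k]) for k, w in MODEL_WEIGHTS[malware_type].items())
    return malware_type if score >= THRESHOLD else "benign"


def classify(app: Dict[str, object], mode: str = "sequential") -> Dict[str, object]:
    """mode='sequential': priority order, stop at the first lightweight hit
    (the 'excluding' order). mode='parallel': evaluate all, deep-analyse every hit."""
    f1 = first_features(app)
    matched: List[str] = []
    for analysis in sorted(LIGHTWEIGHT_ANALYSES, key=lambda a: -a.specificity):
        if analysis.matches(f1):
            matched.append(analysis.malware_type)
            if mode == "sequential":
                break
    if not matched:                      # negative label without the costly stage
        return {"label": "benign", "matched": [], "deep_run": False}
    f2 = second_features(app)
    verdicts = [deep_analysis(t, f2) for t in matched]
    positives = [v for v in verdicts if v != "benign"]
    return {"label": positives[0] if positives else "benign",
            "matched": matched, "deep_run": True}


# Constructed sample apps (not real packages).
SAMPLE_APPS = {
    "notes": {"permissions": ["INTERNET"], "receivers": [],
              "api_calls": ["java.io.File.<init>"]},
    "premium_sms": {"permissions": ["SEND_SMS", "RECEIVE_SMS", "READ_CONTACTS",
                                    "ACCESS_FINE_LOCATION"],
                    "receivers": ["android.provider.Telephony.SMS_RECEIVED"],
                    "api_calls": ["SmsManager.sendTextMessage", "SmsManager.sendTextMessage",
                                  "dalvik.system.DexClassLoader.<init>"]},
    "sms_backup": {"permissions": ["SEND_SMS", "RECEIVE_SMS"],
                   "receivers": ["android.provider.Telephony.SMS_RECEIVED"],
                   "api_calls": ["SmsManager.sendTextMessage"]},
}

if __name__ == "__main__":
    for name, app in SAMPLE_APPS.items():
        print(name, classify(app), classify(app, mode="parallel"))
```

The point the three samples make is the cost/precision trade the claim is built around: the benign app never pays for the second feature set, the premium-SMS app is caught by the most specific rule set first and confirmed by the model, and the SMS backup app trips the same lightweight rules but is cleared by the deep stage, which is what keeps the cheap rules from having to be precise on their own.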