Jennie2hang / MsDroid

An explainable GNN-based Android malware detector in paper "MsDroid: Identifying Malicious Snippets for Android Malware Detection" (TDSC 2023)


MsDroid (TDSC'23)

Preparations

  1. Install Androguard 3.4.0 from source code.
  2. Install PyTorch and PyTorch Geometric.
  3. Download lite_dataset_10.csv into ./src/feature/LibRadar/Data.

Usage

  1. Run the training script (further configuration options are documented in the code):
python train.py -i $input_dir

Three new folders are generated in ./src/training, e.g.,

  • # generated behavior subgraphs
    ./training/Graphs/
    └── $input_dir_name
        └── HOP_2
            └── TPL_True
                ├── dataset.pt
                ├── FeatureLen.txt
                └── processed
                    ├── data_0_0.pt
                    ├── ...
  • # mappings of behavior subgraphs and (APK, API) pairs
    ./training/Mappings/
    └── TestAPK_2_True.csv
  • # experiment results with different settings
    ./training/Experiments/
    ├── $timestamp
    │   ├── exp_log.log
    │   ├── models
    │   │   ├── $precision'_'$recall'_'$accuracy'_'$f1'_'$f2
    │   │   └── last_epoch_$epoch_number
    │   ├── scores
    │   │   └── $precision'_'$recall'_'$accuracy'_'$f1'_'$f2.csv
    │   ├── tensorboard
    │   │   └── events.out.tfevents.$timestamp.ecs-tech-research
    │   └── TrainTest
    │       ├── test.pt
    │       └── train.pt
    ├── exp_configs.csv
    └── performance.csv
  2. Run the test script (it needs a trained model, model.pkl, in ./src/classification):
python main.py -i $input_dir -o $output_dir

For example, if $input_dir has the structure

$input_dir
├── app-debug.apk
└── Test
    └── app-debug.apk

then the output folder $output_dir looks like

$output_dir
├── decompile
│   ├── app-debug
│   │   └── call.gml
│   └── Test
│       └── app-debug
│           └── call.gml
├── FeatureLen.txt
├── prediction.csv
├── processed
│   ├── data_0_0.pt
│   └── ...
└── result
    ├── opcode
    │   ├── app-debug.csv
    │   └── Test
    │       └── app-debug.csv
    ├── permission
    │   ├── app-debug.csv
    │   └── Test
    │       └── app-debug.csv
    └── tpl
        ├── app-debug.csv
        └── Test
            └── app-debug.csv
  • prediction.csv holds the classification results, one row per APK (APK ID, APK Path, Class).

Each .pt file in processed/ is named after the APK ID and the Behavior Subgraph ID, i.e. data_<APK ID>_<Behavior Subgraph ID>.pt (for example data_0_0.pt).

Mappings between (APK ID, Behavior Subgraph ID) and (APK Hash, API Name) for each dataset are provided in Datasets/mappings.
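The README documents the layout of both the training and the test outputs but ships no helper for reading them. The script below is an added example, not code from the MsDroid repository: it parses the checkpoint names ($precision_$recall_$accuracy_$f1_$f2) under Experiments/$timestamp/models/ to select the best model by a chosen metric while skipping the unscored last_epoch_* file, and it joins prediction.csv with the data_<APK ID>_<Behavior Subgraph ID>.pt names in processed/ to report how many behavior subgraphs each APK contributed. It assumes prediction.csv has a header row with exactly the column names listed above and leaves the Class value uninterpreted; every path, file and label inside run_demo() is constructed for the demonstration.

```python
"""Post-run helpers for the MsDroid output layout documented in the README.

Added example, not code from the MsDroid repository. It relies only on the
file layout the README shows:
  * training: Experiments/$timestamp/models/ holds checkpoints named
    $precision_$recall_$accuracy_$f1_$f2 beside last_epoch_$epoch_number;
  * testing:  $output_dir/prediction.csv (APK ID, APK Path, Class) and
    $output_dir/processed/data_<APK ID>_<Behavior Subgraph ID>.pt.
Assumed, not stated in the README: prediction.csv has a header row with
exactly those column names; Class is kept as the literal string written.
"""
from __future__ import annotations

import csv
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

METRICS = ("precision", "recall", "accuracy", "f1", "f2")
PT_NAME = re.compile(r"^data_(\d+)_(\d+)\.pt$")


def parse_checkpoint(path: Path) -> Optional[dict]:
    """Scores encoded in a checkpoint name; None for last_epoch_* and the like."""
    parts = path.name.split("_")
    if len(parts) != len(METRICS):
        return None
    try:
        scores = [float(p) for p in parts]
    except ValueError:
        return None
    if not all(0.0 <= s <= 1.0 for s in scores):
        return None
    return {"path": path, **dict(zip(METRICS, scores))}


def best_checkpoint(models_dir: Path, metric: str = "f1") -> Optional[dict]:
    """Checkpoint with the highest value of `metric` (default F1), or None."""
    if metric not in METRICS:
        raise ValueError(f"unknown metric {metric!r}, expected one of {METRICS}")
    found = [c for c in map(parse_checkpoint, models_dir.iterdir()) if c]
    return max(found, key=lambda c: c[metric]) if found else None


def count_subgraphs(processed_dir: Path) -> Counter:
    """Behavior subgraphs per APK ID, taken from the data_<apk>_<subgraph>.pt names."""
    counts: Counter = Counter()
    for p in processed_dir.iterdir():
        m = PT_NAME.match(p.name)
        if m:  # skip PyG bookkeeping files such as pre_filter.pt / pre_transform.pt
            counts[int(m.group(1))] += 1
    return counts


def summarize(output_dir: Path) -> list[dict]:
    """One record per APK: its prediction row joined with its subgraph count."""
    with (output_dir / "prediction.csv").open(newline="") as fh:
        rows = list(csv.DictReader(fh))
    if not rows or not {"APK ID", "APK Path", "Class"} <= set(rows[0]):
        raise ValueError("prediction.csv lacks the APK ID / APK Path / Class columns")
    counts = count_subgraphs(output_dir / "processed")
    return sorted(
        ({"apk_id": int(r["APK ID"]), "apk_path": r["APK Path"],
          "class": r["Class"], "subgraphs": counts.get(int(r["APK ID"]), 0)}
         for r in rows),
        key=lambda r: r["apk_id"],
    )


def run_demo() -> dict:
    """Build constructed training and test trees in a temp dir and query them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        models = root / "training" / "Experiments" / "20230101-120000" / "models"
        models.mkdir(parents=True)
        for name in ("0.9700_0.9500_0.9600_0.9599_0.9540",   # constructed scores
                     "0.9800_0.9400_0.9610_0.9596_0.9478",
                     "last_epoch_30"):
            (models / name).write_bytes(b"")  # file contents are irrelevant here
        out = root / "output"
        (out / "processed").mkdir(parents=True)
        for name in ("data_0_0.pt", "data_0_1.pt", "data_1_0.pt", "pre_filter.pt"):
            (out / "processed" / name).write_bytes(b"")
        with (out / "prediction.csv").open("w", newline="") as fh:
            w = csv.writer(fh)
            w.writerow(["APK ID", "APK Path", "Class"])
            w.writerow([1, "in/Test/app-debug.apk", "1"])  # constructed labels
            w.writerow([0, "in/app-debug.apk", "0"])
            w.writerow([2, "in/empty.apk", "0"])           # APK with no subgraphs
        return {
            "best_f1": best_checkpoint(models)["path"].name,
            "best_precision": best_checkpoint(models, "precision")["path"].name,
            "summary": summarize(out),
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Selecting by F1 and by precision can pick different checkpoints even when the names differ only in the third or fourth decimal, so the metric is an explicit argument rather than a hard-coded default; an APK that produced no behavior subgraphs still appears in the summary with a count of 0, which is worth flagging before trusting its Class.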

Citation

If you find this work useful for your research, please consider citing our paper (PDF):

@ARTICLE{he2023msdroid,
  author={He, Yiling and Liu, Yiping and Wu, Lei and Yang, Ziqi and Ren, Kui and Qin, Zhan},
  journal={IEEE Transactions on Dependable and Secure Computing}, 
  title={MsDroid: Identifying Malicious Snippets for Android Malware Detection}, 
  year={2023},
  volume={20},
  number={3},
  pages={2025-2039},
  doi={10.1109/TDSC.2022.3168285}
}

License

GNU General Public License v3.0