A Family of Droids-Android Malware Detection via Behavioral Modeling: Static vs Dynamic Analysis

Onwuzurike, Lucky; Almeida, Mário; Mariconti, Enrico; Blackburn, Jeremy; Stringhini, Gianluca; De Cristofaro, Emiliano

doi:10.1109/pst.2018.8514191

Cited by 37 publications

(24 citation statements)

References 34 publications


“…Afonso et al [33] and Dash et al [34] detected malware by dynamically obtained features. Meanwhile, some state-of-the-art approaches used dynamic and static methods to obtain features to detect malware [35,36]. The drawbacks of the hybrid approach is that it requires additional OS system consumption and a lot of time.…”

Section: Hybrid Detection (mentioning)

confidence: 99%

A detection method for android application security based on TF-IDF and machine learning

et al. 2020


Android is the most widely used mobile operating system (OS). A large number of third-party Android application (app) markets have emerged. The absence of third-party market regulation has prompted research institutions to propose different malware detection techniques. However, because both malware and the Android system keep evolving, it is difficult to design a detection method that can efficiently and effectively detect malicious apps for a long time. Meanwhile, adopting more features increases the complexity of the model and the computational cost of the system. Permissions play a vital role in the security of Android apps. Term Frequency-Inverse Document Frequency (TF-IDF) is used to assess the importance of a word for a file set in a corpus. The static analysis method does not need to run the app. It can efficiently and accurately extract the permissions from an app. Based on these observations, in this paper, a new static detection method based on TF-IDF and machine learning is proposed. The system permissions are extracted from the manifest file of the Android application package (APK). The TF-IDF algorithm is used to calculate the permission value (PV) of each permission and the sensitivity value of apk (SVOA) of each app. The SVOA and the number of used permissions are learned and tested by machine learning. 6070 benign apps and 9419 malware samples are used to evaluate the proposed approach. The experimental results show that using only dangerous permissions or the number of used permissions cannot accurately distinguish whether an app is malicious or benign. For malware detection, the proposed approach achieves up to 99.5% accuracy, and the learning and training time is only 0.05 s. For malware family detection, the accuracy is 99.6%. The results indicate that the detection accuracy on unknown/new samples is 92.71%. Compared against other state-of-the-art approaches, the proposed approach is more effective at detecting malware and malware families.
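The abstract above does not give the formulas for PV or SVOA, so the following is only a minimal sketch of plain TF-IDF weighting applied to permission lists, assuming each app is treated as a "document" and each requested permission as a "term". The function names `permission_tfidf` and `app_score`, the sample apps, and the idea of summing the weights into one per-app score are illustrative assumptions, not the paper's definitions.

```python
import math
from collections import Counter


def permission_tfidf(apps):
    """Compute standard TF-IDF weights for permissions.

    apps: dict mapping an app name to the list of permissions it requests.
    Returns a dict mapping app name -> {permission: tf-idf weight}.
    This is textbook TF-IDF, not the paper's PV formula (an assumption).
    """
    n_apps = len(apps)
    # Document frequency: in how many apps does each permission appear?
    doc_freq = Counter()
    for perms in apps.values():
        doc_freq.update(set(perms))

    weights = {}
    for name, perms in apps.items():
        counts = Counter(perms)
        total = sum(counts.values())
        weights[name] = {
            perm: (count / total) * math.log(n_apps / doc_freq[perm])
            for perm, count in counts.items()
        }
    return weights


def app_score(perm_weights):
    """Hypothetical per-app score: the sum of its permission weights."""
    return sum(perm_weights.values())


# Made-up sample data for illustration only.
apps = {
    "app_a": ["INTERNET", "SEND_SMS"],
    "app_b": ["INTERNET"],
    "app_c": ["INTERNET", "READ_CONTACTS", "SEND_SMS"],
}
weights = permission_tfidf(apps)
scores = {name: app_score(w) for name, w in weights.items()}
```

In this toy data, a permission requested by every app (INTERNET) receives zero weight, while rarer permissions contribute more to the score, which is the intuition behind weighting permissions by TF-IDF.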


“…Early research incorporating traditional ML algorithms included k-means clustering, kNN [35,39], SVM [5,28,50], decision trees [1,7,8,14,47], and naive Bayes [47]. These ML algorithms usually have manually selected or ranked features as input, such as malicious system call traces [6], permissions [34,37], APIs [1,27,32,37,39,50], network addresses [5], network traffic [22,42] and embedded call graphs [15]. However, a reliance on expert knowledge for feature engineering can render a model more vulnerable to change than if the model learns features itself.…”

Section: Related Work 2.1 Android Malware Detection (mentioning)

confidence: 99%

“…From each sample we extract three input feature sets - 1) opcode instructions; previously shown to be an effective feature set [30], 2) permissions; which cannot be obfuscated without rendering the app useless, and 3) the presence of a selection of API calls, Android commands and Linux terminal commands [48]. The latter two feature sets provide useful information for Android malware classification [5,28,32,34,50], since a malware detector learning only from opcodes is likely to be cheated easily with obfuscation, especially if such evasive techniques are not considered in the learning process. We point out that these features are simply extracted, and expert malware knowledge is not used to rank or engineer them using statistical methods.…”

Section: Feature Extraction (mentioning)

confidence: 99%

DANdroid

Millar, McLaughlin, Rincón et al. 2020

Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy


We present DANdroid, a novel Android malware detection model using a deep learning Discriminative Adversarial Network (DAN) that classifies both obfuscated and unobfuscated apps as either malicious or benign. Our method, which we empirically demonstrate is robust against a selection of four prevalent and real-world obfuscation techniques, makes three contributions. Firstly, an innovative application of discriminative adversarial learning results in malware feature representations with a strong degree of resilience to the four obfuscation techniques. Secondly, three feature sets (raw opcodes, permissions and API calls) are combined in a multi-view deep learning architecture to increase this obfuscation resilience. Thirdly, we demonstrate the potential of our model to generalize over rare and future obfuscation methods not seen in training. With an overall dataset of 68,880 obfuscated and unobfuscated malicious and benign samples, our multi-view DAN model achieves an average F-score of 0.973 that compares favourably with the state-of-the-art, despite being exposed to the selected obfuscation methods applied both individually and in combination.

CCS Concepts: Security and privacy → Malware and its mitigation; Computing methodologies → Adversarial learning; Multi-task learning; Neural networks


“…Moreover, according to Vidas and Christin [65], mobile malware authors often employ emulation or virtualization detection strategies to change malware behavior and eventually evade detection. Also related to MaMaDroid is AuntieDroid [50], which applies MaMaDroid's technique in a dynamic analysis setting by modeling the behavior of apps using traces produced from executing the apps in a virtual device.…”

Section: Android Malware Detection (mentioning)

confidence: 99%
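
The statement above mentions modeling app behavior from execution traces but does not describe the model itself. As a rough illustration only, the sketch below estimates first-order Markov transition probabilities between consecutive calls in a trace, which is the kind of behavioral representation generally associated with MaMaDroid. The function name `transition_probabilities`, the package-level abstraction of calls, and the sample trace are assumptions made for this example.

```python
from collections import Counter, defaultdict


def transition_probabilities(trace):
    """Estimate first-order Markov transition probabilities from a trace.

    trace: ordered list of abstracted call labels (here, package names).
    Returns a dict mapping source label -> {destination label: probability}.
    """
    counts = defaultdict(Counter)
    # Count each observed transition between consecutive calls.
    for src, dst in zip(trace, trace[1:]):
        counts[src][dst] += 1

    # Normalize the counts of each source state so they sum to 1.
    return {
        src: {dst: c / sum(nxt.values()) for dst, c in nxt.items()}
        for src, nxt in counts.items()
    }


# Made-up trace for illustration only.
trace = ["android.telephony", "java.io", "android.telephony", "java.net"]
probs = transition_probabilities(trace)
```

The resulting probabilities can be flattened into a fixed-length feature vector for a classifier; whether the trace comes from static call graphs or from dynamic execution only changes how `trace` is obtained.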