MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models

Mariconti, Enrico; Onwuzurike, Lucky; Andriotis, Panagiotis; Cristofaro, Emiliano De; Ross, Gordon J.; Stringhini, Gianluca

doi:10.14722/ndss.2017.23353

Cited by 237 publications

(277 citation statements)

References 35 publications

Supporting

Mentioning

265

Contrasting

Unclassified

Order By: Relevance

“…The Data Analytics platform consists of centralized database servers for analytics and processing. The research will be focused on identifying the classification and anomaly detection machine learning algorithms that includes open source and commercial platforms, libraries with these platforms [17] [18] to detect malware [19] [20] that primarily focus on the Linux data structure extracted by the VMI Framework.…”

Section: Data Analytics and Resultsmentioning

confidence: 99%

Virtual Memory Introspection Framework for Cyber Threat Detection in Virtual Environment

Upadhyay¹,

Gohel²,

Pons³

et al. 2018

Adv. sci. technol. eng. syst. j.

View full text Add to dashboard Cite

show abstract

Section: Data Analytics and Resultsmentioning

confidence: 99%

Virtual Memory Introspection Framework for Cyber Threat Detection in Virtual Environment

Upadhyay¹,

Gohel²,

Pons³

et al. 2018

Adv. sci. technol. eng. syst. j.

View full text Add to dashboard Cite

show abstract

“…Classifier In contrast, MaMaDroid [24] shows vulnerability to unbalanced training dataset. In Figure 3b, in the case of using fixed size of malicious apps and a set 1,500 of benign instances in the training phase, we observe that DaDiDroid outperforms MaMaDroid with on average 26% higher accuracy.…”

Section: Datasetmentioning

confidence: 99%

“…By parsing the API names that correspond to a given Android app in Marvin dataset, we determine this type of obfuscation in our datasets. In essence, leveraging previous works [28,24], we define that an API is obfuscated if either at least 50% of its functions or methods are at most 3 characters or if we cannot tell what its class implements, extends or inherits due to identifier mangling [28].…”

Section: Robustness Against Obfuscation Techniquesmentioning

confidence: 99%

“…DroidAPIMiner [1], for instance, uses the frequency of API calls to classify malware apps. Recently, MaMaDroid [24] leverages the similarity in the code of apps as extracted from the transition probabilities between different API calls to build an efficient Android malware detection system. However, the increased code complexity and the use of obfuscation techniques as a way to protect apps from code theft, reverse engineering and code inspection, pose several challenges to static analysis of malware apps.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DaDiDroid: An Obfuscation Resilient Tool for Detecting Android Malware via Weighted Directed Call Graph Modelling

Ikram

Beaume

Kâafar

2019

Proceedings of the 16th International Joint Conference on E-Business and Telecommunications

View full text Add to dashboard Cite

With the number of new mobile malware instances increasing by over 50% annually since 2012 [25], malware embedding in mobile apps is arguably one of the most serious security issues mobile platforms are exposed to. While obfuscation techniques are successfully used to protect the intellectual property of apps' developers, they are unfortunately also often used by cybercriminals to hide malicious content inside mobile apps and to deceive malware detection tools. As a consequence, most of mobile malware detection approaches fail in differentiating between benign and obfuscated malicious apps. We examine the graph features of mobile apps code by building weighted directed graphs of the API calls, and verify that malicious apps often share structural similarities that can be used to differentiate them from benign apps, even under a heavily "polluted" training set where a large majority of the apps are obfuscated. We present DaDiDroid an Android malware app detection tool that leverages features of the weighted directed graphs of API calls to detect the presence of malware code in (obfuscated) Android apps. We show that DaDiDroid significantly outperforms MaMaDroid [24], a recently proposed malware detection tool that has been proven very efficient in detecting malware in a clean nonobfuscated environment. We evaluate DaDiDroid's accuracy and robustness against several evasion techniques using various datasets for a total of 43,262 benign and 20,431 malware apps. We show that DaDiDroid correctly labels up to 96% of Android malware samples, while achieving an 91% accuracy with an exclusive use of a training set of obfuscated apps.

show abstract

“…The sheer number of apps available in current markets, along with the ratio at which new apps are submitted, makes impossible to manually analyze all of them. Automated analyses also have their limitations and some techniques might require a substantial amount of time per app [25]. This has motivated the need for a multi-staged analysis pipeline in which apps should be initially triaged to allocate resources intelligently and guarantee that the analysis effort is devoted to those samples that potentially have more security interest.…”

Section: Introductionmentioning

confidence: 99%

TriFlow

Mirzaei

Suárez-Tangil

Tapiador

et al. 2017

Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security

View full text Add to dashboard Cite

Information flows in Android can be effectively used to give an informative summary of an application's behavior, showing how and for what purpose apps use specific pieces of information. This has been shown to be extremely useful to characterize risky behaviors and, ultimately, to identify unwanted or malicious applications in Android. However, identifying information flows in an application is computationally highly expensive and, with more than one million apps in the Google Play market, it is critical to prioritize applications that are likely to pose a risk. In this work, we develop a triage mechanism to rank applications considering their potential risk. Our approach, called TRIFLOW, relies on static features that are quick to obtain. TRIFLOW combines a probabilistic model to predict the existence of information flows with a metric of how significant a flow is in benign and malicious apps. Based on this, TRIFLOW provides a score for each application that can be used to prioritize analysis. TRIFLOW also provides an explanatory report of the associated risk. We evaluate our tool with a representative dataset of benign and malicious Android apps. Our results show that it can predict the presence of information flows very accurately and that the overall triage mechanism enables significant resource saving.

show abstract

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models

Cited by 237 publications

References 35 publications

Virtual Memory Introspection Framework for Cyber Threat Detection in Virtual Environment

Virtual Memory Introspection Framework for Cyber Threat Detection in Virtual Environment

DaDiDroid: An Obfuscation Resilient Tool for Detecting Android Malware via Weighted Directed Call Graph Modelling

TriFlow

Contact Info

Product

Resources

About