N-opcode analysis for android malware classification and categorization

Kang, BooJoong; Yerima, Suleiman Y.; McLaughlin, Kieran; Sezer, Sakir

doi:10.1109/cybersecpods.2016.7502343

Cited by 75 publications

(56 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…In the static analysis approach, the code is usually reverse engineered and examined for presence of any malicious code. [24][25][26][27][28][29][30][31][32][33][34] are examples of detection solutions based on static analysis. Dynamic analysis on the other hand, involves executing apps in a controlled environment such as a sandbox, virtual machine, or a physical device in order to trace its behavior.…”

Section: Related Workmentioning

confidence: 99%

Machine learning-based dynamic analysis of Android apps with improved code coverage

Yerima

Alzaylaee

Sezer

2019

EURASIP J. on Info. Security

Self Cite

View full text Add to dashboard Cite

This paper investigates the impact of code coverage on machine learning-based dynamic analysis of Android malware. In order to maximize the code coverage, dynamic analysis on Android typically requires the generation of events to trigger the user interface and maximize the discovery of the run-time behavioral features. The commonly used event generation approach in most existing Android dynamic analysis systems is the random-based approach implemented with the Monkey tool that comes with the Android SDK. Monkey is utilized in popular dynamic analysis platforms like AASandbox, vetDroid, MobileSandbox, TraceDroid, Andrubis, ANANAS, DynaLog, and HADM. In this paper, we propose and investigate approaches based on stateful event generation and compare their code coverage capabilities with the state-of-the-practice random-based Monkey approach. The two proposed approaches are the state-based method (implemented with DroidBot) and a hybrid approach that combines the state-based and random-based methods. We compare the three different input generation methods on real devices, in terms of their ability to log dynamic behavior features and the impact on various machine learning algorithms that utilize the behavioral features for malware detection. Experiments performed using 17,444 applications show that overall, the proposed methods provide much better code coverage which in turn leads to more accurate machine learning-based malware detection compared to the state-of-the-art approach.

show abstract

Section: Related Workmentioning

confidence: 99%

Machine learning-based dynamic analysis of Android apps with improved code coverage

Yerima

Alzaylaee

Sezer

2019

EURASIP J. on Info. Security

Self Cite

View full text Add to dashboard Cite

show abstract

“…It was evaluated on 1386 benign apps and 1296 malapps achieving a detection accuracy of up to 98.4%. Some papers such as [10], [11], [12], [29] and [30], employ static analysisbased opcode features with machine learning for Android malware detection. Other papers utilize tools such as Droidbox [13] or Dynalog [14] to extract dynamic features [15] for training machine learning based classifiers.…”

Section: Related Workmentioning

confidence: 99%

Longitudinal performance analysis of machine learning based Android malware detectors

Yerima

Khan

2019

2019 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)

Self Cite

View full text Add to dashboard Cite

This paper presents a longitudinal study of the performance of machine learning classifiers for Android malware detection. The study is undertaken using features extracted from Android applications first seen between 2012 and 2016. The aim is to investigate the extent of performance decay over time for various machine learning classifiers trained with static features extracted from date-labelled benign and malware application sets. Using date-labelled apps allows for true mimicking of zero-day testing, thus providing a more realistic view of performance than the conventional methods of evaluation that do not take date of appearance into account. In this study, all the investigated machine learning classifiers showed progressive diminishing performance when tested on sets of samples from a later time period. Overall, it was found that false positive rate (misclassifying benign samples as malicious) increased more substantially compared to the fall in True Positive rate (correct classification of malicious apps) when older models were tested on newer app samples.

show abstract

“…The authors from [19] aimed at utilizing the benefits of the n-gram based approaches while trying to minimize the dimensionality of the feature input space by evaluating the relative importance of the various extracted n-grams. [11] used a similar strategy and extract n-grams of operation codes from binaries, which are then used for detection.…”

Section: Overview Of Malware Detectionmentioning

confidence: 99%

“…In this paper, we compare our deep learning based detector's functionality with a benchmark detector that we implemented, which is closely related, in terms of the principles used, to the works like [25], [11] and [27]. In the work of [24], the authors work with multiple extracted features form binaries, some of which revolve around the notion of capturing structure-related attributes of binaries by collecting n-gram based statistics.…”

Section: A Related Workmentioning

confidence: 99%

Malware Detection Using 1-Dimensional Convolutional Neural Networks

Sharma

Malacaria

Khouzani

2019

2019 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW)

View full text Add to dashboard Cite

This work introduces a highly accurate and efficient malware detection system based on 1-dimensional convolutional neural networks. The system takes as input a binary file and classifies it as malicious or benign. There is minimal preprocessing of the binaries, with features discovery left to the network during training. A crucial difference with other convolutional neural networks (CNN) based approaches is the use of 1-dimensional convolutions; this methodological choice is shown to have significant positive consequences for the detector. In order to compare the detector with state-of-the-art techniques a TF-IDF based benchmark malware detector is also implemented: experiments show an improved accuracy of the proposed CNN detector while maintaining similar training times. The system is also compared, on a publicly available dataset of 11130 binaries, with an existing embedding based CNN detector. The proposed system outperforms, both in accuracy and training time the embedding based CNN.

show abstract

N-opcode analysis for android malware classification and categorization

Cited by 75 publications

References 21 publications

Machine learning-based dynamic analysis of Android apps with improved code coverage

Machine learning-based dynamic analysis of Android apps with improved code coverage

Longitudinal performance analysis of machine learning based Android malware detectors

Malware Detection Using 1-Dimensional Convolutional Neural Networks

Contact Info

Product

Resources

About