Long Wen,Haiyang Yu

DOI: https://doi.org/10.1063/1.4992953

2017-01-01

AIP Conference Proceedings

Abstract:The Android smartphone, with its open source character and excellent performance, has attracted many users. However, the convenience of the Android platform also has motivated the development of malware. The traditional method which detects the malware based on the signature is unable to detect unknown applications. The article proposes a machine learning-based lightweight system that is capable of identifying malware on Android devices. In this system we extract features based on the static analysis and the dynamitic analysis, then a new feature selection approach based on principle component analysis (PCA) and relief are presented in the article to decrease the dimensions of the features. After that, a model will be constructed with support vector machine (SVM) for classification. Experimental results show that our system provides an effective method in Android malware detection.

Hanqing Zhang,Senlin Luo,Yifei Zhang,Limin Pan

DOI: https://doi.org/10.1109/access.2019.2919796

IF: 3.9

2019-01-01

IEEE Access

Abstract:According to the recent report, 12 000 new Android malware samples will be generated every day. Efficient identification of evolving malware is an urgent challenge. Traditional methods based on structured features such as permissions and sensitive application programming interface (API) calls lack high-level behavioral semantics to detect evolving malware. The methods based on call graphs (CG) are good at behavioral semantic analysis but face the problem of huge time and space consumption, which leads to low detection efficiency. In this paper, we propose a novel Android malware detection method based on the method-level correlation relationship of application's abstracted API calls. First, we split each Android application's source code into separate function methods and just keep the abstracted API calls of them to form a set of abstracted API calls transactions. And then, we calculate the confidence of association rules between the abstracted API calls, which forms behavioral semantics to describe an application. Finally, we combine machine learning to identify the different behavioral patterns of malicious and benign apps to build the detection system. The results of our empirical evaluation show our system is competitive in terms of classification accuracy and detection efficiency. At dataset Drebin (benign 5.9K and malware 5.6K) and AMD (benign 20.5K and malware 20.8K), our system has achieved 96% and 98% detection results both in accuracy and F-measure. Compared with the state-of-the-art system in detecting evolving malware called MaMaDroid on the dataset of 6.0K benign and 20.5K malicious samples spanning from 2010 to 2017, our system achieves higher accuracy while improving detection efficiency by 15 times (2.9 s versus 45.7 s per sample).

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

Fei Tong,Zheng Yan

DOI: https://doi.org/10.1016/j.jpdc.2016.10.012

IF: 4.542

2017-01-01

Journal of Parallel and Distributed Computing

Abstract:Android security incidents occurred frequently in recent years. This motivates us to study mobile app security, especially in Android open mobile operating system. In this paper, we propose a novel hybrid approach for mobile malware detection by adopting both dynamic analysis and static analysis. We collect execution data of sample malware and benign apps using a net_link technology to generate patterns of system calls related to file and network access. Furthermore, we build up a malicious pattern set and a normal pattern set by comparing the patterns of malware and benign apps with each other. For detecting an unknown app, we use a dynamic method to collect its system calling data. We then compare them with both the malicious and normal pattern sets offline in order to judge the unknown app. Based on the test on a set of mobile malware and benign apps, we found that our approach achieves better detection success rate than some methods using either static analysis or dynamic analysis. What is more, the proposed approach is generic, which can detect different types of malware effectively. Its detection accuracy can be further improved since the pattern sets can be automatically optimized through self-learning.

ZHANG Wen,YAN Han-bing,WEN Wei-ping

DOI: https://doi.org/10.3969/j.issn.1671-1122.2013.01.008

2013-01-01

Abstract:At present, malware is mainly detected through static-based approach, but the recognition rate is low. Based on the mechanism of static detection, this paper gave a behavior-based approach which analysis the behavior of sensitive function in the application. In this way, using the traces of variables and equivalent function matching to determine whether an Android package have malicious behavior. The behavior-based approach improves the accuracy of the static detection. This paper implement a detect tool aim at SMS Trojan and is proved its effectiveness in testing.

Jinxin Liu,Hao Wu,Huabin Wang

DOI: https://doi.org/10.1049/ic.2014.0154

2014-01-01

Abstract:In recent years, the Android operating system for mobile terminals has developed very quickly. A variety of mobile devices which are using Android operating system are more than 60% in the domestic market share. With the number of Android application raising fast, a variety of information leakage, malicious chargeback, failure of operating system events occurred frequently; the safety of Android system also attracts wide attention of researchers. In this paper, combining static analysis and dynamic analysis, we present a malicious code detection method and implementation. Through the statistics of the sensitive API functions and tracking the flow of sensitive information, static analysis module uses the static analysis reverse technology to achieve the detection of malicious behaviors. And dynamic analysis module mainly uses system log analysis and records a variety of sensitive behaviors generated during the operation to discover intrusions. Furthermore, the ultimate combination of static analysis and dynamic analysis will determine whether the target software contains malicious codes.

Hao Chen,Haitao Jiang,Jing Guo,Chao Zhou,Nan Yao,Jian Xu

DOI: https://doi.org/10.14177/j.cnki.32-1397n.2017.41.06.009

2017-01-01

Abstract:A dynamic Android malware detection approach is proposed aiming at the low accuracy of static malware detection approaches by researching the system calls of Android applies. The system calls achieved by stimulated events of Android applies from the sandbox are characterized,and two feature representation methods are designed based on system call frequency and system call dependency respectively. Malware and goodware are distinguished by a classifier constructed by ensemble method. The two methods are tested on 3000 Android applications from the third-part market. The experimental results show that,the feature representation method based on system call dependency is better than that based on system call frequency,and the ensemble-based classifier has a good detection accuracy of 95 . 84％.

Hanlin Long,Zhicheng Tian,Yang Liu

DOI: https://doi.org/10.1109/csp51677.2021.9357569

2021-01-01

Abstract:The mechanism of running software on virtual machines partly ensures the security of Android system. However, with all kinds of malicious codes being developed, there has been a huge number of massive security incidents caused by malware on Android. Malware has various code patterns, but their behaviors are measurable. In this paper, a new method of detecting Android malware by analyzing malware's behaviors is proposed. The method is characterized by the ability to mine the contextual relationships between system calls and network activities. Besides, the method requires only a small data set to achieve good classification performance. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods.

Jing Tao,Yan Zhang,Pengfei Cao,Zheng Wang,Qiqi Zhao

DOI: https://doi.org/10.1007/978-3-319-65482-9_26

2017-01-01

Abstract:At present, Android malwares become more and more subtle and intelligent, after their invasion, they often detect whether the running environment is a real environment, to decide whether to perform their malicious behavior. Therefore, malware tend to execute different behavior when running in different environments. Benign applications will perform the same functions in different environments, their behaviors have a strong consistency. Based on this basic idea, we design an Android malware detection method based on behavior comparison analysis. First, design and development a number of specific different running environments, and then execute application in these environments. With the same event input, record and compare the behaviors of this application, calculate the difference, determine whether it is malicious. Under the guidance of this thought, we design and development the Android malware detection system EmuProtect. We evaluate EmuProtect system from the aspects of accuracy and validity, the results show that this system can effectively detect Android malicious applications.

Zhenyu Ni,Ming Yang,Zhen Ling,Jianan Wu,Junzhou Luo

DOI: https://doi.org/10.1109/CBD.2016.046

2016-01-01

Abstract:In recent years, with the growing popularity of smartphones, the number of Android malware shows explosive growth. As malicious apps may steal users' sensitive data and money from mobile and bank accounts, it's important to detect potential malicious behavior in real time. To achieve this goal, we propose a dynamic behavior inspection and analysis framework for malicious behavior detection in Android apps. A customized Android system is built to record apps' API (Application Programming Interface) calls, permission uses, and some other runtime features such as user operations. We also develop an automated testing platform to test massive samples so as to collect dynamic app behavior records. Then we exploit these records to extract apps' runtime features of both user interaction and app dynamic behavior for benign and malicious behavior classification. The experimental results show that the app behavior classification can reach an accuracy of 99.0%, identifying 71.8% instances of malware samples by running each app for only 18 minutes.

Yao ZHENG,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1673-629X.2017.03.026

2017-01-01

Abstract:A static feature-based mechanism is studied to provide a static analysis method for detection of the Android malware. In order to identify the intention of different Android malware,all kinds of clustering algorithms are applied to enhance the malware modeling ca-pability to any Android procedure. Besides,a system,called XDroidMat,is developed. The XDroidMat extracts the information from each application' s manifest file and regards components as entry points drilling down for tracing API Calls related to permissions. Then it uses k-means algorithm to strengthen the malware modeling capability. The number of clusters is decided by Singular Value Decomposition ( SVD) method on the low rank approximation. Finally,it uses kNN algorithm to classify the application as benign or malicious. The ex-perimental results show XDroidMat can get 98. 12% accuracy and do well in detecting the Android malware.

WEN Wei-ping,MEI Rui,NING Ge,WANG Liang-liang

DOI: https://doi.org/10.3969/j.issn.1000-436x.2014.08.011

2014-01-01

Abstract:For the Android platform security problem, a mobile client and server collaborative malware detection pro-posal was proposed, where mobile client application was mainly based on permission detection technology and imple-mented lightweight testing. The server-side detection system is mainly responsible for testing suspicious samples submit-ted by the mobile terminals, meanwhile implements the functions of software behavior analysis, signature library updates, and mobile client synchronization, etc. The server-side detection techniques include permission-based detection technol-ogy, bytecode-based static detection technology and root-based dynamic detection technology. The result of the experi-ment shows that the three detection techniques can achieve better detection results.

Jianfei Tang,Hui Zhao

DOI: https://doi.org/10.3233/jifs-220567

2022-09-22

Journal of Intelligent & Fuzzy Systems

Abstract:The focus of a large amount of research on malware detection is currently working on proposing and improving neural network structures, but with the constant updates of Android, the proposed detection methods are more like a race against time. Through the analysis of these methods, we found that the basic processes of these detection methods are roughly the same, and these methods rely on professional reverse engineering tools for malware analysis and feature extraction. These tools generally have problems such as high time-space cost consumption, difficulty in achieving concurrent analysis of a large number of Apk, and the output results are not convenient for feature extraction. Is it possible to propose a general malware detection process implementation platform that optimizes each process of existing malware detection methods while being able to efficiently extract various features on malware datasets with a large number of APK? To solve this problem, we propose an automated platform, AmandaSystem, that highly integrates the various processes of deep learning-based malware detection methods. At the same time, the problem of over privilege due to the openness of Android system and thus the problem of excessive privileges has always required the accurate construction of mapping relationships between privileges and API calls, while the current methods based on function call graphs suffer from inefficiency and low accuracy. To solve this problem, we propose a new bottom-up static analysis method based on AmandaSystem to achieve an efficient and complete tool for mapping relationships between Android permissions and API calls, PerApTool. Finally, we conducted tests on three publicly available malware datasets, CICMalAnal2017, CIC-AAGM2017, and CIC-InvesAndMal2019, to evaluate the performance of AmandaSystem in terms of time efficiency of APK parsing, space occupancy, and comprehensiveness of extracted features, respectively, compared with existing methods were compared.

Junaid Akram,Majid Mumtaz,Gul Jabeen,Ping Luo

DOI: https://doi.org/10.1504/ijics.2021.116310

2021-01-01

International Journal of Information and Computer Security

Abstract:Security researchers and anti-virus industries have speckled stress on an Android malware, which can actually damage your phones and threatens the Android markets. In this paper, we propose and develop DroidMD, a scalable self-improvement based tool, based on auto optimisation of signature set, which detect malicious apps in the market at source code level. A prototype has been developed tested and implemented to detect malware in applications. We implement and evaluate our approach on almost 30,000 applications including 27,000 benign and 3,670 malware applications. DroidMD detects malware in different applications at partial level and full level. It analyses only the applications code, which increase its reliability. Our evaluation of DroidMD demonstrates that our approach is very efficient in detecting malware at large scale with high accuracy of 95.5%.

Yao Du,Xiaoqing Wang,Junfeng Wang

DOI: https://doi.org/10.1002/sec.1248

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:The rapid development of mobile malwares makes the traditional signature-based and single-feature based malware detection methods a challenging task. The surge of new malwares with more complex structures and dynamic characteristics leads to efficient fusion of multi-source malicious information more difficult in detection. In this paper, we propose a new multi-source based method to detect Android malwares by emphasizing on the traditional static features, control flow graph, and repacking characteristics. Each category of features is treated as an independent information source in feature extracting rules building and classification. Then, the Dempster-Shafer algorithm is used to fuse these information sources. This method can improve accuracy of malware detection without adding too many instability characteristics that are extracted from disassembled codes, and have better performance in the resistance to code obfuscation technologies. To verify our method, different categories of apps are collected to build the dataset in our experiment. Based on the dataset, our method can achieve 97% detection accuracy and 1.9% false positive rate. Copyright (c) 2015John Wiley & Sons, Ltd.

Yue Li,Guangquan Xu,Hequn Xian,Longlong Rao,Jiangang Shi

DOI: https://doi.org/10.31209/2019.100000118

2019-01-01

Abstract:In order to prevent the spread of Android malware and protect privacy information from being compromised, this study proposes a novel multidimensional hybrid features extraction and analysis method for Android malware detection. This method is based primarily on a multidimensional hybrid features vector by extracting the information of permission requests, API calls, and runtime behaviors. The innovation of this study is to extract greater amounts of static and dynamic features information and combine them, that renders the features vector for training completer and more comprehensive. In addition, the feature selection algorithm is used to further optimize the extracted information to remove a number of extraneous features, and a new multi-dimensional hybrid features vector is obtained. The multi-dimensional hybrid features vector is then used to train the classification model. Finally, the unknown samples are detected and identified by using the obtained classification model. Our experiment is conducted based on 359 malicious and 500 benign applications as experimental samples, and the results indicate that our proposed method performs better in the accuracy rate of Android malware detection compared with those methods using static methods alone.

Rajan Thangaveloo,Wong Wang Jing,Chiew Kang Leng,Johari Abdullah

DOI: https://doi.org/10.18517/ijaseit.10.2.10238

2020-03-28

Abstract:Android system has become a target for malware developers due to its huge market globally in recent years. The emergence of 5G in the market and limited protocols post a great challenge to the security in Android. Hence, various techniques have been taken by researchers to ensure high security in Android devices. There are three types of analysis namely static, dynamic and hybrid analysis used to detect and analyze the malicious application in Android. Due to evolving nature of the malware, it is very challenging for the existing techniques to detect and analyze it efficiently and accurately. This paper proposed a Dynamic Analysis Technique in Android Malware detection called DATDroid. The proposed technique consists of three phases, which includes feature extraction, feature selection and classification phases. A total of five features namely system call, errors and time of system call process, CPU usage, memory and network packets are extracted. During the classification 70% of the dataset was allocated for training phase and 30% for testing phase using machine learning algorithm. Our experimental results achieved an overall accuracy of 91.7% with lower false positive rates as compared to benchmarked method. DATDroid also achieved higher precision and recall rate of 93.1% and 90.0%, respectively. Hence our proposed technique has proven to be able to classify malware more accurately and reduce misclassification of malware application as benign significantly.

Zhongxiang Zhan Zhongxiang Zhan,Sai Ji Zhongxiang Zhan,Wenying Zheng Sai Ji,Dengzhi Liu Wenying Zheng

DOI: https://doi.org/10.53106/160792642024012501009

2024-01-01

網際網路技術學刊

Abstract:Android is an open-source mobile operating system, with more than 70% of the mobile market share, widely popular on various intelligent devices. At the same time, the number of new malicious applications keeps increasing every year. In this paper, we first discuss the advantages and disadvantages of various detection methods for malicious software. A single detection method can only cover specific types of malware. Therefore, we propose a system that combines static structural analysis and dynamic detection of malware. This system has dual detection capability, which consists of a client and a server. The client is a lightweight Android application that is used to obtain the relevant data information of the installation package. The server is responsible for static analysis of APK and dynamic running of monitoring logs to get the relevant feature information. Based on the feature information, the Bagging algorithm of ensemble learning is adopted, and the decision tree and random forest are combined to identify the malware accurately. We collected 4210 Android software samples, with malicious apps accounting for about 20% of the total. Cross-testing of malware detection on this sample set showed that DroidExaminer achieved approximately 96% accuracy in detecting malware. It can resist confusion and conversion techniques, and the test performance overhead is less. In addition, DroidExaminer can alert the user to the details of malware intrusion so that the user can prevent malware intrusion.  

computer science, information systems,telecommunications

Chenkai Guo,Jing Xu,Lei Liu,Sihan Xu

DOI: https://doi.org/10.1109/icsess.2015.7339027

2015-01-01

Abstract:Attackers who designed malware seem to be so cautious that most of the malware are disguised as normal apps. This brings about huge difficulties to detect the malware. Similar with traditional PC testing, there are two main detection methods for Android malware: static analysis and dynamic monitoring. However, these methods inevitably face the challenge of code confusion performance cost. In this paper, a new evaluation algorithm based on the statistic technologies is proposed. By extracting permission features, we propose a reasonable method to judge whether an Android app is malicious or not. Besides, an evaluation prototype system MalDetector is developed to verify the effectiveness of our approach. We took 1260 malware and 10k market apps as "malicious" and "benign" datasets respectively. Sufficient experiments on these datasets show that MalDetector is more accurate and with lower false positive rate compared with other traditional methods.

Zhuo Ma,Haoran Ge,Yang Liu,Meng Zhao,Jianfeng Ma

DOI: https://doi.org/10.1109/ACCESS.2019.2896003

IF: 3.9

2019-01-01

IEEE Access

Abstract:Android malware severely threaten system and user security in terms of privilege escalation, remote control, tariff theft, and privacy leakage. Therefore, it is of great importance and necessity to detect Android malware. In this paper, we present a combination method for Android malware detection based on the machine learning algorithm. First, we construct the control flow graph of the application to obtain API information. Based on the API information, we innovatively construct Boolean, frequency, and time-series data sets. Based on these three data sets, three detection models for Android malware detection regarding API calls, API frequency, and API sequence aspects are constructed. Ultimately, an ensemble model is constructed for conformity. We tested and compared the accuracy and stability of our detection models through a large number of experiments. The experiments were conducted on 10010 benign applications and 10683 malicious applications. The results show that our detection model achieves 98.98% detection precision and has high accuracy and stability. All of the results are consistent with the theoretical analysis in this paper.