Qing Yang,Xiaoliang Wang,Jing Zheng,Wenqi Ge,Ming Bai,Frank Jiang

DOI: https://doi.org/10.3837/tiis.2021.06.014

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid development of mobile Internet, smart phones have been widely popularized, among which Android platform dominates. Due to it is open source, malware on the Android platform is rampant. In order to improve the efficiency of malware detection, this paper proposes deep learning Android malicious detection system based on behavior features. First of all, the detection system adopts the static analysis method to extract different types of behavior features from Android applications, and extract sensitive behavior features through Term frequency-inverse Document Frequency algorithm for each extracted behavior feature to construct detection features through unified abstract expression. Secondly, Long Short-Term Memory neural network model is established to select and learn from the extracted attributes and the learned attributes are used to detect Android malicious applications, Analysis and further optimization of the application behavior parameters, so as to build a deep learning Android malicious detection method based on feature analysis. We use different types of features to evaluate our method and compare it with various machine learning-based methods. Study shows that it outperforms most existing machine learning based approaches and detects 95.31% of the malware.

Ming Yang,Shan Wang,Zhen Ling,Yaowen Liu,Zhenyu Ni

DOI: https://doi.org/10.1002/cpe.4172

2017-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryIn recent years, with the prevalence of smartphones, the number of Android malware shows explosive growth. As malicious apps may steal users' sensitive data and even money from mobile and bank accounts, it is important to detect potential malicious behaviors so as to block them. To achieve this goal, we propose a dynamic behavior inspection and analysis framework for malicious behavior detection. A customized Android system is built to record apps' API calls, permission uses, and some other runtime features. We also develop an automated app behavior inspection platform to install and inspect massive samples so as to collect apps' dynamic behavior records. Then these records are exploited to train a string subsequence kernel–based Support Vector Machine (SVM) model, which can be used to classify benign and malicious behaviors offline. To realize online detection, we further extract apps' runtime features including sensitive permission combination uses, sensitive behavior sequences, and user interactions for behavior classification. The classification results can reach an accuracy of 84.9% in offline phase and 99.0% in online phase. Besides, we verify our scheme for identifying malicious apps, and the results show that 71.8% instances of malware samples are identified by running each app for only 18 minutes.

Hongbing Yan,Yan Xiong,Wenchao Huang,Jianmeng Huang,Zhaoyi Meng

DOI: https://doi.org/10.1109/BIGCOM.2018.00023

2018-01-01

Abstract:Android devices have increased rapidly in recent years. Because sensitive data of users can bring huge profits, there are so many malicious Android applications (apps) which aim at users' sensitive data in Android markets. Malicious apps may collect sensitive data of users, such as phone number, location, contact information, and send them to advertisers or attackers. To prevent malicious apps from stealing user information, a simple solution is not to grant corresponding permissions to apps. But if we don't give corresponding permissions, the apps may exit directly. This affect the normal use of apps. In order to solve the above problems, we design a system which uses machine-learning technology to detect malicious behaviours. Our system is based on the observation that apps in the same category usually use sensitive data in the same or similar way. The system implements automatic detection of malicious behaviours. The true positive rate of our system can be over 90% and the false positive rate can be below 8%.

Jinran Du,Huajun Chen,Weijie Zhong,Zhen Liu,Aidong Xu

DOI: https://doi.org/10.1109/icsai.2018.8599356

2018-01-01

Abstract:With the rapid spread of wireless networks and 4G networks, the application of mobile intelligent terminals has become more and more widespread. At the same time, there are more and more malicious software for mobile terminals, especially for the Android platform. Aiming at the detection problem of Android malicious code, a dynamic and static combined Android malicious code detection model based on SVM was proposed. Firstly, the dynamic and static features of Android program are extracted. Then, these features were vectored, used for the training and testing of SVM (Support vector machine). As shown in the experiments, the correct detection rate of Android malware is as high as 94.38%, recall rate achieving 98.46%, proved the effectiveness of the method.

Zhenyu Ni,Ming Yang,Zhen Ling,Jianan Wu,Junzhou Luo

DOI: https://doi.org/10.1109/CBD.2016.046

2016-01-01

Abstract:In recent years, with the growing popularity of smartphones, the number of Android malware shows explosive growth. As malicious apps may steal users' sensitive data and money from mobile and bank accounts, it's important to detect potential malicious behavior in real time. To achieve this goal, we propose a dynamic behavior inspection and analysis framework for malicious behavior detection in Android apps. A customized Android system is built to record apps' API (Application Programming Interface) calls, permission uses, and some other runtime features such as user operations. We also develop an automated testing platform to test massive samples so as to collect dynamic app behavior records. Then we exploit these records to extract apps' runtime features of both user interaction and app dynamic behavior for benign and malicious behavior classification. The experimental results show that the app behavior classification can reach an accuracy of 99.0%, identifying 71.8% instances of malware samples by running each app for only 18 minutes.

Chenkai Guo,Jing Xu,Lei Liu,Sihan Xu

DOI: https://doi.org/10.1109/icsess.2015.7339027

2015-01-01

Abstract:Attackers who designed malware seem to be so cautious that most of the malware are disguised as normal apps. This brings about huge difficulties to detect the malware. Similar with traditional PC testing, there are two main detection methods for Android malware: static analysis and dynamic monitoring. However, these methods inevitably face the challenge of code confusion performance cost. In this paper, a new evaluation algorithm based on the statistic technologies is proposed. By extracting permission features, we propose a reasonable method to judge whether an Android app is malicious or not. Besides, an evaluation prototype system MalDetector is developed to verify the effectiveness of our approach. We took 1260 malware and 10k market apps as "malicious" and "benign" datasets respectively. Sufficient experiments on these datasets show that MalDetector is more accurate and with lower false positive rate compared with other traditional methods.

Qingguo Zhou,Fang Feng,Zebang Shen,Rui Zhou,Meng-Yen Hsieh,Kuan-Ching Li

DOI: https://doi.org/10.1007/s11042-018-6498-z

IF: 2.577

2018-01-01

Multimedia Tools and Applications

Abstract:With the increasing number of malicious attacks, the way how to detect malicious Apps has drawn attention in mobile technology market. In this paper, we proposed a detection model to seek and track malware Apps actions in such devices. To characterize the behaviors of Apps, dynamic features of each App were constrained in 166-dimension and a novel machine learning classifier is employed to detect malware Apps, and alarm will be triggered if an Android-based App is detected as malicious. With such, we can avoid a detected malware spreading out in larger scale, affecting extensively our society. Detailed description of the detection model is provided, as well the core technologies of this novel machine learning classifier are presented. From experiments performed on a set of Android-based malware and benign Apps, we observe that the proposed classification algorithm achieves highest accuracy, true-positive rate, false-positive rate, precision, recall, f-measure in comparison to other methods as K-Nearest Neighbor (KNN), Naive Bayesian (NB), Support Vector Machine (SVM), Random Forest (RF), Logistic Regression (LR), Decision tree (DT), Linear Discriminant Analysis (LDA) and Back Propagation (BP). The proposed detection model is promising and can effectively be applied to Android malware detection, providing early detection and the prospect of warning users of threatens ahead.

Yubo Song,Yijin Geng,Junbo Wang,Shang Gao,Wei Shi

DOI: https://doi.org/10.1155/2021/6689486

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:Since a growing number of malicious applications attempt to steal users’ private data by illegally invoking permissions, application stores have carried out many malware detection methods based on application permissions. However, most of them ignore specific permission combinations and application categories that affect the detection accuracy. The features they extracted are neither representative enough to distinguish benign and malicious applications. For these problems, an Android malware detection method based on permission sensitivity is proposed. First, for each kind of application categories, the permission features and permission combination features are extracted. The sensitive permission feature set corresponding to each category label is then obtained by the feature selection method based on permission sensitivity. In the following step, the permission call situation of the application to be detected is compared with the sensitive permission feature set, and the weight allocation method is used to quantify this information into numerical features. In the proposed method of malicious application detection, three machine-learning algorithms are selected to construct the classifier model and optimize the parameters. Compared with traditional methods, the proposed method consumed 60.94% less time while still achieving high accuracy of up to 92.17%.

Xi Xiao,Peng Fu,Xianni Xiao,Yong Jiang,Qing Li,Runiu Lu

DOI: https://doi.org/10.1109/iccsnt.2015.7490915

2015-01-01

Abstract:Malware in Android has enjoyed a prevalence as Android has taken up a primary market in the mobile devices. In this paper, Adaptive Regularization Of Weights (AROW) and Support Vector Machine (SVM) are used to identify malware with both the static and dynamic analysis. Permissions, control flow graphs and system calls are taken as the application's classification features. Single features, the combination of permissions and control flow graphs, and the combination of the three features are all analyzed thoroughly. Compared with the previous work, AROW and SVM with the combination of the features could increase the TPR and decrease the FPR. Furthermore, the results of AROW and SVM are profoundly evaluated in this paper. As regard to the single features, SVM could perform better with the feature of permissions or system calls, while AROW provides a better result with control flow graphs. For the combination of the features, AROW gives a better result than SVM.

Yao Du,Xiaoqing Wang,Junfeng Wang

DOI: https://doi.org/10.1002/sec.1248

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:The rapid development of mobile malwares makes the traditional signature-based and single-feature based malware detection methods a challenging task. The surge of new malwares with more complex structures and dynamic characteristics leads to efficient fusion of multi-source malicious information more difficult in detection. In this paper, we propose a new multi-source based method to detect Android malwares by emphasizing on the traditional static features, control flow graph, and repacking characteristics. Each category of features is treated as an independent information source in feature extracting rules building and classification. Then, the Dempster-Shafer algorithm is used to fuse these information sources. This method can improve accuracy of malware detection without adding too many instability characteristics that are extracted from disassembled codes, and have better performance in the resistance to code obfuscation technologies. To verify our method, different categories of apps are collected to build the dataset in our experiment. Based on the dataset, our method can achieve 97% detection accuracy and 1.9% false positive rate. Copyright (c) 2015John Wiley & Sons, Ltd.

Zhenlong Yuan,Yongqiang Lu,Zhaoguo Wang,Yibo Xue

DOI: https://doi.org/10.1145/2740070.2631434

IF: 1.937

2014-01-01

ACM SIGCOMM Computer Communication Review

Abstract:As smartphones and mobile devices are rapidly becoming indispensable for many network users, mobile malware has become a serious threat in the network security and privacy. Especially on the popular Android platform, many malicious apps are hiding in a large number of normal apps, which makes the malware detection more challenging. In this paper, we propose a ML-based method that utilizes more than 200 features extracted from both static analysis and dynamic analysis of Android app for malware detection. The comparison of modeling results demonstrates that the deep learning technique is especially suitable for Android malware detection and can achieve a high level of 96% accuracy with real-world Android application sets.

Hongli Yuan,Yongchuan Tang,Wenjuan Sun,Li Liu

DOI: https://doi.org/10.1371/journal.pone.0238694

IF: 3.7

2020-09-11

PLoS ONE

Abstract:Android is the most widely used mobile operating system (OS). A large number of third-party Android application (app) markets have emerged. The absence of third-party market regulation has prompted research institutions to propose different malware detection techniques. However, due to improvements of malware itself and Android system, it is difficult to design a detection method that can efficiently and effectively detect malicious apps for a long time. Meanwhile, adopting more features will increase the complexity of the model and the computational cost of the system. Permissions play a vital role in the security of the Android apps. Term Frequency—Inverse Document Frequency (TF-IDF) is used to assess the importance of a word for a file set in a corpus. The static analysis method does not need to run the app. It can efficiently and accurately extract the permissions from an app. Based on this cognition and perspective, in this paper, a new static detection method based on TF-IDF and Machine Learning is proposed. The system permissions are extracted in Android application package's (Apk's) manifest file. TF-IDF algorithm is used to calculate the permission value (PV) of each permission and the sensitivity value of apk (SVOA) of each app. The SVOA and the number of the used permissions are learned and tested by machine learning. 6070 benign apps and 9419 malware are used to evaluate the proposed approach. The experiment results show that only use dangerous permissions or the number of used permissions can't accurately distinguish whether an app is malicious or benign. For malware detection, the proposed approach achieve up to 99.5% accuracy and the learning and training time only needs 0.05s. For malware families detection, the accuracy is 99.6%. The results indicate that the method for unknown/new sample's detection accuracy is 92.71%. Compared against other state-of-the-art approaches, the proposed approach is more effective by detecting malware and malware families.

multidisciplinary sciences

Yi-Ming Chen,Tzung-Han Jeng,Yung-Ching Shyong

DOI: https://doi.org/10.1109/ICCCI49374.2020.9145994

2020-06-01

Abstract:Nowadays Android smart mobile devices have become the main target of malware developers, so detecting and preventing Android malware has become an important issue of information security. Therefore, this paper proposes an Android application classification system that combines static permissions and dynamic packet analysis. This system first obtains the static information of Android applications through static analysis, classifies the applications as benign or malicious through machine learning, and avoids excessive dynamic data collection time by filtering out benign applications. Then in the dynamic analysis stage, the malware's network traffic is used to extract multiple types of features, and then machine learning is used to achieve the malware family classification. The experimental results showed that the accuracy rate of the static model for malicious and benign classification was 98.86%. On the other hand, the accuracy of the dynamic model proposed in this paper for family classification of applications is 96%, which is better than 94.33% of DroidClassifier [1]. The final experiment confirmed that the system proposed in this paper can not only save 52.5% of dynamic data collection time but also improve the accuracy of Android application family classification.

Computer Science

Hanqing Zhang,Senlin Luo,Yifei Zhang,Limin Pan

DOI: https://doi.org/10.1109/access.2019.2919796

IF: 3.9

2019-01-01

IEEE Access

Abstract:According to the recent report, 12 000 new Android malware samples will be generated every day. Efficient identification of evolving malware is an urgent challenge. Traditional methods based on structured features such as permissions and sensitive application programming interface (API) calls lack high-level behavioral semantics to detect evolving malware. The methods based on call graphs (CG) are good at behavioral semantic analysis but face the problem of huge time and space consumption, which leads to low detection efficiency. In this paper, we propose a novel Android malware detection method based on the method-level correlation relationship of application's abstracted API calls. First, we split each Android application's source code into separate function methods and just keep the abstracted API calls of them to form a set of abstracted API calls transactions. And then, we calculate the confidence of association rules between the abstracted API calls, which forms behavioral semantics to describe an application. Finally, we combine machine learning to identify the different behavioral patterns of malicious and benign apps to build the detection system. The results of our empirical evaluation show our system is competitive in terms of classification accuracy and detection efficiency. At dataset Drebin (benign 5.9K and malware 5.6K) and AMD (benign 20.5K and malware 20.8K), our system has achieved 96% and 98% detection results both in accuracy and F-measure. Compared with the state-of-the-art system in detecting evolving malware called MaMaDroid on the dataset of 6.0K benign and 20.5K malicious samples spanning from 2010 to 2017, our system achieves higher accuracy while improving detection efficiency by 15 times (2.9 s versus 45.7 s per sample).

Zhenyu Cheng,Xunxun Chen,Yongzheng Zhang,Shuhao Li,Yafei Sang

DOI: https://doi.org/10.1109/nas.2017.8026853

2017-01-01

Abstract:With the widespread use of smartphones, more and more malicious attacks happen with information leakage from apps installed on users' devices. The adversary always uses a malware as the client to take remote control of smartphones, and leverages the vulnerability of operation systems to send back the collected information without users' permissions. All the information has to be transferred by network traffic. In this paper, we consider that different apps maybe generate different network flows by different operations, and the "shapes" of the benign flows and malicious ones will be diverse. Thus we propose a detection model based on the analysis of relationships between behavior patterns and network flows, which achieves our goal by using the Random Forest machine learning algorithm to classify the network flows into benign or malicious. To further improve the controllability of the experiment, we design an app called Moledroid to simulate malwares by uploading the user's privacy without authorization, in addition, we can change the behavior pattern of the app to complete our evaluation. Finally, we run this app and several benign apps to generate traffic to detect the malicious network flows, and it shows that our detection model can achieve precision and accuracy higher than 95%, which demonstrates that our model is suitable for detecting the network flows of information theft.

Huanran Wang,Weizhe Zhang,Hui He

DOI: https://doi.org/10.1016/j.jisa.2022.103159

IF: 4.96

2022-01-01

Journal of Information Security and Applications

Abstract:Recent years have witnessed a significant increase in the use of Android devices in many aspects of our life. However, users can download Android apps from third-party channels, which provides numerous opportunities for malware. Attackers utilize unsolicited permissions to gain access to the sensitive private intelligence of users. Since signature-based antivirus solutions no longer meet practical needs, efficient and adaptable solutions are desperately needed, especially in new variants. As a remedy, we propose a hybrid Android malware detection approach that combines dynamic and static tactics. We firstly adopt static analysis inferring different permission usage patterns between malware and benign apps based on the machine-learning-based method. To classify the suspicious apps further, we extract the object reference relationships from the memory heap to construct a dynamic feature base. We then present an improved state-based algorithm based on DAMBA. Experimental results on a real-world dataset of 21,708 apps show that our approach outperforms the well-known detector with 97.5% F1-measure. Besides, our system is demonstrated to resist permission abuse behaviors and obfuscation techniques.

Jianlin Xu,Yifan Yu,Zhen Chen,Bin Cao,Wenyu Dong,Yu Guo,Junwei Cao

DOI: https://doi.org/10.1109/tst.2013.6574680

2013-01-01

Tsinghua Science & Technology

Abstract:With the explosive increase in mobile apps, more and more threats migrate from traditional PC client to mobile device. Compared with traditional Win+Intel alliance in PC, Android+ARM alliance dominates in Mobile Internet, the apps replace the PC client software as the major target of malicious usage. In this paper, to improve the security status of current mobile apps, we propose a methodology to evaluate mobile apps based on cloud computing platform and data mining. We also present a prototype system named MobSafe to identify the mobile app's virulence or benignancy. Compared with traditional method, such as permission pattern based method, MobSafe combines the dynamic and static analysis methods to comprehensively evaluate an Android app. In the implementation, we adopt Android Security Evaluation Framework (ASEF) and Static Android Analysis Framework (SAAF), the two representative dynamic and static analysis methods, to evaluate the Android apps and estimate the total time needed to evaluate all the apps stored in one mobile app market. Based on the real trace from a commercial mobile app market called AppChina, we can collect the statistics of the number of active Android apps, the average number apps installed in one Android device, and the expanding ratio of mobile apps. As mobile app market serves as the main line of defence against mobile malwares, our evaluation results show that it is practical to use cloud computing platform and data mining to verify all stored apps routinely to filter out malware apps from mobile app markets. As the future work, MobSafe can extensively use machine learning to conduct automotive forensic analysis of mobile apps based on the generated multifaceted data in this stage.

Haipeng Zhang,Shudong Li,Xiaobo Wu,Weihong Han,Laifu Wang

DOI: https://doi.org/10.1109/DSC53577.2021.00100

2021-01-01

Abstract:With the popularity of smartphones, android quickly occupied the market, and at the same time, millions of android malware increase every year, which caused great losses to users. so it's crucial to detect unknown android malware efficiently before install it. Machine learning has achieved outstanding performance in many fields, and so does android malware detection. Nowadays, many methods of detecting android malware based on machine learning have been proposed. These methods can be classified as dynamic analysis, static analysis, and hybrid analysis according to what kind of features they use. the dynamic analysis will waste a lot of time because it requires running software. What's more, it's hard to get all malicious behaviors because of Anti-Sandbox technology, which means malware might change its behavior to avoid detecting when malware is running in Sandbox. In this paper, we proposed a new android malware detection approach using multi-features and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm. The static features we use cover permissions and API calls of each android application and the size of the android application package. We used BOW(bag of words) to process permission feature, standardization to process packages size feature, and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm to handle API calls features. Machine-learning algorithms including AdaBoost, LinearSVC, GaussianNB are used for Classification. The experimental results on public datasets demonstrated our system could detect android malware efficiently.

Rajesh Kumar,Zhang Xiaosong,Riaz Ullah Khan,Jay Kumar,Ijaz Ahad

DOI: https://doi.org/10.1145/3194452.3194465

2018-01-01

Abstract:The across the board reception of android devices and their ability to get to critical private and secret data have brought about these devices being focused by malware engineers. Existing android malware analysis techniques categorized into static and dynamic analysis. In this paper, we introduce two machine learning supported methodologies for static analysis of android malware. The First approach based on statically analysis, content is found through probability statistics which reduces the uncertainty of information. Feature extraction were proposed based on the analysis of existing dataset. Our both approaches were used to high-dimension data into low-dimensional data so as to reduce the dimension and the uncertainty of the extracted features. In training phase the complexity was reduced 16.7% of the original time and detect the unknown malware families were improved.

Xuanxia Yao,Yang Li,Zhiguo Shi,Kaijun Liu,XiaoJiang Du

DOI: https://doi.org/10.1002/cpe.7555

2023-01-01

Abstract:SummaryWith the development of mobile communication, Android software has increased sharply. Meanwhile, more and more malware emerges. Identifying malware in time is very important. Currently, most malware identifying methods are static, and the detection accuracy mainly depends on the classification feature and the algorithm. In order to improve the detection accuracy, reducing the dimension and difficulty of feature extraction, we propose a lightweight Android malware detection method based on sensitive features combination. After fully analyzing the static features in Android software, we improve the extraction methods of various features, define four sensitive features, and then form a sensitive features combination to more accurately reflect the characteristics of Android software with fewer features. Finally, four different machine learning classification algorithms were used to evaluate the classification effect of the sensitive features combination. The experiments show that the sensitive features combination has a good classification effect. When combined with the random forest classification algorithm, the accuracy is the highest, which could reach 97.6%.