Qing Yang,Xiaoliang Wang,Jing Zheng,Wenqi Ge,Ming Bai,Frank Jiang

DOI: https://doi.org/10.3837/tiis.2021.06.014

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid development of mobile Internet, smart phones have been widely popularized, among which Android platform dominates. Due to it is open source, malware on the Android platform is rampant. In order to improve the efficiency of malware detection, this paper proposes deep learning Android malicious detection system based on behavior features. First of all, the detection system adopts the static analysis method to extract different types of behavior features from Android applications, and extract sensitive behavior features through Term frequency-inverse Document Frequency algorithm for each extracted behavior feature to construct detection features through unified abstract expression. Secondly, Long Short-Term Memory neural network model is established to select and learn from the extracted attributes and the learned attributes are used to detect Android malicious applications, Analysis and further optimization of the application behavior parameters, so as to build a deep learning Android malicious detection method based on feature analysis. We use different types of features to evaluate our method and compare it with various machine learning-based methods. Study shows that it outperforms most existing machine learning based approaches and detects 95.31% of the malware.

Rajesh Kumar,Zhang Xiaosong,Riaz Ullah Khan,Jay Kumar,Ijaz Ahad

DOI: https://doi.org/10.1145/3194452.3194465

2018-01-01

Abstract:The across the board reception of android devices and their ability to get to critical private and secret data have brought about these devices being focused by malware engineers. Existing android malware analysis techniques categorized into static and dynamic analysis. In this paper, we introduce two machine learning supported methodologies for static analysis of android malware. The First approach based on statically analysis, content is found through probability statistics which reduces the uncertainty of information. Feature extraction were proposed based on the analysis of existing dataset. Our both approaches were used to high-dimension data into low-dimensional data so as to reduce the dimension and the uncertainty of the extracted features. In training phase the complexity was reduced 16.7% of the original time and detect the unknown malware families were improved.

Long Wen,Haiyang Yu

DOI: https://doi.org/10.1063/1.4992953

2017-01-01

AIP Conference Proceedings

Abstract:The Android smartphone, with its open source character and excellent performance, has attracted many users. However, the convenience of the Android platform also has motivated the development of malware. The traditional method which detects the malware based on the signature is unable to detect unknown applications. The article proposes a machine learning-based lightweight system that is capable of identifying malware on Android devices. In this system we extract features based on the static analysis and the dynamitic analysis, then a new feature selection approach based on principle component analysis (PCA) and relief are presented in the article to decrease the dimensions of the features. After that, a model will be constructed with support vector machine (SVM) for classification. Experimental results show that our system provides an effective method in Android malware detection.

Linfeng Wei,Weiqi Luo,Jian Weng,Yanjun Zhong,Xiaoqian zhang,Zheng Yan

DOI: https://doi.org/10.1109/access.2017.2771470

IF: 3.9

2017-01-01

IEEE Access

Abstract:In this paper, we propose a machine learning-based approach to detect malicious mobile malware in Android applications. This paper is able to capture instantaneous attacks that cannot be effectively detected in the past work. Based on the proposed approach, we implemented a malicious app detection tool, named Androidetect. First, we analyze the relationship between system functions, sensitive permissions, and sensitive application programming interfaces. The combination of system functions has been used to describe the application behaviors and construct eigenvectors. Subsequently, based on the eigenvectors, we compare the methodologies of naive Bayesian, J48 decision tree, and application functions decision algorithm regarding effective detection of malicious Android applications. Androidetect is then applied to test sample programs and real-world applications. The experimental results prove that Androidetect can better detect malicious applications of Android by using a combination of system functions compared with the previous work.

Wei Zhang,Huan Ren,Qingshan Jiang,Kai Zhang

DOI: https://doi.org/10.1007/978-3-319-25393-0_54

2015-01-01

Abstract:A huge increase in the number of mobile malware brings a serious threat to Internet security, as the adoption rate of mobile device is soaring, especially Android device. A variety of researches have been developed to defense malware, but the mobile device users continuously suffer private information leak or economic losses from malware. Recently, a large number of methods have been proposed based on static or dynamic features analysis combining with machine learning methods, which are considered effective to detect malware on mobile device. In this paper, we propose an effective framework to detect malware on Android device based on feature extraction and neural network calssifier. In this framework, we take use of static features to represent malware and utilize extreme learning machine ELM algorithm to learn the neural network. We first extract features from the malware, and then utilize three different feature extraction methods including principal component analysis PCA, Karhunen-Loève transform KLT and independent component analysis ICA to transform the feature matrix into new feature spaces and generate three new feature matrixes. For each feature matrix, we construct En base classifiers by using ELM. Finally, we utilize Stacking method to combine the results. Experimental results suggest that the proposed framework is effective in detecting malware on Android device.

Manzhi Yang,QiaoYan Wen

DOI: https://doi.org/10.1109/icsess.2016.7883038

2016-01-01

Abstract:Nowadays, the amount of the application in Android App Market has grown fast, and the android malwares have been introduced fast into that market, too. In this paper, we use static analysis of a given android application with intensive feature engineering which we focus on different sources and different levels. It means that we not only extract features from the executable file classes.dex but also from the other android resource files such as manifest of the application, more over we expand features at different levels of abstraction of the APK application, rather than using more features at the single level. Finally, we combine these different feature sets into one feature set which is used by the classifiers for training/testing. Our method is compared against other Android malware code detection and found to be more efficient in terms of detection accuracy and false alarm rate.

Yueqi Jin,Tengfei Yang,Yangyang Li,Haiyong Xie

DOI: https://doi.org/10.1007/978-981-15-8083-3_19

2020-01-01

Abstract:Android, the world’s most widely used mobile operating system, is the target of a large number of malwares. These malwares have brought great trouble to information security and users’ privacy, such as leaking personal information, secretly downloading programs to consume data, and secretly sending deduction SMS messages. With the increase of malwares, detection methods have been proposed constantly. Especially in recent years, the malware detection methods based on deep learning are popular. However, the detection methods based on static features have a low accuracy, and others based on dynamic features take a long time, all this limits its scope.

Xin Su,Dafang Zhang,Wenjia Li,Kai Zhao

DOI: https://doi.org/10.1109/TrustCom.2016.69

2016-01-01

Abstract:The growing amount and diversity of Android malware has significantly weakened the effectiveness of the conventional defense mechanisms, and thus Android platform often remains unprotected from new and unknown malware. To address these limitations, we propose DroidDeep, a malware detection approach for the Android platform based on the deep learning model. Deep learning emerges as a new area of machine learning research that has attracted increasing attention in artificial intelligence. To implement this, we first extract five types of features from the static analysis of Android apps. Then, we build the deep learning model to learn features from Android apps. Finally, the learned features are used to detect unknown Android malware. In an experiment with 3,986 benign apps and 3,986 malware, DroidDeep outperforms several existing malware detection approaches and achieves a 99.4% detection accuracy. Moreover, DroidDeep can achieve a remarkable run-time efficiency which makes it very easy to adapt to a lager scale of real-world Android malware detection.

Hanqing Zhang,Senlin Luo,Yifei Zhang,Limin Pan

DOI: https://doi.org/10.1109/access.2019.2919796

IF: 3.9

2019-01-01

IEEE Access

Abstract:According to the recent report, 12 000 new Android malware samples will be generated every day. Efficient identification of evolving malware is an urgent challenge. Traditional methods based on structured features such as permissions and sensitive application programming interface (API) calls lack high-level behavioral semantics to detect evolving malware. The methods based on call graphs (CG) are good at behavioral semantic analysis but face the problem of huge time and space consumption, which leads to low detection efficiency. In this paper, we propose a novel Android malware detection method based on the method-level correlation relationship of application's abstracted API calls. First, we split each Android application's source code into separate function methods and just keep the abstracted API calls of them to form a set of abstracted API calls transactions. And then, we calculate the confidence of association rules between the abstracted API calls, which forms behavioral semantics to describe an application. Finally, we combine machine learning to identify the different behavioral patterns of malicious and benign apps to build the detection system. The results of our empirical evaluation show our system is competitive in terms of classification accuracy and detection efficiency. At dataset Drebin (benign 5.9K and malware 5.6K) and AMD (benign 20.5K and malware 20.8K), our system has achieved 96% and 98% detection results both in accuracy and F-measure. Compared with the state-of-the-art system in detecting evolving malware called MaMaDroid on the dataset of 6.0K benign and 20.5K malicious samples spanning from 2010 to 2017, our system achieves higher accuracy while improving detection efficiency by 15 times (2.9 s versus 45.7 s per sample).

Yuxin Ding,Jieke Hu,Wenting Xu,Xiao Zhang

DOI: https://doi.org/10.1109/ICMLC48188.2019.8949298

2019-01-01

Abstract:In recent years, there is a rapid increase in the number of Android based malware. To protect users from malware attacks, different malware detection methods are proposed. In this paper, a novel static method is proposed to detect malware. We use the static analysis technique to analyze the Android applications and obtain their static behaviors. Two kinds of behaviors are extracted to represent malware. One kind of behaviors is the function call graph and the other kind is opcode sequences. To automatically learn behavioral features, we convert the function call graphs and opcode sequences into two dimensional data, and use deep learning method to build malware classifier. To further improve the performance of the malware classifier, a deep feature fusion model is proposed, which can combine different behavioral features for malware classification. The experimental results show the deep learning method is effective to detect malware and the proposed fusion model outperforms the single behavioral model.

Wenjun HU,Shuang ZHAO,Jing TAO,Xiaobo MA,Liang CHEN

DOI: https://doi.org/10.7652/xjtuxb201310007

2013-01-01

Abstract:An Android malware detection system is designed and implemented to focus on the problem that malware on Android becomes widespread. The system combines static and dynamic analysis technologies. The APK features such as permission, API call sequences, component, resource and structure are extracted to form a feature vector in static analysis, and a similarity-based method is proposed to detect known malware samples using these features. Android source code is then updated to generate new kernel images in dynamic analysis. The new kernel images can monitor the Android program's behaviors such as file reading and writing, network connection, SMS sending and telephone calling, etc. Thus, unknown malware samples can be successfully identified through analyzing these behaviors. Experimental results show that the proposed system is efficient and performs well on detecting Android malware. The proposed system has been released online and free use of the system is available on the Internet.

Zhiqiang Wang,Yao Tang,Jing Yao,Rong Qian,Zheng Zhang,Pingchuan Ma

DOI: https://doi.org/10.1145/3207677.3277976

2018-01-01

Abstract:In the1 modern global mobile phone market, Android OS is firmly occupying the first throne with the absolute user base and the proportion of mobile phones, and with the proliferation of android smart phones and other mobile devices, it has also attracted more and more attention from malware developers. There are a large number of malware in several major application markets around the world. In order to solve this problem, this paper proposes a large-scale malware detection system based on multiclass features and machine learning. There are two main problems in the traditional detection schemes, one is how to analyze and extract effectively features which can distinguish malware and benign software, the other is that how to select the most suitable algorithm to detect malware. For the first problem, we select the features that can reflect the android software's maliciousness by extracting android features and removing the features whose degree of distinction are less. For the second problem, we compare seven machine learning algorithms and select the most suitable algorithm that has the highest accuracy for android malware identification. Afterwards, many experiments are done to verify our solutions. First, we extract 234 features and select 76 features. Second, selecting the most suitable algorithm "ensemble learning" by comparing the detection accuracies of 7 algorithms, then adjusting and optimizing the related parameter to achieve the highest accuracy, 99.73%, which proves the effectiveness of our system and scheme.

Xin Wang,Dafang Zhang,Xin Su,Wenjia Li

DOI: https://doi.org/10.1155/2017/6451260

IF: 1.968

2017-01-01

Security and Communication Networks

Abstract:In recent years, Android malware has continued to grow at an alarming rate. More recent malicious apps' employing highly sophisticated detection avoidance techniques makes the traditional machine learning based malware detection methods far less effective. More specifically, they cannot cope with various types of Android malware and have limitation in detection by utilizing a single classification algorithm. To address this limitation, we propose a novel approach in this paper that leverages parallel machine learning and information fusion techniques for better Android malware detection, which is named Mlifdect. To implement this approach, we first extract eight types of features from static analysis on Android apps and build two kinds of feature sets after feature selection. Then, a parallel machine learning detection model is developed for speeding up the process of classification. Finally, we investigate the probability analysis based and Dempster-Shafer theory based information fusion approaches which can effectively obtain the detection results. To validate our method, other state-of-the-art detection works are selected for comparison with real-world Android apps. The experimental results demonstrate that Mlifdect is capable of achieving higher detection accuracy as well as a remarkable run-time efficiency compared to the existing malware detection solutions.

Xinning Wang,Chong Li

DOI: https://doi.org/10.1016/j.neucom.2020.12.088

IF: 6

2021-01-01

Neurocomputing

Abstract:With the advent of smart phones, the popularity of free Android applications has risen rapidly. This has led to malicious Android apps being involuntarily installed, which violate the user privacy or conduct attack. Malware detection on Android platforms therefore is a growing concern because of the undesirable similarity between malicious behavior and benign behavior, which can lead to slow detection, and allow compromises to persist for comparatively long periods of time in infected phones. The contributions of this paper are first a multiple dimensional, kernel feature-based framework and feature weight-based detection (WBD) designed to categorize and comprehend the characteristics of Android malware and benign apps. Furthermore, our software agent is orchestrated and implemented for the data collection and storage to scan thousands of benign and malicious apps automatically. We examine 112 kernel attributes of executing the task data structure in the Android system and evaluate the detection accuracy with a number of datasets of various dimensions. We find that memory-and signal-related features contribute to more precise classification than schedule-related and other descriptors of task states listed in our paper. Particularly, memory-related features provide fine-grain classification policies for preserving higher classification precision than the signal-related and others. Furthermore, we study and evaluate 80 newly infected attributes of the Android kernel task structure, prioritizing the 70 features of most significance based on dimensional reduction to optimize the efficiency of high-dimensional classification. Our second contribution is that our experiments demonstrate that, as compared to existing techniques with a short list of task structure features (16 or 32 features), our method can achieve 94%-98% accuracy and 2%-7% false positive rate, while detecting malware apps with reduced-dimensional features that adequately abbreviate online malware detections and advance offline malware inspections. (c) 2021 Elsevier B.V. All rights reserved.

Hanlin Long,Zhicheng Tian,Yang Liu

DOI: https://doi.org/10.1109/csp51677.2021.9357569

2021-01-01

Abstract:The mechanism of running software on virtual machines partly ensures the security of Android system. However, with all kinds of malicious codes being developed, there has been a huge number of massive security incidents caused by malware on Android. Malware has various code patterns, but their behaviors are measurable. In this paper, a new method of detecting Android malware by analyzing malware's behaviors is proposed. The method is characterized by the ability to mine the contextual relationships between system calls and network activities. Besides, the method requires only a small data set to achieve good classification performance. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods.

Hui-Juan Zhu,Liang-Min Wang,Sheng Zhong,Yang Li,Victor S. Sheng,Huijuan Zhu,Liangmin Wang

DOI: https://doi.org/10.1109/tkde.2021.3067658

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Android is a growing target for malicious software (malware) because of its popularity and functionality. Malware poses a serious threat to users' privacy, money, equipment and file integrity. A series of data-driven malware detection methods were proposed. However, there exist two key challenges for these methods: (1) how to learn effective feature representation from raw data; (2) how to reduce the dependence on the prior knowledge or human labors in feature learning. Inspired by the success of deep learning methods in the feature representation learning community, we propose a malware detection framework which starts with learning rich-features by a novel unsupervised feature learning algorithm Merged Sparse Auto-Encoder (MSAE). In order to extract more compact and discriminative feature from the rich-features to further boost the malware detection capability, a hybrid deep network learning algorithm Stacked Hybrid Learning MSAE and SDAE (SHLMD) is established by further incorporating a classical deep learning method Stacked Denoising Auto-encoders (SDAE). After that, we feed the feature learned by MSAE and SHLMD respectively to classification algorithms, e.g., Support Vector Machine (SVM) or K-NearestNeighbor (KNN), to train a malware detection model. Evaluation results on two real-world datasets demonstrate that SHLMD achieves 94.46 and 90.57 percent accuracy respectively, which outperforms the classical unsupervised feature representation learning Sparse Auto-encoder (SAE). MSAE performs similarly to SAE. SHLMD can further improve the performance of MSAE and the supervised fine-tuned method SDAE. Besides, we compare the performance of our methods with that of state-of-the-art detection approaches, including classical deep-learning-based methods. Extensive experiments show that our proposed methods are effective enough to detect Android malware.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Hui Li,Hailing Zhang,Xue Chen,Dan Liao,Ming Zhang

DOI: https://doi.org/10.21203/rs.3.rs-1592245/v1

2022-01-01

Abstract:Abstract In recent years, the rapid increase in the number and type of Android malware has brought great challenges and pressure to malware detection systems. As a widely used method in android malware detection, static detecting has been a hot topic in academia and industry. However, in order to improve the accuracy of detection, the existing static detecting methods sacrifice the excessively high analysis complexity and time cost. Moreover, the correlation between static features leads to redundancy of a large amount of data. Therefore, this paper proposes a static detecting method of Android malware based on sensitive pattern. It uses an improved FP-growth algorithm to mine frequent combinations of sensitive permissions and API calls in malicious apps and benign apps, which avoids the generation of redundant information. In addition, this paper adopts multi-layered gradient boosting decision trees algorithm to train the detection model. And a dual similarity combination method is proposed to measure the similarity between different sensitive patterns. The experimental results show that our proposed detection method has high accuracy and great generalization ability.

Yue Li,Guangquan Xu,Hequn Xian,Longlong Rao,Jiangang Shi

DOI: https://doi.org/10.31209/2019.100000118

2019-01-01

Abstract:In order to prevent the spread of Android malware and protect privacy information from being compromised, this study proposes a novel multidimensional hybrid features extraction and analysis method for Android malware detection. This method is based primarily on a multidimensional hybrid features vector by extracting the information of permission requests, API calls, and runtime behaviors. The innovation of this study is to extract greater amounts of static and dynamic features information and combine them, that renders the features vector for training completer and more comprehensive. In addition, the feature selection algorithm is used to further optimize the extracted information to remove a number of extraneous features, and a new multi-dimensional hybrid features vector is obtained. The multi-dimensional hybrid features vector is then used to train the classification model. Finally, the unknown samples are detected and identified by using the obtained classification model. Our experiment is conducted based on 359 malicious and 500 benign applications as experimental samples, and the results indicate that our proposed method performs better in the accuracy rate of Android malware detection compared with those methods using static methods alone.

Haipeng Zhang,Shudong Li,Xiaobo Wu,Weihong Han,Laifu Wang

DOI: https://doi.org/10.1109/DSC53577.2021.00100

2021-01-01

Abstract:With the popularity of smartphones, android quickly occupied the market, and at the same time, millions of android malware increase every year, which caused great losses to users. so it's crucial to detect unknown android malware efficiently before install it. Machine learning has achieved outstanding performance in many fields, and so does android malware detection. Nowadays, many methods of detecting android malware based on machine learning have been proposed. These methods can be classified as dynamic analysis, static analysis, and hybrid analysis according to what kind of features they use. the dynamic analysis will waste a lot of time because it requires running software. What's more, it's hard to get all malicious behaviors because of Anti-Sandbox technology, which means malware might change its behavior to avoid detecting when malware is running in Sandbox. In this paper, we proposed a new android malware detection approach using multi-features and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm. The static features we use cover permissions and API calls of each android application and the size of the android application package. We used BOW(bag of words) to process permission feature, standardization to process packages size feature, and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm to handle API calls features. Machine-learning algorithms including AdaBoost, LinearSVC, GaussianNB are used for Classification. The experimental results on public datasets demonstrated our system could detect android malware efficiently.

Qingguo Zhou,Fang Feng,Zebang Shen,Rui Zhou,Meng-Yen Hsieh,Kuan-Ching Li

DOI: https://doi.org/10.1007/s11042-018-6498-z

IF: 2.577

2018-01-01

Multimedia Tools and Applications

Abstract:With the increasing number of malicious attacks, the way how to detect malicious Apps has drawn attention in mobile technology market. In this paper, we proposed a detection model to seek and track malware Apps actions in such devices. To characterize the behaviors of Apps, dynamic features of each App were constrained in 166-dimension and a novel machine learning classifier is employed to detect malware Apps, and alarm will be triggered if an Android-based App is detected as malicious. With such, we can avoid a detected malware spreading out in larger scale, affecting extensively our society. Detailed description of the detection model is provided, as well the core technologies of this novel machine learning classifier are presented. From experiments performed on a set of Android-based malware and benign Apps, we observe that the proposed classification algorithm achieves highest accuracy, true-positive rate, false-positive rate, precision, recall, f-measure in comparison to other methods as K-Nearest Neighbor (KNN), Naive Bayesian (NB), Support Vector Machine (SVM), Random Forest (RF), Logistic Regression (LR), Decision tree (DT), Linear Discriminant Analysis (LDA) and Back Propagation (BP). The proposed detection model is promising and can effectively be applied to Android malware detection, providing early detection and the prospect of warning users of threatens ahead.