Yang Zhao,Guangquan Xu,Yao Zhang

DOI: https://doi.org/10.1007/978-3-319-78078-8_25

2017-01-01

Abstract:Lack of supervision and management of many Android third-party application markets has led to a growing number of malware on android platforms. This causes a serious privacy threat to the user’s sensitive information. To solve this problem, in this paper, a new hybrid features analysis method aiming at Android malware detection is proposed, which obtains a hybrid feature vector by extracting the information of permission requests, API calls and runtime behaviors. The characteristic of this work is the use of machine learning classification algorithms to detect malicious software. In addition, the feature selection algorithm is used to further optimize the extracted information to remove some useless features. Our experiments are based on real-world Apps, and use five different classification algorithms to detect the malware. The experiment results show that our proposed hybrid feature extraction method can improve the accuracy rate of Android malware detection compared with using static methods alone.

Zhiyao Yang,Xu Yang,Heng Zhang,Haipeng Jia,Mingliang Zhou,Qin Mao,Cheng Ji,Xuekai Wei

DOI: https://doi.org/10.1142/s0218126623502997

2023-01-01

Abstract:Most of the existing static analysis-based detection methods adopt one or few types of typical static features for avoiding the problem of dimensionality and computational resource consumption. In order to further improve detecting accuracy with reasonable resource consumption, in this paper, a new Android malware detection model based on multiple features with feature selection method and feature vectorization method are proposed. Feature selection method for each type of features reduces the dimensionality of feature set. Weight-based feature vectorization method for API calls, intent and permission is designed to construct feature vector. Co-occurrence matrix-based vectorization method is proposed to vectorize opcode sequence. To demonstrate the effectiveness of our method, we conducted comprehensive experiments with a total of 30,000 samples. Experimental results show that our method outperforms state-of-the-art methods.

Haipeng Zhang,Shudong Li,Xiaobo Wu,Weihong Han,Laifu Wang

DOI: https://doi.org/10.1109/DSC53577.2021.00100

2021-01-01

Abstract:With the popularity of smartphones, android quickly occupied the market, and at the same time, millions of android malware increase every year, which caused great losses to users. so it's crucial to detect unknown android malware efficiently before install it. Machine learning has achieved outstanding performance in many fields, and so does android malware detection. Nowadays, many methods of detecting android malware based on machine learning have been proposed. These methods can be classified as dynamic analysis, static analysis, and hybrid analysis according to what kind of features they use. the dynamic analysis will waste a lot of time because it requires running software. What's more, it's hard to get all malicious behaviors because of Anti-Sandbox technology, which means malware might change its behavior to avoid detecting when malware is running in Sandbox. In this paper, we proposed a new android malware detection approach using multi-features and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm. The static features we use cover permissions and API calls of each android application and the size of the android application package. We used BOW(bag of words) to process permission feature, standardization to process packages size feature, and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm to handle API calls features. Machine-learning algorithms including AdaBoost, LinearSVC, GaussianNB are used for Classification. The experimental results on public datasets demonstrated our system could detect android malware efficiently.

Hanlin Long,Zhicheng Tian,Yang Liu

DOI: https://doi.org/10.1109/csp51677.2021.9357569

2021-01-01

Abstract:The mechanism of running software on virtual machines partly ensures the security of Android system. However, with all kinds of malicious codes being developed, there has been a huge number of massive security incidents caused by malware on Android. Malware has various code patterns, but their behaviors are measurable. In this paper, a new method of detecting Android malware by analyzing malware's behaviors is proposed. The method is characterized by the ability to mine the contextual relationships between system calls and network activities. Besides, the method requires only a small data set to achieve good classification performance. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods.

Haofeng Jiao,Xiaohong Li,Lei Zhang,Guangquan Xu,Zhiyong Feng

DOI: https://doi.org/10.1007/978-3-319-23829-6_40

2014-01-01

Abstract:The growth of malicious applications poses a great threat to the Android platform. In order to detect Android malware, this paper proposes a hybrid detection method based on permission. Firstly, applications are detected according to their permissions so that benign and malicious applications can be discriminated. Secondly, suspicious applications are run in order to collect the function calls related to sensitive permissions. Then suspicious applications are represented in a vector space model and their feature vectors are calculated by TF-IDF algorithm. Finally, the detection of suspicious applications is completed via security detection techniques adopting Euclidean distance and cosine similarity. At the end of this paper, an experiment including 982 samples is used as an empirical validation. The result shows that our method has a true positive rate at 91.2 % and a false positive rate at 2.1 %.

Chenkai Guo,Jing Xu,Lei Liu,Sihan Xu

DOI: https://doi.org/10.1109/icsess.2015.7339027

2015-01-01

Abstract:Attackers who designed malware seem to be so cautious that most of the malware are disguised as normal apps. This brings about huge difficulties to detect the malware. Similar with traditional PC testing, there are two main detection methods for Android malware: static analysis and dynamic monitoring. However, these methods inevitably face the challenge of code confusion performance cost. In this paper, a new evaluation algorithm based on the statistic technologies is proposed. By extracting permission features, we propose a reasonable method to judge whether an Android app is malicious or not. Besides, an evaluation prototype system MalDetector is developed to verify the effectiveness of our approach. We took 1260 malware and 10k market apps as "malicious" and "benign" datasets respectively. Sufficient experiments on these datasets show that MalDetector is more accurate and with lower false positive rate compared with other traditional methods.

Fei Tong,Zheng Yan

DOI: https://doi.org/10.1016/j.jpdc.2016.10.012

IF: 4.542

2017-01-01

Journal of Parallel and Distributed Computing

Abstract:Android security incidents occurred frequently in recent years. This motivates us to study mobile app security, especially in Android open mobile operating system. In this paper, we propose a novel hybrid approach for mobile malware detection by adopting both dynamic analysis and static analysis. We collect execution data of sample malware and benign apps using a net_link technology to generate patterns of system calls related to file and network access. Furthermore, we build up a malicious pattern set and a normal pattern set by comparing the patterns of malware and benign apps with each other. For detecting an unknown app, we use a dynamic method to collect its system calling data. We then compare them with both the malicious and normal pattern sets offline in order to judge the unknown app. Based on the test on a set of mobile malware and benign apps, we found that our approach achieves better detection success rate than some methods using either static analysis or dynamic analysis. What is more, the proposed approach is generic, which can detect different types of malware effectively. Its detection accuracy can be further improved since the pattern sets can be automatically optimized through self-learning.

Xuanxia Yao,Yang Li,Zhiguo Shi,Kaijun Liu,XiaoJiang Du

DOI: https://doi.org/10.1002/cpe.7555

2023-01-01

Abstract:SummaryWith the development of mobile communication, Android software has increased sharply. Meanwhile, more and more malware emerges. Identifying malware in time is very important. Currently, most malware identifying methods are static, and the detection accuracy mainly depends on the classification feature and the algorithm. In order to improve the detection accuracy, reducing the dimension and difficulty of feature extraction, we propose a lightweight Android malware detection method based on sensitive features combination. After fully analyzing the static features in Android software, we improve the extraction methods of various features, define four sensitive features, and then form a sensitive features combination to more accurately reflect the characteristics of Android software with fewer features. Finally, four different machine learning classification algorithms were used to evaluate the classification effect of the sensitive features combination. The experiments show that the sensitive features combination has a good classification effect. When combined with the random forest classification algorithm, the accuracy is the highest, which could reach 97.6%.

Qingguo Zhou,Fang Feng,Zebang Shen,Rui Zhou,Meng-Yen Hsieh,Kuan-Ching Li

DOI: https://doi.org/10.1007/s11042-018-6498-z

IF: 2.577

2018-01-01

Multimedia Tools and Applications

Abstract:With the increasing number of malicious attacks, the way how to detect malicious Apps has drawn attention in mobile technology market. In this paper, we proposed a detection model to seek and track malware Apps actions in such devices. To characterize the behaviors of Apps, dynamic features of each App were constrained in 166-dimension and a novel machine learning classifier is employed to detect malware Apps, and alarm will be triggered if an Android-based App is detected as malicious. With such, we can avoid a detected malware spreading out in larger scale, affecting extensively our society. Detailed description of the detection model is provided, as well the core technologies of this novel machine learning classifier are presented. From experiments performed on a set of Android-based malware and benign Apps, we observe that the proposed classification algorithm achieves highest accuracy, true-positive rate, false-positive rate, precision, recall, f-measure in comparison to other methods as K-Nearest Neighbor (KNN), Naive Bayesian (NB), Support Vector Machine (SVM), Random Forest (RF), Logistic Regression (LR), Decision tree (DT), Linear Discriminant Analysis (LDA) and Back Propagation (BP). The proposed detection model is promising and can effectively be applied to Android malware detection, providing early detection and the prospect of warning users of threatens ahead.

Long Wen,Haiyang Yu

DOI: https://doi.org/10.1063/1.4992953

2017-01-01

AIP Conference Proceedings

Abstract:The Android smartphone, with its open source character and excellent performance, has attracted many users. However, the convenience of the Android platform also has motivated the development of malware. The traditional method which detects the malware based on the signature is unable to detect unknown applications. The article proposes a machine learning-based lightweight system that is capable of identifying malware on Android devices. In this system we extract features based on the static analysis and the dynamitic analysis, then a new feature selection approach based on principle component analysis (PCA) and relief are presented in the article to decrease the dimensions of the features. After that, a model will be constructed with support vector machine (SVM) for classification. Experimental results show that our system provides an effective method in Android malware detection.

Yuxin Ding,Jieke Hu,Wenting Xu,Xiao Zhang

DOI: https://doi.org/10.1109/ICMLC48188.2019.8949298

2019-01-01

Abstract:In recent years, there is a rapid increase in the number of Android based malware. To protect users from malware attacks, different malware detection methods are proposed. In this paper, a novel static method is proposed to detect malware. We use the static analysis technique to analyze the Android applications and obtain their static behaviors. Two kinds of behaviors are extracted to represent malware. One kind of behaviors is the function call graph and the other kind is opcode sequences. To automatically learn behavioral features, we convert the function call graphs and opcode sequences into two dimensional data, and use deep learning method to build malware classifier. To further improve the performance of the malware classifier, a deep feature fusion model is proposed, which can combine different behavioral features for malware classification. The experimental results show the deep learning method is effective to detect malware and the proposed fusion model outperforms the single behavioral model.

Jiyun Yang,Jiang Tang,Ran Yan,Tao Xiang

DOI: https://doi.org/10.1049/cje.2020.00.217

IF: 1.019

2022-01-01

Chinese Journal of Electronics

Abstract:The dynamic code loading mechanism of the Android system allows an application to load executable files externally at runtime. This mechanism makes the development of applications more convenient, but it also brings security issues. Applications that hide malicious behavior in the external file by dynamic code loading are becoming a new challenge for Android malware detection. To overcome this challenge, based on dynamic code loading mechanisms, three types of threat models, i.e. Model I, Model II, and Model III are defined. For the Model I type malware, its malicious behavior occurs in DexCode, so the application programming interface (API) classes were used to characterize the behavior of the DexCode file. For the Model II type and Model III type malwares whose malicious behaviors occur in an external file, the permission complement is defined to characterize the behaviors of the external file. Based on permission complement and API calls, an Android malicious application detection method is proposed, of which feature sets are constructed by improving a feature selection method. Five datasets containing 15,581 samples are used to evaluate the performance of the proposed method. The experimental results show that our detection method achieves accuracy of 99.885% on general dataset, and performes the best on all evaluation metrics on all datasets in all comparison methods.

Tianliang Lu,Yanhui Du,Li Ouyang,Qiuyu Chen,Xirui Wang

DOI: https://doi.org/10.1155/2020/8863617

IF: 1.968

2020-08-28

Security and Communication Networks

Abstract:In recent years, the number of malware on the Android platform has been increasing, and with the widespread use of code obfuscation technology, the accuracy of antivirus software and traditional detection algorithms is low. Current state-of-the-art research shows that researchers started applying deep learning methods for malware detection. We proposed an Android malware detection algorithm based on a hybrid deep learning model which combines deep belief network (DBN) and gate recurrent unit (GRU). First of all, analyze the Android malware; in addition to extracting static features, dynamic behavioral features with strong antiobfuscation ability are also extracted. Then, build a hybrid deep learning model for Android malware detection. Because the static features are relatively independent, the DBN is used to process the static features. Because the dynamic features have temporal correlation, the GRU is used to process the dynamic feature sequence. Finally, the training results of DBN and GRU are input into the BP neural network, and the final classification results are output. Experimental results show that, compared with the traditional machine learning algorithms, the Android malware detection model based on hybrid deep learning algorithms has a higher detection accuracy, and it also has a better detection effect on obfuscated malware.

computer science, information systems,telecommunications

Jiayin Feng,Limin Shen,Zhen Chen,Yu Lei,Hui Li

DOI: https://doi.org/10.1016/j.aej.2024.11.068

IF: 6.626

2025-01-01

Alexandria Engineering Journal

Abstract:The malicious infestations of Android malware caused huge economic losses to users over the past few years. Machine learning-based malware detection enhances the accuracy and partially mitigates these security threats. However, when the static or dynamic features cannot effectively represent software behavior, the accuracy of the model will be reduced. For this issue, a multi-features hybrid malware detection and category classification method HGDetector is proposed, this approach provides a more comprehensive representation of software behavior. HGDetector first extracts the software static function call graph and constructs the network behavior function call graph, then applies the dynamic network traffic features of the software to build the node interaction graph and edge-node graph; Subsequently, these features were fused and converted into a vector representation employing graph embedding method; Finally, combined with the proposed HGDetector, different classifiers were used to test the accuracy of malware detection and category classification. The experimental results demonstrate that the fusion of hybrid features can enhance malware detection accuracy by approximately 4 % when network traffic features effectively capture APP's behavior. Conversely, in cases where network traffic features alone are insufficient to represent software's network behavior, the application of hybrid features can improve malware detection accuracy by 21 %-26 %.

Yi Zhang,Yuexiang Yang,Xiaolei Wang

DOI: https://doi.org/10.1145/3199478.3199492

2018-01-01

Abstract:With the explosive growth of Android malware, there is a pressure for us to improve the performance of existing malware detection approaches. In this paper, we proposed DeepClassifyDroid, a novel android malware detection system based on deep learning. DeepClassifyDroid takes a three-step approach: feature extraction, feature embedding and deep learning based detection. The first and second steps perform a broad static analysis and generate five different feature sets. The last step performs malware detection based on convolutional neural networks. We evaluated our approach with different feature sets and compared with a variety of machine learning based approaches. Study shows that DeepClassifyDroid outperforms most existing machine learning based approaches and detects 97.4% of the malware with few false alarms. Moreover, our approach is 10 times faster than Linear-SVM and 80 times faster than kNN.

Zhen Wang,Xiaoning Han,Weiqiang Kong,Yong Piao,Gang Hou,Masahiko Watanabe,Akira Fukuda

DOI: https://doi.org/10.1109/tase49443.2020.00034

2020-01-01

Abstract:With the increasing popularity of smartphones, the mobile security issues have become serious, and more and more malware has been found. Android applications are often used to handle sensitive information, thus they have become the main targets of malware attacks. In order to efficiently detect Android malware, in this paper, we present a multi-strategy combination framework. We use five types of static features to characterize Android applications from multiple aspects. To improve the classification accuracy and reduce the overfitting of the framework, we use three filter-based feature selection methods to identify the most informative top-k features. Then we input the applications represented by the feature subsets into five classification algorithms to build classifiers. Finally, we predict the classification results by hard voting or soft voting. We have performed many experiments in a well-marked dataset consisting of 41,155 samples. The experimental results show that our approach can achieve over 98% in accuracy, precision, recall and F-score. Compared with other existing methods, our approach has the best malware detection rate of 98.75%.

Yao Du,Xiaoqing Wang,Junfeng Wang

DOI: https://doi.org/10.1002/sec.1248

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:The rapid development of mobile malwares makes the traditional signature-based and single-feature based malware detection methods a challenging task. The surge of new malwares with more complex structures and dynamic characteristics leads to efficient fusion of multi-source malicious information more difficult in detection. In this paper, we propose a new multi-source based method to detect Android malwares by emphasizing on the traditional static features, control flow graph, and repacking characteristics. Each category of features is treated as an independent information source in feature extracting rules building and classification. Then, the Dempster-Shafer algorithm is used to fuse these information sources. This method can improve accuracy of malware detection without adding too many instability characteristics that are extracted from disassembled codes, and have better performance in the resistance to code obfuscation technologies. To verify our method, different categories of apps are collected to build the dataset in our experiment. Based on the dataset, our method can achieve 97% detection accuracy and 1.9% false positive rate. Copyright (c) 2015John Wiley & Sons, Ltd.

Huanran Wang,Weizhe Zhang,Hui He

DOI: https://doi.org/10.1016/j.jisa.2022.103159

IF: 4.96

2022-01-01

Journal of Information Security and Applications

Abstract:Recent years have witnessed a significant increase in the use of Android devices in many aspects of our life. However, users can download Android apps from third-party channels, which provides numerous opportunities for malware. Attackers utilize unsolicited permissions to gain access to the sensitive private intelligence of users. Since signature-based antivirus solutions no longer meet practical needs, efficient and adaptable solutions are desperately needed, especially in new variants. As a remedy, we propose a hybrid Android malware detection approach that combines dynamic and static tactics. We firstly adopt static analysis inferring different permission usage patterns between malware and benign apps based on the machine-learning-based method. To classify the suspicious apps further, we extract the object reference relationships from the memory heap to construct a dynamic feature base. We then present an improved state-based algorithm based on DAMBA. Experimental results on a real-world dataset of 21,708 apps show that our approach outperforms the well-known detector with 97.5% F1-measure. Besides, our system is demonstrated to resist permission abuse behaviors and obfuscation techniques.

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

Qixin Wu,Zheng Qin,Jinxin Zhang,Hui Yin,Guangyi Yang,Kuangsheng Hu

DOI: https://doi.org/10.1007/978-981-10-6385-5_23

2017-01-01

Abstract:Nowadays, analysis methods based on big data have been widely used in malicious software detection. Since Android has become the dominator of smartphone operating system market, the number of Android malicious applications are increasing rapidly as well, which attracts attention of malware attackers and researchers alike. Due to the endless evolution of the malware, it is critical to apply the analysis methods based on machine learning to detect malwares and stop them from leakaging our privacy information. In this paper, we propose a novel Android malware detection method based on binary texture feature recognition by Local Binary Pattern and Principal Component Analysis, which can visualize malware and detect malware accurately. Also, our method analyzes malware binary directly without any decompiler, sandbox or virtual machines, which avoid time and resource consumption caused by decompiler or monitor in this process. Experimentation on 5127 benigns and 5560 malwares shows that we obtain a detection accuracy of 90%.