Qing Yang,Xiaoliang Wang,Jing Zheng,Wenqi Ge,Ming Bai,Frank Jiang

DOI: https://doi.org/10.3837/tiis.2021.06.014

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid development of mobile Internet, smart phones have been widely popularized, among which Android platform dominates. Due to it is open source, malware on the Android platform is rampant. In order to improve the efficiency of malware detection, this paper proposes deep learning Android malicious detection system based on behavior features. First of all, the detection system adopts the static analysis method to extract different types of behavior features from Android applications, and extract sensitive behavior features through Term frequency-inverse Document Frequency algorithm for each extracted behavior feature to construct detection features through unified abstract expression. Secondly, Long Short-Term Memory neural network model is established to select and learn from the extracted attributes and the learned attributes are used to detect Android malicious applications, Analysis and further optimization of the application behavior parameters, so as to build a deep learning Android malicious detection method based on feature analysis. We use different types of features to evaluate our method and compare it with various machine learning-based methods. Study shows that it outperforms most existing machine learning based approaches and detects 95.31% of the malware.

Hui Li,Hailing Zhang,Xue Chen,Dan Liao,Ming Zhang

DOI: https://doi.org/10.21203/rs.3.rs-1592245/v1

2022-01-01

Abstract:Abstract In recent years, the rapid increase in the number and type of Android malware has brought great challenges and pressure to malware detection systems. As a widely used method in android malware detection, static detecting has been a hot topic in academia and industry. However, in order to improve the accuracy of detection, the existing static detecting methods sacrifice the excessively high analysis complexity and time cost. Moreover, the correlation between static features leads to redundancy of a large amount of data. Therefore, this paper proposes a static detecting method of Android malware based on sensitive pattern. It uses an improved FP-growth algorithm to mine frequent combinations of sensitive permissions and API calls in malicious apps and benign apps, which avoids the generation of redundant information. In addition, this paper adopts multi-layered gradient boosting decision trees algorithm to train the detection model. And a dual similarity combination method is proposed to measure the similarity between different sensitive patterns. The experimental results show that our proposed detection method has high accuracy and great generalization ability.

Xi Xiao,Peng Fu,Xianni Xiao,Yong Jiang,Qing Li,Runiu Lu

DOI: https://doi.org/10.1109/iccsnt.2015.7490915

2015-01-01

Abstract:Malware in Android has enjoyed a prevalence as Android has taken up a primary market in the mobile devices. In this paper, Adaptive Regularization Of Weights (AROW) and Support Vector Machine (SVM) are used to identify malware with both the static and dynamic analysis. Permissions, control flow graphs and system calls are taken as the application's classification features. Single features, the combination of permissions and control flow graphs, and the combination of the three features are all analyzed thoroughly. Compared with the previous work, AROW and SVM with the combination of the features could increase the TPR and decrease the FPR. Furthermore, the results of AROW and SVM are profoundly evaluated in this paper. As regard to the single features, SVM could perform better with the feature of permissions or system calls, while AROW provides a better result with control flow graphs. For the combination of the features, AROW gives a better result than SVM.

Huanran Wang,Weizhe Zhang,Hui He

DOI: https://doi.org/10.1016/j.jisa.2022.103159

IF: 4.96

2022-01-01

Journal of Information Security and Applications

Abstract:Recent years have witnessed a significant increase in the use of Android devices in many aspects of our life. However, users can download Android apps from third-party channels, which provides numerous opportunities for malware. Attackers utilize unsolicited permissions to gain access to the sensitive private intelligence of users. Since signature-based antivirus solutions no longer meet practical needs, efficient and adaptable solutions are desperately needed, especially in new variants. As a remedy, we propose a hybrid Android malware detection approach that combines dynamic and static tactics. We firstly adopt static analysis inferring different permission usage patterns between malware and benign apps based on the machine-learning-based method. To classify the suspicious apps further, we extract the object reference relationships from the memory heap to construct a dynamic feature base. We then present an improved state-based algorithm based on DAMBA. Experimental results on a real-world dataset of 21,708 apps show that our approach outperforms the well-known detector with 97.5% F1-measure. Besides, our system is demonstrated to resist permission abuse behaviors and obfuscation techniques.

Hongli Yuan,Yongchuan Tang,Wenjuan Sun,Li Liu

DOI: https://doi.org/10.1371/journal.pone.0238694

IF: 3.7

2020-09-11

PLoS ONE

Abstract:Android is the most widely used mobile operating system (OS). A large number of third-party Android application (app) markets have emerged. The absence of third-party market regulation has prompted research institutions to propose different malware detection techniques. However, due to improvements of malware itself and Android system, it is difficult to design a detection method that can efficiently and effectively detect malicious apps for a long time. Meanwhile, adopting more features will increase the complexity of the model and the computational cost of the system. Permissions play a vital role in the security of the Android apps. Term Frequency—Inverse Document Frequency (TF-IDF) is used to assess the importance of a word for a file set in a corpus. The static analysis method does not need to run the app. It can efficiently and accurately extract the permissions from an app. Based on this cognition and perspective, in this paper, a new static detection method based on TF-IDF and Machine Learning is proposed. The system permissions are extracted in Android application package's (Apk's) manifest file. TF-IDF algorithm is used to calculate the permission value (PV) of each permission and the sensitivity value of apk (SVOA) of each app. The SVOA and the number of the used permissions are learned and tested by machine learning. 6070 benign apps and 9419 malware are used to evaluate the proposed approach. The experiment results show that only use dangerous permissions or the number of used permissions can't accurately distinguish whether an app is malicious or benign. For malware detection, the proposed approach achieve up to 99.5% accuracy and the learning and training time only needs 0.05s. For malware families detection, the accuracy is 99.6%. The results indicate that the method for unknown/new sample's detection accuracy is 92.71%. Compared against other state-of-the-art approaches, the proposed approach is more effective by detecting malware and malware families.

multidisciplinary sciences

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

Jiyun Yang,Jiang Tang,Ran Yan,Tao Xiang

DOI: https://doi.org/10.1049/cje.2020.00.217

IF: 1.019

2022-01-01

Chinese Journal of Electronics

Abstract:The dynamic code loading mechanism of the Android system allows an application to load executable files externally at runtime. This mechanism makes the development of applications more convenient, but it also brings security issues. Applications that hide malicious behavior in the external file by dynamic code loading are becoming a new challenge for Android malware detection. To overcome this challenge, based on dynamic code loading mechanisms, three types of threat models, i.e. Model I, Model II, and Model III are defined. For the Model I type malware, its malicious behavior occurs in DexCode, so the application programming interface (API) classes were used to characterize the behavior of the DexCode file. For the Model II type and Model III type malwares whose malicious behaviors occur in an external file, the permission complement is defined to characterize the behaviors of the external file. Based on permission complement and API calls, an Android malicious application detection method is proposed, of which feature sets are constructed by improving a feature selection method. Five datasets containing 15,581 samples are used to evaluate the performance of the proposed method. The experimental results show that our detection method achieves accuracy of 99.885% on general dataset, and performes the best on all evaluation metrics on all datasets in all comparison methods.

Jiawei Zhu,Zhi Guan,Yang,Liangwen Yu,Huiping Sun,Zhong Chen

DOI: https://doi.org/10.1007/978-3-642-34129-8_20

2012-01-01

Abstract:Android has become one of the most popular mobile operating system because of numerous applications it provides. Android Market is the official application store which allows users to search and install applications to their Android devices. However, with the increasingly number of applications, malware is also beginning to turn up in app stores. To mitigate the security problem brought by malware, we put forward a novel permission-based abnormal application detection framework which identifies potentially dangerous apps by the reliability of their permission lists. To judge the reliability of app's permissions, we make use of the relation between app's description text and its permission list. In detail, we use Naive Bayes with Multinomial Event Model algorithm to build the relation between the description and the permission list of an application. We evaluate this framework with 5,685 applications in Android Market and find it effective in identifying abnormal application in Android Market.

Haipeng Zhang,Shudong Li,Xiaobo Wu,Weihong Han,Laifu Wang

DOI: https://doi.org/10.1109/DSC53577.2021.00100

2021-01-01

Abstract:With the popularity of smartphones, android quickly occupied the market, and at the same time, millions of android malware increase every year, which caused great losses to users. so it's crucial to detect unknown android malware efficiently before install it. Machine learning has achieved outstanding performance in many fields, and so does android malware detection. Nowadays, many methods of detecting android malware based on machine learning have been proposed. These methods can be classified as dynamic analysis, static analysis, and hybrid analysis according to what kind of features they use. the dynamic analysis will waste a lot of time because it requires running software. What's more, it's hard to get all malicious behaviors because of Anti-Sandbox technology, which means malware might change its behavior to avoid detecting when malware is running in Sandbox. In this paper, we proposed a new android malware detection approach using multi-features and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm. The static features we use cover permissions and API calls of each android application and the size of the android application package. We used BOW(bag of words) to process permission feature, standardization to process packages size feature, and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm to handle API calls features. Machine-learning algorithms including AdaBoost, LinearSVC, GaussianNB are used for Classification. The experimental results on public datasets demonstrated our system could detect android malware efficiently.

Shuang Liang,Xiaojiang Du

DOI: https://doi.org/10.1109/ICC.2014.6883666

2014-01-01

Abstract:With the increase use of Android mobile phones, more Android malwares are being developed. Android malware detection becomes a crucial task. In this paper, we present a permission-combination-based scheme for Android malware detection. The Android malware detection scheme is based on permission combinations declared in the application manifest file. We obtain the permission combinations that are requested frequently by malwares but rarely by benign applications. We generate rule sets based on the permission combinations. Our experimental results show that the malware detection rate is up to 96%, and the benign application recognition rate is up to 88%. Our experimental results with real malwares show that the Android malware detection scheme is very efficient and effective.

Jiawei Zhu,Zhengang Wu,Zhi Guan,Zhong Chen

DOI: https://doi.org/10.1109/uic-atc-scalcom-cbdcom-iop.2015.135

2015-01-01

Abstract:To mitigate security problem brought by Android malware, various work has been proposed such as behavior based malware detection and data mining based malware detection. In this paper, we put forward a novel Android malware detection model using data mining techniques. We design an algorithm with two steps. The first step is modeling Android application code into graph structure, called API control flow graph by us. Next step is calculating API sequences fulfilling minimum intra-family support in each malware family because malware in malware family usually share similar behavior pattern. Finally, supervised learning method is took advantage in building our malware detecting model with API sequences as input features. We evaluate this model with 1200 applications, half of them are malicious and half are benign, and find it effective in identifying Android malware and even unknown malware.

Chenkai Guo,Jing Xu,Lei Liu,Sihan Xu

DOI: https://doi.org/10.1109/icsess.2015.7339027

2015-01-01

Abstract:Attackers who designed malware seem to be so cautious that most of the malware are disguised as normal apps. This brings about huge difficulties to detect the malware. Similar with traditional PC testing, there are two main detection methods for Android malware: static analysis and dynamic monitoring. However, these methods inevitably face the challenge of code confusion performance cost. In this paper, a new evaluation algorithm based on the statistic technologies is proposed. By extracting permission features, we propose a reasonable method to judge whether an Android app is malicious or not. Besides, an evaluation prototype system MalDetector is developed to verify the effectiveness of our approach. We took 1260 malware and 10k market apps as "malicious" and "benign" datasets respectively. Sufficient experiments on these datasets show that MalDetector is more accurate and with lower false positive rate compared with other traditional methods.

Hanlin Long,Zhicheng Tian,Yang Liu

DOI: https://doi.org/10.1109/csp51677.2021.9357569

2021-01-01

Abstract:The mechanism of running software on virtual machines partly ensures the security of Android system. However, with all kinds of malicious codes being developed, there has been a huge number of massive security incidents caused by malware on Android. Malware has various code patterns, but their behaviors are measurable. In this paper, a new method of detecting Android malware by analyzing malware's behaviors is proposed. The method is characterized by the ability to mine the contextual relationships between system calls and network activities. Besides, the method requires only a small data set to achieve good classification performance. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods.

Guanhong Tao,Zibin Zheng,Ziying Guo,Michael R. Lyu

DOI: https://doi.org/10.1109/tr.2017.2778147

IF: 5.883

2018-01-01

IEEE Transactions on Reliability

Abstract:The dramatic rise of Android application (app) marketplaces has significantly gained the success of convenience for mobile users. Consequently, with the advantage of numerous Android apps, Android malware seizes the opportunity to steal privacy-sensitive data by pretending to provide functionalities as benign apps do. To distinguish malware from millions of Android apps, researchers have proposed sophisticated static and dynamic analysis tools to automatically detect and classify malicious apps. Most of these tools, however, rely on manual configuration of lists of features based on permissions, sensitive resources, intents, etc., which are difficult to come by. To address this problem, we study real-world Android apps to mine hidden patterns of malware and are able to extract highly sensitive APIs that are widely used in Android malware. We also implement an automated malware detection system, MalPat, to fight against malware and assist Android app marketplaces to address unknown malicious apps. Comprehensive experiments are conducted on our dataset consisting of 31 185 benign apps and 15 336 malware samples. Experimental results show that MalPat is capable of detecting malware with a high F-1 score (98.24%) comparing with the state-of-the-art approaches.

Zijun Xu,Meng Li,Yiming Hei,Peiran Li,Jianwei Liu

DOI: https://doi.org/10.1109/cscloud-edgecom52276.2021.00021

2021-01-01

Abstract:Nowadays, Android system is the most popular mobile smart operating system on the market. However, the number of Android malware has increased sharply and Android malware spreads quickly and has lots of variants. The existing traditional Android malware detection systems are mostly based on the explicit relationship between Android applications, and their detection accuracy and detection efficiency need to be improved. In this paper, we establish an heterogeneous information network to represent the structural and semantic relations between Android application entities. Then we combine relation matrices and meta-paths to get entity features, and we propose two aggregation operations to learn Android application features. Finally, we use the Multi-Layer Perception neural network to detect Android malware. Through testing on the real data sets, the results show that our system takes into account both accuracy and efficiency.

Yueqi Jin,Tengfei Yang,Yangyang Li,Haiyong Xie

DOI: https://doi.org/10.1007/978-981-15-8083-3_19

2020-01-01

Abstract:Android, the world’s most widely used mobile operating system, is the target of a large number of malwares. These malwares have brought great trouble to information security and users’ privacy, such as leaking personal information, secretly downloading programs to consume data, and secretly sending deduction SMS messages. With the increase of malwares, detection methods have been proposed constantly. Especially in recent years, the malware detection methods based on deep learning are popular. However, the detection methods based on static features have a low accuracy, and others based on dynamic features take a long time, all this limits its scope.

Wenjun HU,Shuang ZHAO,Jing TAO,Xiaobo MA,Liang CHEN

DOI: https://doi.org/10.7652/xjtuxb201310007

2013-01-01

Abstract:An Android malware detection system is designed and implemented to focus on the problem that malware on Android becomes widespread. The system combines static and dynamic analysis technologies. The APK features such as permission, API call sequences, component, resource and structure are extracted to form a feature vector in static analysis, and a similarity-based method is proposed to detect known malware samples using these features. Android source code is then updated to generate new kernel images in dynamic analysis. The new kernel images can monitor the Android program's behaviors such as file reading and writing, network connection, SMS sending and telephone calling, etc. Thus, unknown malware samples can be successfully identified through analyzing these behaviors. Experimental results show that the proposed system is efficient and performs well on detecting Android malware. The proposed system has been released online and free use of the system is available on the Internet.

Noor Afiza Mohd Ariffin,Hanna Pungo Casinto

DOI: https://doi.org/10.37934/araset.33.3.8697

2023-11-09

Journal of Advanced Research in Applied Sciences and Engineering Technology

Abstract:The increase of mobile device enhancement grows. With this development, mobile phones are supporting many programs, and everyone takes advantage of them. Nevertheless, malware applications are increasing more and more so that people can come across lots of problems. Android is a mobile operating system that is the most used on smart mobile phones. Because it is the most used and open source, it has been the target of attackers. Android security is related to the permissions allowed by users to the applications. There have been many studies on permission-based Android malware detection. In this study, a permission-based Android malware system is analyzed. Unlike other studies, we propose a permission weight approach. Each of the permissions is given a different score using this approach. Then, K-nearest Neighbor (KNN) and Naïve Bayes (NB) algorithms are applied, and the proposed method is compared with the previous studies and the expected experimental results of the proposed approach will be higher.

Xinning Wang,Chong Li

DOI: https://doi.org/10.1016/j.neucom.2020.12.088

IF: 6

2021-01-01

Neurocomputing

Abstract:With the advent of smart phones, the popularity of free Android applications has risen rapidly. This has led to malicious Android apps being involuntarily installed, which violate the user privacy or conduct attack. Malware detection on Android platforms therefore is a growing concern because of the undesirable similarity between malicious behavior and benign behavior, which can lead to slow detection, and allow compromises to persist for comparatively long periods of time in infected phones. The contributions of this paper are first a multiple dimensional, kernel feature-based framework and feature weight-based detection (WBD) designed to categorize and comprehend the characteristics of Android malware and benign apps. Furthermore, our software agent is orchestrated and implemented for the data collection and storage to scan thousands of benign and malicious apps automatically. We examine 112 kernel attributes of executing the task data structure in the Android system and evaluate the detection accuracy with a number of datasets of various dimensions. We find that memory-and signal-related features contribute to more precise classification than schedule-related and other descriptors of task states listed in our paper. Particularly, memory-related features provide fine-grain classification policies for preserving higher classification precision than the signal-related and others. Furthermore, we study and evaluate 80 newly infected attributes of the Android kernel task structure, prioritizing the 70 features of most significance based on dimensional reduction to optimize the efficiency of high-dimensional classification. Our second contribution is that our experiments demonstrate that, as compared to existing techniques with a short list of task structure features (16 or 32 features), our method can achieve 94%-98% accuracy and 2%-7% false positive rate, while detecting malware apps with reduced-dimensional features that adequately abbreviate online malware detections and advance offline malware inspections. (c) 2021 Elsevier B.V. All rights reserved.

Hanqing Zhang,Senlin Luo,Yifei Zhang,Limin Pan

DOI: https://doi.org/10.1109/access.2019.2919796

IF: 3.9

2019-01-01

IEEE Access

Abstract:According to the recent report, 12 000 new Android malware samples will be generated every day. Efficient identification of evolving malware is an urgent challenge. Traditional methods based on structured features such as permissions and sensitive application programming interface (API) calls lack high-level behavioral semantics to detect evolving malware. The methods based on call graphs (CG) are good at behavioral semantic analysis but face the problem of huge time and space consumption, which leads to low detection efficiency. In this paper, we propose a novel Android malware detection method based on the method-level correlation relationship of application's abstracted API calls. First, we split each Android application's source code into separate function methods and just keep the abstracted API calls of them to form a set of abstracted API calls transactions. And then, we calculate the confidence of association rules between the abstracted API calls, which forms behavioral semantics to describe an application. Finally, we combine machine learning to identify the different behavioral patterns of malicious and benign apps to build the detection system. The results of our empirical evaluation show our system is competitive in terms of classification accuracy and detection efficiency. At dataset Drebin (benign 5.9K and malware 5.6K) and AMD (benign 20.5K and malware 20.8K), our system has achieved 96% and 98% detection results both in accuracy and F-measure. Compared with the state-of-the-art system in detecting evolving malware called MaMaDroid on the dataset of 6.0K benign and 20.5K malicious samples spanning from 2010 to 2017, our system achieves higher accuracy while improving detection efficiency by 15 times (2.9 s versus 45.7 s per sample).