Yao ZHENG,Yi-jun WANG,Zhi XUE

DOI: https://doi.org/10.3969/j.issn.1673-629X.2017.03.026

2017-01-01

Abstract:A static feature-based mechanism is studied to provide a static analysis method for detection of the Android malware. In order to identify the intention of different Android malware,all kinds of clustering algorithms are applied to enhance the malware modeling ca-pability to any Android procedure. Besides,a system,called XDroidMat,is developed. The XDroidMat extracts the information from each application' s manifest file and regards components as entry points drilling down for tracing API Calls related to permissions. Then it uses k-means algorithm to strengthen the malware modeling capability. The number of clusters is decided by Singular Value Decomposition ( SVD) method on the low rank approximation. Finally,it uses kNN algorithm to classify the application as benign or malicious. The ex-perimental results show XDroidMat can get 98. 12% accuracy and do well in detecting the Android malware.

Xi Xiao,Shaofeng Zhang,Francesco Mercaldo,Guangwu Hu,Arun Kumar Sangaiah

DOI: https://doi.org/10.1007/s11042-017-5104-0

IF: 2.577

2017-01-01

Multimedia Tools and Applications

Abstract:As Android-based mobile devices become increasingly popular, malware detection on Android is very crucial nowadays. In this paper, a novel detection method based on deep learning is proposed to distinguish malware from trusted applications. Considering there is some semantic information in system call sequences as the natural language, we treat one system call sequence as a sentence in the language and construct a classifier based on the Long Short-Term Memory (LSTM) language model. In the classifier, at first two LSTM models are trained respectively by the system call sequences from malware and those from benign applications. Then according to these models, two similarity scores are computed. Finally, the classifier determines whether the application under analysis is malicious or trusted by the greater score. Thorough experiments show that our approach can achieve high efficiency and reach high recall of 96.6% with low false positive rate of 9.3%, which is better than the other methods.

Wenjun HU,Shuang ZHAO,Jing TAO,Xiaobo MA,Liang CHEN

DOI: https://doi.org/10.7652/xjtuxb201310007

2013-01-01

Abstract:An Android malware detection system is designed and implemented to focus on the problem that malware on Android becomes widespread. The system combines static and dynamic analysis technologies. The APK features such as permission, API call sequences, component, resource and structure are extracted to form a feature vector in static analysis, and a similarity-based method is proposed to detect known malware samples using these features. Android source code is then updated to generate new kernel images in dynamic analysis. The new kernel images can monitor the Android program's behaviors such as file reading and writing, network connection, SMS sending and telephone calling, etc. Thus, unknown malware samples can be successfully identified through analyzing these behaviors. Experimental results show that the proposed system is efficient and performs well on detecting Android malware. The proposed system has been released online and free use of the system is available on the Internet.

Bo FENG,Hang DAI,De-jun MU

DOI: https://doi.org/10.3969/j.issn.1673-629X.2014.02.036

2014-01-01

Abstract:In view of the flood situation for Android malware,propose a method of behavior-based dynamic malware detection. First,get a comprehensive collection of software run-time information,including system information and kernel calls. The kernel call sequences are truncated to fixed length. Second,form all the information as property and values. Taking information gain as an indicator,select proper-ties that have high information gain and different impact by applying the C4. 5 algorithm,and proportionally assign weighting factor to properties based on the size of the information gain. Finally,apply K-Nearest Neighbor algorithm to complete the process of machine learning,making the system identify malicious software that similar to the sample,and regard unknown types of software as suspected malware. The result of experiment shows that the method has a high true positive rate and low false positive rate. Moreover,the result can be further improved with the increase of the learning sample library.

Hanqing Zhang,Senlin Luo,Yifei Zhang,Limin Pan

DOI: https://doi.org/10.1109/access.2019.2919796

IF: 3.9

2019-01-01

IEEE Access

Abstract:According to the recent report, 12 000 new Android malware samples will be generated every day. Efficient identification of evolving malware is an urgent challenge. Traditional methods based on structured features such as permissions and sensitive application programming interface (API) calls lack high-level behavioral semantics to detect evolving malware. The methods based on call graphs (CG) are good at behavioral semantic analysis but face the problem of huge time and space consumption, which leads to low detection efficiency. In this paper, we propose a novel Android malware detection method based on the method-level correlation relationship of application's abstracted API calls. First, we split each Android application's source code into separate function methods and just keep the abstracted API calls of them to form a set of abstracted API calls transactions. And then, we calculate the confidence of association rules between the abstracted API calls, which forms behavioral semantics to describe an application. Finally, we combine machine learning to identify the different behavioral patterns of malicious and benign apps to build the detection system. The results of our empirical evaluation show our system is competitive in terms of classification accuracy and detection efficiency. At dataset Drebin (benign 5.9K and malware 5.6K) and AMD (benign 20.5K and malware 20.8K), our system has achieved 96% and 98% detection results both in accuracy and F-measure. Compared with the state-of-the-art system in detecting evolving malware called MaMaDroid on the dataset of 6.0K benign and 20.5K malicious samples spanning from 2010 to 2017, our system achieves higher accuracy while improving detection efficiency by 15 times (2.9 s versus 45.7 s per sample).

Sanya Chaba,Rahul Kumar,Rohan Pant,Mayank Dave

DOI: https://doi.org/10.48550/arXiv.1709.08805

2017-09-26

Abstract:Static detection technologies based on signature-based approaches that are widely used in Android platform to detect malicious applications. It can accurately detect malware by extracting signatures from test data and then comparing the test data with the signature samples of virus and benign samples. However, this method is generally unable to detect unknown malware applications. This is because, sometimes, the machine code can be converted into assembly code, which can be easily read and understood by humans. Furthuremore, the attacker can then make sense of the assembly instructions and understand the functioning of the program from the same. Therefore we focus on observing the behaviour of the malicious software while it is actually running on a host system. The dynamic behaviours of an application are conducted by the system call sequences at the end. Hence, we observe the system call log of each application, use the same for the construction of our dataset, and finally use this dataset to classify an unknown application as malicious or benign.

Cryptography and Security

Xi Xiao,Xianni Xiao,Yong Jiang,Xuejiao Liu,Runguo Ye

DOI: https://doi.org/10.1002/ett.3016

IF: 3.6

2016-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:With the popularity of Android devices, mobile malware in Android has became more prevalent. Malware causes lots of harm to users, such as stealing personal information and using too much battery or CPU. Detecting mobile malware is the main task in Android security. In this work, we use a dynamic analysis method to distinguish malware with system call sequences. At first, we track the system calls of applications under different events. Then two different feature models, the frequency vector and the co‐occurrence matrix, are employed to extract features from the system call sequence. Finally, we apply Adaptive Regularization Of Weight Vectors and other machine learning algorithms to identify Android malware based on the aforementioned two models, respectively. We evaluate our method with 1189 benign applications and 1227 malicious applications. The experiment results show that the co‐occurrence matrix can achieve a much better detection rate than the frequency vector. Our best detection rate is 97.7per cent with false positive rate being 1.34per cent, which is better than those of the existing methods. Copyright © 2016 John Wiley & Sons, Ltd.

Hanlin Long,Zhicheng Tian,Yang Liu

DOI: https://doi.org/10.1109/csp51677.2021.9357569

2021-01-01

Abstract:The mechanism of running software on virtual machines partly ensures the security of Android system. However, with all kinds of malicious codes being developed, there has been a huge number of massive security incidents caused by malware on Android. Malware has various code patterns, but their behaviors are measurable. In this paper, a new method of detecting Android malware by analyzing malware's behaviors is proposed. The method is characterized by the ability to mine the contextual relationships between system calls and network activities. Besides, the method requires only a small data set to achieve good classification performance. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods.

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Parnika Bhat,Sunny Behal,Kamlesh Dutta

DOI: https://doi.org/10.1016/j.cose.2023.103277

2023-05-03

Abstract:The enormous popularity of Android in the smartphone market has gained the attention of malicious actors as well. Also, considering its open system architecture, malicious attacks don't seem to wane anytime soon. Cybercriminals use deceptive attack strategies like obfuscation or dynamic code loading to evade the system. A conventional static analysis approach fails to identify such attacks. Mitigating a wide range of evasive attacks requires excogitating savvy dynamic analysis framework. This paper proposes a precise dynamic analysis approach to identify a slew of malicious attacks. The proposed method focus on behavioral analysis of malware that requires reconstructing the behavior of Android malware. The dynamic behavior features used include system calls, binders, and complex Android objects (composite behavior). For efficient malware detection and classification, a feature selection method is used to remove extraneous features. For classification, we use homogeneous and heterogeneous ensemble machine learning algorithms. The stacking approach has the best classification results with an accuracy rate of 98.08%. The rigorous experimental results show the effectiveness and superiority of the model.

computer science, information systems

Shubham Shakya,Mayank Dave

DOI: https://doi.org/10.48550/arXiv.2208.06130

2022-08-12

Abstract:With the increasing popularity of Android in the last decade, Android is popular among users as well as attackers. The vast number of android users grabs the attention of attackers on android. Due to the continuous evolution of the variety and attacking techniques of android malware, our detection methods should need an update too. Most of the researcher's works are based on static features, and very few focus on dynamic features. In this paper, we are filling the literature gap by detecting android malware using System calls. We are running the malicious app in a monitored and controlled environment using an emulator to detect malware. Malicious behavior is activated with some simulated events during its runtime to activate its hostile behavior. Logs collected during the app's runtime are analyzed and fed to different machine learning models for Detection and Family classification of Malware. The result indicates that K-Nearest Neighbor and the Decision Tree gave the highest accuracy in malware detection and Family Classification respectively.

Cryptography and Security

Hui Li,Hailing Zhang,Xue Chen,Dan Liao,Ming Zhang

DOI: https://doi.org/10.21203/rs.3.rs-1592245/v1

2022-01-01

Abstract:Abstract In recent years, the rapid increase in the number and type of Android malware has brought great challenges and pressure to malware detection systems. As a widely used method in android malware detection, static detecting has been a hot topic in academia and industry. However, in order to improve the accuracy of detection, the existing static detecting methods sacrifice the excessively high analysis complexity and time cost. Moreover, the correlation between static features leads to redundancy of a large amount of data. Therefore, this paper proposes a static detecting method of Android malware based on sensitive pattern. It uses an improved FP-growth algorithm to mine frequent combinations of sensitive permissions and API calls in malicious apps and benign apps, which avoids the generation of redundant information. In addition, this paper adopts multi-layered gradient boosting decision trees algorithm to train the detection model. And a dual similarity combination method is proposed to measure the similarity between different sensitive patterns. The experimental results show that our proposed detection method has high accuracy and great generalization ability.

Ding Yuxin,Zhu Siyi,Xia Xiaoling

DOI: https://doi.org/10.1007/978-3-319-46681-1_9

2016-01-01

Abstract:With the rapid development of mobile Internet, mobile devices have been widely used in people__ daily life, which has made mobile platforms a prime target for malware attack. In this paper we study on Android malware detection method. We propose the method how to extract the structural features of android application from its function call graph, and then use the structure features to build classifier to classify malware. The experiment results show that structural features can effectively improve the performance of malware detection methods. © Springer International Publishing AG 2016.

LUO Wenshuang,CAO Tianjie

DOI: https://doi.org/10.11772/j.issn.1001-9081.2017071835

2018-01-01

Abstract:Considering rapid growth of Android malware and poor capability of detecting malware,a static detection method based on non-user operation sequences was proposed.Firstly,the Application Programming Interface (API) call information of malware was extracted by reverse engineering analysis.Secondly,the malware's function-call graph was established by using breadth-first traversal algorithm;then,non-user operation sequence was extracted from the function-call graph to form malicious behavior database.Finally,the similarity of the detected sample and non-user operation sequence in the malicious behavior database was calculated by using the edit distance algorithm for malware identification.In the detection of 360 malicious samples and 300 normal samples,the proposed method could reach the recall rate of 90.8％ and the accuracy rate of 90.3％.Compared with the Android malware detection system Androguard,the recall rate of the proposed method increased by 30 percentage points in the detection of malicious samples;and compared with the FlowDroid method,the precision rate increased by 11 percentage points in the detection of normal sample and the recall rate increased by 4.4 percentage points in the detection of malicious samples.The experimental results show that the proposed method improves the recall rate of malware detection and promotes the detection effect of malware.

Jiyun Yang,Jiang Tang,Ran Yan,Tao Xiang

DOI: https://doi.org/10.1049/cje.2020.00.217

IF: 1.019

2022-01-01

Chinese Journal of Electronics

Abstract:The dynamic code loading mechanism of the Android system allows an application to load executable files externally at runtime. This mechanism makes the development of applications more convenient, but it also brings security issues. Applications that hide malicious behavior in the external file by dynamic code loading are becoming a new challenge for Android malware detection. To overcome this challenge, based on dynamic code loading mechanisms, three types of threat models, i.e. Model I, Model II, and Model III are defined. For the Model I type malware, its malicious behavior occurs in DexCode, so the application programming interface (API) classes were used to characterize the behavior of the DexCode file. For the Model II type and Model III type malwares whose malicious behaviors occur in an external file, the permission complement is defined to characterize the behaviors of the external file. Based on permission complement and API calls, an Android malicious application detection method is proposed, of which feature sets are constructed by improving a feature selection method. Five datasets containing 15,581 samples are used to evaluate the performance of the proposed method. The experimental results show that our detection method achieves accuracy of 99.885% on general dataset, and performes the best on all evaluation metrics on all datasets in all comparison methods.

Xiaolei Wang,Yuexiang Yang,Yingzhi Zeng

DOI: https://doi.org/10.1186/s40064-015-1356-1

2015-10-07

SpringerPlus

Abstract:As the dominator of the Smartphone operating system market, consequently android has attracted the attention of s malware authors and researcher alike. The number of types of android malware is increasing rapidly regardless of the considerable number of proposed malware analysis systems. In this paper, by taking advantages of low false-positive rate of misuse detection and the ability of anomaly detection to detect zero-day malware, we propose a novel hybrid detection system based on a new open-source framework CuckooDroid, which enables the use of Cuckoo Sandbox's features to analyze Android malware through dynamic and static analysis. Our proposed system mainly consists of two parts: anomaly detection engine performing abnormal apps detection through dynamic analysis; signature detection engine performing known malware detection and classification with the combination of static and dynamic analysis. We evaluate our system using 5560 malware samples and 6000 benign samples. Experiments show that our anomaly detection engine with dynamic analysis is capable of detecting zero-day malware with a low false negative rate (1.16 %) and acceptable false positive rate (1.30 %); it is worth noting that our signature detection engine with hybrid analysis can accurately classify malware samples with an average positive rate 98.94 %. Considering the intensive computing resources required by the static and dynamic analysis, our proposed detection system should be deployed off-device, such as in the Cloud. The app store markets and the ordinary users can access our detection system for malware detection through cloud service.

Jinran Du,Huajun Chen,Weijie Zhong,Zhen Liu,Aidong Xu

DOI: https://doi.org/10.1109/icsai.2018.8599356

2018-01-01

Abstract:With the rapid spread of wireless networks and 4G networks, the application of mobile intelligent terminals has become more and more widespread. At the same time, there are more and more malicious software for mobile terminals, especially for the Android platform. Aiming at the detection problem of Android malicious code, a dynamic and static combined Android malicious code detection model based on SVM was proposed. Firstly, the dynamic and static features of Android program are extracted. Then, these features were vectored, used for the training and testing of SVM (Support vector machine). As shown in the experiments, the correct detection rate of Android malware is as high as 94.38%, recall rate achieving 98.46%, proved the effectiveness of the method.

Qingguo Zhou,Fang Feng,Zebang Shen,Rui Zhou,Meng-Yen Hsieh,Kuan-Ching Li

DOI: https://doi.org/10.1007/s11042-018-6498-z

IF: 2.577

2018-01-01

Multimedia Tools and Applications

Abstract:With the increasing number of malicious attacks, the way how to detect malicious Apps has drawn attention in mobile technology market. In this paper, we proposed a detection model to seek and track malware Apps actions in such devices. To characterize the behaviors of Apps, dynamic features of each App were constrained in 166-dimension and a novel machine learning classifier is employed to detect malware Apps, and alarm will be triggered if an Android-based App is detected as malicious. With such, we can avoid a detected malware spreading out in larger scale, affecting extensively our society. Detailed description of the detection model is provided, as well the core technologies of this novel machine learning classifier are presented. From experiments performed on a set of Android-based malware and benign Apps, we observe that the proposed classification algorithm achieves highest accuracy, true-positive rate, false-positive rate, precision, recall, f-measure in comparison to other methods as K-Nearest Neighbor (KNN), Naive Bayesian (NB), Support Vector Machine (SVM), Random Forest (RF), Logistic Regression (LR), Decision tree (DT), Linear Discriminant Analysis (LDA) and Back Propagation (BP). The proposed detection model is promising and can effectively be applied to Android malware detection, providing early detection and the prospect of warning users of threatens ahead.

Xi Xiao,Peng Fu,Xianni Xiao,Yong Jiang,Qing Li,Runiu Lu

DOI: https://doi.org/10.1109/iccsnt.2015.7490915

2015-01-01

Abstract:Malware in Android has enjoyed a prevalence as Android has taken up a primary market in the mobile devices. In this paper, Adaptive Regularization Of Weights (AROW) and Support Vector Machine (SVM) are used to identify malware with both the static and dynamic analysis. Permissions, control flow graphs and system calls are taken as the application's classification features. Single features, the combination of permissions and control flow graphs, and the combination of the three features are all analyzed thoroughly. Compared with the previous work, AROW and SVM with the combination of the features could increase the TPR and decrease the FPR. Furthermore, the results of AROW and SVM are profoundly evaluated in this paper. As regard to the single features, SVM could perform better with the feature of permissions or system calls, while AROW provides a better result with control flow graphs. For the combination of the features, AROW gives a better result than SVM.

Shaofeng Zhang,Xi Xiao

DOI: https://doi.org/10.1109/Trustcom/BigDataSE/ICESS.2017.237

2017-01-01

Abstract:The detection of the malicious application or malware on Android platform is a very concerned issue. Many studies have demonstrated their effect from static property analysis and dynamic analysis. However, their accuracy and efficacy still cannot satisfy the demand. In this paper, we propose CSCdroid, an accurate malware detection approach for Android via contribution-level-based system call (SC) categorization. Different from existing works, which use all SCs to construct feature vectors so as to determine the security of applications, CSCdroid first introduces a concept named contribution to quantitatively evaluate SCs relevance for malware identification. Based on the contribution level, CSCdroid can categorize SCs into two types, determinate SCs and normal SCs. Eventually, CSCdroid builds a Markov chain by replacing all normal SCs with one specific SC in the SC sequence. Then it constructs the target feature vector from the probability matrix and use the Support Vector Machine (SVM) to detect Android malware. Such way can effectively reduce the state number of Markov chains, and cut down the dimension of the feature vectors into the SVM classifier. Our evaluation confirms our approach possesses the malware detection ability with a high accuracy rate.