Jie Zhou,Weina Niu,Xiaosong Zhang,Yujie Peng,Hao Wu,Teng Hu

DOI: https://doi.org/10.1109/iccwamtip51612.2020.9317429

2020-01-01

Abstract:With the development of mobile terminals, smartphones have attracted a very huge number of users with their powerful functions. Among them, Android system is famous for its open-source and convenience, which occupies a large market share. But this also leads many attackers to use their malware to gain benefits quickly, which make it necessary to design a practical android malware detection approach. At present, there are not many pieces of research on detecting malware by analyzing Android malicious traffic. This paper examines the characteristics of malicious traffic on the host computer to construct a traffic fingerprint. It combines machine learning algorithms to build a practical detection approach which is also suitable for encrypted traffic. To distinguish similar fuzzy traffic, an additional layer named confusion classifier is added to help further malware classification. This paper uses a realworld dataset called CICAndMal2017 and simulates two classification scenarios: malware binary detection and malware category classification. The experimental results show that the accuracy of the malware binary detection reached 98.8% while the accuracy rate of malware category classification is 95.2%.

Rong Chen,Yangyang Li,Weiwei Fang

DOI: https://doi.org/10.1007/978-3-030-24274-9_26

2019-01-01

Abstract:As numerous new techniques for Android malware attacks have growingly emerged and evolved, Android malware identification is extremely crucial to prevent mobile applications from being hacked. Machine learning techniques have shown extraordinary capabilities in various fields. A common problem with existing research of malware traffic identification based on machine learning approaches is the need to design a set of features that accurately reflect network traffic characteristics. Obtaining a high accuracy for identifying Android malware traffic is also a challenging problem. This paper analyses the Android malware traffic and extract 15 features which is a combination of time-related network flow feature and packets feature. We then use three supervised machine learning methods to identify Android malware traffic. Experimental results show that the feature set we proposed can accurately characterize the traffic and all three classifiers achieve high accuracy.

Jiayin Feng,Limin Shen,Zhen Chen,Yuying Wang,Hui Li

DOI: https://doi.org/10.1109/access.2020.3008081

IF: 3.9

2020-01-01

IEEE Access

Abstract:Because of the characteristic of openness and flexibility, Android has become the most popular mobile platform. However, it has also become the most targeted system by mobile malware. It is necessary for the users to have a fast and reliable detection method. In this paper, a two-layer method is proposed to detect malware in Android APPs. The first layer is permission, intent and component information based static malware detection model. It combines the static features with fully connected neural network to detect the malware and test its effectiveness through experiment, the detection rate of the first layer is 95.22%. Then the result (benign APPs from the first layer) is input into the second layer. In the second layer, a new method CACNN which cascades CNN and AutoEncoder, is used to detect malware through network traffic features of APPs. The detection rate of the second layer is 99.3% in binary classification (2-classifier). Moreover, the new two-layer model can also detect malware by its category (4-classifier) and malicious family (40-classifier). The detection rates are 98.2% and 71.48% respectively. The experimental results show that our two-layer method not only can achieve semi-supervise learning, but also can effectively improve the detection rate of malicious Android APPs.

TianYue Liu,HongQi Zhang,HaiXia Long,Jinmei Shi,YuHua Yao

DOI: https://doi.org/10.1038/s41598-022-18402-6

2022-08-17

Abstract:Deep learning technology is changing the landscape of cybersecurity research, especially the study of large amounts of data. With the rapid growth in the number of malware, developing of an efficient and reliable method for classifying malware has become one of the research priorities. In this paper, a new method, BIR-CNN, is proposed to classify of Android malware. It combines convolution neural network (CNN) with batch normalization and inception-residual (BIR) network modules by using 347-dim network traffic features. CNN combines inception-residual modules with a convolution layer that can enhance the learning ability of the model. Batch Normalization can speed up the training process and avoid over-fitting of the model. Finally, experiments are conducted on the publicly available network traffic dataset CICAndMal2017 and compared with three traditional machine learning algorithms and CNN. The accuracy of BIR-CNN is 99.73% in binary classification (2-classifier). Moreover, the BIR-CNN can classify malware by its category (4-classifier) and malicious family (35-classifier), with a classification accuracy of 99.53% and 94.38%, respectively. The experimental results show that the proposed model is an effective method for Android malware classification, especially in malware category and family classifier.

Hongliang Liang,Yan Song,Da Xiao

DOI: https://doi.org/10.1109/isi.2017.8004891

2017-01-01

Abstract:Malware detection has been a difficult problem for a very long time. Since the wide use of smart devices in recent years, the number of malwares is increasing rapidly. Most existing methods for malware detection rely too much on manual interventions (e.g. pre-defined features and patterns), which can be easily deceived. In this paper, we propose a novel end-to-end deep learning model to detect Android malwares. Our model takes the raw system call sequence, which is generated during the application's runtime, as input and decides whether the sequence is malicious without any manual intervention. We evaluate the model on 14231 Android applications and obtain a detection accuracy of 93.16%, which is 2.81% higher than the contrast experiment in which we implement the method proposed by other researchers.

Yi Zhang,Yuexiang Yang,Xiaolei Wang

DOI: https://doi.org/10.1145/3199478.3199492

2018-01-01

Abstract:With the explosive growth of Android malware, there is a pressure for us to improve the performance of existing malware detection approaches. In this paper, we proposed DeepClassifyDroid, a novel android malware detection system based on deep learning. DeepClassifyDroid takes a three-step approach: feature extraction, feature embedding and deep learning based detection. The first and second steps perform a broad static analysis and generate five different feature sets. The last step performs malware detection based on convolutional neural networks. We evaluated our approach with different feature sets and compared with a variety of machine learning based approaches. Study shows that DeepClassifyDroid outperforms most existing machine learning based approaches and detects 97.4% of the malware with few false alarms. Moreover, our approach is 10 times faster than Linear-SVM and 80 times faster than kNN.

Limin Shen,Jiayin Feng,Zhen Chen,Zhongkui Sun,Dongkui Liang,Hui Li,Yuying Wang

DOI: https://doi.org/10.1007/s10489-022-03523-2

IF: 5.3

2022-04-20

Applied Intelligence

Abstract:To accurately find malware in a large number of mobile APPs, and determine which family it belongs to is one of the most important challenges in Android malware detection. Existed research focuses on using the extracted features to distinguish Android malicious APPs, and less attention is paid to the category and family classification of Android malware. Meanwhile, feature selection has always been a choose-difficult issue in malware detection with machine learning methods. In this paper, SelAttConvLstm was designed to classify android malware by category and family without manually selecting features. To identify Android malware, we first convert all the network traffic flows into grayscale images according to chronological order through data preprocessing. Second, we design SelAttConvLstm, a deep learning model to detect malicious Android APPs with network flows images. This model can consider both the spatial and temporal features of network flow at the same time. In addition, to improve the performance of the model, self-attention weights are added to focus on different features of the input. Finally, comprehensive experiments are conducted to verify the effectiveness of the detection model. Experimental results showed that our method can not only effectively detect malware, but also classify malware in detail and accurately by category and family.

computer science, artificial intelligence

Anran Liu,Zhenxiang Chen,Shanshan Wang,Lizhi Peng,Chuan Zhao,Yuliang Shi

DOI: https://doi.org/10.1007/978-3-030-05063-4_10

2018-01-01

Abstract:Android platform has become the most popular smartphone system due to its openness and flexibility. Similarly, it has also become the target of numerous attackers because of these. Various types of malware are thus designed to attack Android devices. All these cases prompted amounts of researchers to start studying malware detection technologies and some of the groups applied network traffic analysis to their detection models. The majority of these models have considered the detection primarily on network traffic statistical features which can distinguish malicious network traffic from normal one. However, when faces a large amount of network traffic on the detection stage, especially some of the network flows are quite huge as a result of containing too many packets, feature extraction can be extremely time consuming. Therefore, we propose a malware detection approach based on TCP traffic, which can quickly and effectively detect malware behavior. We first employ the traffic collection platform to collect network traffic generated by various apps. After preprocessing (filtering and aggregating) the collected network traffic data, we get a large number of TCP flows. Next we extract early packets’ sizes as features from each TCP flow and then send it to detection model to get the detection result. In our method, the time it takes to extract features from 53108 network flows is reduced from 39321 s to 18041 s, which is a reduction of 54%. Meanwhile, our method achieves a detection rate of 97%.

Qingguo Zhou,Fang Feng,Zebang Shen,Rui Zhou,Meng-Yen Hsieh,Kuan-Ching Li

DOI: https://doi.org/10.1007/s11042-018-6498-z

IF: 2.577

2018-01-01

Multimedia Tools and Applications

Abstract:With the increasing number of malicious attacks, the way how to detect malicious Apps has drawn attention in mobile technology market. In this paper, we proposed a detection model to seek and track malware Apps actions in such devices. To characterize the behaviors of Apps, dynamic features of each App were constrained in 166-dimension and a novel machine learning classifier is employed to detect malware Apps, and alarm will be triggered if an Android-based App is detected as malicious. With such, we can avoid a detected malware spreading out in larger scale, affecting extensively our society. Detailed description of the detection model is provided, as well the core technologies of this novel machine learning classifier are presented. From experiments performed on a set of Android-based malware and benign Apps, we observe that the proposed classification algorithm achieves highest accuracy, true-positive rate, false-positive rate, precision, recall, f-measure in comparison to other methods as K-Nearest Neighbor (KNN), Naive Bayesian (NB), Support Vector Machine (SVM), Random Forest (RF), Logistic Regression (LR), Decision tree (DT), Linear Discriminant Analysis (LDA) and Back Propagation (BP). The proposed detection model is promising and can effectively be applied to Android malware detection, providing early detection and the prospect of warning users of threatens ahead.

R. E. Davis,Jingsheng Xu,Kaushik Roy

DOI: https://doi.org/10.1109/access.2024.3391022

IF: 3.9

2024-04-30

IEEE Access

Abstract:Network traffic classification plays a crucial role in detecting malware threats. However, most existing research focuses on extracting statistical features from the network traffic, ignoring the rich information contained within raw packet capture (pcap) files. To achieve higher accuracy in malware traffic classification, a novel approach is proposed that fully utilizes the information contained in the pcap files by representing them with images and then training deep Convolutional Neural Networks (CNN) to learn the features automatically and classify them with higher accuracy. Selected fields of the IP headers in network sessions are transformed into RGB images. These images serve as input to CNN, and malware samples are grouped by class or malware name. The model is initially trained and validated on the MCFP dataset with more than 140 malware classes and subsequently tested on separate datasets, namely USTC-TFC2016, Taltech.ee MedBIoT, and IEEE-Mirai. The macro F1 scores and accuracy of this method are significantly higher than the baseline statistical-feature based approach both in the validation dataset and in the test datasets from different sources. The results of this research have the potential to be extended beyond malware classification to enable the classification of various types of network traffic data.

computer science, information systems,telecommunications,engineering, electrical & electronic

Weina Niu,Rong Cao,Xiaosong Zhang,Kangyi Ding,Kaimeng Zhang,Ting Li

DOI: https://doi.org/10.3390/s20133645

2020-06-29

Abstract:Due to the openness of an Android system, many Internet of Things (IoT) devices are running the Android system and Android devices have become a common control terminal for IoT devices because of various sensors on them. With the popularity of IoT devices, malware on Android-based IoT devices is also increasing. People's lives and privacy security are threatened. To reduce such threat, many researchers have proposed new methods to detect Android malware. Currently, most malware detection products on the market are based on malware signatures, which have a fast detection speed and normally a low false alarm rate for known malware families. However, they cannot detect unknown malware and are easily evaded by malware that is confused or packaged. Many new solutions use syntactic features and machine learning techniques to classify Android malware. It has been known that analysis of the Function Call Graph (FCG) can capture behavioral features of malware well. This paper presents a new approach to classifying Android malware based on deep learning and OpCode-level FCG. The FCG is obtained through static analysis of Operation Code (OpCode), and the deep learning model we used is the Long Short-Term Memory (LSTM). We conducted experiments on a dataset with 1796 Android malware samples classified into two categories (obtained from Virusshare and AndroZoo) and 1000 benign Android apps. Our experimental results showed that our proposed approach with an accuracy of 97 % outperforms the state-of-the-art methods such as those proposed by Nikola et al. and Hou et al. (IJCAI-18) with the accuracy of 97 % and 91 % , respectively. The time consumption of our proposed approach is less than the other two methods.

Junwei Tang,Wei Xu,Tao Peng,Sijie Zhou,Qiaosen Pi,Ruhan He,Xinrong Hu

DOI: https://doi.org/10.1016/j.jisa.2024.103721

IF: 4.96

2024-01-01

Journal of Information Security and Applications

Abstract:Mobile applications have been deeply integrated into the daily life of ordinary users. Android malware seriously threatens the privacy and property security of users. However, code obfuscation and other technologies have reduced the effectiveness of traditional static analysis methods, and more and more studies are extracting grayscale image features for malware detection. We propose a classification method for Android malware based on a novel mixed bytecode image and deep neural network combined with attention mechanism. Firstly, for the executable file of the target malware, read one character every 8 bits, fix the line and width, and output it as a vector. Each element in this vector is between 0 and 255, which is the range of values for grayscale images. Furthermore, the executable files are generated into grayscale images and Markov images, respectively. Then a new texture feature space is constructed by the fusion of grayscale and Markov images using the transfer probability, which is mapped to a two-dimensional space to obtain the mixed image feature. The constructed fusion feature space can more clearly characterize Android malware. What is more, the convolutional attention mechanism is added to ResNet to increase the depth of the network and improve the network effect. Finally, experiments are performed on Drebin and CICMalDroid 2020. Our experimental results show that our method can efficiently perform uniform representation of bytecode sequence files and extract and classify feature sequences. On the basis of mixed image features, the accuracy of malware detection can reach 98.67%, which outperforms the classification based on Markov images, grayscale images and other similar methods.

Meilin Liu,Songjie Wei,Pengfei Jiang

DOI: https://doi.org/10.1155/2021/9994588

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The popularity of smart phones has brought significant convenience to people’s lives, but also there are many security problems. In recent years, malicious applications are increasingly rampant, which threaten users and society as security challenges to network reliability and management. However, due to neglecting the sequential features between network flows, existing malicious application recognition methods based on network traffic analysis have low recognition accuracy. Based on the network traffic characteristics of Android applications, this paper firstly applies Long Short-Term Memory network-based variational Auto-Encoder to extract the sequential feature of the application running time. Then, we design the BP neural network for initial classification and connect the class vector output of the BP neural network with the original data. The output is fed into the cascade forest for further feature learning and classification. The integrated methods are easy to implement with data independency and efficiency. We conduct experiments to evaluate the proposed with Android malware dataset CICAndMal2017, with a 97.29% high accuracy, comparatively significant precision and recall rates when benchmarked against other methods.

Hanlin Long,Zhicheng Tian,Yang Liu

DOI: https://doi.org/10.1109/csp51677.2021.9357569

2021-01-01

Abstract:The mechanism of running software on virtual machines partly ensures the security of Android system. However, with all kinds of malicious codes being developed, there has been a huge number of massive security incidents caused by malware on Android. Malware has various code patterns, but their behaviors are measurable. In this paper, a new method of detecting Android malware by analyzing malware's behaviors is proposed. The method is characterized by the ability to mine the contextual relationships between system calls and network activities. Besides, the method requires only a small data set to achieve good classification performance. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods.

Seema Sachin Vanjire,Mohandoss Lakshmi

DOI: https://doi.org/10.11591/eei.v13i3.6986

2024-06-01

Bulletin of Electrical Engineering and Informatics

Abstract:The increasing prevalence of malware targeting android mobile devices has raised significant concerns regarding user privacy and security. In response, effective methods for malware classification and detection are crucial to protect users from malicious applications. This paper presents an approach that leverages deep learning techniques and explainable artificial intelligence (XAI) for android mobile malware classification and detection. Convolutional neural networks (CNNs) are deep learning model that has shown impressive performance in several application areas, including image and text classification. In the context of android mobile malware, CNNs have shown promising results in capturing intricate patterns and features inherent in malware samples. By training these models on large datasets of benign and malicious applications, accurate classification can be achieved. To enhance transparency and interpretability, XAI techniques are integrated into the classification process. These techniques provide insights into the decision-making process of the deep learning models, enabling the identification of critical features and characteristics that contribute to the classification results. This research, by combining deep learning and XAI methods, presents a fresh strategy for identifying and categorizing Android malware. This research paper will focus on a fascinating CNN-based malware categorization technique.

Zhixing Xue,Weina Niu,Xixuan Ren,Jie Li,Xiaosong Zhang,Ruidong Chen

DOI: https://doi.org/10.1088/1742-6596/2024/1/012049

2021-01-01

Journal of Physics Conference Series

Abstract:In recent years, smartphones have been developing fast. Android, a mobile platform convenient and open to all, has attracted more audience than any one of its counterpart. However, mobile devices are frequently attacked by malware, which calls to malware detection. Currently, we are lacking studies of Android malware detection based on ensemble learning. In this work, we propose a model to detect Android malware. The model takes the encrypted traffic that the malware generates as input. Through clustering, the model removes the third-party traffic and retains the purity of the first-party traffic. The model extracts traffic features to construct host-level traffic fingerprint and classifies the malware through stacking-based ensemble learning. We use the publicly available dataset CICAndMal2017 to build the classification model. This dataset successfully classifies malware into different categories. In the controlled experiments we use SVM and Random Forest models. The results show that our model is significantly more accurate in classifying malware than SVM and Random Forest models, with an accurate rate of 96.7% in the optimal condition.

Tianliang Lu,Yanhui Du,Li Ouyang,Qiuyu Chen,Xirui Wang

DOI: https://doi.org/10.1155/2020/8863617

IF: 1.968

2020-08-28

Security and Communication Networks

Abstract:In recent years, the number of malware on the Android platform has been increasing, and with the widespread use of code obfuscation technology, the accuracy of antivirus software and traditional detection algorithms is low. Current state-of-the-art research shows that researchers started applying deep learning methods for malware detection. We proposed an Android malware detection algorithm based on a hybrid deep learning model which combines deep belief network (DBN) and gate recurrent unit (GRU). First of all, analyze the Android malware; in addition to extracting static features, dynamic behavioral features with strong antiobfuscation ability are also extracted. Then, build a hybrid deep learning model for Android malware detection. Because the static features are relatively independent, the DBN is used to process the static features. Because the dynamic features have temporal correlation, the GRU is used to process the dynamic feature sequence. Finally, the training results of DBN and GRU are input into the BP neural network, and the final classification results are output. Experimental results show that, compared with the traditional machine learning algorithms, the Android malware detection model based on hybrid deep learning algorithms has a higher detection accuracy, and it also has a better detection effect on obfuscated malware.

computer science, information systems,telecommunications

Jaiteg Singh,Deepak Thakur,Farman Ali,Tanya Gera,Kyung Sup Kwak

DOI: https://doi.org/10.3390/s20247013

IF: 3.9

2020-12-08

Sensors

Abstract:The Android operating system has gained popularity and evolved rapidly since the previous decade. Traditional approaches such as static and dynamic malware identification techniques require a lot of human intervention and resources to design the malware classification model. The real challenge lies with the fact that inspecting all files of the application structure leads to high processing time, more storage, and manual effort. To solve these problems, optimization algorithms and deep learning has been recently tested for mitigating malware attacks. This manuscript proposes Summing of neurAl aRchitecture and VisualizatiOn Technology for Android Malware identification (SARVOTAM). The system converts the malware non-intuitive features into fingerprint images to extract the quality information. A fine-tuned Convolutional Neural Network (CNN) is used to automatically extract rich features from visualized malware thus eliminating the feature engineering and domain expert cost. The experiments were done using the DREBIN dataset. A total of fifteen different combinations of the Android malware image sections were used to identify and classify Android malware. The softmax layer of CNN was substituted with machine learning algorithms like K-Nearest Neighbor (KNN), Support Vector Machine (SVM), and Random Forest (RF) to analyze the grayscale malware images. It observed that CNN-SVM model outperformed original CNN as well as CNN-KNN, and CNN-RF. The classification results showed that our method is able to achieve an accuracy of 92.59% using Android certificates and manifest malware images. This paper reveals the lightweight solution and much precise option for malware identification.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Fei WU,Yuan PEI,Xiang-qian WU

DOI: https://doi.org/10.3969/j.issn.1000-1220.2018.02.009

2018-01-01

Abstract:The applications which static analysis methods can not accurately identify and determine,such as the high degree of source code confusion or those wihch use dynamic code loading technology,we extracting the network traffic generated during the Internet connection.Then the information gain algorithm is used to select the discrimination features and set up improved na?ve Bayes classifier with natural logarithm of multiplier and Laplace calibration.After ten-fold cross validation method,the improved Bayes model can reduce the time complexity and achieve 93% accuracy.Comparing with the method based on privilege features,the improved na?ve Bayes classifier based on traffic features has better classification performance,at the same time,this method also provides a new way to detect android mal-wares,accurately.

Pengfei Liu,Weiping Wang,Shigeng Zhang,Hong Song

DOI: https://doi.org/10.1155/2023/5393890

IF: 1.968

2023-01-01

Security and Communication Networks

Abstract:The popularity of the Android platform has led to an explosion in malware. The current research on Android malware mainly focuses on malware detection or malware family classification. These studies need to extract a large number of features, which consumes a lot of manpower and material resources. Moreover, some malware use obfuscation to evade decompiler tools extracting features. To address these problems, we propose ImageDroid, a method based on the image format of Android applications that can not only detect and classify malware without prior knowledge but also detect the obfuscated malware. Furthermore, we utilize the Grad-CAM interpretable mechanism of the deep learning model to automatically label the image that play a key role in determining maliciousness in a visual way. We evaluate ImageDroid over 10,000 Android applications. Experimental results show that the accuracy of malicious detection and multifamily classification achieve 97.2% and 95.1%, respectively, and the detection accuracy of obfuscated malware achieves 94.6%.