Yue Li,Guangquan Xu,Hequn Xian,Longlong Rao,Jiangang Shi

DOI: https://doi.org/10.31209/2019.100000118

2019-01-01

Abstract:In order to prevent the spread of Android malware and protect privacy information from being compromised, this study proposes a novel multidimensional hybrid features extraction and analysis method for Android malware detection. This method is based primarily on a multidimensional hybrid features vector by extracting the information of permission requests, API calls, and runtime behaviors. The innovation of this study is to extract greater amounts of static and dynamic features information and combine them, that renders the features vector for training completer and more comprehensive. In addition, the feature selection algorithm is used to further optimize the extracted information to remove a number of extraneous features, and a new multi-dimensional hybrid features vector is obtained. The multi-dimensional hybrid features vector is then used to train the classification model. Finally, the unknown samples are detected and identified by using the obtained classification model. Our experiment is conducted based on 359 malicious and 500 benign applications as experimental samples, and the results indicate that our proposed method performs better in the accuracy rate of Android malware detection compared with those methods using static methods alone.

Jinran Du,Huajun Chen,Weijie Zhong,Zhen Liu,Aidong Xu

DOI: https://doi.org/10.1109/icsai.2018.8599356

2018-01-01

Abstract:With the rapid spread of wireless networks and 4G networks, the application of mobile intelligent terminals has become more and more widespread. At the same time, there are more and more malicious software for mobile terminals, especially for the Android platform. Aiming at the detection problem of Android malicious code, a dynamic and static combined Android malicious code detection model based on SVM was proposed. Firstly, the dynamic and static features of Android program are extracted. Then, these features were vectored, used for the training and testing of SVM (Support vector machine). As shown in the experiments, the correct detection rate of Android malware is as high as 94.38%, recall rate achieving 98.46%, proved the effectiveness of the method.

Long Wen,Haiyang Yu

DOI: https://doi.org/10.1063/1.4992953

2017-01-01

AIP Conference Proceedings

Abstract:The Android smartphone, with its open source character and excellent performance, has attracted many users. However, the convenience of the Android platform also has motivated the development of malware. The traditional method which detects the malware based on the signature is unable to detect unknown applications. The article proposes a machine learning-based lightweight system that is capable of identifying malware on Android devices. In this system we extract features based on the static analysis and the dynamitic analysis, then a new feature selection approach based on principle component analysis (PCA) and relief are presented in the article to decrease the dimensions of the features. After that, a model will be constructed with support vector machine (SVM) for classification. Experimental results show that our system provides an effective method in Android malware detection.

Haipeng Zhang,Shudong Li,Xiaobo Wu,Weihong Han,Laifu Wang

DOI: https://doi.org/10.1109/DSC53577.2021.00100

2021-01-01

Abstract:With the popularity of smartphones, android quickly occupied the market, and at the same time, millions of android malware increase every year, which caused great losses to users. so it's crucial to detect unknown android malware efficiently before install it. Machine learning has achieved outstanding performance in many fields, and so does android malware detection. Nowadays, many methods of detecting android malware based on machine learning have been proposed. These methods can be classified as dynamic analysis, static analysis, and hybrid analysis according to what kind of features they use. the dynamic analysis will waste a lot of time because it requires running software. What's more, it's hard to get all malicious behaviors because of Anti-Sandbox technology, which means malware might change its behavior to avoid detecting when malware is running in Sandbox. In this paper, we proposed a new android malware detection approach using multi-features and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm. The static features we use cover permissions and API calls of each android application and the size of the android application package. We used BOW(bag of words) to process permission feature, standardization to process packages size feature, and <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$TF-IDF$</tex> algorithm to handle API calls features. Machine-learning algorithms including AdaBoost, LinearSVC, GaussianNB are used for Classification. The experimental results on public datasets demonstrated our system could detect android malware efficiently.

Yuxin Ding,Jieke Hu,Wenting Xu,Xiao Zhang

DOI: https://doi.org/10.1109/ICMLC48188.2019.8949298

2019-01-01

Abstract:In recent years, there is a rapid increase in the number of Android based malware. To protect users from malware attacks, different malware detection methods are proposed. In this paper, a novel static method is proposed to detect malware. We use the static analysis technique to analyze the Android applications and obtain their static behaviors. Two kinds of behaviors are extracted to represent malware. One kind of behaviors is the function call graph and the other kind is opcode sequences. To automatically learn behavioral features, we convert the function call graphs and opcode sequences into two dimensional data, and use deep learning method to build malware classifier. To further improve the performance of the malware classifier, a deep feature fusion model is proposed, which can combine different behavioral features for malware classification. The experimental results show the deep learning method is effective to detect malware and the proposed fusion model outperforms the single behavioral model.

Hanlin Long,Zhicheng Tian,Yang Liu

DOI: https://doi.org/10.1109/csp51677.2021.9357569

2021-01-01

Abstract:The mechanism of running software on virtual machines partly ensures the security of Android system. However, with all kinds of malicious codes being developed, there has been a huge number of massive security incidents caused by malware on Android. Malware has various code patterns, but their behaviors are measurable. In this paper, a new method of detecting Android malware by analyzing malware's behaviors is proposed. The method is characterized by the ability to mine the contextual relationships between system calls and network activities. Besides, the method requires only a small data set to achieve good classification performance. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods. We propose a set of methods for automatically collecting and organizing dynamic features from Android application Based on the collected features, deep neural network is used to classify software samples. We validate the effectiveness of the proposed method on a set of 2210 applications obtained from Androzoo. The experimental results demonstrate that the proposed method has high detection accuracy against wild malware as compared with other methods.

Xuanxia Yao,Yang Li,Zhiguo Shi,Kaijun Liu,XiaoJiang Du

DOI: https://doi.org/10.1002/cpe.7555

2023-01-01

Abstract:SummaryWith the development of mobile communication, Android software has increased sharply. Meanwhile, more and more malware emerges. Identifying malware in time is very important. Currently, most malware identifying methods are static, and the detection accuracy mainly depends on the classification feature and the algorithm. In order to improve the detection accuracy, reducing the dimension and difficulty of feature extraction, we propose a lightweight Android malware detection method based on sensitive features combination. After fully analyzing the static features in Android software, we improve the extraction methods of various features, define four sensitive features, and then form a sensitive features combination to more accurately reflect the characteristics of Android software with fewer features. Finally, four different machine learning classification algorithms were used to evaluate the classification effect of the sensitive features combination. The experiments show that the sensitive features combination has a good classification effect. When combined with the random forest classification algorithm, the accuracy is the highest, which could reach 97.6%.

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Xi Xiao,Peng Fu,Xianni Xiao,Yong Jiang,Qing Li,Runiu Lu

DOI: https://doi.org/10.1109/iccsnt.2015.7490915

2015-01-01

Abstract:Malware in Android has enjoyed a prevalence as Android has taken up a primary market in the mobile devices. In this paper, Adaptive Regularization Of Weights (AROW) and Support Vector Machine (SVM) are used to identify malware with both the static and dynamic analysis. Permissions, control flow graphs and system calls are taken as the application's classification features. Single features, the combination of permissions and control flow graphs, and the combination of the three features are all analyzed thoroughly. Compared with the previous work, AROW and SVM with the combination of the features could increase the TPR and decrease the FPR. Furthermore, the results of AROW and SVM are profoundly evaluated in this paper. As regard to the single features, SVM could perform better with the feature of permissions or system calls, while AROW provides a better result with control flow graphs. For the combination of the features, AROW gives a better result than SVM.

Manzhi Yang,QiaoYan Wen

DOI: https://doi.org/10.1109/icsess.2016.7883038

2016-01-01

Abstract:Nowadays, the amount of the application in Android App Market has grown fast, and the android malwares have been introduced fast into that market, too. In this paper, we use static analysis of a given android application with intensive feature engineering which we focus on different sources and different levels. It means that we not only extract features from the executable file classes.dex but also from the other android resource files such as manifest of the application, more over we expand features at different levels of abstraction of the APK application, rather than using more features at the single level. Finally, we combine these different feature sets into one feature set which is used by the classifiers for training/testing. Our method is compared against other Android malware code detection and found to be more efficient in terms of detection accuracy and false alarm rate.

Shaojie Chen,Bo Lang,Hongyu Liu,Yikai Chen,Yucai Song

DOI: https://doi.org/10.1016/j.eswa.2023.121617

IF: 8.5

2024-01-01

Expert Systems with Applications

Abstract:Currently, Android malware detection methods always focus on one kind of app feature, such as structural, semantic, or other statistical features. This paper proposes a novel Android malware detection method that integrates multiple features of Android applications. First, to effectively extract the structural and semantic features, we propose a new type of call graph named the class-set call graph (CSCG) that uses the sets of Java classes as nodes and the call relationships between class sets as edges, and we design a dynamic adaptive CSCG construction method that can automatically determine the node size for applications with different scales. The topic model is used to mine the source code semantics from the class sets as the node features. Then, we use a graph attention network (GAT) with max pooling to extract the CSCG feature that encompass both the semantic and structural features of the Android application. Furthermore, we construct a deep multimodal feature fusion network to fuse the CSCG features with permission features. Experimental results show that our method achieves a detection accuracy of 97.28%–99.54% on the three constructed datasets, which is better than the existing methods.

Zhen Wang,Xiaoning Han,Weiqiang Kong,Yong Piao,Gang Hou,Masahiko Watanabe,Akira Fukuda

DOI: https://doi.org/10.1109/tase49443.2020.00034

2020-01-01

Abstract:With the increasing popularity of smartphones, the mobile security issues have become serious, and more and more malware has been found. Android applications are often used to handle sensitive information, thus they have become the main targets of malware attacks. In order to efficiently detect Android malware, in this paper, we present a multi-strategy combination framework. We use five types of static features to characterize Android applications from multiple aspects. To improve the classification accuracy and reduce the overfitting of the framework, we use three filter-based feature selection methods to identify the most informative top-k features. Then we input the applications represented by the feature subsets into five classification algorithms to build classifiers. Finally, we predict the classification results by hard voting or soft voting. We have performed many experiments in a well-marked dataset consisting of 41,155 samples. The experimental results show that our approach can achieve over 98% in accuracy, precision, recall and F-score. Compared with other existing methods, our approach has the best malware detection rate of 98.75%.

Wei Zhang,Huan Ren,Qingshan Jiang,Kai Zhang

DOI: https://doi.org/10.1007/978-3-319-25393-0_54

2015-01-01

Abstract:A huge increase in the number of mobile malware brings a serious threat to Internet security, as the adoption rate of mobile device is soaring, especially Android device. A variety of researches have been developed to defense malware, but the mobile device users continuously suffer private information leak or economic losses from malware. Recently, a large number of methods have been proposed based on static or dynamic features analysis combining with machine learning methods, which are considered effective to detect malware on mobile device. In this paper, we propose an effective framework to detect malware on Android device based on feature extraction and neural network calssifier. In this framework, we take use of static features to represent malware and utilize extreme learning machine ELM algorithm to learn the neural network. We first extract features from the malware, and then utilize three different feature extraction methods including principal component analysis PCA, Karhunen-Loève transform KLT and independent component analysis ICA to transform the feature matrix into new feature spaces and generate three new feature matrixes. For each feature matrix, we construct En base classifiers by using ELM. Finally, we utilize Stacking method to combine the results. Experimental results suggest that the proposed framework is effective in detecting malware on Android device.

Wei ZHANG,Huan REN,Kai ZHANG,Chengming LI,Qingshan JIANG

2016-01-01

Abstract:Currently, the number of mobile malware programs is explosively growing, and the increasingly large feature library poses challenges to security solution providers. Traditional detection methods cannot deal with the huge amount of data promptly and effectively. Mobile malware detection methods based on machine learning have problems of excessive numbers of features, low detection accuracy and unbalanced data. In this paper, a feature selection method based on the mean and variance of samples was proposed to reduce the features without affecting classiifcation. Different feature extraction algorithms were implemented to construct an ensemble learning model for high detection accuracy, including Principal Component Analysis,&nbsp;Kaehunen-Loeve Transformation and Independent Component Analysis. To solve the problem of unbalanced data of Android App samples, a multi-level classiifcation model based on the decision tree was also developed. Experimental results show that the proposed methods can detect Android malware effectively, and the accuracy is increased by 6.41%, 3.96% and 3.36%, respectively.

Zhiqiang Wang,Qiulong Yu,Sicheng Yuan

2024-08-29

Abstract:With the widespread adoption of smartphones, Android malware has become a significant challenge in the field of mobile device security. Current Android malware detection methods often rely on feature engineering to construct dynamic or static features, which are then used for learning. However, static feature-based methods struggle to counter code obfuscation, packing, and signing techniques, while dynamic feature-based methods involve time-consuming feature extraction. Image-based methods for Android malware detection offer better resilience against malware variants and polymorphic malware. This paper proposes an end-to-end Android malware detection technique based on RGB images and multi-feature fusion. The approach involves extracting Dalvik Executable (DEX) files, AndroidManifest.xml files, and API calls from APK files, converting them into grayscale images, and enhancing their texture features using Canny edge detection, histogram equalization, and adaptive thresholding techniques. These grayscale images are then combined into an RGB image containing multi-feature fusion information, which is analyzed using mainstream image classification models for Android malware detection. Extensive experiments demonstrate that the proposed method effectively captures Android malware characteristics, achieving an accuracy of up to 97.25%, outperforming existing detection methods that rely solely on DEX files as classification features. Additionally, ablation experiments confirm the effectiveness of using the three key files for feature representation in the proposed approach.

Cryptography and Security,Machine Learning

Tao Ban,Takeshi Takahashi,Shanqing Guo,Daisuke Inoue,Koji Nakao

DOI: https://doi.org/10.1109/asiajcis.2016.29

2016-01-01

Abstract:In light of the rapid growth of malware threats towards the Android platform, there is a pressing need to develop effective solutions. In this paper we explorate the potential of multi-modal features to enhance the detection accuracy while keep the false alarms low. Examined features include the permissions, Application Programming Interface (API) calls, and meta features such as the category information and Application Package (APK) descriptions. These multi-modal features are coded in a way to facilitate efficient learning and testing with the particular classifiers known as the linear support vector machine (SVM). Experiments show that our proposed method can obtain an accuracy more than 94%, over performing the conventional methods by a large margin. By employing high-performance learning tools, the training and testing can be done in a very time-efficient fashion for large scale and high-dimensional data.

Yang Zhao,Guangquan Xu,Yao Zhang

DOI: https://doi.org/10.1007/978-3-319-78078-8_25

2017-01-01

Abstract:Lack of supervision and management of many Android third-party application markets has led to a growing number of malware on android platforms. This causes a serious privacy threat to the user’s sensitive information. To solve this problem, in this paper, a new hybrid features analysis method aiming at Android malware detection is proposed, which obtains a hybrid feature vector by extracting the information of permission requests, API calls and runtime behaviors. The characteristic of this work is the use of machine learning classification algorithms to detect malicious software. In addition, the feature selection algorithm is used to further optimize the extracted information to remove some useless features. Our experiments are based on real-world Apps, and use five different classification algorithms to detect the malware. The experiment results show that our proposed hybrid feature extraction method can improve the accuracy rate of Android malware detection compared with using static methods alone.

Yao Du,Xiaoqing Wang,Junfeng Wang

DOI: https://doi.org/10.1002/sec.1248

IF: 1.968

2015-01-01

Security and Communication Networks

Abstract:The rapid development of mobile malwares makes the traditional signature-based and single-feature based malware detection methods a challenging task. The surge of new malwares with more complex structures and dynamic characteristics leads to efficient fusion of multi-source malicious information more difficult in detection. In this paper, we propose a new multi-source based method to detect Android malwares by emphasizing on the traditional static features, control flow graph, and repacking characteristics. Each category of features is treated as an independent information source in feature extracting rules building and classification. Then, the Dempster-Shafer algorithm is used to fuse these information sources. This method can improve accuracy of malware detection without adding too many instability characteristics that are extracted from disassembled codes, and have better performance in the resistance to code obfuscation technologies. To verify our method, different categories of apps are collected to build the dataset in our experiment. Based on the dataset, our method can achieve 97% detection accuracy and 1.9% false positive rate. Copyright (c) 2015John Wiley & Sons, Ltd.

Ali Muzaffar,Hani Ragab Hassen,Hind Zantout,Michael A Lones

2024-08-26

Abstract:The popularity of Android means it is a common target for malware. Over the years, various studies have found that machine learning models can effectively discriminate malware from benign applications. However, as the operating system evolves, so does malware, bringing into question the findings of these previous studies, many of which report very high accuracies using small, outdated, and often imbalanced datasets. In this paper, we reimplement 18 representative past works and reevaluate them using a balanced, relevant, and up-to-date dataset comprising 124,000 applications. We also carry out new experiments designed to fill holes in existing knowledge, and use our findings to identify the most effective features and models to use for Android malware detection within a contemporary environment. We show that high detection accuracies (up to 96.8%) can be achieved using features extracted through static analysis alone, yielding a modest benefit (1%) from using far more expensive dynamic analysis. API calls and opcodes are the most productive static and TCP network traffic provide the most predictive dynamic features. Random forests are generally the most effective model, outperforming more complex deep learning approaches. Whilst directly combining static and dynamic features is generally ineffective, ensembling models separately leads to performances comparable to the best models but using less brittle features.

Machine Learning,Cryptography and Security

Zhiqiang Wang,Yao Tang,Jing Yao,Rong Qian,Zheng Zhang,Pingchuan Ma

DOI: https://doi.org/10.1145/3207677.3277976

2018-01-01

Abstract:In the1 modern global mobile phone market, Android OS is firmly occupying the first throne with the absolute user base and the proportion of mobile phones, and with the proliferation of android smart phones and other mobile devices, it has also attracted more and more attention from malware developers. There are a large number of malware in several major application markets around the world. In order to solve this problem, this paper proposes a large-scale malware detection system based on multiclass features and machine learning. There are two main problems in the traditional detection schemes, one is how to analyze and extract effectively features which can distinguish malware and benign software, the other is that how to select the most suitable algorithm to detect malware. For the first problem, we select the features that can reflect the android software's maliciousness by extracting android features and removing the features whose degree of distinction are less. For the second problem, we compare seven machine learning algorithms and select the most suitable algorithm that has the highest accuracy for android malware identification. Afterwards, many experiments are done to verify our solutions. First, we extract 234 features and select 76 features. Second, selecting the most suitable algorithm "ensemble learning" by comparing the detection accuracies of 7 algorithms, then adjusting and optimizing the related parameter to achieve the highest accuracy, 99.73%, which proves the effectiveness of our system and scheme.