Qing Yang,Xiaoliang Wang,Jing Zheng,Wenqi Ge,Ming Bai,Frank Jiang

DOI: https://doi.org/10.3837/tiis.2021.06.014

2021-01-01

KSII Transactions on Internet and Information Systems

Abstract:With the rapid development of mobile Internet, smart phones have been widely popularized, among which Android platform dominates. Due to it is open source, malware on the Android platform is rampant. In order to improve the efficiency of malware detection, this paper proposes deep learning Android malicious detection system based on behavior features. First of all, the detection system adopts the static analysis method to extract different types of behavior features from Android applications, and extract sensitive behavior features through Term frequency-inverse Document Frequency algorithm for each extracted behavior feature to construct detection features through unified abstract expression. Secondly, Long Short-Term Memory neural network model is established to select and learn from the extracted attributes and the learned attributes are used to detect Android malicious applications, Analysis and further optimization of the application behavior parameters, so as to build a deep learning Android malicious detection method based on feature analysis. We use different types of features to evaluate our method and compare it with various machine learning-based methods. Study shows that it outperforms most existing machine learning based approaches and detects 95.31% of the malware.

Ali Muzaffar,Hani Ragab Hassen,Hind Zantout,Michael A Lones

2024-01-30

Abstract:The growing popularity of Android requires malware detection systems that can keep up with the pace of new software being released. According to a recent study, a new piece of malware appears online every 12 seconds. To address this, we treat Android malware detection as a streaming data problem and explore the use of active online learning as a means of mitigating the problem of labelling applications in a timely and cost-effective manner. Our resulting framework achieves accuracies of up to 96\%, requires as little of 24\% of the training data to be labelled, and compensates for concept drift that occurs between the release and labelling of an application. We also consider the broader practicalities of online learning within Android malware detection, and systematically explore the trade-offs between using different static, dynamic and hybrid feature sets to classify malware.

Cryptography and Security,Artificial Intelligence

Tianliang Lu,Yanhui Du,Li Ouyang,Qiuyu Chen,Xirui Wang

DOI: https://doi.org/10.1155/2020/8863617

IF: 1.968

2020-08-28

Security and Communication Networks

Abstract:In recent years, the number of malware on the Android platform has been increasing, and with the widespread use of code obfuscation technology, the accuracy of antivirus software and traditional detection algorithms is low. Current state-of-the-art research shows that researchers started applying deep learning methods for malware detection. We proposed an Android malware detection algorithm based on a hybrid deep learning model which combines deep belief network (DBN) and gate recurrent unit (GRU). First of all, analyze the Android malware; in addition to extracting static features, dynamic behavioral features with strong antiobfuscation ability are also extracted. Then, build a hybrid deep learning model for Android malware detection. Because the static features are relatively independent, the DBN is used to process the static features. Because the dynamic features have temporal correlation, the GRU is used to process the dynamic feature sequence. Finally, the training results of DBN and GRU are input into the BP neural network, and the final classification results are output. Experimental results show that, compared with the traditional machine learning algorithms, the Android malware detection model based on hybrid deep learning algorithms has a higher detection accuracy, and it also has a better detection effect on obfuscated malware.

computer science, information systems,telecommunications

Mohammed K. Alzaylaee,Suleiman Y. Yerima,Sakir Sezer

DOI: https://doi.org/10.1016/j.cose.2019.101663

2019-11-23

Abstract:The Android operating system has been the most popular for smartphones and tablets since 2012. This popularity has led to a rapid raise of Android malware in recent years. The sophistication of Android malware obfuscation and detection avoidance methods have significantly improved, making many traditional malware detection methods obsolete. In this paper, we propose DL-Droid, a deep learning system to detect malicious Android applications through dynamic analysis using stateful input generation. Experiments performed with over 30,000 applications (benign and malware) on real devices are presented. Furthermore, experiments were also conducted to compare the detection performance and code coverage of the stateful input generation method with the commonly used stateless approach using the deep learning system. Our study reveals that DL-Droid can achieve up to 97.8% detection rate (with dynamic features only) and 99.6% detection rate (with dynamic + static features) respectively which outperforms traditional machine learning techniques. Furthermore, the results highlight the significance of enhanced input generation for dynamic analysis as DL-Droid with the state-based input generation is shown to outperform the existing state-of-the-art approaches.

Cryptography and Security,Machine Learning,Neural and Evolutionary Computing

Nikola Milosevic,Junfan Huang

DOI: https://doi.org/10.48550/arXiv.1910.10660

2019-10-24

Abstract:In the past decade, the cyber-crime related to mobile devices has increased. Mobile devices, especially the ones running on Android operating system are particularly interesting to malware creators, as the users often keep the biggest amount of personal information on their mobile devices, such as their contacts, social media profiles, emails, and bank accounts. Both dynamic and static malware analysis is necessary to prevent and detect malware, as both techniques have their benefits and shortcomings. In this paper, we propose a deep learning technique that relies on LSTM and encoder-decoder neural network architectures for dynamic malware analysis based on CPU, memory and battery usage. The proposed system is able to detect and notify users about anomalies in system that is likely consequence of malware behaviour. The method was implemented as a part of OWASP Seraphimdroids anti-malware mechanism and notifies users about anomalies on their devices. The method proved to perform with an F1-score of 79.2%.

Cryptography and Security,Computers and Society,Machine Learning

Gang Zhang,Hao Li,Zhenxiang Chen,Lizhi Peng,Yuhui Zhu,Chuan Zhao

DOI: https://doi.org/10.1109/trustcom53373.2021.00097

2021-01-01

Abstract:Android platform is facing serious malware threats due to its popularity, as evidenced by the drastic increase on the number of mobile malware families and variants in recent years. Detecting malware variants and zero-day malware is a critical challenge that must be addressed to protect mobile devices against malware attacks. In this study, we present AndroCreme, a novel network intrusion detection system (NIDS) that can identify unseen malware by analyzing the network behavior of Android malware. To address the temporal bias issue in NIDS, we propose a method for rapid iterative update of the model based on data selection and data size limitation. The selection of effective data is carried out by induction and conformal technology, and the data scale is controlled by the method of time window and data cycle selection. To further achieve fast training speed and high efficiency, we leverage a gradient boosting framework that uses a tree-based learning algorithm, namely, LightGBM, as the meta predictor. We evaluate the performance of AndroCreme over 400K real-world network flows, which are collected from over 30K Android benignware and 21K malware applications. The experimental results show that, compared with the retraining method using all data, AndroCreme requires only a small amount of datareduce more than 3x to obtain better detection performance, which effectively solves the temporal bias.

Annamalai Narayanan,Liu Yang,Lihui Chen,Liu Jinliang

DOI: https://doi.org/10.48550/arXiv.1606.07150

2016-09-26

Abstract:It is well-known that malware constantly evolves so as to evade detection and this causes the entire malware population to be non-stationary. Contrary to this fact, prior works on machine learning based Android malware detection have assumed that the distribution of the observed malware characteristics (i.e., features) do not change over time. In this work, we address the problem of malware population drift and propose a novel online machine learning based framework, named DroidOL to handle it and effectively detect malware. In order to perform accurate detection, security-sensitive behaviors are captured from apps in the form of inter-procedural control-flow sub-graph features using a state-of-the-art graph kernel. In order to perform scalable detection and to adapt to the drift and evolution in malware population, an online passive-aggressive classifier is used. In a large-scale comparative analysis with more than 87,000 apps, DroidOL achieves 84.29% accuracy outperforming two state-of-the-art malware techniques by more than 20% in their typical batch learning setting and more than 3% when they are continuously re-trained. Our experimental findings strongly indicate that online learning based approaches are highly suitable for real-world malware detection.

Cryptography and Security,Machine Learning

Tianshi Mu,Huajun Chen,Jinran Du,Aidong Xu

DOI: https://doi.org/10.1109/imcec46724.2019.8983860

2019-01-01

Abstract:With the in-depth development of the Internet industry, the mobile Internet has been effectively integrated into daily work. However, Android has many extremely serious security issues. In our work, we apply text classification technology to the detection of Android malware, based on the deep learning. We extract the Android malware API sequence based on the Cuckoo sandbox, and use the text processing technology to solve the detection problem of Android malware. To evaluating the performance of our system, we compared it with Dalvik based on the Bi-LSTM. The accuracy of API extraction method using Cuckoo is higher than Dalvik, reaching the accuracy of 96.74%. To further verify the effects of different models, we compared it with GRU, BGRU and LSTM using Cuckoo Sandbox as API extraction method. The result demonstrate the Bi-LSTM has the highest accuracy.

Buket Doğan,Esra Calik Bayazit,O. K. Sahingoz

DOI: https://doi.org/10.1109/hora55278.2022.9800057

2022-06-09

Abstract:In recent years, smart mobile devices have become indispensable due to the availability of office applications, the Internet, game applications, vehicle guidance or similar most of our daily lives applications in addition to traditional services such as voice calls, SMSs, and multimedia services. Due to Android's open source structure and easy development platforms, the number of applications on Google Play, the official Android app store increased day by day. This also brig some security related issues for the end users. The increased popularity of Android operating system on mobile devices, and the associated financial benefits attracted attackers for developing some malware for these devices, which results a significant increase in the number of Android malware applications. To detect this type of security threats, signature based detection (static detection) in generally preferred due to its easy applicability and fast identification ability. Therefore in this study it is aimed to implement an up-to-date, effective, and reliable malware detection system with the help of some deep learning algorithms. In the proposed system, RNN-based LSTM, BiLSTM and GRU algorithms are evaluated on CICInvesAndMal2019 data set which contains 8115 static features for malware detection. Experimental results show that the BiLSTM model outperforms other proposed RNN-based deep learning methods with an accuracy rate of 98.85 %.

Computer Science

Hui-Juan Zhu,Liang-Min Wang,Sheng Zhong,Yang Li,Victor S. Sheng,Huijuan Zhu,Liangmin Wang

DOI: https://doi.org/10.1109/tkde.2021.3067658

IF: 9.235

2021-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Android is a growing target for malicious software (malware) because of its popularity and functionality. Malware poses a serious threat to users' privacy, money, equipment and file integrity. A series of data-driven malware detection methods were proposed. However, there exist two key challenges for these methods: (1) how to learn effective feature representation from raw data; (2) how to reduce the dependence on the prior knowledge or human labors in feature learning. Inspired by the success of deep learning methods in the feature representation learning community, we propose a malware detection framework which starts with learning rich-features by a novel unsupervised feature learning algorithm Merged Sparse Auto-Encoder (MSAE). In order to extract more compact and discriminative feature from the rich-features to further boost the malware detection capability, a hybrid deep network learning algorithm Stacked Hybrid Learning MSAE and SDAE (SHLMD) is established by further incorporating a classical deep learning method Stacked Denoising Auto-encoders (SDAE). After that, we feed the feature learned by MSAE and SHLMD respectively to classification algorithms, e.g., Support Vector Machine (SVM) or K-NearestNeighbor (KNN), to train a malware detection model. Evaluation results on two real-world datasets demonstrate that SHLMD achieves 94.46 and 90.57 percent accuracy respectively, which outperforms the classical unsupervised feature representation learning Sparse Auto-encoder (SAE). MSAE performs similarly to SAE. SHLMD can further improve the performance of MSAE and the supervised fine-tuned method SDAE. Besides, we compare the performance of our methods with that of state-of-the-art detection approaches, including classical deep-learning-based methods. Extensive experiments show that our proposed methods are effective enough to detect Android malware.

computer science, information systems, artificial intelligence,engineering, electrical & electronic

Chao Ding,Nurbol Luktarhan,Bei Lu,Wenhui Zhang

DOI: https://doi.org/10.3390/e23081009

2021-08-03

Abstract:With the popularity of Android, malware detection and family classification have also become a research focus. Many excellent methods have been proposed by previous authors, but static and dynamic analyses inevitably require complex processes. A hybrid analysis method for detecting Android malware and classifying malware families is presented in this paper, and is partially optimized for multiple-feature data. For static analysis, we use permissions and intent as static features and use three feature selection methods to form a subset of three candidate features. Compared with various models, including k-nearest neighbors and random forest, random forest is the best, with a detection rate of 95.04%, while the chi-square test is the best feature selection method. After using feature selection to explore the critical static features contained in this dataset, we analyzed a subset of important features to gain more insight into the malware. In a dynamic analysis based on network traffic, unlike those that focus on a one-way flow of traffic and work on HTTP protocols and transport layer protocols, we focused on sessions and retained protocol layers. The Res7LSTM model is then used to further classify the malicious and partially benign samples detected in the static detection. The experimental results show that our approach can not only work with fewer static features and guarantee sufficient accuracy, but also improve the detection rate of Android malware family classification from 71.48% in previous work to 99% when cutting the traffic in terms of the sessions and protocols of all layers.

Zhuo Ma,Haoran Ge,Zhuzhu Wang,Yang Liu,Ximeng Liu

DOI: https://doi.org/10.48550/arXiv.2002.03594

2020-02-10

Cryptography and Security

Abstract:Android malware detection is a critical step towards building a security credible system. Especially, manual search for the potential malicious code has plagued program analysts for a long time. In this paper, we propose Droidetec, a deep learning based method for android malware detection and malicious code localization, to model an application program as a natural language sequence. Droidetec adopts a novel feature extraction method to derive behavior sequences from Android applications. Based on that, the bi-directional Long Short Term Memory network is utilized for malware detection. Each unit in the extracted behavior sequence is inventively represented as a vector, which allows Droidetec to automatically analyze the semantics of sequence segments and eventually find out the malicious code. Experiments with 9616 malicious and 11982 benign programs show that Droidetec reaches an accuracy of 97.22% and an F1-score of 98.21%. In all, Droidetec has a hit rate of 91% to properly find out malicious code segments.

Li Chen,Mingwei Zhang,Chih-Yuan Yang,Ravi Sahita

DOI: https://doi.org/10.48550/arXiv.1704.05948

2017-04-20

Abstract:A growing number of threats to Android phones creates challenges for malware detection. Manually labeling the samples into benign or different malicious families requires tremendous human efforts, while it is comparably easy and cheap to obtain a large amount of unlabeled APKs from various sources. Moreover, the fast-paced evolution of Android malware continuously generates derivative malware families. These families often contain new signatures, which can escape detection when using static analysis. These practical challenges can also cause traditional supervised machine learning algorithms to degrade in performance. In this paper, we propose a framework that uses model-based semi-supervised (MBSS) classification scheme on the dynamic Android API call logs. The semi-supervised approach efficiently uses the labeled and unlabeled APKs to estimate a finite mixture model of Gaussian distributions via conditional expectation-maximization and efficiently detects malwares during out-of-sample testing. We compare MBSS with the popular malware detection classifiers such as support vector machine (SVM), $k$-nearest neighbor (kNN) and linear discriminant analysis (LDA). Under the ideal classification setting, MBSS has competitive performance with 98\% accuracy and very low false positive rate for in-sample classification. For out-of-sample testing, the out-of-sample test data exhibit similar behavior of retrieving phone information and sending to the network, compared with in-sample training set. When this similarity is strong, MBSS and SVM with linear kernel maintain 90\% detection rate while $k$NN and LDA suffer great performance degradation. When this similarity is slightly weaker, all classifiers degrade in performance, but MBSS still performs significantly better than other classifiers.

Cryptography and Security,Machine Learning

J.S. Panman de Wit,J. van der Ham,D. Bucur

DOI: https://doi.org/10.1145/3484246

2021-07-23

Abstract:Mobile malware are malicious programs that target mobile devices. They are an increasing problem, as seen in the rise of detected mobile malware samples per year. The number of active smartphone users is expected to grow, stressing the importance of research on the detection of mobile malware. Detection methods for mobile malware exist but are still limited. In this paper, we provide an overview of the performance of machine learning (ML) techniques to detect malware on Android, without using privileged access. The ML-classifiers use device information such as the CPU usage, battery usage, and memory usage for the detection of 10 subtypes of Mobile Trojans on the Android Operating System (OS). We use a real-life dataset containing device and malware data from 47 users for a year (2016). We examine which features, i.e. aspects, of a device, are most important to monitor to detect (subtypes of) Mobile Trojans. The focus of this paper is on dynamic hardware features. Using these dynamic features we apply state-of-the-art machine learning classifiers: Random Forest, K-Nearest Neighbour, and AdaBoost. We show classification results on different feature sets, making a distinction between global device features, and specific app features. None of the measured feature sets require privileged access. Our results show that the Random Forest classifier performs best as a general malware classifier: across 10 subtypes of Mobile Trojans, it achieves an F1 score of 0.73 with a False Positive Rate (FPR) of 0.009 and a False Negative Rate (FNR) of 0.380. The Random Forest, K-Nearest Neighbours, and AdaBoost classifiers achieve F1 scores above 0.72, an FPR below 0.02 and, an FNR below 0.33, when trained separately to detect each subtype of Mobile Trojans.

Cryptography and Security,Machine Learning

Zhenlong Yuan,Yongqiang Lu,Yibo Xue

DOI: https://doi.org/10.1109/tst.2016.7399288

2016-01-01

Tsinghua Science & Technology

Abstract:Smartphones and mobile tablets are rapidly becoming indispensable in daily life. Android has been the most popular mobile operating system since 2012. However, owing to the open nature of Android, countless malwares are hidden in a large number of benign apps in Android markets that seriously threaten Android security. Deep learning is a new area of machine learning research that has gained increasing attention in artificial intelligence. In this study, we propose to associate the features from the static analysis with features from dynamic analysis of Android apps and characterize malware using deep learning techniques. We implement an online deep-learning-based Android malware detection engine (DroidDetector) that can automatically detect whether an app is a malware or not. With thousands of Android apps, we thoroughly test DroidDetector and perform an indepth analysis on the features that deep learning essentially exploits to characterize malware. The results show that deep learning is suitable for characterizing Android malware and especially effective with the availability of more training data. DroidDetector can achieve 96.76% detection accuracy, which outperforms traditional machine learning techniques. An evaluation of ten popular anti-virus softwares demonstrates the urgency of advancing our capabilities in Android malware detection.

Zhenlong Yuan,Yongqiang Lu,Zhaoguo Wang,Yibo Xue

DOI: https://doi.org/10.1145/2740070.2631434

IF: 1.937

2014-01-01

ACM SIGCOMM Computer Communication Review

Abstract:As smart:phones and mobile devices are rapidly becoming indispensable for many network users, mobile malware has become a serious threat in the network security and privacy. Especially on the popular Android platform, many malicious apps are hiding in a large number of normal apps, which makes the malware detection more challenging. In this paper, we propose a ML-based method that utilizes more than 200 features extracted from both static analysis and dynamic analysis of Android app for malv -are detection. The comparison of modeling results demonstrates that the deep learning technique is especially suitable for Android mahvare detection and can achieve a high level of 96% accuracy with real-world Android application sets.

Joshua Abah,Waziri O.V,Abdullahi M.B,Arthur U.M,Adewale O.S

DOI: https://doi.org/10.5121/ijnsa.2015.7602

2015-12-14

Abstract:The emergence of mobile platforms with increased storage and computing capabilities and the pervasive use of these platforms for sensitive applications such as online banking, e-commerce and the storage of sensitive information on these mobile devices have led to increasing danger associated with malware targeted at these devices. Detecting such malware presents inimitable challenges as signature-based detection techniques available today are becoming inefficient in detecting new and unknown malware. In this research, a machine learning approach for the detection of malware on Android platforms is presented. The detection system monitors and extracts features from the applications while in execution and uses them to perform in-device detection using a trained K-Nearest Neighbour classifier. Results shows high performance in the detection rate of the classifier with accuracy of 93.75%, low error rate of 6.25% and low false positive rate with ability of detecting real Android malware.

Cryptography and Security

Annamalai Narayanan,Mahinthan Chandramohan,Lihui Chen,Yang Liu

DOI: https://doi.org/10.1007/s10664-017-9539-8

IF: 3.762

2017-08-30

Empirical Software Engineering

Abstract:Many existing Machine Learning (ML) based Android malware detection approaches use a variety of features such as security-sensitive APIs, system calls, control-flow structures and information flows in conjunction with ML classifiers to achieve accurate detection. Each of these feature sets provides a unique semantic perspective (or view) of apps’ behaviors with inherent strengths and limitations. Meaning, some views are more amenable to detect certain attacks but may not be suitable to characterize several other attacks. Most of the existing malware detection approaches use only one (or a selected few) of the aforementioned feature sets which prevents them from detecting a vast majority of attacks. Addressing this limitation, we propose MKLDroid, a unified framework that systematically integrates multiple views of apps for performing comprehensive malware detection and malicious code localization. The rationale is that, while a malware app can disguise itself in some views, disguising in every view while maintaining malicious intent will be much harder. MKLDroid uses a graph kernel to capture structural and contextual information from apps’ dependency graphs and identify malice code patterns in each view. Subsequently, it employs Multiple Kernel Learning (MKL) to find a weighted combination of the views which yields the best detection accuracy. Besides multi-view learning, MKLDroid’s unique and salient trait is its ability to locate fine-grained malice code portions in dependency graphs (e.g., methods/classes). Malicious code localization caters several important applications such as supporting human analysts studying malware behaviors, engineering malware signatures, and other counter-measures. Through our large-scale experiments on several datasets (incl. wild apps), we demonstrate that MKLDroid outperforms three state-of-the-art techniques consistently, in terms of accuracy while maintaining comparable efficiency. In our malicious code localization experiments on a dataset of repackaged malware, MKLDroid was able to identify all the malice classes with 94% average recall. Our work opens up two new avenues in malware research: (i) enables the research community to elegantly look at Android malware behaviors in multiple perspectives simultaneously, and (ii) performing precise and scalable malicious code localization.

computer science, software engineering

Qijing Qiao,Ruitao Feng,Sen Chen,Fei Zhang,Xiaohong Li

DOI: https://doi.org/10.1109/TDSC.2022.3213689

2024-10-09

Abstract:The existing malware classification approaches (i.e., binary and family classification) can barely benefit subsequent analysis with their outputs. Even the family classification approaches suffer from lacking a formal naming standard and an incomplete definition of malicious behaviors. More importantly, the existing approaches are powerless for one malware with multiple malicious behaviors, while this is a very common phenomenon for Android malware in the wild. So, neither of them can provide researchers with a direct and comprehensive enough understanding of malware. In this paper, we propose MLCDroid, an ML-based multi-label classification approach that can directly indicate the existence of pre-defined malicious behaviors. With an in-depth analysis, we summarize six basic malicious behaviors from real-world malware with security reports and construct a labeled dataset. We compare the results of 70 algorithm combinations to evaluate the effectiveness (best at 73.3%). Faced with the challenge of the expensive cost of data annotation, we further propose an active learning approach based on data augmentation, which can improve the overall accuracy to 86.7% with a data augmentation of 5,000+ high-quality samples from an unlabeled malware dataset. This is the first multi-label Android malware classification approach intending to provide more information on fine-grained malicious behaviors.

Cryptography and Security

Jiayin Feng,Limin Shen,Zhen Chen,Yuying Wang,Hui Li

DOI: https://doi.org/10.1109/access.2020.3008081

IF: 3.9

2020-01-01

IEEE Access

Abstract:Because of the characteristic of openness and flexibility, Android has become the most popular mobile platform. However, it has also become the most targeted system by mobile malware. It is necessary for the users to have a fast and reliable detection method. In this paper, a two-layer method is proposed to detect malware in Android APPs. The first layer is permission, intent and component information based static malware detection model. It combines the static features with fully connected neural network to detect the malware and test its effectiveness through experiment, the detection rate of the first layer is 95.22%. Then the result (benign APPs from the first layer) is input into the second layer. In the second layer, a new method CACNN which cascades CNN and AutoEncoder, is used to detect malware through network traffic features of APPs. The detection rate of the second layer is 99.3% in binary classification (2-classifier). Moreover, the new two-layer model can also detect malware by its category (4-classifier) and malicious family (40-classifier). The detection rates are 98.2% and 71.48% respectively. The experimental results show that our two-layer method not only can achieve semi-supervise learning, but also can effectively improve the detection rate of malicious Android APPs.