Fingerprinting Android malware families

The domination of the Android operating system in the market share of smart terminals has engendered increasing threats of malicious applications (apps). Research on Android malware detection has received considerable attention in academia and the industry. In particular, studies on malware families have been beneficial to malware detection and behavior analysis. However, identifying the characteristics of malware families and the features that can describe a particular family have been less frequently discussed in existing work. In this paper, we are motivated to explore the key features that can classify and describe the behaviors of Android malware families to enable fingerprinting the malware families with these features. We present a framework for signature-based key feature construction. In addition, we propose a frequency-based feature elimination algorithm to select the key features. Finally, we construct the fingerprints of ten malware families, including twenty key features in three categories. Results of extensive experiments using Support Vector Machine demonstrate that the malware family classification achieves an accuracy of 92% to 99%. The typical behaviors of malware families are analyzed based on the selected key features. The results demonstrate the feasibility and effectiveness of the presented algorithm and fingerprinting method.

[1]  Shashi Shekhar,et al.  QUIRE: Lightweight Provenance for Smart Phone Operating Systems , 2011, USENIX Security Symposium.

[2]  Xiangliang Zhang,et al.  Securing Recommender Systems Against Shilling Attacks Using Social-Based Clustering , 2013, Journal of Computer Science and Technology.

[3]  Aziz Mohaisen,et al.  Detecting and classifying method based on similarity matching of Android malware behavior with profile , 2016, SpringerPlus.

[4]  Yu-Jin Zhang,et al.  Study on Discriminant Matrices of Commonly-used Fisher Discriminant Functions: Study on Discriminant Matrices of Commonly-used Fisher Discriminant Functions , 2010 .

[5]  Xiangliang Zhang,et al.  Exploring Permission-Induced Risk in Android Applications for Malicious Application Detection , 2014, IEEE Transactions on Information Forensics and Security.

[6]  Cheng Zheng Study on Discriminant Matrices of Commonly-used Fisher Discriminant Functions , 2010 .

[7]  Xiangliang Zhang,et al.  Processing of massive audit data streams for real-time anomaly intrusion detection , 2008, Comput. Commun..

[8]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[9]  Xiangliang Zhang,et al.  Autonomic intrusion detection: Adaptively detecting anomalies over unlabeled audit data streams in computer networks , 2014, Knowl. Based Syst..

[10]  Roberto Battiti,et al.  Identifying intrusions in computer networks with principal component analysis , 2006, First International Conference on Availability, Reliability and Security (ARES'06).

[11]  Xiangliang Zhang,et al.  Profiling program behavior for anomaly intrusion detection based on the transition and frequency property of computer audit data , 2006, Comput. Secur..

[12]  Ken Dunham,et al.  Android Malware and Analysis , 2014 .

[13]  Yuval Elovici,et al.  “Andromaly”: a behavioral malware detection framework for android devices , 2012, Journal of Intelligent Information Systems.

[14]  Steve Hanna,et al.  Android permissions demystified , 2011, CCS '11.

[15]  Paul C. van Oorschot,et al.  A methodology for empirical analysis of permission-based security models and its application to android , 2010, CCS '10.

[16]  Huan Liu,et al.  Toward integrating feature selection algorithms for classification and clustering , 2005, IEEE Transactions on Knowledge and Data Engineering.

[17]  Wenke Lee,et al.  CHEX: statically vetting Android apps for component hijacking vulnerabilities , 2012, CCS.

[18]  Xiangliang Zhang,et al.  Abstracting massive data for lightweight intrusion detection in computer networks , 2016, Inf. Sci..

[19]  Ying Zou,et al.  Detecting Android Malware Using Clone Detection , 2015, Journal of Computer Science and Technology.

[20]  Siu-Ming Yiu,et al.  DroidChecker: analyzing android applications for capability leak , 2012, WISEC '12.

[21]  L. Chou,et al.  An empirical analysis of land property lawsuits and rainfalls , 2016, SpringerPlus.

[22]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[23]  Xiangliang Zhang,et al.  Discovering and understanding android sensor usage behaviors with data flow analysis , 2017, World Wide Web.

[24]  Sencun Zhu,et al.  Alde: Privacy Risk Analysis of Analytics Libraries in the Android Ecosystem , 2016, SecureComm.

[25]  Xiangliang Zhang,et al.  Fast intrusion detection based on a non-negative matrix factorization model , 2009, J. Netw. Comput. Appl..

[26]  Michèle Sebag,et al.  Data Stream Clustering With Affinity Propagation , 2014, IEEE Transactions on Knowledge and Data Engineering.

[27]  Xiangliang Zhang,et al.  Detecting Android malicious apps and categorizing benign apps with ensemble of classifiers , 2018, Future Gener. Comput. Syst..

[28]  Peng Wang,et al.  AsDroid: detecting stealthy behaviors in Android applications by user interface and program behavior contradiction , 2014, ICSE.

[29]  Xiangliang Zhang,et al.  Constructing attribute weights from computer audit data for effective intrusion detection , 2009, J. Syst. Softw..

[30]  G. Lakpathi,et al.  Identity-Based Encryption with Outsourced Revocation in Cloud Computing , 2016 .

[31]  Alfonso MuIgnacio Android malware detection from Google Play meta-data: Selection of important features , 2015 .

[32]  Jin Li,et al.  A Hybrid Cloud Approach for Secure Authorized Deduplication , 2015, IEEE Transactions on Parallel and Distributed Systems.