Enhancing malware detection for Android systems using a system call filtering and abstraction process

Improving anomaly-based malware detection techniques has been widely studied in recent years. Most of these efforts have focused on the dataset available for analysis and/or on the algorithms used to distinguish normal from abnormal behavior. Both factors have a major impact on detection accuracy as well as on the time and space complexity of the detection technique. In this paper, we revisit a classical anomaly-based malware detection approach, a database of normal behavior built from Android system-call traces, with two conflicting objectives: reducing the time and space complexity of the selected approach without degrading its detection accuracy. To achieve this goal, we introduce a filtering and abstraction process which (i) removes system calls that are irrelevant to describing the main behavior of an Android application and (ii) unifies system calls that have the same functionality but different names. This process is used to build a database describing a canonical normal-behavior model of Android applications. The model is based on the 200 most popular free Android applications available in the Android market. It represents the last line of defense of a defense-in-depth protection strategy for smartphone systems. Our experimental results show that the filtering and abstraction process has a positive impact on both the performance and the accuracy of the selected malware detection approach. Copyright © 2014 John Wiley & Sons, Ltd.
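The following Python example is added here to illustrate the two steps the abstract describes (filtering noise calls out of a system-call trace, then unifying same-functionality calls under one canonical name) and why they can shrink a normal-behavior database without costing accuracy. It is not the paper's code: the alias table, the filter list, the strace-like sample traces and the fixed-length n-gram scoring (a standard normal-behavior database in the style of Forrest et al.) are all assumptions chosen for the illustration, not the paper's actual tables, data or classifier.

```python
"""Filtering + abstraction of Android system-call traces feeding an n-gram
normal-behaviour database.  Illustrative example only: alias groups, filter
list, sample traces and scoring are assumptions, not the paper's artefacts."""
import re

# Assumed abstraction table: kernel entry points implementing the same
# operation are mapped to one canonical name.  Names not listed pass through.
ALIASES = {
    "openat": "open",
    "pread64": "read", "readv": "read",
    "pwrite64": "write", "writev": "write",
    "mmap2": "mmap",
    "recvfrom": "recv", "recvmsg": "recv",
    "sendto": "send", "sendmsg": "send",
    "stat64": "stat", "fstat64": "stat", "lstat64": "stat", "fstat": "stat",
    "clone": "fork",
}

# Assumed filter list: calls that say little about what an app does and
# mostly add timing / scheduling noise to the trace.
FILTERED = {"clock_gettime", "gettimeofday", "futex", "sched_yield",
            "getpid", "gettid", "epoll_wait", "nanosleep"}

# Matches "[pid N] " and "HH:MM:SS(.us) " prefixes, then "name(".  Lines such
# as "<... read resumed>" or "+++ exited +++" carry no new call and are skipped.
STRACE_LINE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(?:\d+:\d+:\d+(?:\.\d+)?\s+)?(\w+)\(")

# Constructed strace-like traces (not real captures).  A and B perform the
# same behaviour through differently named calls and with different noise.
NORMAL_A = """
[pid  2210] openat(AT_FDCWD, "/data/data/com.example.app/files/cfg", O_RDONLY) = 21
[pid  2210] clock_gettime(CLOCK_MONOTONIC, {tv_sec=5, tv_nsec=1}) = 0
[pid  2210] read(21, "...", 4096) = 512
[pid  2210] close(21) = 0
[pid  2210] futex(0xb6f0, FUTEX_WAKE, 1) = 0
[pid  2210] ioctl(8, BINDER_WRITE_READ, 0xbe80) = 0
[pid  2210] recvfrom(33, "...", 1024, 0, NULL, NULL) = 200
[pid  2210] sendto(33, "...", 64, 0, NULL, 0) = 64
"""
NORMAL_B = """
open("/sdcard/cache/img.png", O_RDONLY) = 7
pread64(7, "...", 8192, 0) = 8192
close(7) = 0
gettimeofday({tv_sec=5, tv_usec=2}, NULL) = 0
ioctl(8, BINDER_WRITE_READ, 0xbe80) = 0
recvmsg(33, {msg_name=NULL}, 0) = 200
sendmsg(33, {msg_name=NULL}, 0) = 64
"""
SUSPECT = """
openat(AT_FDCWD, "/data/data/com.example.app/files/cfg", O_RDONLY) = 21
read(21, "...", 4096) = 512
close(21) = 0
clone(child_stack=0, flags=CLONE_VM|CLONE_VFORK|SIGCHLD) = 2300
[pid  2300] execve("/system/bin/sh", ["sh", "-c", "..."], 0xbe90) = 0
"""


def parse_strace(text):
    """Return the sequence of system-call names found in strace-like output."""
    names = []
    for line in text.splitlines():
        m = STRACE_LINE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def abstract_trace(calls):
    """Step (i): drop filtered calls; step (ii): map aliases to canonical names."""
    return [ALIASES.get(c, c) for c in calls if c not in FILTERED]


def ngrams(seq, n):
    return [tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)]


def trace_to_ngrams(text, n=3, abstracted=True):
    calls = parse_strace(text)
    if abstracted:
        calls = abstract_trace(calls)
    return ngrams(calls, n)


def build_normal_db(texts, n=3, abstracted=True):
    """Normal-behaviour database: the set of n-grams seen in benign traces."""
    db = set()
    for t in texts:
        db.update(trace_to_ngrams(t, n, abstracted))
    return db


def anomaly_score(db, text, n=3, abstracted=True):
    """Fraction of the trace's n-grams absent from the database (0.0 = fully known)."""
    grams = trace_to_ngrams(text, n, abstracted)
    if not grams:
        return 0.0
    return sum(g not in db for g in grams) / len(grams)


def demo():
    """Train on NORMAL_A only and score B (benign) and SUSPECT, raw vs abstracted."""
    results = {}
    for abstracted in (False, True):
        db = build_normal_db([NORMAL_A], abstracted=abstracted)
        results[abstracted] = {
            "db_size": len(db),
            "benign_b": anomaly_score(db, NORMAL_B, abstracted=abstracted),
            "suspect": anomaly_score(db, SUSPECT, abstracted=abstracted),
        }
    return results


if __name__ == "__main__":
    for mode, r in demo().items():
        print("abstracted" if mode else "raw", r)
```

With a database built only from trace A, the raw (unfiltered, unabstracted) model both holds more trigrams and flags the benign trace B as entirely unknown, because `open`/`pread64`/`recvmsg` never appeared under those names; after filtering and abstraction the same database is smaller, B scores 0.0, and only the `fork`/`execve` tail of the suspect trace is reported as unseen. In practice a threshold on this score, and a training set far larger than one trace, would be needed; the example only shows the mechanism.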
