MineRBS: Detecting Android Malware Based on Runtime Behavior Sequence

The runtime behaviors performed by Android applications reflect their potential characteristics. Because carrying out a malicious attack usually requires several runtime behaviors to cooperate, mining the associations within runtime behavior sequences can effectively detect unknown malicious applications. Most prior research has focused on the statistical properties of a single behavior, and little work has studied the statistical properties of the associations between runtime behaviors. In this paper, we present MineRBS, an Android malware detection system based on a novel sequential pattern mining method called RB AprefixSpan (PrefixSpan Abbreviated Project Mining of Runtime Behaviors), which mines runtime behavior associations. The RB AprefixSpan algorithm discovers runtime behavior sequential patterns from known malware families and builds a behavior sequential pattern database that is used to detect malware. In addition, RB AprefixSpan uses an abbreviated projection database instead of the projection database used in PrefixSpan to improve spatial performance. Through experiments, we verify the correctness and effectiveness of our system.
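The mining-then-matching idea described above, as an added sketch that is not the paper's code: it assumes the "abbreviated projection database" can be modelled as standard pseudo-projection, storing (sequence index, offset) pointers instead of copied suffixes, and that detection means matching mined patterns as ordered subsequences. All function names and behavior names are constructed for illustration.

```python
from collections import defaultdict

def mine_patterns(sequences, min_support, max_len=4):
    """PrefixSpan over single-item sequences using pseudo-projection:
    each projected database is a list of (sequence index, start offset)
    pointers into `sequences`, never a copy of the suffixes."""
    patterns = {}

    def grow(prefix, projected):
        # For each item keep only its first occurrence at or after the offset,
        # one pointer per sequence, so support equals the number of pointers.
        first_pos = defaultdict(dict)
        for sid, start in projected:
            seq = sequences[sid]
            for pos in range(start, len(seq)):
                first_pos[seq[pos]].setdefault(sid, pos)
        for item, hits in sorted(first_pos.items()):
            if len(hits) < min_support:
                continue
            pattern = prefix + (item,)
            patterns[pattern] = len(hits)
            if len(pattern) < max_len:
                grow(pattern, [(sid, pos + 1) for sid, pos in hits.items()])

    grow((), [(sid, 0) for sid in range(len(sequences))])
    return patterns

def contains(trace, pattern):
    """True if `pattern` occurs in `trace` as an ordered (gapped) subsequence."""
    it = iter(trace)
    return all(step in it for step in pattern)

def score(trace, pattern_db, min_len=3):
    """Return the mined patterns of at least min_len behaviors found in the trace."""
    return [p for p in pattern_db if len(p) >= min_len and contains(trace, p)]

# Constructed sample traces for one hypothetical malware family.
FAMILY_TRACES = [
    ["read_contacts", "open_socket", "send_sms", "delete_sms"],
    ["get_device_id", "read_contacts", "open_socket", "send_sms"],
    ["read_contacts", "get_location", "open_socket", "send_sms", "delete_sms"],
]
PATTERN_DB = mine_patterns(FAMILY_TRACES, min_support=3)
# Same behaviors can appear in benign apps; only the ordered association matches.
BENIGN = ["get_location", "open_socket", "read_contacts"]
SUSPECT = ["get_device_id", "read_contacts", "load_ad", "open_socket", "send_sms"]
```

The benign trace contains two of the three behaviors but not in the mined order, which is the case single-behavior statistics cannot separate.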
