Anomadroid: Profiling Android Applications' Behaviors for Identifying Unknown Malapps

Android has dominated the market of mobile devices. Meanwhile, it has become the main target for attackers. Detecting and analyzing Android malicious applications (malapps) is an ongoing challenge. Current malapps have become increasingly sophisticated. In particular, zero-day (unknown) malapps appear very frequently and can evade most detection systems that are based on the signatures or patterns of existing malapps. In this work, we propose a system called Anomadroid (anomaly Android malapp detection system) that profiles the normal behaviors of Android apps based on only benign samples. Any app whose behaviors unacceptably deviate from the normal profile is identified as malicious. We first extract 4209 features, divided into 9 categories such as permissions and APIs, from each app for the profiling. We then use term frequency-inverse document frequency (tf-idf) weighting and employ k-Nearest Neighbor (k-NN) and Principal Component Analysis (PCA) for anomaly detection. We evaluate Anomadroid on a large app set consisting of 15,000 benign apps as well as 1500 malapps. The experimental results show that our system is better than existing methods and achieves a detection rate of 94.08% with a false positive rate of 16.15%.
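The following is an added illustration of the benign-only profiling idea described above; it is not the authors' code and does not reproduce Anomadroid's 4209-feature set, its PCA step, or its tuned thresholds. It assumes binary feature presence as the term frequency, a smoothed idf (ln((1+N)/(1+df)) + 1) so that features never seen in benign apps still get a finite weight, cosine distance between tf-idf vectors, k = 2 nearest benign neighbors, and a threshold set to the largest leave-one-out score observed on the benign training set. The app feature sets and their names are constructed for the example.

```python
import math
from collections import Counter

# Constructed benign training set: each app is the set of features extracted
# from it (permissions and API references). Names are illustrative only.
BENIGN_APPS = [
    {"perm:INTERNET", "perm:ACCESS_NETWORK_STATE", "api:HttpURLConnection"},
    {"perm:INTERNET", "perm:ACCESS_NETWORK_STATE", "api:HttpURLConnection", "perm:CAMERA"},
    {"perm:INTERNET", "api:HttpURLConnection", "perm:VIBRATE"},
    {"perm:INTERNET", "perm:ACCESS_NETWORK_STATE", "api:HttpURLConnection", "perm:VIBRATE"},
    {"perm:INTERNET", "perm:ACCESS_NETWORK_STATE", "api:HttpURLConnection", "perm:CAMERA", "perm:VIBRATE"},
    {"perm:INTERNET", "api:HttpURLConnection"},
]

# Constructed test apps: one that looks like the benign population, and one
# whose features (SMS access, boot persistence) never occur in the benign set.
NEW_BENIGN_LIKE = {"perm:INTERNET", "api:HttpURLConnection", "perm:CAMERA"}
SUSPICIOUS = {"perm:INTERNET", "perm:SEND_SMS", "perm:READ_SMS",
              "api:SmsManager.sendTextMessage", "perm:RECEIVE_BOOT_COMPLETED"}


class BenignProfile:
    """Normal-behavior profile built from benign apps only (assumed design)."""

    def __init__(self, apps, k=2):
        self.apps = [frozenset(a) for a in apps]
        self.k = k
        self.n = len(self.apps)
        # Document frequency: in how many benign apps each feature appears.
        self.df = Counter(f for app in self.apps for f in app)
        self.vectors = [self.vectorize(a) for a in self.apps]
        # Leave-one-out scores of the training apps give the normal range;
        # the largest one is used as the anomaly threshold (assumption).
        loo_scores = [self.score(a, exclude=i) for i, a in enumerate(self.apps)]
        self.threshold = max(loo_scores)

    def idf(self, feature):
        # Smoothed inverse document frequency; unseen features get df = 0,
        # i.e. the highest possible weight, so they dominate the distance.
        return math.log((1 + self.n) / (1 + self.df.get(feature, 0))) + 1.0

    def vectorize(self, app):
        # Binary tf (feature present or not) times idf, kept as a sparse dict.
        return {f: self.idf(f) for f in app}

    @staticmethod
    def cosine_distance(u, v):
        dot = sum(w * v[f] for f, w in u.items() if f in v)
        norm_u = math.sqrt(sum(w * w for w in u.values()))
        norm_v = math.sqrt(sum(w * w for w in v.values()))
        if norm_u == 0.0 or norm_v == 0.0:
            return 1.0  # an app with no features is maximally distant
        return 1.0 - dot / (norm_u * norm_v)

    def score(self, app, exclude=None):
        # k-NN anomaly score: mean cosine distance to the k closest benign apps.
        v = self.vectorize(app)
        dists = sorted(self.cosine_distance(v, bv)
                       for i, bv in enumerate(self.vectors) if i != exclude)
        nearest = dists[:self.k]
        return sum(nearest) / len(nearest)

    def is_anomalous(self, app):
        return self.score(app) > self.threshold


if __name__ == "__main__":
    profile = BenignProfile(BENIGN_APPS, k=2)
    print(f"threshold = {profile.threshold:.3f}")
    for name, app in (("benign-like", NEW_BENIGN_LIKE), ("suspicious", SUSPICIOUS)):
        print(f"{name}: score={profile.score(app):.3f} anomalous={profile.is_anomalous(app)}")
```

Because the benign profile never saw SMS or boot-receiver features, the smoothed idf gives them the largest weights and the suspicious app's vector points away from every benign neighbor, so its score lands well above the threshold, while the camera app stays within the leave-one-out range of the training set. With a real corpus the threshold would be chosen on the detection-rate versus false-positive trade-off rather than as the training maximum.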
