CatraDroid: A Call Trace Driven Detection of Malicious Behaviors in Android Applications

The explosive growth of Android malware has created strong interest in efficient and precise malware detection approaches. Recent work has shown that machine learning-based malware classification is a promising direction, and that API-level features are highly discriminative between malware and benign apps; they have been used extensively in many forms. In this work we implement a lightweight classification system, CatraDroid, that recovers semantics at the call graph level to classify applications. CatraDroid uses text mining to extract a list of sensitive APIs from a knowledge base consisting of exploit databases, code samples, and codebase configurations. It builds a complete call graph for an Android application and identifies call traces from entry methods to sensitive API calls. Using these call traces as features, our classifier effectively discriminates Android malware from benign applications. Our evaluation shows that the approach outperforms the state-of-the-art API-level detection approach, with high-quality features extracted by efficient static analysis.
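The pipeline the abstract describes, as an added example that is not the CatraDroid authors' code: a constructed toy call graph in Smali-style method signatures, a hand-picked sensitive-API list standing in for the text-mined one, a depth-first enumeration of cycle-free call traces from entry methods to sensitive APIs, and a k-nearest-neighbour vote over Jaccard similarity standing in for the paper's classifiers. The abstraction of a trace to an (entry callback, sensitive API) feature is an assumption made here, not a detail taken from the paper.

```python
# Added example, not the CatraDroid implementation: call-trace feature
# extraction over a constructed Android call graph, plus a toy classifier.
from collections import Counter

# Constructed toy call graph: app method -> list of callees. Framework methods
# (Landroid/*, Ljava/*) are leaves because the app does not define them.
CALL_GRAPH = {
    "Lcom/app/MainActivity;->onCreate": [
        "Lcom/app/MainActivity;->init",
        "Lcom/app/Helper;->loadConfig",
    ],
    "Lcom/app/MainActivity;->init": ["Lcom/app/Helper;->collect"],
    "Lcom/app/Helper;->collect": [
        "Landroid/telephony/TelephonyManager;->getDeviceId",
        "Lcom/app/Helper;->send",
    ],
    # send() calls back into collect(): a cycle the traversal must not loop on.
    "Lcom/app/Helper;->send": [
        "Ljava/net/HttpURLConnection;->connect",
        "Lcom/app/Helper;->collect",
    ],
    "Lcom/app/Helper;->loadConfig": ["Landroid/content/SharedPreferences;->getString"],
    "Lcom/app/SmsReceiver;->onReceive": [
        "Landroid/telephony/SmsManager;->sendTextMessage",
    ],
}

# Assumed entry points (component lifecycle callbacks) and a hand-picked
# sensitive-API list; the paper mines its list from exploit databases etc.
ENTRY_POINTS = {"Lcom/app/MainActivity;->onCreate", "Lcom/app/SmsReceiver;->onReceive"}
SENSITIVE_APIS = {
    "Landroid/telephony/TelephonyManager;->getDeviceId",
    "Ljava/net/HttpURLConnection;->connect",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Landroid/location/LocationManager;->getLastKnownLocation",
}


def call_traces(graph, entry_points, sensitive_apis):
    """Return every simple (cycle-free) call path from an entry point to a sensitive API."""
    traces = []

    def dfs(node, path):
        for callee in graph.get(node, []):
            if callee in path:
                continue  # back edge: skip it instead of recursing forever
            if callee in sensitive_apis:
                traces.append(tuple(path) + (callee,))
                continue  # framework method: nothing further to descend into
            dfs(callee, path + [callee])

    for entry in sorted(entry_points):  # sorted for deterministic output
        dfs(entry, [entry])
    return traces


def trace_feature(trace):
    """Assumed abstraction: (entry callback name, sensitive API). Keeping the full
    app-specific path would give features that never recur across apps."""
    return (trace[0].split(";->")[1], trace[-1])


def feature_set(graph, entry_points=ENTRY_POINTS, sensitive_apis=SENSITIVE_APIS):
    return {trace_feature(t) for t in call_traces(graph, entry_points, sensitive_apis)}


# Constructed labelled training apps, already reduced to feature sets.
TRAINING = [
    ({("onCreate", "Landroid/telephony/TelephonyManager;->getDeviceId"),
      ("onCreate", "Ljava/net/HttpURLConnection;->connect"),
      ("onReceive", "Landroid/telephony/SmsManager;->sendTextMessage")}, "malware"),
    ({("onReceive", "Landroid/telephony/SmsManager;->sendTextMessage"),
      ("onCreate", "Ljava/net/HttpURLConnection;->connect")}, "malware"),
    ({("onCreate", "Ljava/net/HttpURLConnection;->connect")}, "benign"),
    ({("onCreate", "Ljava/net/HttpURLConnection;->connect"),
      ("onCreate", "Landroid/location/LocationManager;->getLastKnownLocation")}, "benign"),
    (set(), "benign"),
]


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def classify(features, training=TRAINING, k=3):
    """k-NN majority vote over Jaccard similarity of trace-feature sets (toy stand-in
    for the paper's classifiers). Stable sort keeps ties deterministic."""
    ranked = sorted(training, key=lambda item: -jaccard(features, item[0]))
    votes = Counter(label for _, label in ranked[:k])
    return votes.most_common(1)[0][0]


if __name__ == "__main__":
    for trace in call_traces(CALL_GRAPH, ENTRY_POINTS, SENSITIVE_APIS):
        print(" -> ".join(trace))
    print("verdict:", classify(feature_set(CALL_GRAPH)))
```

The cycle between `collect` and `send` is the case a naive traversal gets wrong; real app call graphs also contain implicit edges through the framework (callbacks, Handlers, AsyncTask), which a complete call graph must add explicitly or the trace from the entry method is never found.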
