On the Deterioration of Learning-Based Malware Detectors for Android

Classification using machine learning has been a major class of defense solutions against malware. Yet in the presence of a large and growing number of learning-based malware detection techniques for Android, malicious apps keep breaking out, with increasing momentum, in various Android app markets. In this context, we ask the question "what is it that makes new and emerging malware slip through such a great collection of detection techniques?". Intuitively, performance deterioration of malware detectors could be a main cause: trained on older samples, they are increasingly unable to capture new malware. To answer this question, this work sets out to investigate the deterioration problem in four state-of-the-art Android malware detectors. We confirmed our hypothesis that these existing solutions do deteriorate substantially and rapidly over time. We also propose a new classification approach that is built on the results of a longitudinal characterization study of Android apps with a focus on their dynamic behaviors. We evaluated this new approach against the four existing detectors and demonstrated significant advantages of our new solution. The main lesson learned is that studying app evolution provides a promising avenue for long-span malware detection.
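As an added illustration (not code from the paper or from any of the detectors it studies), the time-aware evaluation behind the deterioration claim: a toy naive Bayes detector over binary dynamic-behaviour features is trained on a single year of apps and then scored on each later year, whose malware gradually shifts to a different behaviour profile. The feature names, the yearly shift and every sample are assumptions constructed for this example.

```python
import math

FEATURES = ["net", "ui", "storage", "crypto", "sms", "telephony", "reflect", "dexload"]

def make_dataset():
    """Constructed toy data: per year, 4 benign apps and 4 malicious ones, of which
    (year - 2012) use a newer profile (reflection + dynamic code loading) instead
    of the older SMS/telephony profile. Returns (year, feature_set, is_malware)."""
    benign = [{"net", "ui", "storage"}] * 3 + [{"net", "ui", "storage", "crypto"}]
    old_mal, new_mal = {"sms", "telephony", "net"}, {"reflect", "dexload", "net", "ui"}
    data = []
    for year in range(2012, 2016):
        data += [(year, b, 0) for b in benign]
        data += [(year, new_mal if i < year - 2012 else old_mal, 1) for i in range(4)]
    return data

def train(samples):
    """Bernoulli naive Bayes with Laplace smoothing over binary behaviour features."""
    counts, totals = {0: [0] * len(FEATURES), 1: [0] * len(FEATURES)}, {0: 0, 1: 0}
    for _, feats, label in samples:
        totals[label] += 1
        for i, f in enumerate(FEATURES):
            counts[label][i] += f in feats
    probs = {c: [(n + 1) / (totals[c] + 2) for n in counts[c]] for c in (0, 1)}
    return probs, totals

def predict(model, feats):
    """1 (malware) when the posterior log-odds favour the malware class."""
    probs, totals = model
    score = math.log(totals[1] / totals[0])  # class prior
    for i, f in enumerate(FEATURES):
        p_mal, p_ben = [p if f in feats else 1 - p for p in (probs[1][i], probs[0][i])]
        score += math.log(p_mal / p_ben)
    return int(score > 0)

def f1(model, samples):
    """F1 score for the malware class."""
    preds = [(predict(model, feats), label) for _, feats, label in samples]
    tp = sum(p == 1 and l == 1 for p, l in preds)
    fp = sum(p == 1 and l == 0 for p, l in preds)
    fn = sum(p == 0 and l == 1 for p, l in preds)
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def temporal_f1(data, train_year):
    """Train once on train_year, then score that year and every later one;
    a falling curve is the deterioration the abstract describes."""
    model = train([s for s in data if s[0] == train_year])
    years = sorted({s[0] for s in data if s[0] >= train_year})
    return {y: f1(model, [s for s in data if s[0] == y]) for y in years}
```

Retraining on the newest year (`temporal_f1(make_dataset(), 2015)`) restores F1 to 1.0 on that year, which is the sustainability question the paper's longitudinal approach targets.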
