Identifying Android malware with system call co‐occurrence matrices

With the popularity of Android devices, mobile malware on Android has become more prevalent. Malware causes considerable harm to users, such as stealing personal information and consuming excessive battery or CPU. Detecting mobile malware is therefore a central task in Android security. In this work, we use a dynamic analysis method to distinguish malware by its system call sequences. First, we trace the system calls of applications under different events. Then two different feature models, the frequency vector and the co-occurrence matrix, are employed to extract features from the system call sequence. Finally, we apply Adaptive Regularization Of Weight Vectors and other machine learning algorithms to identify Android malware based on each of the two models. We evaluate our method with 1189 benign applications and 1227 malicious applications. The experimental results show that the co-occurrence matrix achieves a much better detection rate than the frequency vector. Our best detection rate is 97.7 per cent with a false positive rate of 1.34 per cent, which is better than those of the existing methods. Copyright © 2016 John Wiley & Sons, Ltd.
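The abstract contrasts the two feature models without showing what they look like. The following is an added example, not code from the paper: it parses a constructed strace-style trace into an ordered list of system call names, builds the frequency vector and the co-occurrence matrix over a fixed vocabulary, and shows why the latter carries more information. The window size (3), the call names and both traces are assumptions made for illustration; the two traces are deliberately chosen to contain the same multiset of calls in different orders, so their frequency vectors are identical while their co-occurrence matrices differ.

```python
"""Frequency-vector and co-occurrence-matrix features from a system call trace.

Added example (not the paper's code). The window size and the call names
below are assumptions; the traces are constructed, not real captures.
"""
from collections import Counter

# Constructed trace in strace-like "name(args) = ret" form (not a real capture):
# a file is read and its contents are sent over a socket.
TRACE_A = """\
openat(AT_FDCWD, "/data/contacts.db", O_RDONLY) = 5
read(5, "...", 4096) = 4096
close(5) = 0
socket(AF_INET, SOCK_STREAM, 0) = 6
connect(6, {sa_family=AF_INET}, 16) = 0
write(6, "...", 4096) = 4096
close(6) = 0
"""

# Same multiset of calls as TRACE_A, different order: data is received from
# the socket and written to a local file. Frequency counts cannot tell these apart.
TRACE_B = """\
socket(AF_INET, SOCK_STREAM, 0) = 6
connect(6, {sa_family=AF_INET}, 16) = 0
read(6, "...", 4096) = 4096
close(6) = 0
openat(AT_FDCWD, "/data/cache.tmp", O_WRONLY) = 5
write(5, "...", 4096) = 4096
close(5) = 0
"""


def parse_syscalls(trace):
    """Return the ordered list of syscall names from strace-like lines."""
    names = []
    for line in trace.splitlines():
        line = line.strip()
        if not line or "(" not in line:
            continue  # skip blank lines and anything that is not a call line
        names.append(line.split("(", 1)[0])
    return names


def build_vocab(*call_lists):
    """Sorted vocabulary over every call name seen in the given traces."""
    return sorted({name for calls in call_lists for name in calls})


def frequency_vector(calls, vocab):
    """Model 1: how many times each vocabulary call appears (order is discarded)."""
    counts = Counter(calls)
    return [counts[name] for name in vocab]


def cooccurrence_matrix(calls, vocab, window=3):
    """Model 2: entry [a][b] counts how often call b follows call a within
    `window` positions, so local ordering is retained. Window size is an assumption."""
    index = {name: i for i, name in enumerate(vocab)}
    n = len(vocab)
    matrix = [[0] * n for _ in range(n)]
    for i, a in enumerate(calls):
        if a not in index:
            continue  # calls outside the vocabulary contribute nothing
        for b in calls[i + 1:i + 1 + window]:
            if b in index:
                matrix[index[a]][index[b]] += 1
    return matrix


def flatten(matrix):
    """Row-major flattening so the matrix can be fed to a linear classifier."""
    return [v for row in matrix for v in row]


def compare_models(trace_a, trace_b, window=3):
    """Return (same_frequency_vector, same_cooccurrence_matrix) for two traces."""
    calls_a, calls_b = parse_syscalls(trace_a), parse_syscalls(trace_b)
    vocab = build_vocab(calls_a, calls_b)
    same_freq = frequency_vector(calls_a, vocab) == frequency_vector(calls_b, vocab)
    same_cooc = cooccurrence_matrix(calls_a, vocab, window) == cooccurrence_matrix(calls_b, vocab, window)
    return same_freq, same_cooc


if __name__ == "__main__":
    calls_a, calls_b = parse_syscalls(TRACE_A), parse_syscalls(TRACE_B)
    vocab = build_vocab(calls_a, calls_b)
    print("vocab:", vocab)
    print("freq A:", frequency_vector(calls_a, vocab))
    print("freq B:", frequency_vector(calls_b, vocab))
    print("cooc A:", flatten(cooccurrence_matrix(calls_a, vocab)))
    print("cooc B:", flatten(cooccurrence_matrix(calls_b, vocab)))
    print("identical under (frequency, co-occurrence):", compare_models(TRACE_A, TRACE_B))
```

In a real pipeline the flattened matrix (or the frequency vector) would be the input row for the classifier; with a vocabulary of a few hundred syscalls the matrix is large but sparse, which is why an online linear learner such as AROW is a natural fit for it.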
