A Novel Dynamic Android Malware Detection System With Ensemble Learning
According to IDC statistics [1], Android captured 85% of the smartphone market in Q1 2017. With millions of applications in different markets, it provides a wealth of functionality to Android users, such as instant messaging, location-based services, online shopping and gaming. Unfortunately, smartphones running the Android operating system are increasingly targeted by cybercriminals and infected with malicious applications. Because it allows installing applications from untrustworthy third-party markets, the Android platform can easily be attacked by distributing applications bundled with malware. McAfee security reports [2] that, in the first quarter of 2017, the total number of mobile malware samples reached more than 16,000,000. There is an urgent need for effective and efficient [...]ness of the permission mechanism. As a consequence, the permission control mechanism can hardly limit the propagation of malicious applications.

Machine learning techniques, which can automatically infer behavior properties of applications when combined with program analysis techniques, have become mainstream in the identification of malicious applications. These program analysis techniques can be roughly categorized into static approaches and dynamic approaches. Drebin [3], ICCDetector [4], and MamaDroid [5] perform static analysis to extract behavior features such as requested permissions, API calls, intent types and network addresses from applications, and apply standard machine learning algorithms to perform malware classification. Static analysis is advantageous for scanning and checking malicious applications quickly. To evade static analysis, many malicious applications adopt a series of transformation techniques, such as bytecode encryption, reflection and native code execution. These transformation techniques greatly challenge static analysis methods. In contrast, dynamic analysis, performed by monitoring the runtime behaviors of applications in real or virtual environments, has become promising because of its ability to resist code transformation techniques. Crowdroid [6], DroidDolphin [7], and Droidward [8] perform dynamic analysis to monitor runtime behaviors such as API calls, system calls, and hidden-icon operations, and combine them with supervised learning algorithms to implement effective malware detection.

In this work, we focus on runtime monitoring and profiling of applications for multiple types of behavior features, and implement highly effective malware detection. We perform a broad dynamic analysis and extract various features covering a wide variety of malicious behaviors such as personal information stealing, premium service subscription, malicious service communication, and complex anti-analysis techniques like malicious code encryption and dynamic code loading [9]. As stated in MADAM [10], system calls describe the behavior of the device at the lowest level. Furthermore, any action performed by an application is eventually translated into a sequence of system calls. Therefore, we integrate the system call trace of an application to handle malicious behaviors that cause damage to the system or to other applications, such as process tracing, blocking signals to a process, or interfering with the execution of other processes.
EnDroid consists of two phases, the Training Phase and the Detection Phase, as shown in Fig. 1. In the training phase, EnDroid extracts dynamic behavior features by monitoring the operations of benign and malicious applications, and generates a feature vector for every processed application. EnDroid takes the generated feature vectors of benign and malicious applications as input and trains a variety of base classifiers. Based on the prediction probabilities of these base classifiers for each application, EnDroid trains a final classification model by adopting a meta-classifier. This classification model can be used to distinguish between benign and malicious applications, and is delivered to the detection phase. In the detection phase, EnDroid generates a feature vector for each unknown application, and the classification model judges whether the unknown application is benign or malicious based on its feature vector.
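The two-phase design just described (dynamic behavior flags turned into a feature vector, several base classifiers each producing a malware probability, and a meta-classifier trained on those probabilities) is shown below as an added example in Python. It is not EnDroid's code and not the paper's feature set: the feature names, the constructed labelled sample, the two base learners (a Bernoulli naive Bayes and a nearest-centroid scorer) and the logistic-regression meta-classifier are all assumptions chosen to keep the example self-contained. The meta-classifier is fitted on a held-out half of the training data so that it never sees probabilities the base classifiers were fitted on, a standard precaution for stacked ensembles.

```python
"""Stacked (base classifiers + meta-classifier) malware detector over dynamic-behaviour flags.
Added illustration; feature names, data and learners are constructed, not EnDroid's."""
import math
import random

# Constructed feature names: runtime behaviours of the kind the paper monitors
# (premium SMS, data access, dynamic code loading, system-call level interference).
FEATURES = ["sms_to_premium_number", "reads_contacts", "dynamic_dex_load",
            "ptrace_syscall", "unknown_host_connect", "hides_launcher_icon",
            "reads_device_id", "kill_other_process"]


def make_dataset(n_per_class=60, seed=7):
    """Constructed sample: benign apps rarely raise the flags, malicious apps often do."""
    rng = random.Random(seed)
    benign_p = [0.05, 0.30, 0.05, 0.01, 0.10, 0.02, 0.20, 0.02]
    mal_p = [0.60, 0.70, 0.50, 0.30, 0.65, 0.40, 0.75, 0.25]
    X, y = [], []
    for label, probs in ((0, benign_p), (1, mal_p)):
        for _ in range(n_per_class):
            X.append([1 if rng.random() < p else 0 for p in probs])
            y.append(label)
    return X, y


class BernoulliNB:
    """Base classifier 1: per-feature Bernoulli likelihoods with Laplace smoothing."""
    def fit(self, X, y):
        n1 = sum(y); n0 = len(y) - n1; d = len(X[0])
        self.prior = [n0 / len(y), n1 / len(y)]
        self.theta = [[(sum(x[j] for x, t in zip(X, y) if t == c) + 1) / (nc + 2)
                       for j in range(d)] for c, nc in ((0, n0), (1, n1))]
        return self

    def predict_proba(self, x):
        logp = []
        for c in (0, 1):
            lp = math.log(self.prior[c])
            for xj, th in zip(x, self.theta[c]):
                lp += math.log(th) if xj else math.log(1 - th)
            logp.append(lp)
        m = max(logp)
        z = [math.exp(v - m) for v in logp]       # normalise in log space
        return z[1] / sum(z)                      # P(malicious | x)


class NearestCentroid:
    """Base classifier 2: distance to each class centroid, softmaxed into a probability."""
    def fit(self, X, y):
        d = len(X[0]); self.c = []
        for cls in (0, 1):
            rows = [x for x, t in zip(X, y) if t == cls]
            self.c.append([sum(r[j] for r in rows) / len(rows) for j in range(d)])
        return self

    def predict_proba(self, x):
        dist = [sum((a - b) ** 2 for a, b in zip(x, cen)) for cen in self.c]
        w = [math.exp(-dd) for dd in dist]        # closer centroid -> larger weight
        return w[1] / sum(w)


class LogisticMeta:
    """Meta-classifier: logistic regression over the base classifiers' probabilities."""
    @staticmethod
    def _sigmoid(z):
        return 1.0 / (1.0 + math.exp(-z))

    def fit(self, P, y, epochs=2000, lr=0.5):
        k = len(P[0]); self.w = [0.0] * k; self.b = 0.0
        for _ in range(epochs):                   # plain batch gradient descent
            gw = [0.0] * k; gb = 0.0
            for p, t in zip(P, y):
                err = self.predict_proba(p) - t
                gw = [g + err * pi for g, pi in zip(gw, p)]; gb += err
            self.w = [wi - lr * g / len(P) for wi, g in zip(self.w, gw)]
            self.b -= lr * gb / len(P)
        return self

    def predict_proba(self, p):
        return self._sigmoid(sum(wi * pi for wi, pi in zip(self.w, p)) + self.b)


class StackedDetector:
    """Training phase: fit bases, then fit the meta-classifier on their probabilities.
    Detection phase: predict_proba / predict on an unknown app's feature vector."""
    def __init__(self):
        self.bases = [BernoulliNB(), NearestCentroid()]
        self.meta = LogisticMeta()

    def fit(self, X, y):
        idx = list(range(len(X))); random.Random(1).shuffle(idx)
        a, b = idx[:len(X) // 2], idx[len(X) // 2:]   # held-out split for the meta stage
        for base in self.bases:
            base.fit([X[i] for i in a], [y[i] for i in a])
        self.meta.fit([self._stack(X[i]) for i in b], [y[i] for i in b])
        return self

    def _stack(self, x):
        return [base.predict_proba(x) for base in self.bases]

    def predict_proba(self, x):
        return self.meta.predict_proba(self._stack(x))

    def predict(self, x):
        return 1 if self.predict_proba(x) >= 0.5 else 0


def accuracy(model, X, y):
    return sum(model.predict(x) == t for x, t in zip(X, y)) / len(y)


if __name__ == "__main__":
    X, y = make_dataset()
    Xtr, ytr, Xte, yte = X[::2], y[::2], X[1::2], y[1::2]
    model = StackedDetector().fit(Xtr, ytr)
    print("held-out accuracy:", accuracy(model, Xte, yte))
    print("all flags raised ->", model.predict([1] * len(FEATURES)))
```

The base learners are deliberately simple; in practice the same `StackedDetector` shape works with any base classifier that exposes a `fit` and a `predict_proba`, and the meta stage is where a weak base learner gets a small weight rather than a veto.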
The Android platform provides several security mechanisms that limit the function of malware, most notably the Android permission control mechanism. To perform certain sensitive operations, such as obtaining contact information, applications must explicitly declare the permissions they need for these operations and obtain the user's consent. However, this mechanism places an important responsibility on both developers and users