1 Introduction

With the popularization and rapid development of mobile technologies and the Internet, the number of smartphones in use has grown explosively. According to the Internet Data Center (IDC), the total number of smartphones shipped worldwide in 2016 hit a record number [22]. The Operating System (OS) provides the core phone experience. Based on smartphone vendor market share information provided by Statista, smartphones running the Android OS account for over 80% of all devices shipped worldwide [24]. Android has become the most popular operating system for smartphones and has strongly driven the e-commerce and economy of several countries across the globe.

Such an OS has brought users not only convenience in daily life but also improvements in quality of life. Despite these advantages, security issues have also emerged. Attention to leakage through Android Apps is growing together with the Android system's market share. In 2010, the first SMS (Short Message Service) Trojan for the Android system was reported by Kaspersky; it was used to steal users' personal property. Reports by G DATA showed that the number of malware samples for Android systems rose to 2.333 million in 2015, with a new malicious application for the system produced every 11 s [13]. According to the 360 Internet Security Center, the malware it intercepted and added reached 14.303 million in 2016, about 38 thousand new malware samples per day on average. The main types of malicious applications are cost consumption, malicious chargeback, privacy theft and remote control; cost consumption mainly covers advertising and traffic consumption [1]. The rapid growth of Android malware not only degrades the performance of devices but also causes several kinds of loss.

The harm caused by malicious actions motivates more attention to malware detection so that unexpected events can be avoided. To control malware, mobile devices have adopted traditional approaches such as antivirus software, although these are not the most efficient [23]. Because the signature database needs continuous modification, attackers can keep updating their malware to circumvent many different detection methods. As new malware Apps appear, the data in signature databases are updated regularly, e.g. every day. This process demands excessive memory and power, which reduces smartphone performance. Intrusion detection systems have also been applied to malware detection; nevertheless, they show low reliability in detecting attack activities [14]. A traditional intrusion detection system identifies attacks by traditional rule matching, and since complicated and unknown attacks are difficult to detect by rule matching, effective detection methods are needed to overcome this problem.

This paper presents the application of a novel machine learning algorithm for software classification that uses exact features obtained from dynamic analysis of malware samples to classify samples as ‘malicious’ or ‘benign’. The proposed method is developed as a proactive method aimed at uncovering unknown malicious Android samples, so as to reduce the number of Android malware incidents in which detection is evaded. That is, this work focuses on malware detection in Android-based systems by performing dynamic analysis of exact malware behavior and applying a novel ML (Machine Learning) classification algorithm. The contributions are as follows:

  1) A data set of 42 malware family types and 1299 samples is collected from the Baidu mobile application market and https://virusshare.com/. Without any previously available public data sets, analyzing Android malware is difficult;

  2) A novel classification algorithm is used to detect malware Apps. To our knowledge, no recent research applies this novel classification algorithm to the detection of malicious Apps. The evaluation assesses nine types of classifiers in this study, namely K-Nearest Neighbor (KNN), Naive Bayesian (NB), Support Vector Machine (SVM), Random Forest (RF), Logistic Regression (LR), Decision Tree (DT), Linear Discriminant Analysis (LDA), Back Propagation (BP) and the proposed machine learning classification algorithm. Among them, Back Propagation (BP) is the typical shallow neural network;

  3) A detection model was successfully designed and built, and experiments show effective detection rates.

The remainder of this paper is organized as follows. Section 2 presents the related work, and Section 3 describes the proposed strategy for Android malware detection. Experimental results that verify the proposed method are presented in Section 4, and finally, concluding remarks and directions for future work are given in Section 5.

2 Related work

Current Android malware detection approaches fall into two types, static and dynamic analysis [26]. The former applies control flow analysis to the disassembled application files without executing them [3, 9, 11, 12]. Zhou et al. [33] developed a system named DroidMOSS that detects malicious applications using a fuzzy hashing technique to find abnormal behavior. In [4], Chan et al. proposed DroidChecker, a tool to analyze Android applications that combines control flow analysis with static taint detection. Wu et al. proposed DroidMat [27], a system that extracts information related to permissions and intent filters; their results showed that such a system can efficiently detect malware. In [20], Sato et al. used manifest files to detect malware, while Zhang et al. proposed a semantics-based method built on dependency graphs to detect Android malware [30]. Yang et al. proposed AppContext, based on the context of sensitive behavior [28], and finally, Elish et al. developed a static analysis method based on user-trigger dependence [8]. Although static analysis has the advantages of high efficiency, ease of operation and low cost, it cannot observe malware during code execution [11].

The latter monitors the behavior of Android malware in a running environment. To ensure the diversity and integrity of the collected data, which requires additional processing, researchers usually spend additional time on preparation; hence, dynamic analysis requires more time than static analysis. Chin et al. [6] provided a detection tool called ComDroid that identifies security risks by detecting application communication vulnerabilities. In [15], Isohara et al. proposed a dynamic analysis method based on kernel behavior analysis, in which known samples are analyzed first to establish a rule database; for an unknown sample, its behavior is collected first and then matched against the rule database to decide whether it is malicious. Lin et al. proposed the SCSdroid detection mechanism based on common system call sequences, which achieved a high detection accuracy of 95.97% [16]. Next, Zheng et al. designed a ptrace-based dynamic analysis system called DroidTrace that detects payload behaviors through file access, inter-process communication and system call sequences [32]; nevertheless, it is pointed out in [11] that connecting a phone to a computer and driving it with Linux commands is inconvenient. In [2], Alzaylaee et al. implemented a tool that automatically extracts feature data and then applies the Random Forest, Naive Bayes, Multilayer Perceptron, Simple Logistic, J48 decision tree, PART and SVM classification algorithms for data classification; experiments showed that this tool extracts dynamic features effectively when compared to emulators. In [17], Mahindru et al. extracted 123 dynamic permission features from 11,000 samples and evaluated five classifiers (Naive Bayes, Decision Tree, Random Forest, Simple Logistic and K-Star) on the testing dataset for the detection of malicious samples. Finally, Das et al. proposed a hardware-enhanced architecture based on a field-programmable gate array (FPGA) to detect malware at runtime, whose major contribution is support for early prediction [7].

3 Proposed method

In this section, the complete diagram of the proposed detection process is presented and discussed. First, information about benign and malicious Android-based Apps is collected: the runtime system call records of a set of known benign and malicious Android-based Apps are acquired with a dynamic method and then analyzed through feature extraction, building one feature vector table for benign Apps and another for malicious Apps. The records of the different interface calls reflect the behavior of the Android-based Apps, whether benign or malicious. To distinguish the two classes, different labels are set in the feature vector tables. Next, the benign and malicious feature vector tables are stored and the detection model is built, i.e. the stored data are used to train the machine learning classifier, as depicted in Fig. 1. To detect an unknown Android-based App, its runtime system call data are acquired first, the App's feature vector is extracted from these data, and the feature vector is then fed into the detection model to evaluate the App's behavior. The detection model is designed and implemented on a novel machine learning classification algorithm, and the model is established and refined dynamically as it is trained with the incoming data. New data are classified as malicious or benign by giving them to the detection model as input. In this research, establishing the detection model means training the machine learning classification algorithm to learn the benign or malicious behavior of Android-based Apps.

Fig. 1 Detection stage processing

3.1 Data collection phase

Benign Android-based Apps are downloaded from the Baidu Mobile Application market; they fall into 10 major categories and number 920 Apps. In addition, 379 malicious Android-based Apps belonging to different types are selected and downloaded from https://virusshare.com/. The pool of Android-based Apps used in the experiments is randomly varied.

3.2 Feature extraction phase

A considerable number of Android-based Apps is obtained after the stage described in subsection 3.1. In this research, malware detection is built on the analysis of runtime system call data acquired while the Android-based Apps run. Obtaining useful runtime system call data requires the operating system's support, so hook technology [18] is adopted. The ways in which the runtime system calls can be acquired are described next.

To record App runtime system calls, the Android OS source code should be modified to make sure that the key interfaces are intercepted, which first requires locating those key interfaces in the OS source code. Next, a hook is created by overriding the initZygote method. In addition, the Android-based device needs to be updated with the related information of each intercepted interface, such as class name, function name and incoming parameters. With this, the Android-based smartphone can record App runtime system calls. As depicted in Fig. 2, all Android-based Apps use system calls to control hardware such as media and storage. Thus the behavior of an App is represented by its runtime system call records, given that the application framework provides the basic services for developers to build an Android application; the framework relies on core libraries that eventually use the system call interfaces to drive concrete system events (i.e., application operations such as an Internet connection) [11].

Fig. 2 System call flowchart

As mentioned, we must make sure that the key interfaces are intercepted before recording an App's runtime system calls. In the proposed design, these key interfaces are of three types: (1) sensitive interfaces, (2) external interfaces and (3) special interfaces.

Type (1), the privacy information interfaces, covers data from SIM cards, email accounts, social media accounts, phone records, IP addresses, multimedia files and handset models; type (2) includes the network, Bluetooth, short message, telephone, USB, communication, system and file read-write interfaces; and type (3) mainly includes the certification interface. To modify the OS source code, we must first locate each key interface in the Android OS source code, recording the intercepted key interface name, its function description, the corresponding location in the source code and the corresponding intercepted function name, as listed in Table 1.

Table 1 Some key interfaces and their source locations in the framework layer

A Comma-Separated Values (CSV) table of call records is generated for an Android-based App at runtime; it contains the timestamps of the App's calls, the calling interfaces and the called functions. Table 2 shows the runtime system call records of App1.

Table 2 The runtime system call records of App1

Features are obtained from the runtime system call records by a statistical method. Formally, a feature is denoted by the name of a function. The value of the feature is set to 1 if the Android-based App calls the function and to 0 otherwise. In the feature vector table, an Android-based App is denoted by a feature vector X = (x1, …, xm), where m is the number of features and xi is the value of the i-th feature. The label of an App is denoted by y ∈ {{1, −1}, {−1, 1}}, with y = {1, −1} for benign Apps and y = {−1, 1} for malware Apps. There are 166 different functions, so the first 166 columns of the feature vector table hold the features of an App, while the last column holds its label. The vector representing an App is then fed into the classifiers to detect its status, malicious or not. The features of App1 are depicted in Fig. 3, where Fun1, Fun2, Fun35, Fun162, Fun163, Fun164, Fun40, Fun60, Fun61, Fun70, Fun63, Fun88, Fun108, Fun109, Fun115, Fun71, Fun89 and Fun166 are invoked by App1 at runtime. At the bottom of Fig. 3, the values of these functions are 1 in the second row of the feature table. The value of Fun3 is 0 in the second row of the feature table, since Fun3 is not invoked by App1. The label of App1 is {1, −1}, given that App1 is a benign application.

Fig. 3 Features from the call records of App1 runtime

The features of the applications are stored as a table in a database, and these feature vectors are used to train the classifier. The first 166 columns of the feature table are taken as the input of the classifier, and the last column as its output. With this input-output relation, the design of the classifier detection model is complete, and training and testing can begin.
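The feature extraction of Section 3.2, written out as an added Python example that is not the authors' code: a CSV of call records (timestamp, interface, function) becomes a binary presence vector over the function vocabulary plus the {1, −1}/{−1, 1} label, and a per-function count over many Apps gives the kind of statistic shown in Table 3. The vocabulary, the CSV rows and the interface names are constructed for the example; the real 166 function names are not on the page.

```python
import csv
import io
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# Constructed stand-in for the paper's vocabulary of 166 hooked functions; the real
# names come from the intercepted interfaces of Table 1 and are not on the page.
FUNCTION_VOCAB: List[str] = ["Fun1", "Fun2", "Fun3", "Fun35", "Fun60", "Fun166"]

# Label encoding of Section 3.2: benign -> {1, -1}, malware -> {-1, 1}.
LABELS: Dict[str, Tuple[int, int]] = {"benign": (1, -1), "malware": (-1, 1)}

# Constructed CSV of runtime call records for one App, in the column layout the
# paper describes for Table 2 (timestamp, calling interface, called function).
# Timestamps and interface names are invented for this example.
APP1_CSV = """timestamp,interface,function
1001,TelephonyManager,Fun1
1002,TelephonyManager,Fun2
1003,SmsManager,Fun35
1004,FileOutputStream,Fun60
1005,SmsManager,Fun35
1006,UnknownInterface,FunNotInVocab
"""


def functions_called(csv_text: str) -> Set[str]:
    """Distinct function names appearing in an App's call record table."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["function"].strip() for row in reader}


def feature_vector(csv_text: str, vocab: Sequence[str] = FUNCTION_VOCAB) -> List[int]:
    """Binary presence vector X = (x_1, ..., x_m) over the function vocabulary.

    A function called several times still yields 1 (presence, not a count), and
    functions outside the vocabulary are ignored because the feature table has
    no column for them.
    """
    called = functions_called(csv_text)
    return [1 if name in called else 0 for name in vocab]


def feature_row(csv_text: str, label: str,
                vocab: Sequence[str] = FUNCTION_VOCAB) -> Tuple[List[int], Tuple[int, int]]:
    """One row of the feature vector table: the m feature values followed by the
    label column holding the pair {1, -1} (benign) or {-1, 1} (malware)."""
    return feature_vector(csv_text, vocab), LABELS[label]


def call_prevalence(csv_texts: Iterable[str],
                    vocab: Sequence[str] = FUNCTION_VOCAB) -> Dict[str, int]:
    """Number of Apps calling each vocabulary function, i.e. the per-function
    count behind a statistic such as Table 3 ('called by 100 out of 379 Apps')."""
    counts = dict.fromkeys(vocab, 0)
    for text in csv_texts:
        for name in functions_called(text) & set(vocab):
            counts[name] += 1
    return counts
```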

3.3 Machine learning classifier phase

3.3.1 A novel classification algorithm

The architecture of a traditional neural network is composed of three layers: input layer, hidden layer and output layer. As shown in Fig. 4, this research uses a novel type of neural network as the underlying architecture; it differs from the traditional one in two aspects of its bounded weight adjustment. One is that a single parameter is adjusted in each cycle and the change is kept only when the error is less than or equal to the previous error (the threshold); the other is that the weights connecting the hidden layer with the output layer are fixed, which controls the time consumption. The detailed procedure of the novel neural network is provided next.

Fig. 4 The architecture of the novel neural network

BP is a typical algorithm in artificial neural networks. It adopts the gradient descent algorithm to adjust the weights and achieve convergence, whereas the novel neural network adopts a Monte Carlo algorithm to adjust the weights and achieve convergence. In addition, BP changes all weights of the weight matrices at a time, while the novel neural network changes one weight of the weight matrices at a time.

Let xj (j = 1, …, M) be the input of the novel neural network and ol (l = 1, …, L) its output, calculated by Formula (4). The yi (i = 1, …, N) store the intermediate results of the novel neural network, given by Formula (3).

  1) Hidden layer:

$$ q_i=\sum_{j=1}^{M} v_{ij}\, x_j - b_i,\quad i=1,2,\dots,N $$
(1)
$$ f_A(x)=\begin{cases}\dfrac{\sin(x)}{x}, & x\neq 0\\[4pt] 1, & x=0\end{cases} $$
(2)
$$ y_i=f_A\left(\beta_i q_i\right),\quad i=1,2,\dots,N $$
(3)

  2) Output layer:

$$ o_l=f_l\left(\sum_{i=1}^{N} w_{li}\, y_i\right),\quad l=1,2,\dots,L $$
(4)

In Formula (1), vij (i = 1, …, N; j = 1, …, M) is the weight matrix connecting the input layer to the hidden layer, bi (i = 1, …, N) is the bias matrix of the hidden layer, qi (i = 1, …, N) is the activation matrix of the hidden layer, and fA denotes the activation function of the hidden layer; in Formula (2), fA is set to sinc. βi (i = 1, …, N) denotes the coefficient matrix of the hidden layer. wli (l = 1, …, L; i = 1, …, N) denotes the weight matrix connecting the hidden layer and the output layer, and fl denotes the activation function of the output layer; in Formula (4), fl is set to the linear function. To reduce the computation cost, wli and fl are randomly initialized and fixed afterwards during training, so that only the parameters of the hidden layer are changed. Two outcomes are possible: one is a benign App and the other is a malware App. The cost function of the mobile malware classification system is defined next, as shown in (5).

$$ \Delta F=\frac{1}{L}\sum_{\substack{l=1\\ o_l \cdot o_{l0}<d}}^{L}\left(\left(o_{l1}\cdot o_{l10}-d\right)^2+\left(o_{l2}\cdot o_{l20}-d\right)^2\right) $$
(5)

For the classification problem, the output of the novel neural network has two neurons. ol1 and ol2 denote the actual outputs of the novel neural network, ol10 and ol20 denote the labels of the data set, and d denotes the separating margin. For a benign App, (ol10, ol20) is {1, −1}; otherwise it is {−1, 1}.

H. Zhao et al. recalled the idea of randomly adjusting the parameter values and proposed a novel neural network algorithm [31]. In recent years, H. Chen et al. achieved good performance with this novel neural network algorithm on colon cancer dataset and Heihe River dataset [5], and B. Yong et al. also achieved promising results on time series prediction [29].

The flowchart of the algorithm is presented in Fig. 5, and the main procedure of the novel neural network is detailed next:

Fig. 5 The flowchart of algorithm

  1) Weight initialization

wli (l = 1, …, L; i = 1, …, N) is randomly initialized as +1 or −1, fl is initialized as the linear function, vij (i = 1, …, N; j = 1, …, M) is initialized to a random value between +1 and −1, and βi (i = 1, …, N) and bi (i = 1, …, N) are initialized to random values between +1 and −1. e denotes the change applied to vij, βi or bi, and is initialized to a random value between +0.1 and −0.1. For different applications, these weights can be initialized with different values.

  2) Input the samples

The input samples, which are the feature vectors of the Apps, are fed into the novel neural network; the category of each App is the network's output.

  3) Adjust the weights

This step describes how the weights are adjusted. One weight matrix from {vij, βi, bi} is randomly chosen, and then one weight of the selected matrix is picked. e is the small change value: for instance, if one weight of βi (i = 1, …, N) is adjusted, then βi(new) = βi(old) + e. To reduce the computation cost, the old values of qi (i = 1, …, N) and yi (i = 1, …, N) must be stored, and only the hidden node affected by the changed weight is re-calculated. That is, a temporary array whose size (in memory) equals the number of hidden nodes is allocated to store the outputs of the hidden nodes. Next, the new values of qi and yi for that node are obtained, and ol and ΔF are calculated. If the new value of ΔF is less than or equal to the old value of ΔF, the changed weight is accepted and the new values of qi, yi, ol and ΔF are kept. Otherwise, the changed weight and the values of qi, yi, ol and ΔF are reverted to their old values.

  4) Repeat the above step for other weights

One weight matrix from {vij, βi, bi} is randomly chosen, and one weight of the selected matrix is randomly selected. The third step is repeated until the training reaches the termination condition.

  5) Stop training

The training termination condition is ΔF ≤ ΔF0, where ΔF0 is the stopping threshold.
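The novel neural network of Formulas (1) to (5) and steps 1) to 5), written out as an added Python example; this is not the authors' implementation. It assumes that e is redrawn for every trial, that Formula (5) is averaged over the training samples, and that the predicted class is the output neuron with the larger value (the page states no decision rule); the training data at the end are constructed.

```python
import math
import random
from typing import List, Sequence, Tuple

Label = Tuple[int, int]  # benign = (1, -1), malware = (-1, 1), as in Section 3.2


def sinc(x: float) -> float:
    """Formula (2): f_A(x) = sin(x)/x for x != 0 and 1 at x == 0."""
    return 1.0 if x == 0.0 else math.sin(x) / x


class MonteCarloNet:
    """Hidden layer q_i = sum_j v_ij x_j - b_i, y_i = sinc(beta_i q_i) (Formulas 1-3);
    output o_l = sum_i w_li y_i with w_li fixed to +1/-1 and linear f_l (Formula 4)."""

    def __init__(self, n_in: int, n_hidden: int, n_out: int = 2, seed: int = 0):
        self.rng = random.Random(seed)
        u = self.rng.uniform
        # Step 1: v, beta and b start as random values in (-1, 1).
        self.v = [[u(-1, 1) for _ in range(n_in)] for _ in range(n_hidden)]
        self.beta = [u(-1, 1) for _ in range(n_hidden)]
        self.b = [u(-1, 1) for _ in range(n_hidden)]
        # w_li is drawn once as +1 or -1 and never adjusted afterwards.
        self.w = [[self.rng.choice((1.0, -1.0)) for _ in range(n_hidden)]
                  for _ in range(n_out)]

    def hidden_node(self, i: int, x: Sequence[float]) -> float:
        q_i = sum(v_ij * x_j for v_ij, x_j in zip(self.v[i], x)) - self.b[i]
        return sinc(self.beta[i] * q_i)

    def hidden(self, x: Sequence[float]) -> List[float]:
        return [self.hidden_node(i, x) for i in range(len(self.b))]

    def output(self, y: Sequence[float]) -> List[float]:
        return [sum(w_li * y_i for w_li, y_i in zip(row, y)) for row in self.w]

    def predict(self, x: Sequence[float]) -> Label:
        # Assumed decision rule (not stated on the page): the larger output wins.
        o = self.output(self.hidden(x))
        return (1, -1) if o[0] >= o[1] else (-1, 1)

    def cost(self, hidden_cache: Sequence[Sequence[float]],
             targets: Sequence[Label], d: float) -> float:
        """Formula (5) as read here: each output whose signed agreement o*o0 is
        below the margin d contributes (o*o0 - d)^2, averaged over the samples."""
        total = 0.0
        for y, t in zip(hidden_cache, targets):
            for o_k, t_k in zip(self.output(y), t):
                agree = o_k * t_k
                if agree < d:
                    total += (agree - d) ** 2
        return total / len(targets)

    def train(self, X: Sequence[Sequence[float]], T: Sequence[Label], d: float = 1.0,
              stop: float = 0.0, max_steps: int = 2000, e_max: float = 0.1) -> List[float]:
        """Steps 2-5: Monte Carlo adjustment of one hidden-layer weight at a time.
        Returns the accepted cost after each trial (never increasing)."""
        # Step 3: cache y_i per sample so that only the hidden node whose weight
        # changed is recomputed after each trial (one column of the cache).
        cache = [self.hidden(x) for x in X]
        current = self.cost(cache, T, d)
        history = [current]
        while len(history) <= max_steps and current > stop:   # step 5
            group = self.rng.choice(("v", "beta", "b"))         # step 4
            i = self.rng.randrange(len(self.b))
            j = self.rng.randrange(len(X[0]))
            e = self.rng.uniform(-e_max, e_max)  # assumed: e redrawn every trial
            params = self.v[i] if group == "v" else (self.beta if group == "beta" else self.b)
            idx = j if group == "v" else i
            old_w, old_col = params[idx], [row[i] for row in cache]
            params[idx] = old_w + e
            for row, x in zip(cache, X):
                row[i] = self.hidden_node(i, x)
            trial = self.cost(cache, T, d)
            if trial <= current:          # accept: keep the weight and the new y_i
                current = trial
            else:                         # revert the weight and the cached y_i exactly
                params[idx] = old_w
                for row, old_y in zip(cache, old_col):
                    row[i] = old_y
            history.append(current)
        return history


if __name__ == "__main__":
    # Constructed toy data: an App that calls function 0 is labelled malware.
    X = [[1, 0, 0, 1], [1, 1, 0, 0], [1, 0, 1, 0], [1, 1, 1, 1],
         [0, 0, 0, 1], [0, 1, 0, 0], [0, 0, 1, 0], [0, 1, 1, 1]]
    T = [(-1, 1)] * 4 + [(1, -1)] * 4
    net = MonteCarloNet(n_in=4, n_hidden=8, seed=1)
    history = net.train(X, T, d=1.0, max_steps=1500)
    print("cost: %.4f -> %.4f" % (history[0], history[-1]))
    print([net.predict(x) for x in X])
```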

3.3.2 Other classification algorithms

In this section, a number of well-known classification algorithms are briefly introduced.

  • Back Propagation (BP): BP is an error back-propagation algorithm, one of the most widely applied shallow neural network models, which has successfully solved several practical problems. Following the ‘Occam's razor’ principle, BP chooses as few hidden neurons as possible under the high-precision precondition, whilst the proposed classifier algorithm has a broad range of choices for the number of hidden neurons under the same precondition,

  • Support Vector Machine (SVM): a typical machine learning algorithm released in the 90s, based on structural risk minimization and linear optimization theory. It is mainly applied to binary classification problems,

  • Decision Tree (DT): a classical supervised learning algorithm that builds a tree model from the attributes of the data. Shabtai et al. applied this algorithm and obtained very high detection results [21],

  • Random Forest (RF): an extension of the crisp decision tree, it is an ensemble classification algorithm proposed by L. Breiman. This algorithm has been applied and produced results with high accuracy [10], and has also been used in malware detection by Su et al. [25],

  • K-Nearest Neighbor (KNN): a simple classification algorithm based on the nearest neighbor technique; a sample is categorized according to the K nearest samples around it,

  • Naive Bayesian (NB): a classification algorithm based on Bayes' theorem and the assumption of conditional independence between features. It has three models: the polynomial model, the Gaussian model and the Bernoulli model,

  • Logistic Regression (LR): a common machine learning method. It can be used not only for regression problems but also for classification problems, using the regression equation fitted to the existing data to classify the data,

  • Linear Discriminant Analysis (LDA): a linear classifier, introduced into AI in the mid-90s.

4 Experimental results and analysis

The experimental environment is a computer server with an Intel Core i3 M350 2.27 GHz CPU, 8 GB RAM, Windows 7 64-bit OS and MySQL 5.5 installed, and one Android-based smartphone with a dual-core 1.2 GHz CPU, 16 GB ROM, 1 GB RAM and Android OS 4.0 installed. The Android Debug Bridge is used to link the computer server and the Android-based smartphone. The experiments for sample classification are developed in the Spyder environment with the Python programming language.

In the experiments, we use the “Hold-Out” validation technique [19], dividing the dataset into training, validation and testing datasets, as shown in Fig. 6. The dataset is split as follows: 25% for testing and 75% for training (dataset1); dataset1 is then divided again into 25% for validation and 75% for training (dataset2). The training and validation datasets are used to build the proposed detection model, whereas the testing dataset is used to evaluate the performance of the detection model. In the design of the proposed detection model, the number of hidden nodes, the hidden layer activation function and the separating margin are critical parameters; they are determined experimentally, using the accuracy on the validation dataset as the criterion for choosing them. Once the detection model is established, it is evaluated against several other models on the testing dataset. In addition, we analyze the runtime system call records of malware Android-based Apps to further understand them, and the behavior of malicious Apps at runtime is analyzed to defend against malware.

Fig. 6 The flowchart of “Hold-Out” validation

4.1 Proposed model

In the proposed method, the number of hidden nodes n, the activation function of the hidden layer fA and the separating margin d are important parameters, and since the proposed model is constructed by experimentation, they are chosen as shown in Fig. 6. The model has 166 input units and 2 output units.

At the top of Fig. 7, d is set to 10 and the number of hidden nodes n is varied smoothly from 400 to 9000. In this case the number of input nodes M, fA and the number of output nodes L are fixed, while vij, βi and bi are changed and updated. The figure shows that with n = 7500 the proposed method achieves the highest accuracy in validation. Next, in the central part of Fig. 7, with n set to 7500, the separating margin d is varied from 5 to 75; with d = 75 and n = 7500 the proposed method achieves the highest accuracy on the validation dataset. At the bottom of Fig. 7, with n = 7500 and d = 75, different neuron activation functions are applied in the hidden layer, and with fA = sinc the proposed method achieves the highest accuracy on the validation dataset.

Fig. 7 Different hidden nodes, separate margin and activation function results

4.2 Evaluation measures

For the classification problem, six evaluation metrics are adopted to evaluate the performance of the different methods: Accuracy, True-positive rate (TPR), False-positive rate (FPR), Precision, Recall and F-measure. They are defined as follows:

$$ Accuracy=\frac{TP+ TN}{TP+ FP+ TN+ FN} $$
(6)
$$ TPR=\frac{TP}{TP+ FN} $$
(7)
$$ FPR=\frac{FP}{TN+ FP} $$
(8)
$$ Precision=\frac{TP}{TP+ FP} $$
(9)
$$ Recall= TPR=\frac{TP}{TP+ FN} $$
(10)
$$ F\text{-}measure=\frac{2\cdot Recall\cdot Precision}{Recall+ Precision} $$
(11)

where True Positive (TP) is the number of Apps correctly classified as malware, True Negative (TN) is the number of Apps correctly classified as benign, False Positive (FP) is the number of benign Apps mistakenly classified as malware, False Negative (FN) is the number of malware Apps mistakenly classified as benign, Accuracy is the proportion of Apps (benign and malware) correctly classified, True-positive rate (TPR) is the proportion of malware Apps correctly classified as malware, False-positive rate (FPR) is the proportion of benign Apps mistakenly classified as malware, Precision is the ratio of TP to all Apps classified as malware, Recall is the proportion of TP among all malware Apps, and finally, F-measure is the weighted harmonic mean of Precision and Recall.

4.3 Comparison results

Figure 8 shows the Accuracy of the nine classifiers on the testing data set: the Accuracy of the proposed method is the highest among the nine classifiers at 97.85%, and the lowest is NB at 94.17%. Fig. 9 depicts the TPR of the nine classifiers on the same testing data set: the TPR of the proposed method is the highest at 98.7%, and the lowest is DT at 95.65%. Fig. 10 shows the FPR of the nine classifiers: the FPR of the proposed method is the lowest of all at 4.21%, and the highest is KNN at 9.47%. Figure 11 shows the Precision of the classifiers on the testing data set: the Precision of the proposed method is the highest at 0.9827, and the lowest is KNN at 0.9609. Fig. 12 depicts the Recall of the nine classifiers: the Recall of the proposed method is the highest at 0.987, and the lowest is KNN at 0.9609. Finally, Fig. 13 shows the F-measure of the nine classifiers: the F-measure of the proposed method is the highest at 0.9848, and the lowest is KNN at 0.9609.

Fig. 8 Comparison of Accuracy for nine classifiers

Fig. 9 Comparison of TPR for nine classifiers

Fig. 10 Comparison of FPR for nine classifiers

Fig. 11 Comparison of Precision for nine classifiers

Fig. 12 Comparison of Recall for nine classifiers

Fig. 13 Comparison of F-measure for nine classifiers

4.4 Analysis of call records of app runtime system

In this section, we discuss the call records of known malicious Android-based Apps to further understand them. As mentioned earlier, the feature vector table of the Android-based Apps provides information about the interfaces they call. Through statistical analysis, we identified the interfaces and functions that are called by 100 out of the 379 malware Apps, as shown in Table 3. Moreover, the top 15 interfaces most used by malware Android-based Apps can be classified into 4 categories: (1) interfaces providing network communication services, (2) interfaces providing storage operations, (3) interfaces for sending SMS messages, and (4) interfaces for storing user or system information. Analyzing these interfaces further, we note that the operating system applies a low-privilege access policy to them in Android 4.0 systems. Examples are as follows: (1) applications have access to the device ID, so malicious Apps can easily retrieve it; (2) all system information can be found in the /proc directory, so if a malicious App obtains root permission it can read the /proc directory to retrieve the system's information; (3) malicious Apps can easily attack users' phones, since they can easily access SMS messages by simply bypassing the permission mechanism. Due to this, many security firms focused on the permission mechanism of Android-based Apps, and such leakage motivated the introduction of dynamic permission management in Android 6.0 to enhance the security of the system.

Table 3 The interfaces and functions called by 100 out of 379 malware Apps

4.5 Analysis of the behaviors of malicious Apps

In this subsection, the behaviors of malicious Apps are analyzed from three aspects. (1) Masquerading: a Trojan horse can stop users from uninstalling the malicious App by hiding its icon or masquerading as a plug-in App; in such circumstances it is sometimes difficult for users to discover the malicious App. (2) Trigger condition: since a malicious App steals users' personal information, it usually has the characteristics of an active attack; during testing, one third of the malicious Apps tried to send SMS, and more than half tried to retrieve the device ID. (3) Purpose: most malicious Apps obtain access to users' private information and retrieve financial data by sending malicious messages or controlling the lock screen, while another part of the malware attempts to modify system files by obtaining root access.

5 Conclusions and future work

Detecting malicious attacks has been a challenging problem in the field of computer security. The rise of AI has made machine learning algorithms widely used for prediction and classification. With the increasing number and sophistication of malicious attacks, it is difficult to detect unknown and complicated attacks through traditional rule matching with existing technologies. Machine learning can “learn” the essential part of the investigated behavior by training on data, and “new” data not belonging to the training set can be accurately classified as malicious or benign by feeding the “new” data into the machine learning detection model.

This paper proposes the design of a novel malware detection system based on a newly designed machine learning classification algorithm. Different from previous versions, this novel classification algorithm randomly adjusts weights using a Monte Carlo algorithm. In addition, one weight of the weight matrices is changed at a time, within a small range, which is consistent with structural risk minimization and design risk minimization. Furthermore, the ideal model is chosen based on the accuracy value. Without any previously available public data sets, performing Android malware analysis was difficult; the significance of this research lies in having applied self-collected samples. Besides, we applied a dynamic method to collect the runtime system call records of Android-based Apps. Given that the logical structure of an App never changes at runtime, the proposed feature vector cannot be affected by the hardware and runtime environment. Evaluation metrics for analyzing the performance of the proposed method are defined, and the proposed model is compared to other methods. Comparative experimental results indicate that the proposed method achieves the best Accuracy, TPR, FPR, Precision, Recall and F-measure values.

As future work, the plans to continue the proposed research are fourfold. First, we will further divide the malware Apps according to their behaviors, so that the system not only detects malware Apps but also shows their details; this is a multi-class classification problem, whereas we have so far addressed only a binary classification problem. Second, parallel GPU acceleration technology will be used to improve the efficiency of the proposed system. Third, the machine learning classification algorithm will be improved in the following aspects: (1) combining the proposed machine learning algorithm with other classical algorithms to construct a composite algorithm, which may achieve better performance; the key to constructing a composite algorithm is to determine the weights of the different algorithms; (2) constructing an ensemble algorithm based on the proposed machine learning classification algorithm through Bagging or Boosting methods, since in recent years many applications have shown that such algorithms can achieve better performance than a single algorithm; and (3) applying a Genetic Algorithm (GA) to improve the proposed algorithm, since genetic algorithms have been widely used and have achieved effective results in BP and SVM optimization. Last, the novel machine learning classification algorithm will be applied in other medical and scientific applications, such as cancer detection and gender identification.