Continuous Learning for Android Malware Detection

Chen, Yizheng; Ding, Zhoujie; Wagner, David

doi:10.48550/arxiv.2302.04332

Cited by 2 publications

(5 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our current framework relies on the availability of ground truth labels for individual families every month. This is similar to Chen et al [13] where they assume a monthly labeling budget for active learning. Although this is an appropriate assumption for a post-hoc forensics framework, ground truth labels are scarce in real-world deployments.…”

Section: Limitations and Discussionmentioning

confidence: 53%

“…In our settings, drift was mostly caused by a malware family (although which one or whether more were present is irrelevant to the problem at hand). This is either because of the actual evolution of malware behaviors, imprecise abstractions and representations of the datasets, or a combination thereof, which calls for further research on drift detection [11,13,25,35,47] and programs' representations.…”

Section: Discussionmentioning

confidence: 99%

“…Follow-up research thus proposed various approaches to alleviate the impact of concept drift on the classifier's performance, including methods for drift detection [e.g., 11,22,23] and online learning [13,33,35,45]. While these methods compensate for the performance drop to some extent, none of them aims to analyze the root causes of the underlying drift.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Drift Forensics of Malware Classifiers

Chow,

Kan,

Linhardt

et al. 2023

Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security

View full text Add to dashboard Cite

The widespread occurrence of mobile malware still poses a significant security threat to billions of smartphone users. To counter this threat, several machine learning-based detection systems have been proposed within the last decade. These methods have achieved impressive detection results in many settings, without requiring the manual crafting of signatures. Unfortunately, recent research has demonstrated that these systems often suffer from significant performance drops over time if the underlying distribution changes-a phenomenon referred to as concept drift. So far, however, it is still an open question which main factors cause the drift in the data and, in turn, the drop in performance of current detection systems.To address this question, we present a framework for the indepth analysis of dataset affected by concept drift. The framework allows gaining a better understanding of the root causes of concept drift, a fundamental stepping stone for building robust detection methods. To examine the effectiveness of our framework, we use it to analyze a commonly used dataset for Android malware detection as a first case study. Our analysis yields two key insights into the drift that affects several state-of-the-art methods. First, we find that most of the performance drop can be explained by the rise of two malware families in the dataset. Second, we can determine how the evolution of certain malware families and even goodware samples affects the classifier's performance. Our findings provide a novel perspective on previous evaluations conducted using this dataset and, at the same time, show the potential of the proposed framework to obtain a better understanding of concept drift in mobile malware and related settings. CCS CONCEPTS• Computing methodologies → Machine learning; Knowledge representation and reasoning; • Security and privacy → Intrusion/anomaly detection and malware mitigation.

show abstract

Section: Limitations and Discussionmentioning

confidence: 53%

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Drift Forensics of Malware Classifiers

Chow,

Kan,

Linhardt

et al. 2023

Proceedings of the 16th ACM Workshop on Artificial Intelligence and Security

View full text Add to dashboard Cite

show abstract

“…In addition to the considered metrics, a comparison of the False Positive Rate and Detection rate for the proposed work is also used to represent the efficacy of the proposed technique. A False Positive Rate (FPR) also known as Fall-Out is the measurement of accuracy and calculated with equation (17). False Positive Rate is defined as a ratio of false positive with a sum of false positive and true negative.…”

Section: Resultsmentioning

confidence: 99%

“…The behavioral drift is defined in terms of the development of new attack variants with changing behavior over time [15,16]. Behavioral drift is the basis for zero-day attacks [17], by changing the attack attributes (which are also called features) [6,14,18]. For developing variants, changing distribution of features changes the significance of features accordingly.…”

Section: Introductionmentioning

confidence: 99%

Addressing Behavioral Drift in Ransomware Early Detection Through Weighted Generative Adversarial Networks

Urooj,

Al-Rimy,

Zainal

et al. 2024

IEEE Access

View full text Add to dashboard Cite

Crypto-ransomware attacks pose a significant cyber threat due to the irreversible effect of encryption employed to deny access to the data on the victim's device. Existing state-of-the-art solutions are developed based on two assumptions: the availability of sufficient data to perform detection during the preencryption phase, and that ransomware behavior is static and does not change over time. However, such assumptions do not hold as data collected during the pre-encryption phase of the ransomware attack are limited and does not contain sufficient patterns needed to identify the attack. Additionally, the evasion techniques like polymorphism and metamorphism used by ransomware lead to behavioral drift that could defeat those solutions. Therefore, this paper addresses these two issues by proposing a weighted Generative Adversarial Networks (wGANs) technique. Firstly, the proposed wGAN was used to generate synthetic data that imitate the behavior of ransomware and simulate the evolution of the attacks. Then, the mutual information was used to estimate the significance of features for different timeframes, thereby helping the detection model to handle the behavioral drift in emerging ransomware variants. Experimental evaluation demonstrates that the proposed wGAN is more robust against behavioral drift compared to the state-of-theart solutions. The wGAN achieved higher accuracy and lower false alarm rates.

show abstract

Continuous Learning for Android Malware Detection

Cited by 2 publications

References 28 publications

Drift Forensics of Malware Classifiers

Drift Forensics of Malware Classifiers

Addressing Behavioral Drift in Ransomware Early Detection Through Weighted Generative Adversarial Networks

Contact Info

Product

Resources

About