Countering Android Malware: A Scalable Semi-Supervised Approach for Family-Signature Generation

Atzeni, Andrea; Díaz, Fernando; Marcelli, Andrea; Sánchez, Antonio Bernardo; Squillero, Giovanni; Tonda, Alberto

doi:10.1109/access.2018.2874502

Cited by 23 publications

(13 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Atzeni et al [38] clustered malware samples in families and developed rules of family signatures to allow for the accurate identification of samples. They used both static and dynamic features.…”

Section: Background and Related Work A Structure Of Apk Filesmentioning

confidence: 99%

Efficient Deep Learning Network With Multi-Streams for Android Malware Family Classification

et al. 2022

View full text Add to dashboard Cite

It is important to effectively detect, mitigate, and defend against Android malware attacks, because Android malware has long represented a major threat to Android app security. Characterizing and classifying similar malicious apps into groups plays a particularly crucial role in building a secure Android app ecosystem. The classification of malware families can efficiently enhance the malware detection process and systematically elucidate malware patterns. In this paper, we propose a novel efficient deep learning network with multi-streams for Android malware family classification. We first obtain the input data for a convolutional neural network (CNN) in string format from some main files or sections contained in each Android malicious app. We then classify malware families by applying a 1-dimensional convolution filter-based network for the files or sections. Further, by using gradient analysis to visualize the important files and sections in malicious apps, we attempt to intuitively grasp which files or sections are the most significant for malware family classification. To validate the effectiveness of our approach, we conduct extensive experiments with the well-known DREBIN and AMD malware datasets, and we compare our approach with existing methods. Our experimental results show that the 1D CNN model is more accurate than the 2D CNN model, and that the code_item part in the classes.dex is the most relevant feature for malware classification, as it is more relevant than other parts such as AndroidManifest.xml and certificate. The proposed method achieves the best accuracy of 93.2% by using 1D convolution filters with multistreams for the main files and sections of the malware samples.

show abstract

Section: Background and Related Work A Structure Of Apk Filesmentioning

confidence: 99%

Efficient Deep Learning Network With Multi-Streams for Android Malware Family Classification

et al. 2022

View full text Add to dashboard Cite

show abstract

“…Such analysis is a time-consuming process considering the huge number of malware samples to be detected and analyzed. Papers such as [40,41,45,51,60] have used hybrid analysis and the details on the features used were discussed in Section 4, Features.…”

Section: Hybrid Analysismentioning

confidence: 99%

“…In [41], the static features such as permissions, filename, and activity name are utilized. In the paper [40], a set of static features from the Android manifest in addition to an APK file that is generated from Androguard [101] tool, a Python code to reverse engineer Android files.…”

Section: Static Featuresmentioning

confidence: 99%

See 1 more Smart Citation

Android Malware Family Classification and Analysis: Current Status and Future Directions

Alswaina

Elleithy

2020

Electronics

View full text Add to dashboard Cite

Android receives major attention from security practitioners and researchers due to the influx number of malicious applications. For the past twelve years, Android malicious applications have been grouped into families. In the research community, detecting new malware families is a challenge. As we investigate, most of the literature reviews focus on surveying malware detection. Characterizing the malware families can improve the detection process and understand the malware patterns. For this reason, we conduct a comprehensive survey on the state-of-the-art Android malware familial detection, identification, and categorization techniques. We categorize the literature based on three dimensions: type of analysis, features, and methodologies and techniques. Furthermore, we report the datasets that are commonly used. Finally, we highlight the limitations that we identify in the literature, challenges, and future research directions regarding the Android malware family.

show abstract

“…The Extremely Randomized Trees were used to identify a small number of permissions that could be used to attribute the malware into the malware families. In [42], a set of semi-supervised techniques were introduced with the ultimate goal of facilitating security experts to generate the malware family signatures. A scalable framework was proposed to mine massive of Android applications with the main goal of detecting new malware samples, while reducing false positive rate.…”

Section: B Android Malware Family Classificationmentioning

confidence: 99%

A3CM: Automatic Capability Annotation for Android Malware

et al. 2019

View full text Add to dashboard Cite

Android malware poses serious security and privacy threats to the mobile users. Traditional malware detection and family classification technologies are becoming less effective due to the rapid evolution of the malware landscape, with the emerging of so-called zero-day-family malware families. To address this issue, our paper presents a novel research problem on automatically identifying the security/privacyrelated capabilities of any detected malware, which we refer to as Malware Capability Annotation (MCA). Motivated by the observation that known and zero-day-family malware families share the security/privacyrelated capabilities, MCA opens a new alternative way to effectively analyze zero-day-family malware (the malware that do not belong to any existing families) through exploring the related information and knowledge from known malware families. To address the MCA problem, we design a new MCA hunger solution, Automatic Capability Annotation for Android Malware (A3CM). A3CM works in the following four steps: 1) A3CM automatically extracts a set of semantic features such as permissions, API calls, network addresses from raw binary APKs to characterize malware samples; 2) A3CM applies a statistical embedding method to map the features into a joint feature space, so that malware samples can be represented as numerical vectors; 3) A3CM infers the malicious capabilities by using the multi-label classification model; 4) The trained multi-label model is used to annotate the malicious capabilities of the candidate malware samples. To facilitate the new research of MCA, we create a new ground truth dataset that consists of 6,899 annotated Android malware samples from 72 families. We carry out a large number of experiments based on the four representative security/privacy-related capabilities to evaluate the effectiveness of A3CM. Our results show that A3CM can achieve promising accuracy of 1.00, 0.98 and 0.63 in inferring multiple capabilities of known Android malware, small size-families' malware and zero-day-families' Android malware, respectively.

show abstract

Countering Android Malware: A Scalable Semi-Supervised Approach for Family-Signature Generation

Cited by 23 publications

References 29 publications

Efficient Deep Learning Network With Multi-Streams for Android Malware Family Classification

Efficient Deep Learning Network With Multi-Streams for Android Malware Family Classification

Android Malware Family Classification and Analysis: Current Status and Future Directions

A3CM: Automatic Capability Annotation for Android Malware

Contact Info

Product

Resources

About