DAPASA: Detecting Android Piggybacked Apps Through Sensitive Subgraph Analysis

Fan, Ming; Li, Jun; Wang, Wei; Li, Haifei; Tian, Zhenzhou; Liu, Ting

doi:10.1109/tifs.2017.2687880

Cited by 112 publications

(44 citation statements)

References 41 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Wang et al [18] evaluated the usefulness of risky permissions for malware detection using SVM, Decision Trees and Random Forest. DAPASA [19] focused on detecting malware piggybacked onto benign apps by utilizing sensitive subgraphs to construct five features depicting invocation patterns. The features are fed into machine learning algorithms i.e.…”

Section: A Static Analysis With Traditional Classifiersmentioning

confidence: 99%

DroidFusion: A Novel Multilevel Classifier Fusion Approach for Android Malware Detection

Yerima

Sezer

2019

IEEE Trans. Cybern.

147

View full text Add to dashboard Cite

Abstract-Android malware has continued to grow in volume and complexity posing significant threats to the security of mobile devices and the services they enable. This has prompted increasing interest in employing machine learning to improve Android malware detection. In this paper we present a novel classifier fusion approach based on a multilevel architecture that enables effective combination of machine learning algorithms for improved accuracy. The framework (called DroidFusion), generates a model by training base classifiers at a lower level and then applies a set of ranking-based algorithms on their predictive accuracies at the higher level in order to derive a final classifier. The induced multilevel DroidFusion model can then be utilized as an improved accuracy predictor for Android malware detection. We present experimental results on four separate datasets to demonstrate the effectiveness of our proposed approach. Furthermore, we demonstrate that the DroidFusion method can also effectively enable the fusion of ensemble learning algorithms for improved accuracy. Finally, we show that the prediction accuracy of DroidFusion, despite only utilizing a computational approach in the higher level, can outperform Stacked Generalization, a well-known classifier fusion method that employs a meta-classifier approach in its higher level.

show abstract

Section: A Static Analysis With Traditional Classifiersmentioning

confidence: 99%

DroidFusion: A Novel Multilevel Classifier Fusion Approach for Android Malware Detection

Yerima

Sezer

2019

IEEE Trans. Cybern.

147

View full text Add to dashboard Cite

show abstract

“…In this field, almost all recently proposed detectors relied on semantic features to model malware behaviours. For example, Fan et al [15] proposed DAPASA, an approach to detect Android piggybacked applications through sensitive subgraph analysis. Xu et al [46] leveraged the inter-component communication patterns to detect Android malware.…”

Section: Android Malware Detectionmentioning

confidence: 99%

Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection

Chen

Wang

et al. 2020

IEEE Trans.Inform.Forensic Secur.

224

142

View full text Add to dashboard Cite

Machine learning based solutions have been successfully employed for automatic detection of malware in Android applications. However, as is known, machine learning models lack robustness to adversarial examples, which are crafted by adding minor, yet carefully chosen, perturbations to the normal inputs. So far, the adversarial examples can only deceive Android malware detectors that rely on syntactic features (e.g., requested permissions, specific API calls, etc.), and the perturbations can only be implemented by simply modifying Android manifest. While recent Android malware detectors rely more on semantic features from Dalvik bytecode rather than manifest, existing attacking/defending methods are no longer effective due to the rising challenge in adding perturbations to Dalvik bytecode without affecting their original functionality.In this paper, we introduce a new highly-effective attack that generates adversarial examples of Android malware and evades being detected by the current models. To this end, we propose a method of applying optimal perturbations onto Android APK using a substitute model (i.e., a Deep Neural Network). Based on the transferability concept, the perturbations that successfully deceive the substitute model are likely to deceive the original models as well (e.g., Support Vector Machine in Drebin or Random Forest in MaMaDroid). We develop an automated tool to generate the adversarial examples without human intervention to apply the attacks. In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as control-flow-graph. The perturbations can also be implemented directly onto APK's Dalvik bytecode rather than Android manifest to evade from recent detectors. We evaluated the proposed manipulation methods for adversarial examples by using the same datasets that Drebin and MaMadroid (5879 malware examples) used. Our results show that, the malware detection rates decreased from 96% to 1% in MaMaDroid, and from 97% to 1% in Drebin, with just a small distortion generated by our adversarial examples manipulation method.

show abstract

“…This could be attributed to fact that this view extracts much larger number of high-quality features compared to the other two views. Owing to this well-known inference, many works in the past (e.g., [23,27,32,36,37]) have used them for a variety of tasks (incl. malware and clone detection).…”

Section: Single-vs Multi-view Profilesmentioning

confidence: 99%

Apk2vec: Semi-Supervised Multi-view Representation Learning for Profiling Android Applications

Narayanan

Soh

Chen

et al. 2018

2018 IEEE International Conference on Data Mining (ICDM)

View full text Add to dashboard Cite

Building behavior profiles of Android applications (apps) with holistic, rich and multi-view information (e.g., incorporating several semantic views of an app such as API sequences, system calls, etc.) would help catering downstream analytics tasks such as app categorization, recommendation and malware analysis significantly better. Towards this goal, we design a semi-supervised Representation Learning (RL) framework named apk2vec to automatically generate a compact representation (aka profile/embedding) for a given app. More specifically, apk2vec has the three following unique characteristics which make it an excellent choice for largescale app profiling: (1) it encompasses information from multiple semantic views such as API sequences, permissions, etc., (2) being a semi-supervised embedding technique, it can make use of labels associated with apps (e.g., malware family or app category labels) to build high quality app profiles, and (3) it combines RL and feature hashing which allows it to efficiently build profiles of apps that stream over time (i.e., online learning).The resulting semi-supervised multi-view hash embeddings of apps could then be used for a wide variety of downstream tasks such as the ones mentioned above. Our extensive evaluations with more than 42,000 apps demonstrate that apk2vec's app profiles could significantly outperform state-of-the-art techniques in four app analytics tasks namely, malware detection, familial clustering, app clone detection and app recommendation.

show abstract

DAPASA: Detecting Android Piggybacked Apps Through Sensitive Subgraph Analysis

Cited by 112 publications

References 41 publications

DroidFusion: A Novel Multilevel Classifier Fusion Approach for Android Malware Detection

DroidFusion: A Novel Multilevel Classifier Fusion Approach for Android Malware Detection

Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection

Apk2vec: Semi-Supervised Multi-view Representation Learning for Profiling Android Applications

Contact Info

Product

Resources

About