DroidScribe: Classifying Android Malware Based on Runtime Behavior

Dash, Santanu Kumar; Suárez-Tangil, Guillermo; Khan, Salahuddin J.; Tam, Kimberly; Ahmadi, Mansour; Kinder, Johannes; Cavallaro, Lorenzo

doi:10.1109/spw.2016.25

Cited by 130 publications

(75 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Reina et al [20] implemented CopperDroid, a framework to execute Android apps and collect information about system calls. DroidScribe [5] uses CopperDroid as building block to execute Android apps and trace performed system calls. DroidScribe is the most notable work on Android malware family classification, purely based on dynamic analysis and machine learning, that shares most similarities with our objectives.…”

Section: Related Workmentioning

confidence: 99%

“…It is a public collection of malware samples that can be used for research purposes, that contains 5,560 malicious applications from 179 different families. The Drebin dataset has been widely employed in the related literature [8,3,5,11,22]. Since we compare our solution to DroidScribe, in our experiments we selected the same families as DroidScribe.…”

Section: Datasetmentioning

confidence: 99%

“…During each run, it collects resource consumption metrics from the proc file system, and processes them through detrended fluctuation analysis (DFA) [18] and Pearson's correlation [16]. At the time of writing, the most important work on Android malware family classification, based on dynamic analysis, is DroidScribe [5]. We compare our methodology to that of DroidScribe by carrying out an extensive experimental evaluation on the same dataset as DroidScribe.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Android malware family classification based on resource consumption over time

Massarelli

Aniello

Ciccotelli

et al. 2017

2017 12th International Conference on Malicious and Unwanted Software (MALWARE)

View full text Add to dashboard Cite

The vast majority of today's mobile malware targets Android devices. This has pushed the research effort in Android malware analysis in the last years. An important task of malware analysis is the classification of malware samples into known families. Static malware analysis is known to fall short against techniques that change static characteristics of the malware (e.g. code obfuscation), while dynamic analysis has proven effective against such techniques. To the best of our knowledge, the most notable work on Android malware family classification purely based on dynamic analysis is DroidScribe. With respect to DroidScribe, our approach is easier to reproduce. Our methodology only employs publicly available tools, does not require any modification to the emulated environment or Android OS, and can collect data from physical devices. The latter is a key factor, since modern mobile malware can detect the emulated environment and hide their malicious behavior. Our approach relies on resource consumption metrics available from the proc file system. Features are extracted through detrended fluctuation analysis and correlation. Finally, a SVM is employed to classify malware into families. We provide an experimental evaluation on malware samples from the Drebin dataset, where we obtain a classification accuracy of 82%, proving that our methodology achieves an accuracy comparable to that of DroidScribe. Furthermore, we make the software we developed publicly available, to ease the reproducibility of our results.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Datasetmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Android malware family classification based on resource consumption over time

Massarelli

Aniello

Ciccotelli

et al. 2017

2017 12th International Conference on Malicious and Unwanted Software (MALWARE)

View full text Add to dashboard Cite

show abstract

“…For instance, Symantec reports [1] discovering 430 million new malware in 2015 which is a 36% increase over 2014. Also their capabilities have grown from simple phone cloning, sending premium-rated SMS to complex botnets, cryptolocker and ransomware [29]- [32]. Besides this, attackers continuously enhance the sophistication of malware to evade novel detection techniques.…”

Section: Introductionmentioning

confidence: 99%

“…Machine Learning based malware detection. For over a decade, Machine Learning (ML) techniques have been predominantly used to perform malware detection in various platforms (such as Windows and Android) [12]- [17,21,29]- [32,39,50]. This is because, ML methods automatically learn the characteristics that distinguish malicious behavior, when trained using a collection of malware and benign samples making them amenable for automated detection.…”

Section: Introductionmentioning

confidence: 99%

Context-Aware, Adaptive, and Scalable Android Malware Detection Through Online Learning

Narayanan

Chandramohan

Chen

et al. 2017

IEEE Trans. Emerg. Top. Comput. Intell.

View full text Add to dashboard Cite

It is well-known that Android malware constantly evolves so as to evade detection. This causes the entire malware population to be non-stationary. Contrary to this fact, most of the prior works on Machine Learning based Android malware detection have assumed that the distribution of the observed malware characteristics (i.e., features) does not change over time.In this work, we address the problem of malware population drift and propose a novel online learning based framework to detect malware, named CASANDRA (Context-aware, Adaptive and Scalable ANDRoid mAlware detector). In order to perform accurate detection, a novel graph kernel that facilitates capturing apps' security-sensitive behaviors along with their context information from dependency graphs is proposed. Besides being accurate and scalable, CASANDRA has specific advantages: (i) being adaptive to the evolution in malware features over time (ii) explaining the significant features that led to an app's classification as being malicious or benign. In a large-scale comparative analysis, CASANDRA outperforms two state-of-the-art techniques on a benchmark dataset achieving 99.23% F-measure. When evaluated with more than 87,000 apps collected in-the-wild, CASANDRA achieves 89.92% accuracy, outperforming existing techniques by more than 25% in their typical batch learning setting and more than 7% when they are continuously retained, while maintaining comparable efficiency.

show abstract

UpDroid: Updated Android Malware and Its Familial Classification

Şen

2018

Secure IT Systems

View full text Add to dashboard Cite

DroidScribe: Classifying Android Malware Based on Runtime Behavior

Cited by 130 publications

References 23 publications

Android malware family classification based on resource consumption over time

Android malware family classification based on resource consumption over time

Context-Aware, Adaptive, and Scalable Android Malware Detection Through Online Learning

UpDroid: Updated Android Malware and Its Familial Classification

Contact Info

Product

Resources

About