EC2: Ensemble Clustering and Classification for Predicting Android Malware Families

Chakraborty, Tanmoy; Pierazzi, Fabio; Subrahmanian, V. S.

doi:10.1109/tdsc.2017.2739145

Cited by 80 publications

(62 citation statements)

References 47 publications

(105 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…We figured out interesting directions for our future work as follows. Since AndroClass utilizes the features representing the actual functionalities and underlying behaviors of apps, we can apply it to malware detection [15,21] and malware classification (i.e., detecting the malware family) [52,53] as well. However, we need to make some minor changes in AndroClass to make it adapted to the aforementioned topics.…”

Section: Resultsmentioning

confidence: 99%

AndroClass: An Effective Method to Classify Android Applications by Applying Deep Neural Networks to Comprehensive Features

Hamedani

Shin

Lee

et al. 2018

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

Android application (app) stores contain a huge number of apps, which are manually classified based on the apps’ descriptions into various categories. However, the predefined categories or apps descriptions are usually not very accurate to reflect the real functionalities of apps, thereby leading to misclassify the apps, which may cause serious security issues and unreliability problem in the app store. Therefore, the automatic app classification is an important demand to construct a secure, reliable, integrated, and easy to navigate app store. In this paper, we propose an effective method called AndroClass to automatically classify apps based on their real functionalities by using rich and comprehensive features representing the actual functionalities of the apps. AndroClass performs three steps of feature extraction, feature refinement, and classification. In the feature extraction step, we extract 14 various features for each app by utilizing a unified tool suite. In the feature refinement step, we apply Random Forest algorithm to refine the features. In the classification step, we combine refined features into a single one and AndroClass is equipped with K-Nearest Neighbor, Naive Bayes, Support Vector Machine, and Deep Neural Network to classify apps. On the contrary to the existing methods, all the utilized features in AndroClass are stable and clearly represent the actual functionalities of the app, AndroClass does not pose any issues to the user privacy, and our method can be applied to classify unreleased or newly released apps. The results of extensive experiments with two real-world datasets and a dataset constructed by human experts demonstrate the effectiveness of AndroClass where the classification accuracy of AndroClass with the latter dataset is 83.5%.

show abstract

Section: Resultsmentioning

confidence: 99%

AndroClass: An Effective Method to Classify Android Applications by Applying Deep Neural Networks to Comprehensive Features

Hamedani

Shin

Lee

et al. 2018

Wireless Communications and Mobile Computing

View full text Add to dashboard Cite

show abstract

“…With a large number of malware samples being accumulated and publicly available, data mining and machine learning techniques provide an alternative perspective to detect and analyse malicious applications [2]- [10]. In this setting, the issue of malware detections can be treated as a problem of classification, which can be tackled effectively by training an optimal classifier over massive malware samples.…”

Section: A Challengesmentioning

confidence: 99%

“…To represent the behaviour patterns of malware families and samples, we shall first capture the essence of the program and present a concise but comprehensive description for the application to be analysed. Some works adopt a set of typical permissions [7] [8], (bigrams of) API calls [2] [9] [11], or system broadcasts [8] [9] to characterize the behaviours of Android applications; some works employ graphical forms, such as call graphs [12], control flow graphs [9], or other kinds of graphs [13]- [15], to represent the structure and behaviour of an application. Different descriptions will lead to different computational overheads and generate classfiers with different performance.…”

Section: A Challengesmentioning

confidence: 99%

Multifamily Classification of Android Malware With a Fuzzy Strategy to Resist Polymorphic Familial Variants

Liu

Lei

et al. 2020

IEEE Access

View full text Add to dashboard Cite

“…However, he used the MalGenome dataset [41] to evaluate the method, which is outdated and only has small subset of DREBIN that is used in our work. EC2 [42] performs Android malware families prediction through static and dynamic features with the ensemble of supervised and unsupervised classifiers. e closest research studies to our work are presented by Kang et al [19,20], Shen et al [21], and Arp et al [12].…”

Section: Malware Family Identificationmentioning

confidence: 99%

“…Like getDeviceId(), a special API provided by Android can be used to obtain the International Mobile Equipment Identity (IMEI) of devices. We ignore other static features like app components and filtered intents used in [12]; this is because the name of them can be easily obfuscated and they are not discriminative in malware classification as they introduce more noisy information [42].…”

Section: Api Callsmentioning

confidence: 99%

MobiSentry: Towards Easy and Effective Detection of Android Malware on Smartphones

Ren

Liu

Cheng

et al. 2018

Mobile Information Systems

View full text Add to dashboard Cite

Android platform is increasingly targeted by attackers due to its popularity and openness. Traditional defenses to malware are largely reliant on expert analysis to design the discriminative features manually, which are easy to bypass with the use of sophisticated detection avoidance techniques. Therefore, more effective and easy-to-use approaches for detection of Android malware are in demand. In this paper, we present MobiSentry, a novel lightweight defense system for malware classification and categorization on smartphones. Besides conventional static features such as permissions and API calls, MobiSentry also employs the N-gram features of operation codes (n-opcode). We present two comprehensive performance comparisons among several state-of-the-art classification algorithms with multiple evaluation metrics: (1) malware detection on 184,486 benign applications and 21,306 malware samples, and (2) malware categorization on DREBIN, the largest labeled Android malware datasets. We utilize the ensemble of these supervised classifiers to design MobiSentry, which outperforms several related approaches and gives a satisfying performance in the evaluation. Furthermore, we integrate MobiSentry with Android OS that enables smartphones with Android to extract features and to predict whether the application is benign or malicious. Experimental results on real smartphones show that users can easily and effectively protect their devices against malware through this system with a small run-time overhead.

show abstract

EC2: Ensemble Clustering and Classification for Predicting Android Malware Families

Cited by 80 publications

References 47 publications

AndroClass: An Effective Method to Classify Android Applications by Applying Deep Neural Networks to Comprehensive Features

AndroClass: An Effective Method to Classify Android Applications by Applying Deep Neural Networks to Comprehensive Features

Multifamily Classification of Android Malware With a Fuzzy Strategy to Resist Polymorphic Familial Variants

MobiSentry: Towards Easy and Effective Detection of Android Malware on Smartphones

Contact Info

Product

Resources

About