EntropLyzer: Android Malware Classification and Characterization Using Entropy Analysis of Dynamic Characteristics

Keyes, David; Li, Beiqi; Kaur, Gurdip; Lashkari, Arash Habibi; Gagnon, François; Massicotte, Frédéric

doi:10.1109/rdaaps48126.2021.9452002

Cited by 48 publications

(17 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…When API features are limited, classi cation performance, notably FPR, may increase. In the research [20], a method called EntropLyzer was presented. It uses entropy-based behavioral analysis to detect the behavior of 12 well-known categories of Android malware, as well as 147 malware families taken from the CCCS-CIC-AndMal2020 dataset.…”

Section: Literature Reviewmentioning

confidence: 99%

Comprehensive Analysis of Android Malware detection through Semi-supervised Autoencoder models

Firoz

Tahsin

2023

Preprint

View full text Add to dashboard Cite

Recent years have seen a rapid proliferation of malicious software on mobile devices, notably repackaged Android malware. Grasping Android malware detection via vibrant analysis will provide a thorough read, but we must also establish a connection between the app's features and the elements required to fulfill the category's functionality. In this work, we propose a novel method of detecting malwares. This model is a part of semi-supervised learning. We employed autoencoder training features from noisy input. They generate clusters of malicious predictions utilizing the reconstruction error and helped in dimensionality reduction of the large feature set. The newly reconstructed input features are then fed to the machine learning model and Deep learning models for supervised prediction. Later, we contrast their performance based on performance metrics and accuracy. Three datasets were chosen for this experiment to assess the execution and operation of the proposed model. There were two labels in the ‘class’ attribute such as ‘0’ as Benign and ‘1’ as Malicious. The proposed model achieved superior accuracy and can deliver promising results.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Comprehensive Analysis of Android Malware detection through Semi-supervised Autoencoder models

Firoz

Tahsin

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Dynamic methods extract behavioral features by executing infected binaries on a sandbox [15], [40]. Network traffic analysis approaches extract malicious signature patterns [41], [42] or HTTP, TCP, or UDP flow features [43] using datasets such as malwaretraffic-analysis.net [44] and CICAndMal2020 [45].…”

Section: Related Workmentioning

confidence: 99%

Smishing Strategy Dynamics and Evolving Botnet Activities in Japan

Saeki

Kitayama

Koga³

et al. 2022

IEEE Access

View full text Add to dashboard Cite

XLoader and FakeSpy, the two major smishing botnets targeting Japan, change their attack strategies over various timescales. Based on recent observations of the botnets and Twitter data, we present empirical facts about their strategies and activity patterns and applied some of these strategic and activity patterns to malware detection and malicious domain detection. All the proposed methods yielded small false positive and negative rates, and are expected to run on user devices owing to their small computational cost. Recent malware detection methods based on traffic analysis extract TCP/IP traffic features if the upper layers of TCP are encrypted. In this study, Frida's hooking capability was employed to decode the upper layers (WebSocket and JSON-RPC) to create a list of all commands flowing over the botnet channel. The command-level traffic analysis presents decisive attack features because commands are transmitted according to strategies developed by the attackers. The proposed malicious domain detection method, on the other hand, exploited the tendency of the attackers to create domains in batches. Previous researchers focused on how benign and malicious domains were registered and used on the name servers. The proposed method, on the other hand, focuses on the arrival rate of SMS messages with URL links. The error rates become significantly small when users do not receive such messages very often.

show abstract

“…AndMal 2020 Dataset [36] [37]: UNB presents a new large android malware dataset for research in detecting android malware in smartphones called CIC-AndMal-2020. The dataset includes 200,000 benign samples and 200,000 malware samples for 400,000 Android applications, with 14 prominent malware categories.…”

Section: Datasetsmentioning

confidence: 99%

“…This section presents experiments with the Semi-WTC on other security domains. The AndMal 2020 Dataset [36] [37] is taken as an example. The experimental results are shown in Table 14.…”

Section: Applications Of Semi-wtc In Other Security Areasmentioning

confidence: 99%

“…In addition, the ACID [11] relies on multiple kernel networks to learn the optimal embedding of data samples and needs to identify the clustering centers accurately, so its performance in high-dimensional datasets is not as good as that of FAREsemiup [10]. Overall, on the AndMal 2020 dataset [36] [37], our proposed Semi-WTC achieves SOTA performance in all three aspects, including accuracy, F1-score, and running time. The improvement of its classification accuracy even reaches 24% compared to the K-Means [39] algorithm.…”

Section: Applications Of Semi-wtc In Other Security Areasmentioning

confidence: 99%

See 1 more Smart Citation

Semi-WTC: A Practical Semi-supervised Framework for Attack Categorization through Weight-Task Consistency

Chen¹,

Wei²,

Luo³

et al. 2022

Preprint

View full text Add to dashboard Cite

Supervised learning has been widely used for attack detection, which requires large amounts of high-quality data and labels. However, the data is often imbalanced and sufficient annotations are difficult to obtain. Moreover, these supervised models are subject to real-world deployment issues, such as defending against unseen artificial attacks. We propose a semi-supervised fine-grained attack categorization framework consisting of an encoder and a two-branch structure to integrate information from labeled and unlabeled data to tackle these practical challenges. This framework can be generalized to different supervised models. The multilayer perceptron with residual connection and batch normalization is used as the encoder to extract features and reduce the complexity. The Recurrent Prototype Module (RPM) is proposed to train the encoder effectively in a semi-supervised manner. To alleviate the problem of data imbalance, we introduce the Weight-Task Consistency (WTC) into the iterative process of RPM by assigning larger weights to classes with fewer samples in the loss function. In addition, to cope with new attacks in real-world deployment, we further propose an Active Adaption Resampling (AAR) method, which can better discover the distribution of the unseen sample data and adapt the parameters of the encoder. Experimental results show that our model outperforms the state-of-the-art semi-supervised attack detection methods with a general 5% improvement in classification accuracy and a 90% reduction in training time.

show abstract

EntropLyzer: Android Malware Classification and Characterization Using Entropy Analysis of Dynamic Characteristics

Cited by 48 publications

References 22 publications

Comprehensive Analysis of Android Malware detection through Semi-supervised Autoencoder models

Comprehensive Analysis of Android Malware detection through Semi-supervised Autoencoder models

Smishing Strategy Dynamics and Evolving Botnet Activities in Japan

Semi-WTC: A Practical Semi-supervised Framework for Attack Categorization through Weight-Task Consistency

Contact Info

Product

Resources

About