Ma 2016
Li Ma, Xiaolei Wang
College of Computer, National University of Defense Technology, Changsha, China
[email protected], [email protected]
Abstract—As Android has become the most popular smart-phone operating system, malicious applications running on the Android platform appear very frequently and pose the major threat to the security of Android. Considering that the resources of a smart phone are severely limited, a stable, simple and quick malware detection method for Android is indispensable. In this paper, we propose an ultra-lightweight malware detection method which is able to detect unknown malicious Android applications with limited resources. Firstly, a few features are extracted and divided into three sets for every application. Then, these three feature sets are embedded in the corresponding joint vector spaces, giving the app's feature vectors. After that, the feature vectors of every vector space are classified using a machine learning algorithm. Finally, the three classification results are considered as a group, embedded in a new space and classified again. We evaluate our detection with 3427 malicious samples and 1550 benign applications. Experimental results show that our detection approach has a stable performance: the detection accuracy (true-positive rate) is always higher than 98% and the detection procedure costs only 30ms per sample.

Keywords- 2-level machine learning; SVM; ultra-lightweight; Android; smart-phone malware detection

I. INTRODUCTION

As one of the most popular platforms for smart-phones today, Android has taken a mammoth market share. According to what Sundar Pichai said at Google I/O 2015 in San Francisco, there are roughly 1 billion people running the Android operating system on their personal electronic devices and almost 8 in every 10 smart-phones use Android. Unfortunately, smart-phones running Android are increasingly targeted by attackers and infected through malware distribution systems. Based on a recent study by G DATA, there were 560671 malicious applications appearing in the second quarter of 2015 [1].

Given the recent mushrooming of Android malware, how to detect Android malware is becoming pressing. At present, existing detection methods can be roughly classified into two categories: approaches using static analysis and approaches using dynamic analysis.

Drebin [2], RiskRanker [3] and Flowdroid [4] are static analysis methods which introduce only small run-time overhead. However, static analysis methods are usually not very effective against dynamic code loading. Dynamic analysis methods, such as TaintDroid [5], DroidRanger [6] and DroidScope [7], can monitor the behavior of applications at runtime. Although dynamic analysis methods are usually very effective in identifying malicious activities on Android, they suffer from significant overhead and cannot be directly applied on mobile devices. Furthermore, pure dynamic analysis systems are prone to analysis evasion.

The objective of this paper is to propose a detection method based on a 2-level Support Vector Machine (SVM) which is effective against new malware and introduces only a small runtime cost. Our detection method performs static analysis and extracts some specific features contained in the application's code and manifest. These features are organized in sets of strings (such as permissions, used methods etc.) and embedded in relevant joint vector spaces. These vector spaces are independent and can represent the behaviors of Android applications in different aspects. As an instance, behaviors like using the camera will be mapped into specific regions of the vector spaces. We can describe these behaviors by combining vectors in each vector space. In this way, every Android application is represented by a set of feature vectors, and each feature vector can be fed to a certain machine learning algorithm to obtain a set of results. These sets of results can also be regarded as vectors, so we feed the result vectors to the machine learning algorithm again to obtain the final results.

Experiments with 1550 benign applications from different markets and 3427 recent malware samples demonstrate the performance of our approach. Our detection
978-1-5090-2535-0/16 $31.00 ©2016 IEEE
978-1-5090-2534-3/16 $31.00 ©2016 IEEE
DOI 10.1109/ICISCE.2016.161
method is able to achieve a higher detection rate than related methods [8,9,10] and 9 in 10 popular antivirus scanners.

In summary, this paper makes the following contributions:

• Ultra-lightweight analysis. Though we apply RBF-SVM analysis and learning techniques, our method still costs very little time to detect Android malware, since we reduce the dimensionality of the feature vectors by filtering out some uncommon features and by adopting the 2-level SVM model. In addition, our detection approach only extracts about 30000 features from the application to be detected, which is far fewer than Drebin [2].

• Effective detection. We introduce a method combining static analysis and machine learning that is capable of identifying Android malware with a high detection rate. In addition, this method is independent of manually crafted detection patterns.

• Stable detection. As well as the high detection accuracy, our method always obtains a stable result. In 10 experiments, the detection accuracy on new malware is never lower than 98%, and the false-positive rate also stays at a low level. Thus, our method can stably pick the malicious applications out of the unknown applications.

The rest of this paper is organized as follows: Section II introduces the related work. The details of our method are explained in Section III. Experiments and evaluation are presented in Section IV. Limitations and future work are discussed together in Section V. In the end, Section VI concludes the paper.

II. RELATED WORK

A. Detection Methods using Static Analysis

The first kind of approaches for detecting Android malware has been inspired by concepts from static program analysis. A number of methods that statically check applications and disassemble their code have been proposed [2, 3, 8, 12, 13]. For example, Kirin [8] checks the permissions of applications for indications of malicious activity. RiskRanker [3] detects high- and medium-risk apps according to several predetermined features. Common open-source tools for static analysis are Smali [14] and Androguard [15], which dissect the content of applications with little effort.

Our method is related to this kind of approaches. We extract similar features to describe malicious behaviors for identifying malware. These features (like permissions, hardware components etc.) are employed to identify malicious applications.

B. Detection Methods using Dynamic Analysis

Another kind of research has studied the detection of Android malware at run-time. TaintDroid [5] and DroidScope [7] are analysis systems that enable dynamic application monitoring in a protected environment. TaintDroid focuses on taint analysis, while DroidScope performs introspection at different layers of the platform. Both systems provide detailed information about the behavior of applications, yet they require too many resources and cannot be deployed on Android mobiles.

As a consequence, the detection methods using dynamic analysis are usually deployed offline, such as DroidRanger [6] and AppsPlayground [16], which have been employed successfully to study applications with malicious behavior in different Android markets.

In addition, DroidDolphin [17] combines static analysis with dynamic analysis and relies on repackaging and injecting applications with monitoring code. However, DroidDolphin achieves an accuracy of only 86.1% in the best case.

C. Detection Methods using Machine Learning

Android malware detection approaches using static analysis or dynamic analysis always come with the difficulty of manually crafting and updating detection patterns. In order to get rid of this difficulty, machine learning algorithms have been introduced into Android malware detection. Several methods based on machine learning have been proposed to detect malicious applications [2, 3, 12, 18, 19]. RiskRanker [3] and DroidAPIMiner [12] use machine learning techniques to detect Android malware with features statically extracted from Android applications. MARVIN [19] and MobileSandbox [20] used static and dynamic features with machine learning algorithms and achieved high accuracy.

Overall, previous work usually focuses on improving the detection accuracy for malware by adopting machine learning algorithms. However, other aspects such as detection efficiency are not considered. In this paper, we address these aspects and propose an effective and efficient method to detect malicious Android applications.

III. DETECTION MECHANISM

Our detection procedure is divided into three steps:

a) Extracting static features. In the first step, we inspect a given Android application statically and extract different features from the application's manifest and dex code. Then these features are classified into three independent feature sets.

b) Embedding in vector spaces. The three extracted feature sets are then mapped to corresponding joint spaces, where patterns and combinations of features can be analyzed geometrically.

c) 2-level machine learning. The embedding of the three feature sets enables us to identify malicious behavior in relevant aspects using efficient techniques of machine learning, such as SVM, which gives us three groups of results. We gather the results of the same application and then embed them in a 3-dimensional vector space. In this way, the result vectors allow us to identify the malware by a machine learning algorithm.
A. Extracting Static Features

Firstly, we extract the static features from the manifest file and the disassembled dex code, both of which can be obtained by a linear sweep over the application's content. Therefore, the static analysis takes little time and makes the detection more efficient. Since in the following processes we classify the applications based on every feature set, these features should be comprehensive and independent.

The extracted features are then divided into three independent feature sets, i.e. S1, S2 and S3.

S1 Particular method calls: This feature set contains some methods which are used by the application we inspect, such as native methods (m1), reflection methods (m2), dynamic methods (m3), crypto methods (m4) and permission methods (m5). These methods cover almost all the APIs called by the application, and the used permissions are represented as well. Besides the API calls and permissions, the semantics of method names may also describe the application's behavior to a certain degree. For example, if two methods use the same name, they may have the same function. Thus, we choose to extract method calls to compose the first feature set instead of API calls or permissions as usual.

S2 Hardware components & Requested permissions: As is well known, both hardware components and permissions play important roles in malware identification. Nevertheless, there would be only a few elements if we separately defined two different feature sets. Thus, we gather them as one. This feature set can be extracted from the application's manifest, a file that provides data supporting the installation and later execution of the application.

• Hardware components: If an application requests access to hardware modules (such as camera, GPS etc.) of the mobile, these features will be declared in the manifest. The use of certain combinations of hardware often reflects harmful behavior.

• Requested permissions: The permission system is one of the most important security mechanisms in Android. As shown in the literature [2, 8, 10], malicious software requests certain permissions more often than benign software.

S3 App components & Intents: There are four different types of components in an application. They define different interfaces to the system: activities, services, content providers and broadcast receivers. Besides, Intents are utilized to perform inter-process and intra-process communication on Android. We extract features of these two types as one set, so that the application's process can be roughly described by this feature set.

B. Embedding in Vector Spaces

Malicious activities can usually be reflected in the feature sets we defined above. For example, if a malware sends premium SMS messages, the methods it uses (android.telephony.SmsManager.getDefault(), etc.) may be contained in S1, and the access to the necessary permissions (android.permission.SEND_SMS, etc.) and hardware (android.hardware.telephony, etc.) will be included in S2. Furthermore, how the malware works is also described by the feature set contained in S3.

Firstly, we need to map each feature set to the relevant vector space, since the machine learning method we adopt operates on numerical vectors. We define three independent vector spaces corresponding to the three feature sets, where each dimension is either 0 or 1. As done in Drebin [2], an application x is mapped to each space by constructing the corresponding vectors (φ1(x), φ2(x), φ3(x)), so that for each feature s extracted from x the respective dimension is set to 1 and all other dimensions are 0. Formally, this map φ can be defined for a set of applications X as follows:

$\varphi_i : X \to \{1, 0\}^{|S_i|}, \quad \varphi_i(x) \mapsto \big(I(x, s)\big)_{s \in S_i}, \quad i \in \{1, 2, 3\}$

where the indicator function $I(x, s)$ is simply defined as:

$I(x, s) = \begin{cases} 1 & \text{the application } x \text{ contains feature } s \\ 0 & \text{otherwise} \end{cases}$

In every space, applications with similar features are placed close to each other, while the ones having different features are separated by large distances.

C. 2-level Machine Learning

In the third step, we apply machine learning techniques to automatically create a separation between malicious and benign applications. The use of machine learning techniques enables us to automatically construct detection rules from the extracted features.

As in the previous work Drebin [2], SVM is a suitable classifier for this task. Considering all types of SVM, the SVM using a radial basis function as kernel (RBF-SVM) is the most effective one. However, the feature vectors obtained in step 2 have a large number of dimensions, which may make the machine learning take a lot of time. Therefore, we should reduce the dimensionality of the vectors by filtering elements. We count the '1-elements' in the malicious applications' feature vectors. If there is only one '1-element' corresponding to a feature, then we remove that feature from the vector space. On the other hand, we also drop the features that have the same value in all vectors. In this way, we remove plenty of dimensions from the feature vectors, as shown in Table I.

TABLE I. THE PERFORMANCE OF REDUCING DIMENSIONALITY.
Feature set   Original features #   Filtered features #
S1            20663                 8828
S2            271                   185
S3            13112                 3356

The classification is conducted by a 2-level machine learning process.

The first-level: At the first level, we divide each vector set into two classes, the malicious ones and the benign ones. If the vector of an application in S1 is classified as malicious, the application will be treated as malware in the S1 aspect and gets a relevant result value. As there are three independent vector spaces, each application gets three result values in this level.
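As an added example that is not part of the paper, the following extracts the manifest-derived sets S2 (hardware components and requested permissions) and S3 (app components and intents) of Section III.A from a constructed AndroidManifest.xml; it assumes the manifest is already decoded to plain XML (a step tools such as Androguard perform), and the "kind:" prefixes on S3 strings are this example's own convention.

```python
"""Added example (not the paper's code): extracting the manifest-derived feature
sets of Section III.A, S2 (hardware components + requested permissions) and
S3 (app components + intents), from a constructed AndroidManifest.xml.
Assumes the manifest is already decoded to plain XML."""
import xml.etree.ElementTree as ET
from typing import Set, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest of a sample SMS-handling app (not a real application).
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-feature android:name="android.hardware.telephony"/>
  <uses-feature android:name="android.hardware.camera" android:required="false"/>
  <application android:label="Sample">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".BackgroundService"/>
  </application>
</manifest>
"""


def extract_s2_s3(manifest_xml: str) -> Tuple[Set[str], Set[str]]:
    """Return (S2, S3) as sets of strings, ready for the binary embedding."""
    root = ET.fromstring(manifest_xml)
    name_attr = ANDROID_NS + "name"
    # S2: requested permissions and declared hardware components, gathered into
    # one set as the paper does. Optional hardware (required="false") counts
    # too: it is still declared, and the combination is what gets classified.
    s2 = {el.get(name_attr) for el in root.iter("uses-permission")}
    s2 |= {el.get(name_attr) for el in root.iter("uses-feature")}
    # S3: the four component types plus the intent actions/categories their
    # filters accept, prefixed by kind so identical names in different roles
    # stay distinct dimensions (prefix scheme is this example's assumption).
    s3 = set()
    for tag in COMPONENT_TAGS:
        for comp in root.iter(tag):
            s3.add(f"{tag}:{comp.get(name_attr)}")
            s3 |= {"action:" + a.get(name_attr) for a in comp.iter("action")}
            s3 |= {"category:" + c.get(name_attr) for c in comp.iter("category")}
    return s2, s3


S2, S3 = extract_s2_s3(SAMPLE_MANIFEST)
```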
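As a second added example, not the paper's implementation: the embedding φ_i of Section III.B, the two dimensionality filters of Section III.C and the 2-level classification over the 3-dimensional result vector, run on six constructed sample apps. It assumes a nearest-centroid scorer as a stand-in for the paper's RBF-SVM; the 2-level wiring is the same for any classifier that yields a signed score.

```python
"""Added example (not the paper's code): binary embedding phi_i (Sec. III.B),
the two filtering rules and the 2-level classification (Sec. III.C), on six
constructed sample apps. A nearest-centroid scorer stands in for RBF-SVM."""
import math
from typing import List, Tuple

# An app is its three string sets: S1 method calls, S2 hardware+permissions,
# S3 components+intents. Constructed training data; 1 = malicious, 0 = benign.
App = Tuple[set, set, set]
TRAIN: List[Tuple[App, int]] = [
    (({"SmsManager.getDefault", "Cipher.getInstance", "Runtime.exec"},
      {"perm:SEND_SMS", "perm:INTERNET", "hw:telephony"},
      {"receiver:BootReceiver", "intent:BOOT_COMPLETED", "service:Bg"}), 1),
    (({"SmsManager.getDefault", "DexClassLoader.<init>"},
      {"perm:SEND_SMS", "perm:INTERNET", "perm:READ_PHONE_STATE", "hw:telephony"},
      {"receiver:SmsReceiver", "intent:SMS_RECEIVED", "service:Bg"}), 1),
    (({"SmsManager.getDefault", "Runtime.exec"},
      {"perm:SEND_SMS", "perm:INTERNET"},
      {"receiver:BootReceiver", "intent:BOOT_COMPLETED"}), 1),
    (({"Camera.open", "Cipher.getInstance"},
      {"perm:CAMERA", "perm:INTERNET", "hw:camera"},
      {"activity:Main", "intent:MAIN"}), 0),
    (({"LocationManager.requestLocationUpdates"},
      {"perm:ACCESS_FINE_LOCATION", "perm:INTERNET", "hw:location.gps"},
      {"activity:Main", "intent:MAIN", "service:Sync"}), 0),
    (({"Camera.open", "HttpURLConnection.connect"},
      {"perm:CAMERA", "perm:INTERNET"},
      {"activity:Main", "intent:MAIN"}), 0),
]


def embed(features: set, space: List[str]) -> List[int]:
    """phi_i(x) = (I(x, s)) for s in S_i: 1 if the app contains feature s, else 0."""
    return [1 if s in features else 0 for s in space]


def filtered_space(feature_sets: List[set], labels: List[int]) -> List[str]:
    """Axes of one space S_i after the paper's two filters: drop a feature that is
    a '1-element' in exactly one malicious app, and drop a feature whose value is
    identical in every training vector (it cannot separate the classes)."""
    space = sorted(set().union(*feature_sets))
    vectors = [embed(f, space) for f in feature_sets]
    kept = []
    for j, s in enumerate(space):
        column = [v[j] for v in vectors]
        malicious_hits = sum(v[j] for v, y in zip(vectors, labels) if y == 1)
        if malicious_hits != 1 and len(set(column)) > 1:
            kept.append(s)
    return kept


class CentroidScorer:
    """Stand-in for RBF-SVM (assumption): score = distance to the benign centroid
    minus distance to the malicious centroid, so score > 0 means 'looks malicious'."""
    def fit(self, X: List[List[float]], y: List[int]) -> "CentroidScorer":
        self.centroids = {}
        for label in (0, 1):
            rows = [x for x, yy in zip(X, y) if yy == label]
            self.centroids[label] = [sum(col) / len(rows) for col in zip(*rows)]
        return self

    def score(self, x: List[float]) -> float:
        dist = lambda c: math.sqrt(sum((a - b) ** 2 for a, b in zip(x, c)))
        return dist(self.centroids[0]) - dist(self.centroids[1])


class TwoLevelDetector:
    """Level 1: one scorer per space S1..S3. Level 2: a scorer over the
    3-dimensional result vector (score_1, score_2, score_3) of each app."""
    def fit(self, train: List[Tuple[App, int]]) -> "TwoLevelDetector":
        apps, labels = [a for a, _ in train], [y for _, y in train]
        self.spaces = [filtered_space([a[i] for a in apps], labels) for i in range(3)]
        self.level1 = [CentroidScorer().fit([embed(a[i], self.spaces[i]) for a in apps],
                                            labels) for i in range(3)]
        self.level2 = CentroidScorer().fit([self.result_vector(a) for a in apps], labels)
        return self

    def result_vector(self, app: App) -> List[float]:
        return [clf.score(embed(app[i], self.spaces[i])) for i, clf in enumerate(self.level1)]

    def predict(self, app: App) -> int:
        return 1 if self.level2.score(self.result_vector(app)) > 0 else 0


DETECTOR = TwoLevelDetector().fit(TRAIN)
```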
The second-level: After the first-level machine learning classification is completed, we gather the three result values of each application as a result group. Each group of results has three members, so we can embed these groups in a 3-dimensional vector space. Then we perform the second-level machine learning to divide the result vectors into two groups and pick out the malicious group.

IV. EVALUATION

In this section, we evaluate the performance of our detection method through a series of experiments.

A. Dataset

For all the following experiments, we consider a dataset of real Android applications and real malware. To acquire benign apps, we crawl a number of apps from app stores (such as "appchina.com", "hapk.hiapk.com", and so on) with an Android crawler. Then we submit these applications to VirusTotal, a website that can analyze suspicious files. We label an app as benign when it gets no detection from the 55 anti-virus scanners in VirusTotal. In this way, we collect 1550 benign apps that have passed the test. At the same time, we collect the malware applications from Drebin [2], which were collected in the period of August 2010 to October 2012 and were made available to us by the MobileSandbox project [19]. We select the first 3427 samples of Drebin as our experimental samples. Thus the whole dataset contains 4977 samples comprising both benign and malicious applications.

We list the top malware families with more than 50 members in this dataset in Table II.

TABLE II. TOP MALWARE FAMILIES IN OUR DATASET (OVER 50).
Id  Family         #     Id  Family      #
A   Adrd           64    G   Geinimi     60
B   BaseBridge     195   H   GinMaster   218
C   DroidDream     51    I   Iconosys    87
D   DroidKungFu    383   J   Kmin        89
E   FakeDoc        76    K   Opfake      369
F   FakeInstaller  564   L   Plankton    417

B. Choosing the Classifier

In the first-level machine learning, we choose the SVM as the classifier. However, in the second level, we embed the result groups in a 3-dimensional vector space. As the space is low-dimensional, we should consider whether SVM is still suitable in this step.

We consider three pairs of machine learning algorithms, i.e., SVM-NB (SVM and Naive Bayes), 2-level Linear-SVM and 2-level RBF-SVM. We randomly select 2500 samples from the dataset as the training set and consider the rest as the test set.

Figure 1 shows the classification results of the different machine learning algorithms in the second level using the same dataset. As represented in Figure 1, the 2-level RBF-SVM has the highest detection accuracy (true positive rate) of 98.56% and the lowest error rate (false positive rate) of 4.04%. So we choose the 2-level RBF-SVM to perform the detection.

[Figure 1: bar chart of true-positive rate and false-positive rate (0% to 100%) for 2-level RBF, 2-level Linear and SVM-NB]
Figure 1. Comparison of the approach pairs

C. Detection Performance

In order to prove that the detection result is not accidental, a 10-fold validation is performed. The partitioning ensures that the reported results only refer to malicious applications unknown during the learning phase of our detection. In Table III, we present the result of each experiment; both the detection accuracy (true positive rate) and the error rate (false positive rate) of each experiment are at the same level, which supports that our detection approach is stable and universal.

TABLE III. RESULT OF 10-FOLD VALIDATION (2477 TEST SAMPLES)
No.           1        2        3        4        5
TP rate (%)   98.664   98.549   98.457   98.208   99.012
FP rate (%)   8.069    5.438    5.556    7.631    7.001
Run time (s)  72.655   73.440   73.564   74.380   76.627
No.           6        7        8        9        10
TP rate (%)   98.514   98.096   98.217   98.411   98.594
FP rate (%)   5.786    4.436    4.878    5.874    5.065
Run time (s)  72.331   77.006   73.996   75.360   75.574

According to the results of the 10 experiments, the average detection accuracy of our approach achieves 98.47%, and the average error rate is 5.97%. The run time of each experiment stays at a low level.

Figure 2. ROC curve of our detection method
Figure 3. ROC curve of other detection methods

The corresponding ROC curve of our detection method is shown in Figure 2. As a comparison, we use the ROC figures in Drebin [2], as shown in Figure 3. As can be seen clearly from the figures, our detection method outperforms other related detection methods with a high detection accuracy and a low false positive rate. Although the performance of our detection is not better than Drebin, the cost of our detection
method is much smaller than Drebin's, which means it may be more suitable for smart-phones. When running on a desktop computer (3.20GHZ Core 2 Duo with 4GB RAM), Drebin needs 700ms to complete the analysis of an application, while our detection only takes 30ms to do the same work.

V. LIMITATIONS & FUTURE WORK

The performance of our detection method is demonstrated in the previous section. However, the false positive rate of our detection is a little high compared with Drebin. There are two reasons that may cause this situation: a lack of benign samples and the absence of dynamic inspection. There are only 1550 benign samples in our dataset, which is one-eighth of Drebin's dataset. The lack of benign samples means we cannot extract enough useful benign features to identify innocent applications more accurately. In another aspect, our detection method only focuses on the static features of applications. Some attacks (like transformation attacks) are not detectable by static analysis, so extracting dynamic features may help us improve our approach.

In a word, in order to reduce the false positive rate of our detection method, we could enlarge our experimental dataset (particularly the benign samples) and import dynamic analysis into our detection method in future work.

VI. CONCLUSION

Nowadays, malware on Android persistently threatens the security of the most popular mobile platform. Limited by the resources of the mobile platform, most detection approaches for Android need to work on a desktop computer to ensure the detection accuracy. In order to work on smart-phones, detection methods must be simple, quick and stable.

In this paper, an ultra-lightweight Android malware detection method combining a machine learning algorithm with static analysis is proposed, which uses 2-level machine learning to optimize the detection. We evaluate our detection method with 1550 benign samples and 3427 malicious samples. Experimental results show that our method can detect malware with a high true positive rate in a fairly short time.

REFERENCES

[1] G-DATA Mobile Malware Report - THREAT REPORT: Q2/2015 [R]. https://public.gdatasoftware.com/Presse/Publikationen/Malware_Reports/G_DATA_MobileMWR_Q2_2015_EN.pdf
[2] Arp D, Gascon H, Rieck K, et al. DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket [C]// Network and Distributed System Security Symposium. 2014.
[3] Grace M, Zhou Y, Zhang Q, et al. RiskRanker: scalable and accurate zero-day android malware detection [C]// International Conference on Mobile Systems, Applications, and Services. ACM, 2012:281-294.
[4] Arzt S, Rasthofer S, Fritz C, et al. FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps [J]. ACM SIGPLAN Notices, 2014, 49(6):259-269.
[5] Enck W, Gilbert P, Han S, et al. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones [J]. ACM Transactions on Computer Systems, 2010, 57(3):393-407.
[6] Zhou Y, Wang Z, Zhou W, et al. Hey, You, Get Off of My Market: Detecting Malicious Apps in Official and Alternative Android Markets [J]. Proceedings of Annual Network & Distributed System Security Symposium, 2012.
[7] Yan L K, Yin H. DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis [C]// Proceedings of the 21st USENIX conference on Security symposium. USENIX Association, 2012:29-29.
[8] Enck W, Ongtang M, McDaniel P. On lightweight mobile phone application certification [C]// ACM Conference on Computer and Communications Security, CCS 2009, Chicago, Illinois, USA, November. 2009:235-245.
[9] Peng H, Gates C, Sarma B, et al. Using probabilistic generative models for ranking risks of Android apps [C]// ACM Conference on Computer and Communications Security. 2012:241-252.
[10] Sarma B P, Li N, Gates C, et al. Android permissions: A perspective combining risks and benefits [J]. Proceedings of ACM Symposium on Access Control Models & Technologies (SACMAT), 2012:13-22.
[11] Zhou Y, Jiang X. Dissecting android malware: Characterization and evolution [C]// Security and Privacy (SP), 2012 IEEE Symposium on. IEEE, 2012:95-109.
[12] Aafer Y, Du W, Yin H. DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android [M]// Security and Privacy in Communication Networks. Springer International Publishing, 2013:86-103.
[13] Chakradeo S, Reaves B, Traynor P, et al. MAST: triage for market-scale mobile malware analysis [C]// ACM Conference on Security and Privacy in Wireless and Mobile Networks. ACM, 2013:13-24.
[14] Gruver B, et al. smali [CP]. http://code.google.com/p/smali. 2012.
[15] Desnos A, Gueguen G. Android: From Reversing to Decompilation [J]. Proc of Black Hat Abu Dhabi, 2011.
[16] Rastogi V, Chen Y, Enck W. AppsPlayground: automatic security analysis of smartphone applications [C]// ACM Conference on Data and Application Security and Privacy. 2013:209-220.
[17] Wu W C, Hung S H. DroidDolphin: a dynamic Android malware detection framework using big data and machine learning [C]// Conference on Research in Adaptive and Convergent Systems. ACM, 2014:215-216.
[18] Afonso V M, Amorim M F D, Grégio A R A, et al. Identifying Android malware using dynamically obtained features [J]. Journal of Computer Virology & Hacking Techniques, 2014, 11(1):9-17.
[19] Lindorfer M, Neugschwandtner M, Platzer C. MARVIN: Efficient and Comprehensive Mobile App Classification through Static and Dynamic Analysis [C]// Computer Software and Applications Conference. IEEE, 2015.
[20] Spreitzenbarth M, Freiling F, Echtler F, et al. Mobile-sandbox: having a deeper look into android applications [C]// Proceedings of the 28th Annual ACM Symposium on Applied Computing. 2013:1808-1815.