UIC-ATC-ScalCom-CBDCom-IoP 2015
API Sequences based Malware Detection for Android
Jiawei Zhu∗†‡ , Zhengang Wu§ , Zhi Guan∗†‡ , Zhong Chen∗†‡
∗ Institute
of Software, School of EECS, Peking University, Beijing, China
[email protected]
,
[email protected]
,
[email protected]
† MoE Key Lab of High Confidence Software Technologies (PKU), Beijing, China
‡ MoE Key Lab of Network and Software Security Assurance (PKU), Beijing, China
§ China Academy of Information and Communications Technology, Beijing, China
[email protected]
Abstract—To mitigate security problem brought by Android
malware, various work has been proposed such as behavior
based malware detection and data mining based malware
detection. In this paper, we put forward a novel Android
malware detection model using data mining techniques. We
design an algorithm with two steps. The first step is modeling
Android application code into graph structure, called API
control flow graph by us. Next step is calculating API sequences
fulfilling minimum intra-family support in each malware family
because malware in malware family usually share similar
behavior pattern. Finally, supervised learning method is took
advantage in building our malware detecting model with API
sequences as input features. We evaluate this model with 1200
applications, half of them are malicious and half are benign,
and find it effective in identifying Android malware and even
unknown malware.
Keywords-Android malware; malware family; data mining;
feature selection;
I. I NTRODUCTION
With the rising number of Android devices held by users
and applications developed by developers, various applica-
tions with malicious purpose began to occur in this envi-
ronment, which brought loss to Android users to different
degree. These malicious applications usually can be used
to destroy devices’ system, steal users’ private information
and even bring loss to their property. Unfortunately, this
condition is still rising now day by day. The statistics showed
that there were more than 75 million new malware samples
detected and 200,000 new strains of malware each day [1].
So more research on the aspect of detection of Android
apps security should be done to protect Android users from
malware.
In this paper, we propose a novel scheme which uses data
mining based malware detection method with fine grained
features to detect Android malware. We use API sequence
which reflects malicious behavior as features. To automat-
ically get these malicious behavior API sequences but not
manually define them, we extract these API sequences inside
each Android malware family fulfilling the minimum intra-
family support. Finally, several machine learning algorithms
Zhi Guan is corresponding author
978-1-4673-7211-4/15 $31.00 © 2015 IEEE
DOI 10.1109/UIC-ATC-ScalCom-CBDCom-IoP.2015.135
are put in this case to get the best model to detect Android
malware.
In summary, our paper makes the following contributions
to the detection of Android malware:
• Automatically generation of Android malicious be-
havior: As mentioned before, behavior based malware
detection method use manually defined behavior mode
to compare with the behavior of the application to be
detected. In our paper, we can automatically generate
Android malicious behavior represented as API se-
quence by extracting frequent API sequence in Android
malware family, which are used as features of the
detecting model.
• Effective detection results: After our experiment, we
find that our model is effective in malware detecting
and can reach a high detecting accuracy. Besides, the
influence of two important arguments in our model -
intra-family minimum support and minimum length of
API sequences are tested to build the best detecting
model.
The following sections of this paper proceeds as follows.
Section 2 describes the related work about Android malware
detection. Section 3 provides the detailed scheme of our
work. Section 4 describes the process of our experiment and
Section 5 concludes.
II. R ELATED W ORK
From the aspect of whether running applications to detect
malware or not, static analysis and dynamic analysis are
two approaches for the detection of malware. In Android
platform, both static analysis and dynamic analysis scheme
have been proposed by researchers in recent years. Because
our work use static analysis to detect Android malware, we
state static analysis related work in this section.
For static analysis, at first, static information like API call
or permission requested is extracted from other representa-
tion of application code, such as AST(Abstract Syntax Tree)
and CFG(Control Flow Graph). Then this static information
is viewed as feature to do with behavior based malware
detection or data mining based malware detection. Many
researchers used behavior based malware detection method
673
as mentioned above [2], [6], [3], [4]. In this case, taint
analysis [5] was the most common technique to proceed
behavior analysis. In detail, FlowDroid [2] was designed
to detect the flow of private personal information with
taint analysis. Enck et al. [6] designed Android decompiled
tool ded decompiling Android application to origin Java
class file, which could be dealed with Java static analysis
tools such as Fortify SCA. Some researchers also pay their
attention to data mining based malware detection method,
which performs quicker than behavior based malware detec-
tion method. The detection of malware can ben transferred
to the classification problem if with various labeled apps.
DroidApiMiner [7] used single API call as the feature with
SVM, kNN, Random Forest and Naive Bayes to build the
detection model. Drebin [8] utilized more features, such
as API call, permission, static string to build the model.
DroidMiner [9] uses similar idea to automatically mine API
sequences which can represent software behavior patterns,
but we introduce a different algorithm to generate frequent
sequences and do more detailed experiment about machine
learning process.
III. M ETHODOLOGY
A. Overview
In this paper, we put forward a data mining based Android
malware detection scheme with behavior API sequences
as features of the detecting model. The overview of our
proposal is shown in Figure 1.
Figure 1. Proposal Overview
B. API CFG Generation
Control flow analysis is done on the decompiled Android
code. The code is analyzed from its entry points, that is the
components which are defined in Android manifest file. Be
different from control flow analysis on Java code, Android
code contains several entry points. Besides, the communi-
cation between components of Android applications should
also be handled to generate an accurate CFG. For this
problem, several papers have provided methods such as [2].
674
After obtaining the CFG of the application file, we only
want to focus on the sensitive API statement nodes and
ignore other nodes because our goal is to generate API
call sequence. Therefore, before mining frequent API call
sequence of each malware family, we model the application
code into API control flow graph. Here, we define the API
CFG as follows:
API Control Flow Graph
• Node: Each node represents a sensitive API call in
Android OS.
• Edge: Each edge represents the control flow in the
program.
To generate this graph, we design an algorithm to trans-
form the CFG into API CFG shown in Algorithm 1. To
correctly deal with the condition with user-defined method,
we use iterative algorithm to solve this problem. For all
user-defined methods in the program, if there is no user-
defined methods or all user-defined methods called by this
caller method have been obtained their API CFG, then
this method can be handled with update function. For the
update algorithm, DFS(Depth First Search) can be used to
traverse the graph of this method(we call it method m). If a
node with sensitive API method is met, it will be added into
the new API CFG graph of m. If a node with user-defined
method um is met, the already obtained API CFG of um
will be inserted. Besides, the new graph should add an edge
from the last legal API node to the new added API node
like.
Algorithm 1 API CFG Generation Algorithm
Require:
Each user-defined method m’s CFG CF G(m)
Each user-defined method m’s caller methods caller(m)
User-defined method set S in which methods have not
been handled yet
Ensure:
API CFG of the whole program
1: repeat
2: for each m ∈ S do
3: f lag = true;
4: for each cm ∈ caller(m) do
5: if cm ∈ S then
6: f lag = false;
7: break;
8: if f lag is true then
9: update(m);
10: remove m from S;
11: until main method is not in set S
C. Frequent Behavior API Sequence Mining
To automatically generate behavior API call sequence set
as the detecting model’s feature, we design an algorithm
to extract the features inside each malware family. Because
there is similar behavior pattern in each malware family,
our proposal try to mine the common API sequences in
each malware family. At first, we handle with the single
malware’s API CFG generated in the last process and gen-
erate the sequence set of this malware. Then the algorithm
merges all of the generated sequences of every malware in
one malware family and calculates the frequent sequences
occurring in this malware family as the features.
Our algorithm contains three steps. The first step is
traversing and recording all key paths in the graph. Here,
we define the key path of a graph meeting the following
properties:
• There is no duplicate node occurring in the key path.
• There is no path in the graph which is the prefix of this
key path.
To get all key paths in the graph, the algorithm traverses
every node in the graph and maintains the path information
of every visited node. If a path cannot traverse forward
which means it is one of the key paths in this graph, then
go back-track and update the path information of the visited
node in this key path until finding another unvisited node.
Finally, all key paths will be recorded in this process.
The second step is extracting every subsequences in key
paths and merging them into a no duplicate set. Here, all
subsequences of every key path are calculated and put into
the subsequence set. After these two steps, we obtain all
API subsequences of one malware from its API CFG.
The last step is choosing all subsequences fulfill intra-
family support threshold. We count the number of every
subsequence and compare this number with the minimum
support. In detail, subsequences generated by all malware
in malware family will be merged into a set at first. Then,
sorting algorithm is used to sort the element in this set.
At last, visiting the sorted element from the first element
to count the number of each sequences and pick up API
sequences fulfilling minimum support as the result. Here, our
proposal can extract frequent API sequences from malware
in malware family, which will be used as the input features
in the detecting model.
D. Learning-based Detection
In our paper, we choose supervised learning method
with labeled Android applications as training examples to
build our model in detecting Android malware. As the
classification problem, malware detection can be viewed
as a classification problem with two classes, benign and
malicious app. Specifically, we try SVM, Naive Bayes and
Decision Tree algorithm to train our model. For the model,
the input features are frequent API sequences mined in the
last procedure. Formally, we define the ai to be the ith app to
be detected and sj to be the binary whether the app contains
jth API sequence in its program. So the training examples
675
is represented as ai = (si1 , si2 , . . . , sin ). The output of this
model is binary number −1 and 1.
IV. E XPERIMENT
A. Dataset
In our work, we use supervised learning method to train
the model so we have to collect enough training examples
to do the experiment. Besides, our proposal need to have
a feature selection procedure for each Android malware
family. Therefore, the malware in our dataset is manually
classified into different Android malware family. Specif-
ically, we select 600 malware from 30 famous malware
families(30 malware for each family, including FakeInstaller,
GingerMaster and Geinimi) and 600 benign applications
collected from Android Market.
B. Evaluation Method
In our experiment, we divide the data set into 5 sets
(formally defined as S1 , S2 , S3 , S4 , S5 ) in average with
6 malware families and 120 benign apps in each set. 5-fold
cross validation is utilized in evaluating the model quality.
The detailed procedure is listed as follows.
• Step 1: Random choose 4 sets in S1 ∼ S5 as training
examples. For the malware in these sets, we generate
frequent API sequences as the input features. Then the
training examples are represented in vector format by
finding whether each input feature exists in training
examples’ API CFG. Build the model with SVM, Naive
Bayes and ID3 algorithm.
• Step 2: Use the remained set as test apps. These
detected apps are still represented as vector format
based on the input features.
• Step 3: Repeat Step 1 for 5 times and calculate the
average accuracy.
We do the experiment in this way because the evaluation
of our model may be not so accurate if we use part of
the applications in all malware family to train the model.
Some of the malware family has to not be used in the
training phase so that the effectiveness in detecting unknown
malware can be tested.
C. Experiment Results
In this section, we evaluate the model with 1,200 Android
apps. We measure the area under the ROC curve (AUC) of
detecting models with different arguments to estimate how
well our method does to detect Android malware.
At first, we try different machine learning algorithm to
train our detecting model. We use WEKA tool [10], which
contains the implementation of several machine learning
algorithms, to do our experiment. After 5-fold cross vali-
dation, we present the AUC of these three models learned
by SVM, Naive Bayes and ID3 algorithm with 100% support
in malware family and minimum sequence length 1 in Table
1. From our data, we find all these three models can obtain
an accurate prediction on malware detection. Furthermore,
SVM algorithm acquires the best model for this dataset.
Later, we use SVM algorithm as the learning algorithm to
test the influence of different arguments in our experiment.
Table I
Q UALITY OF MODELS WITH DIFFERENT LEARNING ALGORITHMS
Algorithm AUC
ID3 0.915
Naive Bayes 0.872
SVM 0.924
The minimum support for each malware family and the
minimum length of API sequences are two arguments which
could be tuned in our experiment to show the influence of
these two arguments. Because there exists some variant of
origin malware which some additional behaviors in malware
family, so we plan to measure the influence of intra-family
support. For the minimum support in malware family, 60%,
70%, 80%, 90% and 100% are used in our model. Table
II (a) shows that when the support in malware family is
90%, the quality of this model obtains the best result.
For the support less than this number, there may contain
many redundant sequences which are not suitable as features
reflecting software behavior. While 100% support condition
contains less features than the condition with 90% support,
which may not cover enough software behavior patterns
for detecting unknown malware. Table II (b) is the results
of different models with different minimum length of API
sequences, which means that choosing API sequences whose
length are greater than 2 obtain the best quality in our
dataset.
Table II
I NFLUENCE OF DIFFERENT ARGUMENTS TO OUR MODEL UNDER SVM
ALGORITHM
(a) Quality of models with (b) Quality of models with
different minimum support minimum sequence length
Min Support AUC Min Sequence Length
60% 0.903 1 0.924
70% 0.889 2 0.930
80% 0.909 3 0.890
90% 0.937
100% 0.924
From this results, we find that when the SVM algorithm
learned model with minimum support as 0.9 and minimum
sequence length as 2 can get the best quality in our dataset,
which is also an effective model for detecting Android
malware from the AUC number we get.
V. C ONCLUSION
In this paper, we put forward a data mining based Android
malware detection model with fine grained features which
uses API sequences as features but not single API call. In our
experiment, we evaluate our model with 1200 applications
(600 malware from 30 malware families and 600 benign
apps). The results shows that all these three models are
able to have an accurate prediction on malware detection,
in which SVM algorithm obtains the best results among
these three algorithms. Besides, we measure the influence
of arguments minimum support in malware family and
minimum API sequence length. We find that the model with
0.9 support and minimum length 2 acquires better effect than
other case.
ACKNOWLEDGMENT
This work was supported by the National Natural Science
Foundation of China under Project Code 61170263.
R EFERENCES
[1] PandaLabs. [Online]. Available: http://www.pandasecurity.
com/
[2] S. Arzt, S. Rasthofer, C. Fritz, E. Bodden, A. Bartel, J. Klein,
Y. Le Traon, D. Octeau, and P. McDaniel, “Flowdroid: Precise
context, flow, field, object-sensitive and lifecycle-aware taint
analysis for android apps,” in Proceedings of the 35th ACM
SIGPLAN Conference on Programming Language Design and
Implementation. ACM, 2014, p. 29.
[3] Z. Yang, M. Yang, Y. Zhang, G. Gu, P. Ning, and X. S. Wang,
“Appintent: Analyzing sensitive data transmission in android
for privacy leakage detection,” in Proceedings of the 2013
ACM SIGSAC conference on Computer & communications
security. ACM, 2013, pp. 1043–1054.
[4] A. P. Fuchs, A. Chaudhuri, and J. S. Foster, “Scan-
droid: Automated security certification of android applica-
tions,” Manuscript, Univ. of Maryland, http://www. cs. umd.
edu/avik/projects/scandroidascaa, vol. 2, no. 3, 2009.
[5] J. Newsome and D. Song, “Dynamic taint analysis for auto-
matic detection, analysis, and signature generation of exploits
on commodity software,” 2005.
different
[6] W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri, “A
study of android application security.” in USENIX security
AUC
symposium, vol. 2, 2011, p. 2.
[7] Y. Aafer, W. Du, and H. Yin, “Droidapiminer: Mining api-
level features for robust malware detection in android,” in
Security and Privacy in Communication Networks. Springer,
2013, pp. 86–103.
[8] D. Arp, M. Spreitzenbarth, M. Hübner, H. Gascon, K. Rieck,
and C. Siemens, “Drebin: Effective and explainable detection
of android malware in your pocket,” 2014.
[9] C. Yang, Z. Xu, G. Gu, V. Yegneswaran, and P. Porras,
“Droidminer: Automated mining and characterization of fine-
grained malicious behaviors in android applications,” in Com-
puter Security-ESORICS 2014. Springer, 2014, pp. 163–182.
[10] M. Hall, E. Frank, G. Holmes, B. Pfahringer, P. Reutemann,
and I. H. Witten, “The weka data mining software: an update,”
ACM SIGKDD explorations newsletter, vol. 11, no. 1, pp. 10–
18, 2009.
676