
Malware Detection Technique for Android IoT Devices: Presented by Tellakula Hima Bindu, Reg No. 221003100

The document proposes a malware detection technique for Android IoT devices that combines machine learning and blockchain technology. It involves using a clustering algorithm to reduce features and a naive Bayes classifier to classify malware. The extracted malware features would then be stored on a permissioned blockchain for distributed storage and identification of new malware. The technique aims to increase the speed and accuracy of run-time malware detection.

Uploaded by

Erukulla Dayakar

MALWARE DETECTION TECHNIQUE FOR ANDROID IoT DEVICES

PRESENTED BY-
Tellakula Hima Bindu
Reg No. 221003100
AGENDA
• Abstract
• Introduction
• Literature Review
• Dataset Description
• Methodology
• Proposed workflow
• Evaluation measures
• Comparison graphs
• Future challenges
ABSTRACT

• The struggle between security analysts and malware developers is a never-ending battle.
• IoT is revolutionizing the world with its evolving applications.
• Threats and malware attacks on Android devices are increasing rapidly.
• The proposed approach combines ML techniques and blockchain technology to improve malware detection.
• ML automatically extracts malware information using clustering and classification techniques.
• Clustering calculates weights for the feature set and iteratively removes unnecessary features with small weights.
• A classification algorithm using the naive Bayes classifier is implemented to extract the various features of Android malware.
• The proposed framework uses a permissioned blockchain to store authentic information about the extracted features in distributed malware database blocks.
• The aim is to increase the speed and accuracy of run-time malware detection.
INTRODUCTION

• Android devices are an attractive target for hackers due to the extensive use of the Android platform in IoT devices.
• Hackers exploit Android application features to break the security and privacy of the device.
• This poses a serious threat of personal data leakage.
• Blockchain and machine learning are gaining momentum around the world for intelligent model training and secure information exchange.
• The internal architecture of this new type of technology is based on a distributed computing paradigm.
• First phase: distinguish malware from benign applications and refine them using enhanced clustering methods.
• Second phase: a multi-feature naive Bayes algorithm for classification of malware.
• A blockchain database stores the de-tracked information of malware features, automatically generating new blocks that can identify new types of malware for IoT devices.
LITERATURE REVIEW
Three main methods for detecting malicious software:
• Signature-based methods – each file is analyzed and assigned a hash or signature (a unique alphanumeric way to identify malware).
• Heuristic-based methods – code is examined for suspicious properties; designed to spot new, unknown viruses.
• Behavior-based methods – the behaviors observed during the execution of the software are generally the system calls issued to the operating system.
DATASET DESCRIPTION
For weight analysis of Android applications.
Extraction of features (strings) from different categories.
METHODOLOGY

• The proposed ML technique provides an efficient approach to train the model.
• It stores and exchanges the trained model results throughout the blockchain network to spread information about newly generated malware.
• The proposed framework runs in a recurring way in 3 steps:
1) Hackers create a new type of malware.
2) Machine learning identifies the malware and re-trains the model.
3) Information about the new type of malware is stored in the blockchain database.
PROPOSED FRAMEWORK
MODIFIED FEATURE REDUCTION USING CLUSTERING ALGORITHM

• Feature extraction is an essential factor for high-dimensional data.
• Feature reduction shortens processing time for large datasets and lowers the computation cost of the training process.
• KNN is a very popular clustering algorithm.
• The clustering process takes the following steps:
1) Calculating the weights for each feature set.
2) Developing a parametric study for optimization.
3) Iteratively removing unnecessary features that have small weights.
• Similarity-based features are extracted from API and Opcode.
• They are used during feature vector generation to achieve a reduced feature set.
• The distance of a malicious feature is measured from the centroid of a cluster.
• Similarity is measured by calculating the minimum distance.
• By evaluating the similarity values, it can be observed that each feature matrix can contain similarities to the centroids of multiple clusters computed with known malware applications.
CLUSTERING OF BENIGN & MALWARE
NAIVE BAYES CLASSIFIER FOR MULTI-FEATURE

• Some methods used static analysis to build datasets based on application permissions, API and other features.
• Previous research shows that Random Forest achieved the best performance in malware detection.
• A random forest is a collection of decision trees; more precisely, it makes a forest of decision trees.
• Therefore, we enhanced the Naive Bayes classifier based on decision trees.
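The two phases described above (weighting and iteratively discarding low-weight features, then naive Bayes classification on the reduced set) can be sketched as follows. This is an added example, not code from the presentation: the weight formula, the 0.5 threshold, the sample apps and all function names are assumptions, and it uses a plain Bernoulli naive Bayes rather than the decision-tree-enhanced variant the slides mention.

```python
import math

# Constructed sample: (static features of one app, label); 1 = malware, 0 = benign.
APPS = [
    ({"SEND_SMS", "READ_CONTACTS", "INTERNET", "getDeviceId"}, 1),
    ({"SEND_SMS", "INTERNET", "getDeviceId", "exec"}, 1),
    ({"READ_CONTACTS", "SEND_SMS", "INTERNET", "exec"}, 1),
    ({"INTERNET", "CAMERA", "VIBRATE"}, 0),
    ({"INTERNET", "VIBRATE", "ACCESS_FINE_LOCATION"}, 0),
    ({"INTERNET", "CAMERA", "READ_CONTACTS"}, 0),
]

def feature_weights(apps, features):
    """Assumed weight: |P(feature | malware) - P(feature | benign)|."""
    frac = lambda rows, x: sum(x in r for r in rows) / len(rows)
    mal = [f for f, y in apps if y == 1]
    ben = [f for f, y in apps if y == 0]
    return {x: abs(frac(mal, x) - frac(ben, x)) for x in features}

def reduce_features(apps, min_weight=0.5):
    """Drop the lowest-weight feature, re-weight, repeat until all pass."""
    # This assumed weight is per-feature, so the loop ends at a plain threshold.
    features = set().union(*(f for f, _ in apps))
    while features:
        w = feature_weights(apps, features)
        worst = min(sorted(features), key=w.get)
        if w[worst] >= min_weight:
            break
        features.discard(worst)
    return features

def train_nb(apps, features):
    """Bernoulli naive Bayes with Laplace smoothing over the kept features."""
    model = {}
    for label in (0, 1):
        rows = [f for f, y in apps if y == label]
        like = {x: (sum(x in r for r in rows) + 1) / (len(rows) + 2) for x in features}
        model[label] = (len(rows) / len(apps), like)
    return model

def classify(model, app):
    """Return the label with the highest log-posterior for one app."""
    score = {}
    for label, (prior, like) in model.items():
        score[label] = math.log(prior) + sum(
            math.log(p if x in app else 1 - p) for x, p in like.items())
    return max(score, key=score.get)

KEPT = reduce_features(APPS)
MODEL = train_nb(APPS, KEPT)
```

On this sample `INTERNET` is discarded first because it appears in every app of both classes and therefore carries no weight, which is the effect the reduction step is meant to have.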
BLOCK–CHAIN BASED MALWARE DETECTION

• A vital technology that comes from the consensus mechanism, such as a fault-tolerant distributed computing system.
• We design a technique that uses a permissioned blockchain-based framework for storing information about malware features.
• In the proposed architecture, link nodes can communicate through a P2P connection between devices at the network layer.
• The synchronous block uses information through the nodes and builds a request and response pattern.
• The decentralized consensus mechanism offers critical benefits such as security and fault tolerance between the communicating nodes.
• Every node is connected to the others and transfers information to its neighbour nodes.
• Every block stores malware features such as risky permissions and suspicious APIs.
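How storing feature records in linked blocks lets any node detect a rewritten record can be shown with a minimal hash chain. This is an added example, not the presentation's framework: the block fields, family names and function names are hypothetical, and consensus, node permissioning and the P2P layer are not modelled.

```python
import hashlib
import json

def block_hash(body):
    """SHA-256 over the canonical JSON of a block body (all fields except its hash)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_block(chain, family, permissions, apis):
    """Append one malware feature record, linked to the previous block's hash."""
    body = {
        "index": len(chain),
        "prev_hash": chain[-1]["hash"] if chain else "0" * 64,
        "family": family,
        "risky_permissions": sorted(permissions),
        "suspicious_apis": sorted(apis),
    }
    chain.append({**body, "hash": block_hash(body)})
    return chain[-1]

def first_invalid(chain):
    """Return the index of the first block that fails verification, or None."""
    prev = "0" * 64
    for i, block in enumerate(chain):
        body = {k: v for k, v in block.items() if k != "hash"}
        if block["index"] != i or block["prev_hash"] != prev or block_hash(body) != block["hash"]:
            return i
        prev = block["hash"]
    return None

def known_features(chain):
    """Union of all stored features, for matching against a scanned app."""
    out = set()
    for block in chain:
        out.update(block["risky_permissions"], block["suspicious_apis"])
    return out

def demo():
    """Build a constructed two-block ledger, then alter a copy of it."""
    chain = []
    append_block(chain, "sample-family-A", {"SEND_SMS", "READ_SMS"}, {"sendTextMessage"})
    append_block(chain, "sample-family-B", {"READ_CONTACTS"}, {"getDeviceId", "exec"})
    tampered = json.loads(json.dumps(chain))              # deep copy
    tampered[0]["risky_permissions"].remove("SEND_SMS")   # an old record is rewritten
    return chain, tampered
```

Even if the altered block's own hash is recomputed, verification then fails at the next block, whose `prev_hash` still commits to the original record.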
EVALUATION MEASURES

• Classification methods are evaluated using measures such as True Positive Rate (TPR), False Positive Rate (FPR) and classification accuracy.
• True positives for malicious applications using the following formulas:

• The false positive rate is the proportion of negative instances for the benign apps.

• The accuracy is defined by the equation below.


COMPARISON GRAPHS
FUTURE CHALLENGES
• Reliable labeled data is important for malware detection, as labeling a file is a very time-consuming process.
• Malicious software has to constantly evolve to avoid detection by anti-malware engines.
• The attacker's aim is to fool the ML detector by camouflaging a piece of malware in feature space, inducing a feature representation highly correlated with benign behavior.
• Adversarial ML is a technique that attempts to fool the detector by automatically crafting adversarial examples.
THANK YOU.
