Anomaly-based Mobile Malware Detection: System Calls as Source for Features

Dominik Teubert, Fred Grossmann, Ulrike Meyer

Abstract

Mobile malware nowadays poses a serious threat to end users of mobile devices. Machine learning techniques have a great potential to automate the detection of mobile malware. However, prior work in this area mostly focused on using classifiers that require training with data from both the benign as well as the malicious class. As a consequence, training these models requires feature extraction from large amounts of mobile malware, a task that becomes increasingly difficult considering the obfuscation and emulator detection capabilities of modern mobile malware. In this paper we propose the use of one-class classifiers. The advantage of using these models is that they are exclusively trained with data from the benign class. In particular, we compare generative as well as discriminative modeling approaches, namely Hidden Markov Models and one-class Support Vector Machines. We use system calls as source for our features and compare the discriminatory power of binary feature vectors, frequency vectors, as well as temporally ordered sequences of system calls.
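As an added illustration (not code from the paper), the following Python sketch builds the three feature representations the abstract compares, a binary vector, a frequency vector and temporally ordered system-call n-grams, from a constructed strace-style trace, and trains a minimal one-class n-gram model on benign traces only as a simple stand-in for the paper's HMM and one-class SVM. The trace lines, the syscall vocabulary and the model are assumptions.

```python
from collections import Counter
import re

# Matches strace-style lines such as: [pid 1234] openat(AT_FDCWD, "/x", O_RDONLY) = 3
SYSCALL_RE = re.compile(r"^\s*(?:\[pid\s+\d+\]\s+)?([a-z_0-9]+)\(")

# Assumed syscall vocabulary; a real system would derive it from the training set.
VOCAB = ["openat", "read", "write", "close", "socket", "connect", "sendto", "fork", "execve"]

# Constructed strace-like log of a benign run (not real data).
BENIGN_TRACE = """\
openat(AT_FDCWD, "/data/app/config", O_RDONLY) = 3
[pid 1234] read(3, "k=v\\n", 4096) = 4
close(3) = 0
write(1, "ok\\n", 3) = 3
"""

def parse_trace(text):
    """Return the temporally ordered syscall names found in strace-style text."""
    return [m.group(1) for m in map(SYSCALL_RE.match, text.splitlines()) if m]

def binary_vector(calls, vocab=VOCAB):
    """Binary feature vector: 1 if the syscall occurs at least once in the trace."""
    present = set(calls)
    return [1 if s in present else 0 for s in vocab]

def frequency_vector(calls, vocab=VOCAB):
    """Frequency feature vector: relative frequency of each syscall in the trace."""
    counts, total = Counter(calls), max(len(calls), 1)
    return [counts[s] / total for s in vocab]

def ngrams(calls, n):
    """Sequence representation: temporally ordered syscall n-grams."""
    return [tuple(calls[i:i + n]) for i in range(len(calls) - n + 1)]

class BenignNgramModel:
    """Minimal one-class model trained on benign traces only: it stores the n-grams
    seen in training and flags traces dominated by unseen n-grams (assumed stand-in)."""
    def __init__(self, n=2):
        self.n, self.known = n, set()

    def fit(self, benign_traces):
        for calls in benign_traces:
            self.known.update(ngrams(calls, self.n))
        return self

    def score(self, calls):
        """Anomaly score in [0, 1]: fraction of n-grams never seen in benign data."""
        grams = ngrams(calls, self.n)
        return sum(g not in self.known for g in grams) / max(len(grams), 1)
```

Training only needs benign traces, which is the point of the one-class setting: no malware samples have to be collected or traced to fit the model.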

Paper Citation


in Harvard Style

Teubert D., Grossmann F. and Meyer U. (2016). Anomaly-based Mobile Malware Detection: System Calls as Source for Features. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 26-36. DOI: 10.5220/0005652900260036


in Bibtex Style

@conference{icissp16,
author={Dominik Teubert and Fred Grossmann and Ulrike Meyer},
title={Anomaly-based Mobile Malware Detection: System Calls as Source for Features},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2016},
pages={26-36},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005652900260036},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Anomaly-based Mobile Malware Detection: System Calls as Source for Features
SN - 978-989-758-167-0
AU - Teubert D.
AU - Grossmann F.
AU - Meyer U.
PY - 2016
SP - 26
EP - 36
DO - 10.5220/0005652900260036