Extracting Android Malicious Behaviors

Khanh-Huu-The Dam, Tayssir Touili

Abstract

The number of Android malwares is increasing quickly. That makes the Android devices more vulnerable while they are the target of malware’s writers. Thus, the challenge nowadays is to detect the malicious Android applications. To this aim, we need to know what are the malicious behaviors that Android malwares apply. In this paper, we introduce a method to automatically extract the malicious behaviors for Android malware detection. We present the behaviors of an Android application by an API call graph and we use a malicious API graph to represent the malicious behaviors. Then, given a set of malicious and benign applications, we compute the malicious behaviors by extracting from the API call graphs the subgraphs that are relevant to the malicious API call graphs but not relevant to the benign ones. This relevance is measured by applying the TFIDF weighting scheme widely used in the Information Retrieval Community. These malicious API graphs are applied to detect malicious applications. We obtained encouraging results with a recall rate of 92% and a precision of 98%.

References

  1. Aafer, Y., Du, W., and Yin, H. (2013). Droidapiminer: Mining api-level features for robust malware detection in android. In International Conference on Security and Privacy in Communication Systems, pages 86-103. Springer.
  2. Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., and Rieck, K. (2014). DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. In NDSS.
  3. Aung, Z. and Zaw, W. (2013). Permission-based android malware detection. International Journal of Scientific and Technology Research, 2(3):228-234.
  4. Burguera, I., Zurutuza, U., and Nadjm-Tehrani, S. (2011). Crowdroid: behavior-based malware detection system for android. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, pages 15-26. ACM.
  5. Canfora, G., Medvet, E., Mercaldo, F., and Visaggio, C. A. (2015). Detecting android malware using sequences of system calls. In Proceedings of the 3rd International Workshop on Software Development Lifecycle for Mobile, pages 13-20. ACM.
  6. Cheng, J. Y.-C., Tsai, T.-S., and Yang, C.-S. (2013). An information retrieval approach for malware classification based on windows api calls. In 2013 International Conference on Machine Learning and Cybernetics.
  7. Christopher D. Manning, Prabhakar Raghavan, H. S. (2009). An introduction to information retrieval. Cambridge University Press.
  8. Dam, K.-H.-T. and Touili, T. (2016). Automatic extraction of malicious behaviors. In 11th International Conference on Malicious and Unwanted Software 2016 (MALCON 2016), Fajardo, Puerto Rico.
  9. Dimjas?evic, M., Atzeni, S., Ugrina, I., and Rakamaric, Z. (2015). Android malware detection based on system calls. University of Utah, Tech. Rep.
  10. Jang, J.-w., Kang, H., Woo, J., Mohaisen, A., and Kim, H. K. (2016). Andro-dumpsys: anti-malware system based on the similarity of malware creator and malware centric information. computers & security, 58:125-138.
  11. Malik, S. and Khatter, K. (2016). System call analysis of android malware families. Indian Journal of Science and Technology, 9(21).
  12. Masud, M. M., Khan, L., and Thuraisingham, B. (2008). A scalable multi-level feature extraction technique to detect malicious executables. Information Systems Frontiers.
  13. Robertson, S. and Zaragoza, H. (2009). The probabilistic relevance framework: BM25 and beyond. Now Publishers Inc.
  14. Robertson, S. E., Walker, S., Jones, S., Hancock-Beaulieu, M. M., Gatford, M., et al. (1995). Okapi at trec-3. NIST SPECIAL PUBLICATION SP.
  15. Santos, I., Ugarte-Pedrero, X., Brezo, F., Bringas, P. G., and Gómez-Hidalgo, J. M. (2013). Noa: An information retrieval based malware detection system. Computing and Informatics.
  16. Sharma, A. and Dash, S. K. (2014). Mining api calls and permissions for android malware detection. In International Conference on Cryptology and Network Security, pages 191-205. Springer.
  17. Singhal, A., Buckley, C., and Mitra, M. (1996). Pivoted document length normalization. In Proceedings of the 19th annual international ACM SIGIR conference on Research and development in information retrieval.
  18. Singhal, A., Choi, J., Hindle, D., Lewis, D. D., and Pereira, F. (1999). At&t at trec-7. NIST SPECIAL PUBLICATION SP.
  19. Singhal, A. and Kaszkiel, M. (2001). A case study in web search using trec algorithms. In Proceedings of the 10th international conference on World Wide Web.
  20. Song, F. and Touili, T. (2014). Model-checking for android malware detection. In Asian Symposium on Programming Languages and Systems, pages 216-235. Springer.
  21. Talha, K. A., Alper, D. I., and Aydin, C. (2015). {APK} auditor: Permission-based android malware detection system. Digital Investigation, 13:1 - 14.
  22. Tchakounté, F. (2014). Permission-based malware detection mechanisms on android: Analysis and perspectives. JOURNAL OF COMPUTER SCIENCE, 1(2).
  23. Yao, J., Wang, J., Li, Z., Li, M., and Ma, W.-Y. (2006). Ranking web news via homepage visual layout and cross-site voting. In European Conference on Information Retrieval.
  24. Zhang, Y., Yang, M., Xu, B., Yang, Z., Gu, G., Ning, P., Wang, X. S., and Zang, B. (2013). Vetting undesirable behaviors in android apps with permission use analysis. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS 7813, pages 611-622, New York, NY, USA. ACM.
Download


Paper Citation


in Harvard Style

Dam K. and Touili T. (2017). Extracting Android Malicious Behaviors . In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017) ISBN 978-989-758-209-7, pages 714-723. DOI: 10.5220/0006288807140723


in Bibtex Style

@conference{forse17,
author={Khanh-Huu-The Dam and Tayssir Touili},
title={Extracting Android Malicious Behaviors},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)},
year={2017},
pages={714-723},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006288807140723},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)
TI - Extracting Android Malicious Behaviors
SN - 978-989-758-209-7
AU - Dam K.
AU - Touili T.
PY - 2017
SP - 714
EP - 723
DO - 10.5220/0006288807140723