Android Malware Family Classification Based on Resource Consumption over Time
Autor: | Luca Massarelli, Roberto Baldoni, Claudio Ciccotelli, Leonardo Aniello, Daniele Ucci, Leonardo Querzoni |
---|---|
Rok vydání: | 2017 |
Předmět: |
FOS: Computer and information sciences
Computer Science - Cryptography and Security Computer science Feature extraction Android malware 0211 other engineering and technologies 02 engineering and technology computer.software_genre Machine learning Mobile malware Software 0202 electrical engineering electronic engineering information engineering Malware analysis Android (operating system) 021110 strategic defence & security studies procfs business.industry Support vector machine Smartphones Applications Malware 020201 artificial intelligence & image processing Artificial intelligence business computer Cryptography and Security (cs.CR) |
Zdroj: | MALWARE |
DOI: | 10.48550/arxiv.1709.00875 |
Popis: | The vast majority of today's mobile malware targets Android devices. This has pushed the research effort in Android malware analysis in the last years. An important task of malware analysis is the classification of malware samples into known families. Static malware analysis is known to fall short against techniques that change static characteristics of the malware (e.g. code obfuscation), while dynamic analysis has proven effective against such techniques. To the best of our knowledge, the most notable work on Android malware family classification purely based on dynamic analysis is DroidScribe. With respect to DroidScribe, our approach is easier to reproduce. Our methodology only employs publicly available tools, does not require any modification to the emulated environment or Android OS, and can collect data from physical devices. The latter is a key factor, since modern mobile malware can detect the emulated environment and hide their malicious behavior. Our approach relies on resource consumption metrics available from the proc file system. Features are extracted through detrended fluctuation analysis and correlation. Finally, a SVM is employed to classify malware into families. We provide an experimental evaluation on malware samples from the Drebin dataset, where we obtain a classification accuracy of 82%, proving that our methodology achieves an accuracy comparable to that of DroidScribe. Furthermore, we make the software we developed publicly available, to ease the reproducibility of our results. Comment: Extended Version |
Databáze: | OpenAIRE |
Externí odkaz: |