
A Risk Classification Based Approach for Android Malware Detection

  • Ye, Yilin (Institute of Command Information System, PLA University of Science and Technology) ;
  • Wu, Lifa (Institute of Command Information System, PLA University of Science and Technology) ;
  • Hong, Zheng (Institute of Command Information System, PLA University of Science and Technology) ;
  • Huang, Kangyu (Institute of Command Information System, PLA University of Science and Technology)
  • Received : 2015.12.11
  • Accepted : 2016.11.21
  • Published : 2017.02.28

Abstract

Existing Android malware detection approaches have mostly concentrated on superficial features such as requested or used permissions, which cannot reflect the essential differences between benign apps and malware. In this paper, we propose a quantitative calculation model of application risk based on the key observation that the essential differences between benign apps and malware actually lie in the way permissions are used, or rather in the way their corresponding permission methods are used. Specifically, we perform a fine-grained analysis of Android application risks. We first classify application risks into five specific categories and then introduce comprehensive risk, computed from the former five, to describe the overall risk of an application. Given that users' risk preference and risk-bearing ability are naturally fuzzy, we design and implement a fuzzy logic system to calculate the comprehensive risk. On the basis of the quantitative calculation model, we propose a risk classification based approach for Android malware detection. The experiments show that our approach achieves high accuracy with a low false positive rate using the RandomForest algorithm.
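The abstract describes combining five per-category risk scores into one comprehensive risk with a fuzzy logic system whose behaviour depends on the user's risk preference. The following is an added illustration of that idea, not code from the paper or its authors: a small Mamdani-style fuzzy inference system. The category names, the triangular membership functions, the three-rule rule base and the single preference parameter `theta` are all assumptions made here for the example; the paper's actual categories, rules and membership shapes are not given on this page.

```python
"""Added example: fuzzy combination of per-category app risks.

Not the paper's implementation. Everything below (category names, membership
shapes, rule base, the `theta` preference knob) is an assumption for illustration.
"""
from typing import Callable, Dict, Tuple

# Hypothetical category names: the abstract says "five categories" but does not
# name them here, so these are placeholders.
CATEGORIES: Tuple[str, ...] = ("privacy", "financial", "device", "network", "system")


def tri(x: float, a: float, b: float, c: float) -> float:
    """Triangular membership function with feet a, c and peak b."""
    if x <= a or x >= c:
        return 0.0
    if x == b:
        return 1.0
    return (x - a) / (b - a) if x < b else (c - x) / (c - b)


def make_terms(theta: float) -> Dict[str, Callable[[float], float]]:
    """Linguistic terms low/medium/high over the risk universe [0, 1].

    theta is the score at which 'medium' peaks and 'high' starts rising.
    A risk-averse user uses a smaller theta, so 'high' fires earlier.
    """
    return {
        "low": lambda x: tri(x, -theta, 0.0, theta),
        "medium": lambda x: tri(x, 0.0, theta, 1.0),
        "high": lambda x: tri(x, theta, 1.0, 2.0 - theta),
    }


def comprehensive_risk(scores: Dict[str, float], theta: float = 0.5) -> float:
    """Combine five category risks in [0,1] into one comprehensive risk in [0,1].

    Rule base (assumed for the example):
      R1: IF any category is high     THEN comprehensive risk is high
      R2: IF any category is medium   THEN comprehensive risk is medium
      R3: IF all categories are low   THEN comprehensive risk is low
    Mamdani inference: rule strength clips the output term, the clipped terms are
    aggregated with max, and the result is defuzzified by centroid over a grid.
    """
    terms = make_terms(theta)
    xs = [scores[c] for c in CATEGORIES]
    strength = {
        "high": max(terms["high"](x) for x in xs),      # OR over categories
        "medium": max(terms["medium"](x) for x in xs),  # OR over categories
        "low": min(terms["low"](x) for x in xs),        # AND over categories
    }
    # Output terms use a fixed, symmetric shape so the output scale is stable
    # regardless of the user's input preference.
    out = make_terms(0.5)
    num = den = 0.0
    for i in range(101):
        y = i / 100.0
        mu = max(min(strength[t], out[t](y)) for t in ("low", "medium", "high"))
        num += y * mu
        den += mu
    return num / den if den else 0.0


def risk_features(scores: Dict[str, float], theta: float = 0.5) -> Tuple[float, ...]:
    """Feature vector for a downstream classifier: the five category risks plus
    the comprehensive risk. The paper reports using RandomForest on such
    features; the classifier itself is not part of this example."""
    return tuple(scores[c] for c in CATEGORIES) + (comprehensive_risk(scores, theta),)


if __name__ == "__main__":
    # Constructed sample: one app that only touches privacy-sensitive methods.
    sample = {"privacy": 0.9, "financial": 0.0, "device": 0.0, "network": 0.0, "system": 0.0}
    print("neutral user  :", round(comprehensive_risk(sample, theta=0.5), 3))
    print("risk-averse   :", round(comprehensive_risk(sample, theta=0.35), 3))
    print("feature vector:", [round(v, 3) for v in risk_features(sample)])
```

The interesting property for a detection pipeline is that the same five category scores yield a higher comprehensive risk for a smaller `theta`, so the user's risk tolerance changes the score without changing the feature extraction; the classifier then learns on the five raw category risks plus the fuzzy aggregate.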

Cited by

  1. A Secure Encryption-Based Malware Detection System vol.12, pp.4, 2018, https://doi.org/10.3837/tiis.2018.04.022
  2. Method to Analyze Information Leakage Malware using SSL Communication in Android Platform vol.19, pp.3, 2018, https://doi.org/10.7472/jksii.2018.19.3.1
  3. Identification of Counterfeit Android Malware Apps using Hyperledger Fabric Blockchain vol.20, pp.2, 2019, https://doi.org/10.7472/jksii.2019.20.2.61
  4. Detection of Malicious Activities in Internet of Things Environment Based on Binary Visualization and Machine Intelligence vol.108, pp.4, 2017, https://doi.org/10.1007/s11277-019-06540-6
  5. Consortium Blockchain based Forgery Android APK Discrimination DApp using Hyperledger Composer vol.20, pp.5, 2017, https://doi.org/10.7472/jksii.2019.20.5.9