ABSTRACT
As the dominant smartphone operating system, Android has attracted the attention of malware authors and researchers alike. The number of Android malware samples is increasing rapidly despite the considerable number of proposed malware analysis systems. In this paper, taking advantage of the low false-positive rate of misuse detection and the ability of anomaly detection to detect zero-day malware, we propose a novel hybrid detection system based on the new open-source framework CuckooDroid, which enables the use of Cuckoo Sandbox's features to analyze Android malware through dynamic and static analysis. Our proposed system consists of two main parts: a misuse detector that detects and classifies known malware by combining static analysis with dynamic analysis, and an anomaly detector that detects abnormal apps through dynamic analysis. We evaluate our method with 5560 malware samples and 12000 benign samples. Experiments show that our misuse detector with hybrid analysis can accurately detect and classify malware samples with average positive rates of 98.79% and 98.32%, respectively; it is worth noting that our anomaly detector based on dynamic analysis is capable of detecting zero-day malware with a low false negative rate (1.24%) and an acceptable false positive rate (2.24%). Our proposed detection system is designed mainly for app store markets and for ordinary users, who can access our system through a mobile cloud service.
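As an added illustration of the two-detector design the abstract describes (this is not the paper's or CuckooDroid's code): a toy hybrid detector in which the misuse detector matches combined static/dynamic feature sets against known-family signatures and classifies the family, while the anomaly detector flags apps whose sandbox behaviours are rare in a profile built from benign apps, and an evaluation helper reports the false-positive and false-negative rates. The family names, feature labels, signatures, benign profile, sample apps and thresholds are all constructed assumptions.

```python
from collections import Counter
# Known-family signatures for the misuse detector: static + dynamic feature sets (constructed).
SIGNATURES = {
    "FakeInstaller": {"perm:SEND_SMS", "api:SmsManager.sendTextMessage", "dyn:sms_to_premium"},
    "DroidKungFu": {"perm:INTERNET", "api:Runtime.exec", "dyn:exec_native", "dyn:net_to_c2"},
}
# Benign apps used to build the anomaly detector's behaviour profile (constructed).
BENIGN_APPS = [
    {"perm:INTERNET", "api:HttpURLConnection.connect", "dyn:net_to_cdn"},
    {"perm:INTERNET", "perm:ACCESS_FINE_LOCATION", "dyn:net_to_cdn", "dyn:read_location"},
    {"perm:INTERNET", "perm:READ_CONTACTS", "dyn:read_contacts", "dyn:net_to_cdn"},
    {"perm:INTERNET", "dyn:net_to_cdn", "dyn:read_location"},
]

def misuse_detect(features, min_overlap=0.75):
    """Classify a known family by signature overlap; None if no signature matches."""
    best, best_score = None, 0.0
    for family, sig in SIGNATURES.items():
        score = len(sig & features) / len(sig)
        if score >= min_overlap and score > best_score:
            best, best_score = family, score
    return best

class AnomalyDetector:
    """Flags apps whose dynamic (sandbox) behaviours are rare among benign apps."""
    def __init__(self, benign_apps, min_support=0.2, threshold=0.5):
        self.n = len(benign_apps)
        self.freq = Counter(f for app in benign_apps for f in app if f.startswith("dyn:"))
        self.min_support, self.threshold = min_support, threshold
    def score(self, features):
        dyn = [f for f in features if f.startswith("dyn:")]
        rare = sum(1 for f in dyn if self.freq[f] / self.n < self.min_support)
        return rare / len(dyn) if dyn else 0.0  # fraction of behaviours rare in benign apps
    def is_anomalous(self, features):
        return self.score(features) >= self.threshold

def hybrid_classify(features, anomaly):
    """Misuse detector first (known families); anomaly detector handles the rest."""
    family = misuse_detect(features)
    if family:
        return "known_malware", family
    return ("suspicious" if anomaly.is_anomalous(features) else "benign"), None

def evaluate(labelled, anomaly):
    """False-positive / false-negative rates over (features, is_malware) pairs."""
    flags = [(hybrid_classify(f, anomaly)[0] != "benign", m) for f, m in labelled]
    pos = [fl for fl, m in flags if m]
    neg = [fl for fl, m in flags if not m]
    return {"fpr": sum(neg) / len(neg) if neg else 0.0,
            "fnr": (len(pos) - sum(pos)) / len(pos) if pos else 0.0}
```

A benign app with a behaviour never seen in the profile is flagged by the anomaly detector, which is the false-positive trade-off the abstract's 2.24% figure reflects.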
A Novel Hybrid Mobile Malware Detection System Integrating Anomaly Detection With Misuse Detection