DroidWard: An Effective Dynamic Analysis Method for Vetting Android Applications
Abstract
As the number of malicious Android applications has grown explosively, effectively vetting Android applications (apps) has become a pressing problem. Traditional static analysis is ineffective against apps whose code has been obfuscated or encrypted, whereas dynamic analysis can cope with obfuscation and encryption because it observes the code as it executes. However, existing dynamic analysis methods do not vet apps effectively, since only a limited set of dynamic features has been explored while apps have become increasingly sophisticated. In this work we propose an effective dynamic analysis method, DroidWard, that aims to extract the most relevant and effective features for characterizing malicious behavior and thereby improve the accuracy of detecting malicious apps. In addition to the 9 features used in existing work, DroidWard extracts 6 novel types of effective features from apps through dynamic analysis. DroidWard runs each app, extracts its features, and classifies it as benign or malicious with Support Vector Machine (SVM), Decision Tree (DTree) and Random Forest classifiers. 666 Android apps are used in the experiments, and the evaluation results show that DroidWard correctly classifies 98.54% of malicious apps with a 1.55% false-positive rate. Compared with existing work, DroidWard improves the true-positive rate (TPR) by 16.07% and reduces the false-positive rate (FPR) by 1.31% with SVM, indicating that it is more effective than existing methods.
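The pipeline the abstract describes (run the app, bucket observed behaviour into a feature vector, train a classifier, report TPR and FPR) can be sketched end to end in a few dozen lines. The block below is an added example and is not DroidWard's code: the six behaviour categories, the per-app event lists and the nearest-centroid classifier are assumptions made here for illustration (the paper's 15 feature types and its SVM/DTree/Random Forest models are not reproduced). It also shows the check a practitioner should apply before trusting a reported TPR/FPR: evaluate under stratified cross-validation rather than by re-scoring the training set, since the latter overstates detection.

```python
"""Dynamic-feature vetting in miniature: behaviour events -> feature vector ->
classifier -> TPR/FPR.  Feature names, sample data and the classifier are
assumptions for this example, not DroidWard's actual features or models."""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Assumed behaviour categories; the page does not enumerate DroidWard's own 15 feature types.
FEATURES = ["net_conn", "sms_send", "file_write", "crypto", "dex_load", "sensor_read"]

# Constructed sample (app name, observed events, label with 1 = malicious). Synthetic, not real apps.
SAMPLE_APPS = [
    ("benign_a", ["net_conn", "net_conn", "file_write"], 0),
    ("benign_b", ["net_conn", "sensor_read", "sensor_read"], 0),
    ("benign_c", ["file_write", "file_write", "crypto"], 0),
    ("mal_a", ["sms_send", "sms_send", "sms_send", "net_conn"], 1),
    ("mal_b", ["dex_load", "dex_load", "crypto", "crypto", "net_conn"], 1),
    ("mal_c", ["sms_send", "sms_send", "dex_load"], 1),
]


def vectorize(events: Sequence[str]) -> List[float]:
    """Count-of-behaviour feature vector in FEATURES order; unknown events are ignored."""
    counts = Counter(events)
    return [float(counts[f]) for f in FEATURES]


class NearestCentroid:
    """Stand-in for the SVM / DTree / Random Forest models: predicts the class whose
    mean feature vector is closest in squared Euclidean distance."""

    def __init__(self) -> None:
        self.centroids: Dict[int, List[float]] = {}

    def fit(self, X: Sequence[List[float]], y: Sequence[int]) -> "NearestCentroid":
        by_class: Dict[int, List[List[float]]] = {}
        for x, label in zip(X, y):
            by_class.setdefault(label, []).append(x)
        self.centroids = {
            label: [sum(col) / len(rows) for col in zip(*rows)]
            for label, rows in by_class.items()
        }
        return self

    def predict(self, X: Sequence[List[float]]) -> List[int]:
        def sqdist(a: List[float], b: List[float]) -> float:
            return sum((p - q) ** 2 for p, q in zip(a, b))
        # Sorted labels make tie-breaking deterministic (lowest label wins a tie).
        return [min(sorted(self.centroids), key=lambda c: sqdist(x, self.centroids[c])) for x in X]


def confusion(y_true: Sequence[int], y_pred: Sequence[int]) -> Tuple[int, int, int, int]:
    """Return (tp, fp, tn, fn) with label 1 = malicious as the positive class."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    return tp, fp, tn, fn


def tpr_fpr(tp: int, fp: int, tn: int, fn: int) -> Tuple[float, float]:
    """TPR = malware detected / all malware; FPR = benign flagged / all benign (0 if a class is empty)."""
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return tpr, fpr


def stratified_folds(labels: Sequence[int], k: int) -> List[List[int]]:
    """Assign sample indices to k folds round-robin within each class, so every
    fold keeps the benign/malicious ratio of the whole set."""
    folds: List[List[int]] = [[] for _ in range(k)]
    seen: Counter = Counter()
    for idx, label in enumerate(labels):
        folds[seen[label] % k].append(idx)
        seen[label] += 1
    return folds


def evaluate(apps=SAMPLE_APPS, k: int = 3, cross_validate: bool = True) -> Tuple[float, float]:
    """Return (TPR, FPR) either by re-scoring the training set or by k-fold stratified CV."""
    X = [vectorize(events) for _, events, _ in apps]
    y = [label for _, _, label in apps]
    if not cross_validate:
        pred = NearestCentroid().fit(X, y).predict(X)
        return tpr_fpr(*confusion(y, pred))
    y_true: List[int] = []
    y_pred: List[int] = []
    for test_idx in stratified_folds(y, k):
        train_idx = [i for i in range(len(y)) if i not in test_idx]
        clf = NearestCentroid().fit([X[i] for i in train_idx], [y[i] for i in train_idx])
        y_pred.extend(clf.predict([X[i] for i in test_idx]))
        y_true.extend(y[i] for i in test_idx)
    return tpr_fpr(*confusion(y_true, y_pred))


if __name__ == "__main__":
    print("resubstitution TPR/FPR:", evaluate(cross_validate=False))
    print("3-fold stratified TPR/FPR:", evaluate())
```

On the constructed sample the resubstitution score is a perfect TPR of 1.0 with FPR 0.0, while 3-fold stratified cross-validation drops the TPR to 2/3 because one malicious app is only separable when it is itself in the training set. Published TPR/FPR figures are only comparable across methods when the evaluation protocol (split strategy, class balance of the 666-app corpus, and which classifier produced which number) is stated alongside them.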
Keywords
Android security; Malware analysis; Malware detection; Dynamic analysis
Acknowledgements
This work was supported in part by the Scientific Research Foundation through the Returned Overseas Chinese Scholars, Ministry of Education of China, under Grant K14C300020, in part by Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, in part by ZTE Corporation, and in part by the 111 Project under Grant B14005.