MOCDroid: multi-objective evolutionary classifier for Android malware detection

Abstract

Malware threats are growing, while at the same time concealment strategies are being used to make them undetectable by current commercial antivirus. Android is one of the target architectures where these problems are especially alarming, due to the wide spread of the platform across everyday devices. Detection is especially relevant for Android markets, which need to ensure that all the software they offer is clean. However, obfuscation has proven effective at evading the detection process. In this paper, we leverage third-party calls to bypass the effects of these concealment strategies, since such calls cannot be obfuscated. We combine clustering and multi-objective optimisation to generate a classifier based on specific behaviours defined by groups of third-party calls. The optimiser ensures that these groups are related to malicious or benign behaviours, removing any non-discriminative pattern. This tool, named MOCDroid, achieves an accuracy of 95.15 % on test data with 1.69 % false positives on real apps extracted from the wild, outperforming all commercial antivirus engines from VirusTotal.
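As an added illustration (not the paper's code or data), the selection step described in the abstract can be sketched as a toy: each candidate classifier is a set of third-party-call groups, it is scored on accuracy and false-positive rate, and only Pareto-optimal candidates survive. The group names, the app sample and the choice of these two objectives are assumptions made for the example.

```python
from itertools import combinations

# Constructed sample (not MOCDroid's data): app -> (third-party call groups it
# invokes, ground-truth malware label). Group names are placeholders.
APPS = {
    "m1": ({"sms", "net"}, True),
    "m2": ({"sms", "crypto"}, True),
    "m3": ({"crypto", "net"}, True),
    "m4": ({"ads", "net"}, True),
    "b1": ({"ads", "ui"}, False),
    "b2": ({"net", "ui"}, False),
    "b3": ({"crypto", "ui"}, False),
    "b4": ({"ui"}, False),
}
GROUPS = sorted({g for calls, _ in APPS.values() for g in calls})

def predict(flagged, app_groups):
    """Candidate classifier: an app is malware if it uses any flagged group."""
    return bool(flagged & app_groups)

def evaluate(flagged, apps=APPS):
    """Return (accuracy, false_positive_rate) of one candidate over the apps."""
    tp = fp = tn = 0
    for calls, is_malware in apps.values():
        hit = predict(flagged, calls)
        if is_malware:
            tp += hit
        elif hit:
            fp += 1
        else:
            tn += 1
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return (tp + tn) / len(apps), fpr

def dominates(a, b):
    """a dominates b when it is no worse on both objectives and better on one."""
    return all(x <= y for x, y in zip(a, b)) and a != b

def pareto_front(max_size=2, apps=APPS):
    """Score every group subset up to max_size; keep the non-dominated ones.
    Objectives are minimised: (1 - accuracy, false_positive_rate)."""
    scored = {}
    for k in range(1, max_size + 1):
        for combo in combinations(GROUPS, k):
            acc, fpr = evaluate(set(combo), apps)
            scored[frozenset(combo)] = (1 - acc, fpr)
    # Map surviving candidates back to (accuracy, fpr) for readability
    return {cand: (1 - obj[0], obj[1]) for cand, obj in scored.items()
            if not any(dominates(other, obj) for other in scored.values())}
```

On this sample the front keeps two candidates, {sms} (no false positives, lower accuracy) and {sms, net} (higher accuracy, one false positive), which is the accuracy/false-positive trade-off the optimiser has to arbitrate.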

Notes

  1. Available at: https://secure.gd/dl-us-mmwr201504.
  2. https://github.com/skylot/jadx.
  3. http://www.aptoide.com/.
  4. https://www.virusshare.com/.
  5. https://www.virustotal.com.

Acknowledgments

This work has been supported by the following research projects: EphemeCH (TIN2014-56494-C4-4-P), Spanish Ministry of Economy and Competitiveness, and CIBERDINE S2013/ICE-3095, both under the European Regional Development Fund (FEDER), and SeMaMatch EP/K032623/1.

Author information

Corresponding author

Correspondence to David Camacho.

Ethics declarations

Conflict of interest

Alejandro Martín, Héctor D. Menéndez and David Camacho declare that they have no conflict of interest.

Ethical approval

This article does not contain any studies with human participants or animals performed by any of the authors.

Additional information

Communicated by V. Loia.

About this article

Cite this article

Martín, A., Menéndez, H.D. & Camacho, D. MOCDroid: multi-objective evolutionary classifier for Android malware detection. Soft Comput 21, 7405–7415 (2017). https://doi.org/10.1007/s00500-016-2283-y

Keywords

  • Android
  • Malware
  • Clustering
  • Classification