Neural Computing and Applications

, Volume 28, Issue 12, pp 4147–4157 | Cite as

An improved Android malware detection scheme based on an evolving hybrid neuro-fuzzy classifier (EHNFC) and permission-based features

  • Altyeb AltaherEmail author
Original Article


The increasing number of Android devices and users has been attracting the attention of different types of attackers. Malware authors create new versions of malware from previous ones by implementing code obfuscation techniques. Obfuscated malware is potentially contributed to the exponential increase in the number of generated malware variants. Detection of obfuscated malware is a continuous challenge because it can easily evade the signature-based malware detectors, and behaviour-based detectors are not able to detect them accurately. Therefore, an efficient technique for obfuscated malware detection in Android-based smartphones is needed. In the literature on Android malware classification, few malware detection approaches are designed with the capability of detecting obfuscated malware. However, these malware detection approaches were not equipped with the capacity to improve their performance by learning and evolving their malware detection rules. Based on the concept of evolving soft computing systems, this paper proposes an evolving hybrid neuro-fuzzy classifier (EHNFC) for Android malware classification using permission-based features. The proposed EHNFC not only has the capability of detecting obfuscated malware using fuzzy rules, but can also evolve its structure by learning new malware detection fuzzy rules to improve its detection accuracy when used in detection of more malware applications. To this end, an evolving clustering method for adapting and evolving malware detection fuzzy rules was modified to incorporate an adaptive procedure for updating the radii and centres of clustered permission-based features. This modification to the evolving clustering method enhances cluster convergence and generates rules that are better tailored to the input data, hence improving the classification accuracy of the proposed EHNFC. The experimental results for the proposed EHNFC show that the proposal outperforms several state-of-the-art obfuscated malware classification approaches in terms of false negative rate (0.05) and false positive rate (0.05). The results also demonstrate that the proposal detects the Android malware better than other neuro-fuzzy systems (viz., the adaptive neuro-fuzzy inference system and the dynamic evolving neuro-fuzzy system) in terms of accuracy (90%).


Android security Malware Malware detection Evolving clustering algorithm Evolving hybrid neuro-fuzzy classifier 



This work was supported by the Deanship of Scientific Research (DSR), King Abdulaziz University, Jeddah, Saudi Arabia, under Grant No. (830-863-D1435). The author, therefore, gratefully acknowledges the DSR technical and financial support.

Compliance with ethical standards

Conflict of interest

The author declares that he has no conflict of interest.


  1. 1.
    Zhou W, Zhou Y, Jiang X, Ning P (2012) DroidMOSS: detecting repackaged smartphone applications in third-party Android marketplaces. Paper presented at the Proceedings of the second ACM conference on data and application security and privacy. ACM, New York, pp 317–326. doi: 10.1145/2133601.2133640
  2. 2.
    Gartner. Inc. (2014) Android to surpass one billion users across all devices in 2014. Retrieved June, 17, 2016, from
  3. 3.
    Google (2015) Official android market; Google Play. Retrieved Feb 17, 2016, from
  4. 4.
    Oberheide J, Miller C (2012) Dissecting the Android bouncer. Presented at SummerCon2012, New YorkGoogle Scholar
  5. 5.
    Kaspersky Lab (2015) IT threat evolution report for Q1 of 2015. Retrieved June 17, 2016, from
  6. 6.
    Felt AP, Finifter M, Chin E, Hanna S, Wagner D (2011) A survey of mobile malware in the wild. In: Jiang X, Bhattacharya A, Dasgupta P, Enck W (eds) On the 1st ACM workshop on security and privacy in smartphones and mobile devices. ACM, New York, pp 3–14. doi: 10.1145/2046614.2046618 CrossRefGoogle Scholar
  7. 7.
    Elhadi AAE, Maarof MA, Barry BI, Hamza H (2014) Enhancing the detection of metamorphic malware using call graphs. Comput Secur 46:62–78. doi: 10.1016/j.cose.2014.07.004 CrossRefGoogle Scholar
  8. 8.
    Kasabov N, Song Q (2002) DENFIS: dynamic evolving neural-fuzzy inference system and its application for time-series prediction. IEEE Trans Fuzzy Syst 10(2):144–154. doi: 10.1109/91.995117 CrossRefGoogle Scholar
  9. 9.
    Rutkowski L (2008) Computational intelligence: methods and techniques. Springer, BerlinCrossRefzbMATHGoogle Scholar
  10. 10.
    Jang J-S, Sun C-T, Mizutani E (1997) Neuro-fuzzy and soft computing: a computational approach to learning and machine intelligence. Prentice Hall, Upper Saddle RiverGoogle Scholar
  11. 11.
    Mumford CL, Jain LC (2009) Computational intelligence. Springer, BerlinCrossRefzbMATHGoogle Scholar
  12. 12.
    Kruse R, Borgelt C, Klawonn F, Moewes C, Steinbrecher M, Held P (2013) Computational intelligence: a methodological introduction. Springer, BerlinCrossRefzbMATHGoogle Scholar
  13. 13.
    Wang L-X, Mendel JM (1993) Fuzzy basis functions, universal approximation, and orthogonal least squares learning. IEEE Trans Neural Netw 3(5):807–814. doi: 10.1109/72.159070 CrossRefGoogle Scholar
  14. 14.
    Kasabov N (2013) The evolution of the evolving neuro-fuzzy systems: from expert systems to spiking-, neurogenetic-, and quantum inspired. In: Seising R, Trillas E, Moraga C, Termini S (eds) On fuzziness. Springer, Berlin, pp 271–280. doi: 10.1007/978-3-642-35641-4_41 CrossRefGoogle Scholar
  15. 15.
    Angelov P, Filev DP, Kasabov E (eds) (2010) Evolving intelligent systems: methodology and applications. Wiley, HobokenGoogle Scholar
  16. 16.
    Almomani A (2016) Fast-flux hunter: a system for filtering online fast-flux botnet. Neural Comput Appl. doi: 10.1007/s00521-016-2531-1 Google Scholar
  17. 17.
    Jang J-SR (1993) ANFIS: adaptive-network-based fuzzy inference system. IEEE Trans Syst Man Cybern 23(3):665–685. doi: 10.1109/21.256541 CrossRefGoogle Scholar
  18. 18.
    Wu J-D, Hsu C-C, Chen H-C (2009) An expert system of price forecasting for used cars using adaptive neuro-fuzzy inference. Expert Syst Appl 36(4):7809–7817. doi: 10.1016/j.eswa.2008.11.019 CrossRefGoogle Scholar
  19. 19.
    Takagi T, Sugeno M (1985) Fuzzy identification of systems and its applications to modeling and control. IEEE Trans Syst Man Cybern SMC-15(1):116–132. doi: 10.1109/tsmc.1985.6313399 CrossRefzbMATHGoogle Scholar
  20. 20.
    Ubeyli ED (2008) Adaptive neuro-fuzzy inference system employing wavelet coefficients for detection of ophthalmic arterial disorders. Expert Syst Appl 34(3):2201–2209. doi: 10.1016/j.eswa.2007.02.020 CrossRefGoogle Scholar
  21. 21.
    Zhou Y, Jiang X (2012) Android malware genome project. Retrieved Dec 15, 2014, from
  22. 22.
    Zhou Y, Jiang, X (2012) Dissecting Android malware: characterization and evolution. Paper presented at the 2012 IEEE symposium on security and privacy. IEEE, San Francisco, pp 95–109. doi: 10.1109/sp.2012.16
  23. 23.
    Suarez-Tangila G, Tapiadora JE, Peris-Lopeza P, Blasco J (2014) Dendroid: a text mining approach to analyzing and classifying code structures in Android malware families. Expert Syst Appl 41(4):1104–1117. doi: 10.1016/j.eswa.2013.07.106 CrossRefGoogle Scholar
  24. 24.
    Felt AP, Chin E, Hanna S, Song D, Wagner D (2011) Android permissions demystified. In: Chen Y, Danezis G, Shmatikov V (eds) On the 18th ACM conference on computer and communications security. ACM, New York, pp 627–638. doi: 10.1145/2046707.2046779 Google Scholar
  25. 25.
    Fang Z, Han W, Li Y (2014) Permission based Android security: issues and countermeasures. Comput Secur 43:205–218. doi: 10.1016/j.cose.2014.02.007 CrossRefGoogle Scholar
  26. 26.
    Xiong P, Wang X, Niu W, Zhu T, Li G (2014) Android malware detection with contrasting permission patterns. China Commun 11(8):1–14. doi: 10.1109/cc.2014.6911083 CrossRefGoogle Scholar
  27. 27.
    Jang JW, Kang H, Woo J, Mohaisen A, Kim HK (2016) Andro-dumpsys: anti-malware system based on the similarity of malware creator and malware centric information. Comput Secur 58:125–138. doi: 10.1016/j.cose.2015.12.005 CrossRefGoogle Scholar
  28. 28.
    Mori T (2002) Information gain ratio as term weight: the case of summarization of IR results. Paper presented at the proceedings of the 19th international conference on computational linguistics (COLING ’02). Association for Computational Linguistics, Stroudsburg, pp 1–7. doi: 10.3115/1072228.1072246
  29. 29.
    Singh R, Kainthola A, Singh TN (2012) Estimation of elastic constant of rocks using an ANFIS approach. Appl Soft Comput 12(1):40–45. doi: 10.1016/j.asoc.2011.09.010 CrossRefGoogle Scholar
  30. 30.
    Abdulla S, Altaher A (2015) Intelligent approach for android malware detection. KSII Trans Internet Inf Syst 9(8):2964–2983. doi: 10.3837/tiis.2015.08.012 CrossRefGoogle Scholar
  31. 31.
    Grace M, Zhou Y, Zhang Q, Zou, S, Jiang X (2012) Riskranker: scalable and accurate zero-day android malware detection. In: Davies N, Seshan S, Zhong L (eds) On the 10th international conference on Mobile systems, applications, and services. ACM, New York, pp 281–294. doi: 10.1145/2307636.2307663 Google Scholar
  32. 32.
    Arp D, Spreitzenbarth M, Hübner M, Gascon H, Rieck K, Siemens CERT (2014) Drebin: effective and explainable detection of android malware in your pocket. In: Bauer L (ed) On the annual symposium on network and distributed system security (NDSS). doi: 10.14722/ndss.2014.23247
  33. 33.
    Fushiki T (2011) Estimation of prediction error by using K-fold cross-validation. Stat Comput 21(2):137–146. doi: 10.1007/s11222-009-9153-8 MathSciNetCrossRefzbMATHGoogle Scholar
  34. 34.
    Katsis CD, Katertsidis N, Ganiatsas G, Fotiadis DI (2008) Toward emotion recognition in car-racing drivers: a biosignal processing approach. IEEE Trans Syst Man Cybern 38(3):502–512. doi: 10.1109/tsmca.2008.918624 CrossRefGoogle Scholar
  35. 35.
    Witten IH, Frank E, Hall MA (2011) Data mining: practical machine learning tools and techniques. Elsevier Science, BurlingtonGoogle Scholar
  36. 36.
    Fawcett T (2006) An introduction to ROC analysis. Pattern Recognit Lett 27(8):861–874. doi: 10.1016/j.patrec.2005.10.010 MathSciNetCrossRefGoogle Scholar
  37. 37.
    Burguera I, Zurutuza U, Nadjm-Tehrani S (2011) Crowdroid: behavior-based malware detection system for android. In: Jiang X, Bhattacharya A, Dasgupta P, Enck W (eds) On the 1st ACM workshop on Security and privacy in smartphones and mobile devices. ACM, New York, pp 15–26. doi: 10.1145/2046614.2046619 CrossRefGoogle Scholar
  38. 38.
    Dini G, Martinelli F, Saracino A, Sgandurra D (2012) MADAM: a multi-level anomaly detector for Android malware. In: Kotenko I, Skormin V (eds) Computer network security. Springer, Berlin, pp 240–253. doi: 10.1007/978-3-642-33704-8_21 CrossRefGoogle Scholar
  39. 39.
    Elish KO, Shu X, Yao DD, Ryder BG, Jiang X (2015) Profiling user-trigger dependence for Android malware detection. Comput Secur 49:255–273. doi: 10.1016/j.cose.2014.11.001 CrossRefGoogle Scholar
  40. 40.
    Choo KKR (2011) The cyber threat landscape: challenges and future research directions. Comput Secur 30(8):719–731. doi: 10.2139/ssrn.2339821 CrossRefGoogle Scholar
  41. 41.
    Seo SH, Gupta A, Sallam AM, Bertino E, Yim K (2014) Detecting mobile malware threats to homeland security through static analysis. J Netw Comput Appl 38:43–53. doi: 10.1016/j.jnca.2013.05.008 CrossRefGoogle Scholar
  42. 42.
    Griffin K, Schneider S, Hu X, Chiueh TC (2009) Automatic generation of string signatures for malware detection. In: Kirda E, Jha S, Balzarotti D (eds) Recent advances in intrusion detection. Springer, Berlin, pp 101–120. doi: 10.1007/978-3-642-04342-0_6 CrossRefGoogle Scholar
  43. 43.
    Enck W, Ongtang M, McDaniel P (2009) On lightweight mobile phone application certification. In: Al- Shaer E, Jha S, Keromytis AD (eds) On the 16th ACM conference on computer and communications security. ACM, New York, pp 235–245. doi: 10.1145/1653662.1653691
  44. 44.
    Feng Y, Anand S, Dillig I, Aiken A (2014) Apposcopy: semantics-based detection of android malware through static analysis. In: Cheung S, Orso A, Storey M (eds) On the 22nd ACM SIGSOFT international symposium on foundations of software engineering. ACM, New York, pp 576–587. doi: 10.1145/2635868.2635869 Google Scholar
  45. 45.
    Backes M, Gerling S, Hammer C, Maffei M, von Styp-Rekowsky P (2014) AppGuard: fine-grained policy enforcement for untrusted Android applications. In: Garcia-Alfaro J, Lioudakis G, Cuppens-Boulahia N, Foley S, Fitzgerald MW (eds) Data privacy management and autonomous spontaneous security. Springer, Berlin. doi: 10.1007/978-3-642-54568-9_14 Google Scholar
  46. 46.
    Faruki P, Laxmi V, Bharmal A, Gaur MS, Ganmoor V (2015) AndroSimilar: robust signature for detecting variants of Android malware. J Inf Secur Appl 22:66–80. doi: 10.1016/j.jisa.2014.10.011 Google Scholar
  47. 47.
    Rastogi V, Chen Y, Jiang X (2013) Droidchameleon: evaluating android anti-malware against transformation attacks. In: Chen K, Xie Q, Qiu W, Li N, Tzeng W (eds) On the 8th ACM SIGSAC symposium on information, computer and communications security. ACM, New York, pp 329–334. doi: 10.1145/2484313.2484355 Google Scholar
  48. 48.
    Shabtai A, Kanonov U, Elovici Y, Glezer C, Weiss Y (2012) “Andromaly”: a behavioral malware detection framework for android devices. J Intell Inf Syst 38(1):161–190. doi: 10.1007/s10844-010-0148-x CrossRefGoogle Scholar
  49. 49.
    Zhang M, Duan Y, Yin H, Zhao Z (2014) Semantics-aware Android malware classification using weighted contextual API dependency graphs. In: Ahn G, Yung M, Li N (eds) On the 2014 ACM SIGSAC conference on computer and communications security. ACM, New York, pp 1105–1116. doi: 10.1145/2660267.2660359 Google Scholar
  50. 50.
    Aafer Y, Du W, Yin H (2013) DroidAPIMiner: mining API-level features for robust malware detection in Android. In: Zia T, Zumaya A, Varadharajan V, Mao M (eds) Security and privacy in communication networks. Springer, Berlin, pp 86–103. doi: 10.1007/978-3-319-04283-1_6 CrossRefGoogle Scholar
  51. 51.
    Enck W, Gilbert P, Han S, Tendulkar V, Chun BG, Cox LP, Jung J, MacDaniel P, Sheth AN (2014) TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans Comput Syst (TOCS) 32(2):5. doi: 10.1145/2619091 CrossRefGoogle Scholar

Copyright information

© The Natural Computing Applications Forum 2016

Authors and Affiliations

  1. 1.Faculty of Computing and Information Technology in RabighKing Abdulaziz UniversityRabighSaudi Arabia

Personalised recommendations