Abstract
This article presents Andromaly—a framework for detecting malware on Android mobile devices. The proposed framework realizes a Host-based Malware Detection System that continuously monitors various features and events obtained from the mobile device and then applies Machine Learning anomaly detectors to classify the collected data as normal (benign) or abnormal (malicious). Since no malicious applications are yet available for Android, we developed four malicious applications, and evaluated Andromaly’s ability to detect new malware based on samples of known malware. We evaluated several combinations of anomaly detection algorithms, feature selection method and the number of top features in order to find the combination that yields the best performance in detecting new malware on Android. Empirical results suggest that the proposed framework is effective in detecting malware on mobile devices in general and on Android in particular.
Similar content being viewed by others
Explore related subjects
Discover the latest articles, news and stories from top researchers in related subjects.Notes
Also known as Detection Rate in the intrusion detection community.
Also known as False Alarm Rate in the intrusion detection community.
Android uses a proprietary format for Java bytecode called.dex (Dalvik Executable), designed to be more compact and memory-efficient than regular Java class files.
References
Adam, P. F., Chaudhuri, A., & Foster, J. S. (2009). SCanDroid: Automated security certification of android applications. In IEEE symposium of security and privacy.
Bose, A., Hu, X., Shin, K. G., & Park, T. (2008). Behavioral detection of malware on mobile handsets. In Proc. of the 6th international conference on mobile systems, applications, and services.
Botha, R. A., Furnell, S. M., & Clarke, N. L. (2009). From desktop to mobile: Examining the security experience. Computer & Security, 28, 130–137.
Buennemeyer, T. K., et al. (2008). Mobile device profiling and intrusion detection using smart batteries. In International conference on system sciences (pp. 296–296).
Chandola, V., Banerjee, A., & Kumar, V. (2009). Anomaly detection: A survey. ACM Computing Surveys, 41(3), 1–58.
Chaudhuri, A. (2009). Language-based security on android. In ACM workshop on programming languages and analysis for security (PLAS) (pp. 1–7).
Cheng, J., Wong, S. H., Yang, H., & Lu, S. (2007). SmartSiren: Virus detection and alert for smartphones. In Proceedings of the 5th international conference on mobile systems, applications and services.
Dagon, C., Martin, T., & Starner, T. (2004). Mobile phones as computing devices the viruses are coming. Pervasive Computing, 3, 11–15.
Domingos, P., & Pazzani, M. (1997). On the optimality of simple Bayesian classifier under zero-one loss. Machine Learning, 29, 103–130.
Egele, M., Krugel, C., Kirda, E., Yin, H., & Song, D. (2007). Dynamic spyware analysis. In USENIX annual technical conference (pp. 233–246).
Emm, D. (2006). Mobile malware – new avenues. Network Security, 2006(11), 4–6.
Enck, W., Ongtang, M., & McDaniel, P. (2008). Mitigating android software misuse before it happens. Tech. report NAS-TR-0094–2008, Network and Security Research Ctr., Dept. Computer Science and Eng., Pennsylvania State Univ.
Enck, W., Ongtang, M., & McDaniel, P. (2009). Understanding android security. IEEE Security & Privacy Magazine, 7(1), 50–57.
Endler, D. (1998). Intrusion detection: Applying machine learning to solaris audit data. In Proceedings of the 14th annual computer security applications conference.
Garcia-Teodoro, P., Diaz-Verdejo, J., Macia-Fernandez, G., & Vazquez, E. (2009). Anomaly-based network intrusion detection: Techniques, systems and challenges. Computers & Security, 28(1–2), 18–28.
Golub, T., et al. (1999). Molecular classification of cancer: Class discovery and class prediction by gene expression monitoring. Science, 286, 531–537.
Griffin, K., Schneider, S., Hu, X., & Chiueh, T. (2009). Automatic generation of string signatures for malware detection. In Proc. of the 12th international symposium on recent advances in intrusion detection.
Gryaznov, D. (1999). Scanners of the year 2000: Heuritics. The 5th international virus bulletin.
Guo, C., Wang, H. J., & Zhu, W. (2004). Smart-phone attacks and defenses. In HotNets III.
Hwang, S. S., Cho, S., & Park, S. (2009). Keystroke dynamics-based authentication for mobile devices. Computer & Security, 28, 85–93.
Imam, I. F., Michalski, R. S., & Kerschberg, L. (1993). Discovering attribute dependence in databases by integrating symbolic learning and statistical analysis techniques. In Proceeding of the AAAI-93 workshop on knowledge discovery in databases.
Jacob, G., Debar, H., & Filiol, E. (2008). Behavioral detection of malware: From a survey towards an established taxonomy. Journal in Computer Virology, 4, 251–266.
Jacoby, G. A., & Davis, N. J. (2004). Battery-based intrusion detection. In Global telecommunications conference (GLOBECOM’04).
Jain, A. K., Murty, M. N., & Flynn, P. J. (1999). Data clustering. ACM Computing Surveys, 31(3):264–296.
John, G. H., & Langley, P. (1995). Estimating continuous distributions in bayesian classifiers. In Proc. of the conference on uncertainty in artificial intelligence (pp. 338–345).
Kim, H., Smith, J., & Shin, K. G. (2008). Detecting energy-greedy anomalies and mobile malware variants. In Proceeding of the 6th international conference on mobile systems, applications, and services.
Koong, K. S., Liu, L. C., Bai, S., & Lin, B. (2008). Identity theft in the USA: Evidence from 2002 to 2006. International Journal of Mobile Communications, 6(2), 199–216.
Leavitt, N. (2005). Mobile phones: The next frontier for hackers? Computer, 38(4), 20–23.
Lee, W., & Xiang, D. (2001). Information-theoretic measures for anomaly detection. In Proc. of the IEEE symposium on security and privacy (pp. 130–143).
Lee, W., Stolfo, S., & Mok, K. (1999). A data mining framework for building intrusion detection models. In Proc. of the 1999 IEEE symposium on security and privacy. Oakland.
Lee, W., Fan, W., Miller, M., Stolfo, S., & Zadok, E. (2002). Toward cost-sensitive modeling for intrusion detection and response. Journal of Computer Security, 10(1–2), 5–22.
Menahem, E., Shabtai, A., Rokach, L., & Elovici, Y. (2008). Improving malware detection by applying multi-inducer ensemble. Computational Statistics and Data Analysis, 53(4), 1483–1494.
Miettinen, M., Halonen, P., & Hätönen, K. (2006). Host-based intrusion detection for advanced mobile devices. In Proc. of the 20th international conference on advanced information networking and applications.
Mitchell, T. (1997). Machine learning. New York: McGraw-Hill.
Moreau, Y., Preneel, B., Burge, P., Shawe-Taylor, J., Stoermann, C., & Cooke, C. (1997). Novel techniques for fraud detection in mobile telecommunication networks. In ACTS mobile summit.
Moser, A., Kruegel, C., & Kirda, E. (2007). Limits of static analysis for malware detection. In Annual computer security applications conference (pp. 421–430).
Moskovitch, R., Elovici, Y., & Rokach, L. (2008). Detection of unknown computer worms based on behavioral classification of the host. Computational Statistics and Data Analysis, 52(9), 4544–4566.
Muthukumaran, D., et al. (2008). Measuring integrity on mobile phone systems. In Proceedings of the 13th ACM symposium on access control models and technologies.
Nash, D. C., et al. (2005). Towards an intrusion detection system for battery exhaustion attacks on mobile computing devices. In Pervasive computing and communications workshops.
Neter, J., Kutner, M. H., Nachtsheim, C. J., & Wasserman, W. (1996). Applied linear statistical models. McGraw-Hill.
Ongtang, M., McLaughlin, S., Enck, W., & McDaniel, P. (2009). Semantically rich application-centric security in android. In Proceedings of the 25th annual computer security applications conference (ACSAC). Honolulu.
Pearl, J. (1988). Probabilistic reasoning in intelligent systems: Networks of plausible inference. Massachusetts: Morgan Kaufmann.
Piercy, M. (2004). Embedded devices next on the virus target list. IEEE Electronics Systems and Software, 2, 42–43.
Quinlan, J. R. (1993). C4.5: Programs for machine learning. San Francisco: Morgan Kaufmann.
Rieck, K., Holz, T., Willems, C., Düssel, P., & Laskov, P. (2008). Learning and classification of malware behavior. In Proc. of the conference on detection of intrusions and malware & vulnerability assessment (pp. 108–125).
Russel, S., & Norvig, P. (2002). Artificial intelligence: A modern approach. Prentice Hall.
Samfat, D., & Molva, R. (1997). IDAMN: An intrusion detection architecture for mobile networks. IEEE Journal on Selected Areas in Communications, 15(7), 1373–1380.
Schmidt, A. D., Schmidt, H. G., Yüksel, K. A., Kiraz, O., Camptepe, S. A., & Albayrak, S. (2008). Enhancing security of linux-based android devices. In Proc. of the 15th international linux system technology conference.
Schmidt, A. D., Peters, F., Lamour, F., Scheel, C., Camtepe, S. A., & Albayrak, S. (2009). Monitoring smartphones for anomaly detection. Mobile Networks and Applications (MONET ), 14(1), 92–106.
Shabtai, A., Fledel, Y., & Elovici, Y. (2009a). Detecting malicious applications on android by applying machine learning classifiers to static features (Poster). Presented in the 25th annual computer security applications conference (ACSAC). Honolulu, Hawaii.
Shabtai, A., Fledel, Y., Elovici, Y., & Shahar, Y. (2009b). Knowledge-based temporal abstraction in clinical domains. Journal in Computer Virology, 8(3), 267–298.
Shabtai, A., Moskovitch, R., Elovici, Y., & Glezer, C. (2009c). Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey. Information Security Technical Report, 14(1):1–34.
Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., & Dolev, S. (2009d). Google android: A state-of-the-art review of security mechanisms. CoRR abs/0912.5101.
Shabtai, A., Kanonov, U., & Elovici, Y. (2010a). Intrusion detection on mobile devices using the knowledge based temporal-abstraction method. Journal of Systems and Software, 83(8), 1524–1537.
Shabtai, A., Fledel, Y., Kanonov, U., Elovici, Y., Dolev, S., & Glezer, C. (2010b) Google android: A comprehensive security assessment. IEEE Security and Privacy Magazine. doi:10.1109/MSP.2010.2.
Shannon, C. E. (1948). The mathematical theory of communication. The Bell system Technical Journal, 27(3), 379–423.
Shih, D. H., Lin, B., Chiang, H. S., & Shih, M. H. (2008). Security aspects of mobile phone virus: A critical survey. Industrial Management & Data Systems, 108(4), 478–494.
Yap, T. S., & Ewe, H. T. (2005). A mobile phone malicious software detection model with behavior checker. Lecture Notes in Computer Science, 3597, 57–65.
Yin, H., Song, D., Egele, M., Krugel, C., & Kirda, E. (2007). Panorama: Capturing system-wide information flow for malware detection and analysis. In ACM conference on computer and communications security.
Author information
Authors and Affiliations
Corresponding author
Appendix
Appendix
Rights and permissions
About this article
Cite this article
Shabtai, A., Kanonov, U., Elovici, Y. et al. “Andromaly”: a behavioral malware detection framework for android devices. J Intell Inf Syst 38, 161–190 (2012). https://doi.org/10.1007/s10844-010-0148-x
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10844-010-0148-x