Abstract
The explosive growth of Android malware has led to a strong interest in developing efficient and precise malware detection approach. Recent efforts have shown that machine learning-based malware classification is a promising direction, and the API-level features are extremely representative to discriminate malware and have been drastically used in different forms. In this work, we implement a light-weight classification system, CatraDroid, that recovers the semantics at call graph level to classify applications. CatraDroid leverages text mining technique to capture a list of sensitive APIs from the knowledge consisting of exploits databases, code samples, and configurations of codebases. It builds a complete call graph for Android applications and identifies call traces from entry methods to sensitive API calls. Using call traces as features, our classification approach can effectively discriminate Android malware from benign applications. Through the evaluation, we demonstrated that our approach outperforms the state-of-art API-level detection approach, with high-quality features extracted by efficient static analysis.
C. Sun and J. Chen—The first two authors contribute equally to this work.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
TP: the number of malicious apps that are classified as malicious.
- 2.
TN: the number of benign apps that are classified as benign.
- 3.
FP: the number of benign apps that are misclassified as malicious.
- 4.
FN: the number of malicious apps that are misclassified as benign.
References
Androguard - Reverse engineering, malware and goodware analysis of android applications. https://github.com/androguard
Android platform APIs. https://developer.android.com/reference/packages
Androwarn - Yet another static code analyzer for malicious android applications. https://github.com/maaaaz/androwarn
Common vulnerabilities and exposures (CVEs). https://cve.mitre.org
Exploit database. https://www.exploit-db.com/
VirusShare. https://virusshare.com/
WALA-T. J. Watson libraries for analysis. http://wala.sourceforge.net
Aafer, Y., Du, W., Yin, H.: DroidAPIMiner: mining API-level features for robust malware detection in android. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds.) SecureComm 2013. LNICSSITE, vol. 127, pp. 86–103. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-04283-1_6
Aha, D.W., Kibler, D.F., Albert, M.K.: Instance-based learning algorithms. Mach. Learn. 6, 37–66 (1991)
Allix, K., Bissyandé, T.F., Klein, J., Traon, Y.L.: AndroZoo: collecting millions of android apps for the research community. In: Proceedings of the 13th International Conference on Mining Software Repositories MSR 2016, pp. 468–471 (2016)
Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K.: DREBIN: effective and explainable detection of android malware in your pocket. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014 (2014)
Arzt, S., et al.: FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In: ACM SIGPLAN Conference on Programming Language Design and Implementation PLDI 2014, pp. 259–269 (2014)
Avdiienko, V., et al.: Mining apps for abnormal usage of sensitive data. In: 37th IEEE/ACM International Conference on Software Engineering, ICSE 2015, pp. 426–436 (2015)
Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for Android. In: SPSM 2011, Proceedings of the 1st ACM Workshop Security and Privacy in Smartphones and Mobile Devices, Co-located with CCS 2011, pp. 15–26 (2011)
Cai, H., Meng, N., Ryder, B.G., Yao, D.: DroidCat: effective android malware detection and categorization via app-level profiling. IEEE Trans. Inf. Forensics Secur. 14(6), 1455–1470 (2019)
Cao, Y., et al.: EdgeMiner: automatically detecting implicit control flow transitions through the android framework. In: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015 (2015)
Chen, W., Aspinall, D., Gordon, A.D., Sutton, C.A., Muttik, I.: More semantics more robust: improving android malware classifiers. In: Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile Networks WISEC 2016, pp. 147–158 (2016)
Cortes, C., Vapnik, V.: Support-vector networks. Mach. Learn. 20(3), 273–297 (1995)
Dash, S.K., et al.: DroidScribe: classifying android malware based on runtime behavior. In: 2016 IEEE Security and Privacy Workshops, SP Workshops 2016, pp. 252–261 (2016)
Dimjasevic, M., Atzeni, S., Ugrina, I., Rakamaric, Z.: Evaluation of android malware detection based on system calls. In: Proceedings of the 2016 ACM on International Workshop on Security And Privacy Analytics, IWSPA@CODASPY 2016, pp. 1–8 (2016)
Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: 9th USENIX Symposium on Operating Systems Design and Implementation OSDI 2010, pp. 393–407 (2010)
Feng, P., Ma, J., Sun, C., Xu, X., Ma, Y.: A novel dynamic android malware detection system with ensemble learning. IEEE Access 6, 30996–31011 (2018)
Hou, S., Ye, Y., Song, Y., Abdulhayoglu, M.: HinDroid: an intelligent android malware detection system based on structured heterogeneous information network. In: Proceedings of the 23rd ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1507–1515 (2017)
John, G.H., Langley, P.: Estimating continuous distributions in bayesian classifiers. In: UAI 1995: Proceedings of the Eleventh Annual Conference on Uncertainty in Artificial Intelligence, pp. 338–345 (1995)
Li, Y., Shen, T., Sun, X., Pan, X., Mao, B.: Detection, classification and characterization of android malware using API data dependency. In: Thuraisingham, B., Wang, X.F., Yegneswaran, V. (eds.) SecureComm 2015. LNICST, vol. 164, pp. 23–40. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-28865-9_2
Liaw, A., Wiener, M., et al.: Classification and regression by randomForest. R News 2(3), 18–22 (2002)
Meng, G., Xue, Y., Xu, Z., Liu, Y., Zhang, J., Narayanan, A.: Semantic modelling of Android malware for effective malware comprehension, detection, and classification. In: Proceedings of the 25th International Symposium on Software Testing and Analysis ISSTA 2016, pp. 306–317 (2016)
Octeau, D., Jha, S., McDaniel, P.D.: Retargeting Android applications to Java bytecode. In: 20th ACM SIGSOFT Symposium on the Foundations of Software Engineering (FSE-20), SIGSOFT/FSE 2012, p. 6 (2012)
Olejnik, K., Dacosta, I., Machado, J.S., Huguenin, K., Khan, M.E., Hubaux, J.: SmarPer: context-aware and automatic runtime-permissions for mobile devices. In: 2017 IEEE Symposium on Security and Privacy SP 2017, pp. 1058–1076 (2017)
Pedregosa, F., et al.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)
Qu, Z., Rastogi, V., Zhang, X., Chen, Y., Zhu, T., Chen, Z.: AutoCog: measuring the description-to-permission fidelity in Android applications. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1354–1365 (2014)
Rasthofer, S., Arzt, S., Bodden, E.: A machine-learning approach for classifying and categorizing Android sources and sinks. In: 21st Annual Network and Distributed System Security Symposium, NDSS 2014 (2014)
Saracino, A., Sgandurra, D., Dini, G., Martinelli, F.: MADAM: effective and efficient behavior-based Android malware detection and prevention. IEEE Trans. Dependable Secur. Comput. 15(1), 83–97 (2016)
Tao, G., Zheng, Z., Guo, Z., Lyu, M.R.: MalPat: mining patterns of malicious and benign Android apps via permission-related APIs. IEEE Trans. Relia. 67(1), 355–369 (2018)
Wei, F., Roy, S., Ou, X., Robby: Amandroid: a precise and general inter-component data flow analysis framework for security vetting of Android apps. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1329–1341 (2014)
Wong, M.Y., Lie, D.: IntelliDroid: a targeted input generator for the dynamic analysis of android malware. In: 23rd Annual Network and Distributed System Security Symposium, NDSS 2016 (2016)
Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: DroidMiner: automated mining and characterization of fine-grained malicious behaviors in Android applications. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 163–182. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11203-9_10
Zhang, M., Duan, Y., Yin, H., Zhao, Z.: Semantics-aware android malware classification using weighted contextual API dependency graphs. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pp. 1105–1116 (2014)
Acknowledgment
Supported by National Natural Science Foundation of China (Grant No: 61872279), the China Scholarship Council (Grant No: 201806965002), the Key R&D Program of Shaanxi Province of China (Grant No: 2019ZDLGY12-06).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Sun, C., Chen, J., Feng, P., Ma, J. (2019). CatraDroid: A Call Trace Driven Detection of Malicious Behaiviors in Android Applications. In: Chen, X., Huang, X., Zhang, J. (eds) Machine Learning for Cyber Security. ML4CS 2019. Lecture Notes in Computer Science(), vol 11806. Springer, Cham. https://doi.org/10.1007/978-3-030-30619-9_6
Download citation
DOI: https://doi.org/10.1007/978-3-030-30619-9_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-30618-2
Online ISBN: 978-3-030-30619-9
eBook Packages: Computer ScienceComputer Science (R0)