Dynamic Detection of Malicious Code on Android Based on Improved Multi-feature Gaussian Kernel

  • Qing Yu
  • Xixi Luo
  • Zuohua WangEmail author
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 1075)


In recent years, with the increasing demand for mobile Internet, smartphones represented by the Android system begin to play an increasingly important role in people’s daily life. Due to the payment and social functions of smartphones, users’ property safety and personal privacy are increasingly threatened by malicious mobile apps. Lured by great interests, malicious applications began to spread in the mobile platform, malicious code is escalating, Android-side security is facing great threats. Therefore, it is very important to study the detection of malicious code in Android. This paper studies and analyzes the status of Android malicious code detection. On the basis of dynamic detection, this paper presents a dynamic detection algorithm of multi-feature IGK. The algorithm optimizes feature selection and Gaussian kernel function and applies the improved algorithm to multi-feature training to improve the detection accuracy of malicious code. We track application system calls and system service calls while the system is running, extract features from system call sequences and system service calls. Then we use the improved weighted information gain method to select the features. Finally, in view of the deficiencies of the traditional Gaussian kernel function in recognition rate and processing time, an improved Gaussian kernel function is proposed for machine learning. We evaluated our approach with 800 benign applications and 1200 malicious applications. The experimental results show that by the above two improvements, the highest detection rate is 97.5%, better than the existing methods.


Android Dynamic analysis System call System service Gaussian kernel 


  1. 1.
    Lindorfer, M., Neugschwandtner, M., Weichselbaum, L., Fratantonio, Y., Van Der Veen, V., Platzer, C.: Andrubis-1 000000 apps later: a view on current Android malware behaviors. In: Proceedings of the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS) (2014)Google Scholar
  2. 2.
    DroidBox: Android application sandbox (2011).
  3. 3.
    Enck, W., Gilbert, P., Chun, B., Cox, L., Jung, J., McDaniel, P., Sheth, A.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, pp. 1–6. USENIX Association (2010)Google Scholar
  4. 4.
    Steven, A., Siegfried, R., Christian, F., Eric, B.: Flow-droid: precise context flow field object-sensitive and lifecycle-aware taint analysis for Android apps. In: Proceedings of the 35th International Conference on Security (2014)Google Scholar
  5. 5.
    Aafer, Y., Du, W., Yin, H.: DroidAPIMiner: mining API-level features for robust malware detection in Android. In: Zia, T., Zomaya, A., Varadharajan, V., Mao, M. (eds.) Security and Privacy in Communication Networks. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 127, pp. 86–103. Springer, Cham (2013)CrossRefGoogle Scholar
  6. 6.
    Wu, D.J., Mao, C.H., Wei, T.E., Lee, H.M., Wu, K.P.: DroidMat: Android malware detection through manifest and API calls tracing. In: 2012 Seventh Asia Joint Conference on Information Security (Asia JCIS), Tokyo, pp. 62–69. IEEE (2012)Google Scholar
  7. 7.
    Schmidt, A.-D., et al.: Detecting Symbian OS malware through static function call analysis. In: 2009 4th International Conference on Malicious and Unwanted Software (MAL-WARE). IEEE (2009)Google Scholar
  8. 8.
    Liu, J., Wu, H., Wang, H.: A detection method for malicious codes in Android apps. In: 10th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM 2014), Beijing, vol. 8, no. 2, pp. 514–519 (2014)Google Scholar
  9. 9.
    Jeong, J., Seo, D., Milburn, J.: MysteryChecker: unpredictable attestation to detect repackaged malicious applications in Android. In: 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE), Fajardo, PR, vol. 10, no. 3, pp. 50–57 (2014)Google Scholar
  10. 10.
    Afonso, V.M., Amorim, M.F.D., Grégio, A.R.A., et al.: Identifying Android malware using dynamically obtained features. J. Comput. Virol. Hacking Tech. 11(1), 9–17 (2015)CrossRefGoogle Scholar
  11. 11.
    Lin, Y.D., Lai, Y.C., Chen, C.H., et al.: Identifying Android malicious repackaged applications by thread-grained system call sequences. Comput. Secur. 39(39), 340–350 (2013)CrossRefGoogle Scholar
  12. 12.
    Wang, W., Wang, X., Feng, D., et al.: Exploring permission-induced risk in Android applications for malicious application detection. IEEE Trans. Inf. Forensics Secur. 9(11), 1869–1882 (2014)CrossRefGoogle Scholar
  13. 13.
    Xiao, X., Xiao, X., Jiang, Y., et al.: Identifying Android malware with system call co-occurrence matrices. Trans. Emerg. Telecommun. Technol. 27(5), 675–684 (2016)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  1. 1.Tianjin Key Laboratory of Intelligence Computing and Network SecurityTianjin University of TechnologyTianjinChina
  2. 2.China Everbright Bank Co., Ltd.TianjinChina

Personalised recommendations