HADM: Hybrid Analysis for Detection of Malware

  • Lifan Xu
  • Dongping Zhang
  • Nuwan Jayasena
  • John Cavazos
Conference paper
Part of the Lecture Notes in Networks and Systems book series (LNNS, volume 16)


Android is the most popular mobile operating system with a market share of over 80% [1]. Due to its popularity and also its open source nature, Android is now the platform most targeted by malware, creating an urgent need for effective defense mechanisms to protect Android-enabled devices.

In this paper, we propose a novel Android malware classification method called HADM, Hybrid Analysis for Detection of Malware. We first extract static and dynamic information, and convert this information into vector-based representations. It has been shown that combining advanced features derived by deep learning with the original features provides significant gains [2]. Therefore, we feed both the original dynamic and static feature vector sets to a Deep Neural Network (DNN) which outputs a new set of features. These features are then concatenated with the original features to construct DNN vector sets. Different kernels are then applied onto the DNN vector sets. We also convert the dynamic information into graph-based representations and apply graph kernels onto the graph sets. Learning results from various vector and graph feature sets are combined using hierarchical Multiple Kernel Learning (MKL) [3] to build a final hybrid classifier.


Android malware Hybrid analysis Deep learning Graph representation 


  1. 1.
    Mawston, N.: Android captured record 85 percent share of global smartphone shipments in q2 2014. Smartphone report, Strategy Analystics (2014)Google Scholar
  2. 2.
    Sarikaya, R., Hinton, G.E., Deoras, A.: Application of deep belief networks for natural language understanding. IEEE/ACM Trans. Audio Speech Lang. Proces. 22(4), 778–784 (2014)CrossRefGoogle Scholar
  3. 3.
    Gonen, M., Alpaydin, E.: Multiple kernel learning algorithms. J. Mach. Learn. Res. 12, 2211–2268 (2011)MathSciNetzbMATHGoogle Scholar
  4. 4.
    IDC. Smartphone OS market share, q1 2015. Technical report (2015)Google Scholar
  5. 5.
    PulseSecure. 2015 mobile threat report. Technical report (2015)Google Scholar
  6. 6.
    Wu, D., Mao, C., Wei, T., Lee, H., Droidmat, K.: Android malware detection through manifest and API calls tracing. In: Proceedings of the 7th Asia Joint Conference on Information Security (Asia JCIS), pp. 62–69, August 2012Google Scholar
  7. 7.
    Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: Riskranker: scalable and accurate zero-day android malware detection. In: Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (MobiSys) (2012)Google Scholar
  8. 8.
    Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K.: Drebin: effective and explainable detection of android malware in your pocket. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2014)Google Scholar
  9. 9.
    Zhang, M., Duan, Y., Yin, H., Zhao, Z.: Semantics-aware android malware classification using weighted contextual API dependency graphs. In: Proceedings of the 2014 ACM Conference on Computer and Communications Security (CCS) (2014)Google Scholar
  10. 10.
    Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: Droidminer: automated mining and characterization of fine-grained malicious behaviors in android applications. In: Computer Security - ESORICS 2014. Lecture Notes in Computer Science (2014)Google Scholar
  11. 11.
    Enck, W., Gilbert, P., Chun, B., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI) (2010)Google Scholar
  12. 12.
    Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), pp. 15–26 (2011)Google Scholar
  13. 13.
    Yan, L.K., Yin, H.: Droidscope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic android malware analysis. In: Proceedings of the 21st USENIX Security Symposium (2012)Google Scholar
  14. 14.
    Shabtai, A., Kanonov, U., Elovici, Y., Glezer, C., Weiss, Y.: Andromaly: a behavioral malware detection framework for android devices. J. Intell. Inf. Syst. 38(1), 161–190 (2012)CrossRefGoogle Scholar
  15. 15.
    Reina, A., Fattori, A., Cavallaro, L.: A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors. In: Proceedings of the 6th European Workshop on Systems Security (EuroSec) (2013)Google Scholar
  16. 16.
    Tam, S., Khan, J., Fattori, A., Cavallaro, L.: Copperdroid: automatic reconstruction of android malware behaviors. In: Proceedings of the Symposium on Network and Distributed System Security (NDSS) (2015)Google Scholar
  17. 17.
    Dimjaševic, M., Atzeni, S., Ugrina, I., Rakamaric, Z.: Android malware detection based on system calls. Technical report, University of Utah (2015)Google Scholar
  18. 18.
    Bläsing, T., Batyuk, L., Schmidt, A.D., Camtepe, S.A., Albayrak, S.: An android application sandbox system for suspicious software detection. In: Proceedings of the 5th International Conference on Malicious and Unwanted Software (MALCON), pp. 55–62, October 2010Google Scholar
  19. 19.
    Zheng, C., Zhu, S., Dai, S., Gu, G., Gong, X., Han, X., Zou, W.: Smartdroid: an automatic system for revealing UI-based trigger conditions in android applications. In: Proceedings of the 2nd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), New York, NY, USA, pp. 93–104 (2012)Google Scholar
  20. 20.
    Spreitzenbarth, M., Schreck, T., Echtler, F., Arp, D., Hoffmann, J.: Mobile-sandbox: combining static and dynamic analysis with machine-learning techniques. Int. J. Inf. Secur. 14, 141–153 (2014)CrossRefGoogle Scholar
  21. 21.
    Lindorfer, M., Neugschwandtner, M., Weichselbaum, L., Fratantonio, Y., van der Veen, V., Platzer, C.: Andrubis-1,000,000 apps later: a view on current android malware behaviors. In: Proceedings of the the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS) (2014)Google Scholar
  22. 22.
    Weichselbaum, L., Neugschwandtner, M., Lindorfer, M., Fratantonio, Y., van der Veen, V., Platzer, C.: Andrubis: android malware under the magnifying glass. Vienna University of Technology, Techical report, TRISECLAB-0414-001 (2014)Google Scholar
  23. 23.
    Lindorfer, M., Neugschwandtner, M., Platzer, C.: Marvin: efficient and comprehensive mobile app classification through static and dynamic analysis. In: Proceedings of the 39th Annual International Computers, Software and Applications Conference (COMPSAC) (2015)Google Scholar
  24. 24.
    Zhao, S., Li, X., Xu, G., Zhang, L., Feng, Z.: Attack tree based android malware detection with hybrid analysis. In: Proceedings of the IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (2014)Google Scholar
  25. 25.
    Rastogi, V., Chen, Y., Jiang, X.: Catch me if you can: evaluating android anti-malware against transformation attacks. IEEE Trans. Inf. Forensics Secur. 9(1), 99–108 (2014)CrossRefGoogle Scholar
  26. 26.
    Feizollah, A., Anuar, N.B., Salleh, R., Wahab, A.W.A.: A review on feature selection in mobile malware detection. Digital Invest. 13, 22–37 (2015)CrossRefGoogle Scholar
  27. 27.
    Deng, L., Yu, D.: Deep learning: methods and applications. Found. Trends Signal Process. 7, 197–387 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
  28. 28.
    Hinton, G.E.: A practical guide to training restricted Boltzmann machines. In: Neural Networks: Tricks of the Trade. Lecture Notes in Computer Science. Springer, Heidelberg (2012)Google Scholar
  29. 29.
    Krizhevsky, A., Hinton, G.E.: Using very deep autoencoders for content-based image retrieval. In: Proceedings of the European Symposium on Artificial Neural Networks (ESANN) (2011)Google Scholar
  30. 30.
    Ranzato, M., Boureau, Y., Cun, Y.L.: Sparse feature learning for deep belief networks. In: Proceedings of the Neural Information Processing Systems (NIPS), pp. 1185–1192 (2007)Google Scholar
  31. 31.
    Le Roux, N., Bengio, Y.: Representational power of restricted boltzmann machines and deep belief networks. Neural Comput. 20(6), 1631–1649 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  32. 32.
    Deng, L., Seltzer, M.L., Yu, D., Acero, A., Mohamed, A.R., Hinton, G.E.: Binary coding of speech spectrograms using a deep auto-encoder. In: INTERSPEECH, pp. 1692–1695 (2010)Google Scholar
  33. 33.
    Borgwardt, K.M., Kriegel, H.P.: Shortest-path kernels on graphs. In: Proceedings of the IEEE International Conference on Data Mining (ICDM), pp. 74–81 (2005)Google Scholar
  34. 34.
    Xu, L., Wei, W., Alvarez, M.A., Cavazos, J., Zhang, D.: Parallelization of shortest path graph kernels on multi-core CPUS and GPUS, In: Proceedings of the Programmability Issues for Heterogeneous Multicores (MultiProg), Vienna, Austria (2014)Google Scholar
  35. 35.
    Cristianini, N., Shawe-Taylor, J.: An introduction to support vector machines and other kernel-based learning methods. Cambridge University Press (2000)Google Scholar
  36. 36.
    Scholkopf, B., Smola, A.J.: Learning with Kernels: Support Vector Machines, Regularization, Optimization, and Beyond. MIT Press, Cambridge (2001)Google Scholar
  37. 37.
    Jain, A., Vishwanathan, S.V.N., Varma, M.: SPG-GMKL: generalized multiple kernel learning with a million kernels. In: Proceedings of the 18th ACM International Conference on Knowledge Discovery and Data Mining (KDD)Google Scholar
  38. 38.
    Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious apps in official and alternative Android markets. In: Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2012Google Scholar
  39. 39.
    Yuan, Z., Lu, Y., Wang, X., Xue, Y.: Droid-sec: deep learning in android malware detection. In: Proceedings of the ACM conference on SIGCOMM (2014)Google Scholar
  40. 40.
    Yuan, Z., Lu, Y., Xue, Y.: Droiddetector: android malware characterization and detection using deep learning. Tsinghua Sci. Technol. 21(01), 114–123 (2016)CrossRefGoogle Scholar
  41. 41.
    David, O.E., Netanyahu, N.S.: Deepsign: deep learning for automatic malware signature generation and classification. In: Proceedings of the International Joint Conference on Neural Networks (IJCNN), pp. 1–8, July 2015Google Scholar
  42. 42.
    Saxe, J., Berlin, K.: Deep neural network based malware detection using two dimensional binary program features. CoRR, abs/1508.03096 (2015)Google Scholar
  43. 43.
    Anderson, B., Quist, D., Neil, J., Storlie, C., Lane, T.: Graph-based malware detection using dynamic analysis. J. Comput. Virol. 7(4), 247–258 (2011)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Lifan Xu
    • 1
  • Dongping Zhang
    • 2
  • Nuwan Jayasena
    • 2
  • John Cavazos
    • 1
  1. 1.University of DelawareNewarkUSA
  2. 2.AMD ResearchSunnyvaleUSA

Personalised recommendations