DroidDivesDeep: Android Malware Classification via Low Level Monitorable Features with Deep Neural Networks

  • Conference paper
  • Security and Privacy (ISEA-ISAP 2019)
  • Part of the book series: Communications in Computer and Information Science (CCIS, volume 939)

Abstract

Android, the dominant smart device Operating System (OS), has evolved into a robust smart device platform since its release in 2008. Naturally, cyber criminals leverage the fragmentation among its various major releases by employing novel attacks. Machine learning is extensively used in system security. Shallow learning classifiers tend to over-learn during training; hence, the model underperforms during real evaluation because of its dependence on the training data. Deep learning has the potential to automate the detection of newly discovered malware families by learning generalizations about malware and benign files, so that unseen or zero-day malware attacks can be detected.

Deep Neural Networks (DNN) have proven performance in image analysis and text classification. In this paper, our proposal DroidDivesDeep (D3), a malware classification and app categorization framework, models low-level monitorable features (e.g., CPU, memory, network, sensors). Unlike existing techniques that rely on a static extraction approach, our proposal employs low-level device runtime attributes. D3 is evaluated on a reasonable dataset consisting of 24,343 genuine Play Store apps and 8,779 real-world Android malware samples. The initial results of our proposal are quite encouraging: a 98.65% detection rate with 99.79% accuracy during real evaluation. Our proposal improves upon existing techniques by 23%.



Author information

Correspondence to Parvez Faruki.

Appendix A

In the following, we briefly describe the important low-level monitorable features extracted for classification in our proposal DroidDivesDeep.

  1. cpu_usage: CPU utilization as a percentage, normalized to a constant CPU speed.

  2. cutime: Time that this process's waited-for children have been scheduled in user mode.

  3. importancereasoncode: The reason for the process's importance, if any.

  4. importance: Status of a process, i.e., background, foreground, service or sleeping.

  5. importancereasonpid: For the specified values of importanceReasonCode, the process ID of the other process that is a client of this process.

  6. lru: Relative utility of processes within an importance category.

  7. num_threads: Number of threads in this process.

  8. pgid: Identifier of the foreground process.

  9. priority: Priority assigned to the process, in the range 0–99.

  10. cmaj_flt: Number of major page faults that the process's waited-for children have made.

  11. otherprivatedirty: The private dirty pages used by everything else.

  12. otherpss: The proportional set size for everything else.

  13. othershareddirty: The shared dirty pages used by everything else.

  14. rss: Resident Set Size: the number of pages the process has in real memory.

  15. version_code: An integer used as an internal version number for the Android app.

  16. packageuid: The app package UID.

  17. uidrxbytes: Bytes received by this application since the last time the T4 probe was activated.

  18. uidrxpackets: Packets received by this application since the last time the T4 probe was activated.

  19. uidtxbytes: Bytes transmitted by this application since the last time the T4 probe was activated.

  20. uidtxpackets: Packets transmitted by this application since the last time the T4 probe was activated.

  21. dalvikprivatedirty: The private dirty pages used by the Dalvik heap.

  22. dalvikpss: The proportional set size for the Dalvik heap.

  23. dalvikshareddirty: The shared dirty pages used by the Dalvik heap.

  24. start_time: The time at which the process started, measured from system boot.

  25. stime: Time this process has been scheduled in kernel mode, measured in clock ticks.

  26. utime: Time this process has been scheduled in user mode, measured in clock ticks.
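As an added example (not code from the paper), the following Python extracts the process-level subset of these features from a single /proc/<pid>/stat line, which is the natural on-device source for them; it assumes that the appendix names utime, stime, cutime, cmaj_flt, num_threads, priority, start_time, rss and pgid correspond to the proc(5) fields of the same meaning, and the sample line, the clock-tick rate and the vector ordering are constructed for illustration.

```python
# Added example (not the paper's code): pull appendix-style process features
# out of a /proc/<pid>/stat line. Assumption: names like utime, stime, cutime,
# cmaj_flt, num_threads, priority, start_time, rss, pgid map to proc(5) fields.
CLK_TCK = 100  # assumed clock ticks per second (sysconf(_SC_CLK_TCK) on typical Linux/Android)

# appendix feature name -> 1-indexed field number in /proc/<pid>/stat, per proc(5)
FIELD_NUMBERS = {
    "pgid": 5,         # pgrp (process group id)
    "cmaj_flt": 13,    # cmajflt: major faults made by waited-for children
    "utime": 14,       # user-mode clock ticks
    "stime": 15,       # kernel-mode clock ticks
    "cutime": 16,      # user-mode ticks of waited-for children
    "priority": 18,
    "num_threads": 20,
    "start_time": 22,  # ticks after boot at which the process started
    "rss": 24,         # resident set size, in pages
}
TICK_FIELDS = {"utime", "stime", "cutime", "start_time"}
# fixed column order for the numeric vector handed to a classifier
VECTOR_ORDER = ("utime", "stime", "cutime", "start_time",
                "cmaj_flt", "num_threads", "priority", "rss", "pgid")


def parse_proc_stat(line: str) -> dict:
    """Parse one /proc/<pid>/stat line into the appendix feature subset (ints).
    comm is parenthesised and may itself contain spaces or ')', so split at
    the LAST ')' instead of naively on whitespace.
    """
    line = line.strip()
    open_idx = line.index("(")
    close_idx = line.rindex(")")
    feats = {"pid": int(line[:open_idx]), "comm": line[open_idx + 1:close_idx]}
    rest = line[close_idx + 1:].split()  # rest[0] is field 3 (state)
    if len(rest) < 22:                   # must reach field 24 (rss)
        raise ValueError("truncated /proc/<pid>/stat line")
    for name, field_no in FIELD_NUMBERS.items():
        feats[name] = int(rest[field_no - 3])
    return feats


def feature_vector(feats: dict) -> list:
    """Numeric vector in VECTOR_ORDER; tick counts are converted to seconds."""
    return [feats[n] / CLK_TCK if n in TICK_FIELDS else float(feats[n])
            for n in VECTOR_ORDER]


# Constructed sample line (not captured from a real device); comm deliberately
# contains a space and a ')' to exercise the parser's edge case.
SAMPLE_STAT = ("4321 (bad ) name) S 1 4321 4321 0 -1 4194560 1200 30 7 2 "
               "150 45 12 3 20 0 9 0 84512 987654321 2310 18446744073709551615")

if __name__ == "__main__":
    print(feature_vector(parse_proc_stat(SAMPLE_STAT)))
```

The remaining appendix features (importance, the Dalvik and PSS memory figures, the uid byte and packet counters) come from Android framework APIs rather than /proc/<pid>/stat and would be appended to the same vector from those sources.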


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Faruki, P., Buddhadev, B., Shah, B., Zemmari, A., Laxmi, V., Gaur, M.S. (2019). DroidDivesDeep: Android Malware Classification via Low Level Monitorable Features with Deep Neural Networks. In: Nandi, S., Jinwala, D., Singh, V., Laxmi, V., Gaur, M., Faruki, P. (eds) Security and Privacy. ISEA-ISAP 2019. Communications in Computer and Information Science, vol 939. Springer, Singapore. https://doi.org/10.1007/978-981-13-7561-3_10

  • DOI: https://doi.org/10.1007/978-981-13-7561-3_10

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-7560-6

  • Online ISBN: 978-981-13-7561-3
