Fingerprinting Android malware families

Nannan XIE , Xing WANG , Wei WANG , Jiqiang LIU

Front. Comput. Sci. ›› 2019, Vol. 13 ›› Issue (3): 637-646. DOI: 10.1007/s11704-017-6493-y
RESEARCH ARTICLE


Abstract

The domination of the Android operating system in the market share of smart terminals has engendered increasing threats of malicious applications (apps). Research on Android malware detection has received considerable attention in academia and the industry. In particular, studies on malware families have been beneficial to malware detection and behavior analysis. However, identifying the characteristics of malware families and the features that can describe a particular family have been less frequently discussed in existing work. In this paper, we are motivated to explore the key features that can classify and describe the behaviors of Android malware families to enable fingerprinting the malware families with these features. We present a framework for signature-based key feature construction. In addition, we propose a frequency-based feature elimination algorithm to select the key features. Finally, we construct the fingerprints of ten malware families, including twenty key features in three categories. Results of extensive experiments using Support Vector Machine demonstrate that the malware family classification achieves an accuracy of 92% to 99%. The typical behaviors of malware families are analyzed based on the selected key features. The results demonstrate the feasibility and effectiveness of the presented algorithm and fingerprinting method.

Keywords

Android malware / malware family / feature selection / behavior analysis

Cite this article

Nannan XIE, Xing WANG, Wei WANG, Jiqiang LIU. Fingerprinting Android malware families. Front. Comput. Sci., 2019, 13(3): 637-646 DOI:10.1007/s11704-017-6493-y

RIGHTS & PERMISSIONS

Higher Education Press and Springer-Verlag GmbH Germany, part of Springer Nature
