Abstract
Android is the most popular mobile operating system with a market share of over 80% [1]. Due to its popularity and also its open source nature, Android is now the platform most targeted by malware, creating an urgent need for effective defense mechanisms to protect Android-enabled devices.
In this paper, we propose a novel Android malware classification method called HADM, Hybrid Analysis for Detection of Malware. We first extract static and dynamic information, and convert this information into vector-based representations. It has been shown that combining advanced features derived by deep learning with the original features provides significant gains [2]. Therefore, we feed both the original dynamic and static feature vector sets to a Deep Neural Network (DNN) which outputs a new set of features. These features are then concatenated with the original features to construct DNN vector sets. Different kernels are then applied onto the DNN vector sets. We also convert the dynamic information into graph-based representations and apply graph kernels onto the graph sets. Learning results from various vector and graph feature sets are combined using hierarchical Multiple Kernel Learning (MKL) [3] to build a final hybrid classifier.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Mawston, N.: Android captured record 85 percent share of global smartphone shipments in q2 2014. Smartphone report, Strategy Analystics (2014)
Sarikaya, R., Hinton, G.E., Deoras, A.: Application of deep belief networks for natural language understanding. IEEE/ACM Trans. Audio Speech Lang. Proces. 22(4), 778–784 (2014)
Gonen, M., Alpaydin, E.: Multiple kernel learning algorithms. J. Mach. Learn. Res. 12, 2211–2268 (2011)
IDC. Smartphone OS market share, q1 2015. Technical report (2015)
PulseSecure. 2015 mobile threat report. Technical report (2015)
Wu, D., Mao, C., Wei, T., Lee, H., Droidmat, K.: Android malware detection through manifest and API calls tracing. In: Proceedings of the 7th Asia Joint Conference on Information Security (Asia JCIS), pp. 62–69, August 2012
Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: Riskranker: scalable and accurate zero-day android malware detection. In: Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (MobiSys) (2012)
Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K.: Drebin: effective and explainable detection of android malware in your pocket. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2014)
Zhang, M., Duan, Y., Yin, H., Zhao, Z.: Semantics-aware android malware classification using weighted contextual API dependency graphs. In: Proceedings of the 2014 ACM Conference on Computer and Communications Security (CCS) (2014)
Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: Droidminer: automated mining and characterization of fine-grained malicious behaviors in android applications. In: Computer Security - ESORICS 2014. Lecture Notes in Computer Science (2014)
Enck, W., Gilbert, P., Chun, B., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI) (2010)
Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), pp. 15–26 (2011)
Yan, L.K., Yin, H.: Droidscope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic android malware analysis. In: Proceedings of the 21st USENIX Security Symposium (2012)
Shabtai, A., Kanonov, U., Elovici, Y., Glezer, C., Weiss, Y.: Andromaly: a behavioral malware detection framework for android devices. J. Intell. Inf. Syst. 38(1), 161–190 (2012)
Reina, A., Fattori, A., Cavallaro, L.: A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors. In: Proceedings of the 6th European Workshop on Systems Security (EuroSec) (2013)
Tam, S., Khan, J., Fattori, A., Cavallaro, L.: Copperdroid: automatic reconstruction of android malware behaviors. In: Proceedings of the Symposium on Network and Distributed System Security (NDSS) (2015)
Dimjaševic, M., Atzeni, S., Ugrina, I., Rakamaric, Z.: Android malware detection based on system calls. Technical report, University of Utah (2015)
Bläsing, T., Batyuk, L., Schmidt, A.D., Camtepe, S.A., Albayrak, S.: An android application sandbox system for suspicious software detection. In: Proceedings of the 5th International Conference on Malicious and Unwanted Software (MALCON), pp. 55–62, October 2010
Zheng, C., Zhu, S., Dai, S., Gu, G., Gong, X., Han, X., Zou, W.: Smartdroid: an automatic system for revealing UI-based trigger conditions in android applications. In: Proceedings of the 2nd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), New York, NY, USA, pp. 93–104 (2012)
Spreitzenbarth, M., Schreck, T., Echtler, F., Arp, D., Hoffmann, J.: Mobile-sandbox: combining static and dynamic analysis with machine-learning techniques. Int. J. Inf. Secur. 14, 141–153 (2014)
Lindorfer, M., Neugschwandtner, M., Weichselbaum, L., Fratantonio, Y., van der Veen, V., Platzer, C.: Andrubis-1,000,000 apps later: a view on current android malware behaviors. In: Proceedings of the the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS) (2014)
Weichselbaum, L., Neugschwandtner, M., Lindorfer, M., Fratantonio, Y., van der Veen, V., Platzer, C.: Andrubis: android malware under the magnifying glass. Vienna University of Technology, Techical report, TRISECLAB-0414-001 (2014)
Lindorfer, M., Neugschwandtner, M., Platzer, C.: Marvin: efficient and comprehensive mobile app classification through static and dynamic analysis. In: Proceedings of the 39th Annual International Computers, Software and Applications Conference (COMPSAC) (2015)
Zhao, S., Li, X., Xu, G., Zhang, L., Feng, Z.: Attack tree based android malware detection with hybrid analysis. In: Proceedings of the IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (2014)
Rastogi, V., Chen, Y., Jiang, X.: Catch me if you can: evaluating android anti-malware against transformation attacks. IEEE Trans. Inf. Forensics Secur. 9(1), 99–108 (2014)
Feizollah, A., Anuar, N.B., Salleh, R., Wahab, A.W.A.: A review on feature selection in mobile malware detection. Digital Invest. 13, 22–37 (2015)
Deng, L., Yu, D.: Deep learning: methods and applications. Found. Trends Signal Process. 7, 197–387 (2014)
Hinton, G.E.: A practical guide to training restricted Boltzmann machines. In: Neural Networks: Tricks of the Trade. Lecture Notes in Computer Science. Springer, Heidelberg (2012)
Krizhevsky, A., Hinton, G.E.: Using very deep autoencoders for content-based image retrieval. In: Proceedings of the European Symposium on Artificial Neural Networks (ESANN) (2011)
Ranzato, M., Boureau, Y., Cun, Y.L.: Sparse feature learning for deep belief networks. In: Proceedings of the Neural Information Processing Systems (NIPS), pp. 1185–1192 (2007)
Le Roux, N., Bengio, Y.: Representational power of restricted boltzmann machines and deep belief networks. Neural Comput. 20(6), 1631–1649 (2008)
Deng, L., Seltzer, M.L., Yu, D., Acero, A., Mohamed, A.R., Hinton, G.E.: Binary coding of speech spectrograms using a deep auto-encoder. In: INTERSPEECH, pp. 1692–1695 (2010)
Borgwardt, K.M., Kriegel, H.P.: Shortest-path kernels on graphs. In: Proceedings of the IEEE International Conference on Data Mining (ICDM), pp. 74–81 (2005)
Xu, L., Wei, W., Alvarez, M.A., Cavazos, J., Zhang, D.: Parallelization of shortest path graph kernels on multi-core CPUS and GPUS, In: Proceedings of the Programmability Issues for Heterogeneous Multicores (MultiProg), Vienna, Austria (2014)
Cristianini, N., Shawe-Taylor, J.: An introduction to support vector machines and other kernel-based learning methods. Cambridge University Press (2000)
Scholkopf, B., Smola, A.J.: Learning with Kernels: Support Vector Machines, Regularization, Optimization, and Beyond. MIT Press, Cambridge (2001)
Jain, A., Vishwanathan, S.V.N., Varma, M.: SPG-GMKL: generalized multiple kernel learning with a million kernels. In: Proceedings of the 18th ACM International Conference on Knowledge Discovery and Data Mining (KDD)
Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious apps in official and alternative Android markets. In: Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2012
Yuan, Z., Lu, Y., Wang, X., Xue, Y.: Droid-sec: deep learning in android malware detection. In: Proceedings of the ACM conference on SIGCOMM (2014)
Yuan, Z., Lu, Y., Xue, Y.: Droiddetector: android malware characterization and detection using deep learning. Tsinghua Sci. Technol. 21(01), 114–123 (2016)
David, O.E., Netanyahu, N.S.: Deepsign: deep learning for automatic malware signature generation and classification. In: Proceedings of the International Joint Conference on Neural Networks (IJCNN), pp. 1–8, July 2015
Saxe, J., Berlin, K.: Deep neural network based malware detection using two dimensional binary program features. CoRR, abs/1508.03096 (2015)
Anderson, B., Quist, D., Neil, J., Storlie, C., Lane, T.: Graph-based malware detection using dynamic analysis. J. Comput. Virol. 7(4), 247–258 (2011)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG
About this paper
Cite this paper
Xu, L., Zhang, D., Jayasena, N., Cavazos, J. (2018). HADM: Hybrid Analysis for Detection of Malware. In: Bi, Y., Kapoor, S., Bhatia, R. (eds) Proceedings of SAI Intelligent Systems Conference (IntelliSys) 2016. IntelliSys 2016. Lecture Notes in Networks and Systems, vol 16. Springer, Cham. https://doi.org/10.1007/978-3-319-56991-8_51
Download citation
DOI: https://doi.org/10.1007/978-3-319-56991-8_51
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-56990-1
Online ISBN: 978-3-319-56991-8
eBook Packages: EngineeringEngineering (R0)