Abstract
As Android malware increasingly relies on network interfaces to perform malicious behaviors, detecting such malicious network behaviors becomes a critical challenge. Traditionally, static analysis provides soundness for Android malware detection, but it also leads to high false positives. It is also challenging to guarantee the completion of static analysis within a given time constraint, which is an important requirement for real-world security analysis. Dynamic analysis is often used to precisely detect malware within a specific time budget. However, dynamic analysis is inherently unsound as it only reports analysis results of the executed paths. In this paper, we introduce GranDroid, a graph-based hybrid malware detection system that combines dynamic analysis, incremental and partial static analysis, and machine learning to provide time-sensitive malicious network behavior detection with high accuracy. Our evaluation using 1,500 malware samples and 1,500 benign apps shows that our approach achieves 93% accuracy while spending only eight minutes to dynamically execute each app and determine its maliciousness. GranDroid can be used to provide rich and precise detection results while incurring similar analysis time as a typical malware detector based on pure dynamic analysis.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Available from: https://developer.android.com/training/testing/ui-automator.html.
References
Apkpure.com. https://apkpure.com/. Accessed Dec 2017
An http client for android and java applications. http://square.github.io/okhttp/. Accessed Dec 2017
Virusshare.com. https://virusshare.com/. Accessed Dec 2017
Volley overview. https://developer.android.com/training/volley. Accessed Dec 2017
Android feiwo. https://goo.gl/AAY8xp. Accessed Feb 2018
Afonso, V., et al.:. Going native: using a large-scale analysis of android apps to create a practical native-code sandboxing policy. In: The Network and Distributed System Security Symposium, pp. 1–15 (2016)
Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., Siemens, C.: DREBIN: effective and explainable detection of android malware in your pocket. In: NDSS (2014)
Chen, Z., et al.: A first look at android malware traffic in first few minutes. In: Trustcom/BigDataSE/ISPA, vol. 1, pp. 206–213. IEEE (2015)
Choudhary, S.R., Gorla, A., Orso, A.: Automated test input generation for android: are we there yet? In: Proceedings of ASE, Lincoln, NE, pp. 429–440 (2015)
Enck, W., et al.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM TOCS 32(2), 5 (2014)
Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: USENIX Security Symposium, vol. 2, p. 2 (2011)
Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of CCS, pp. 627–638. ACM (2011)
Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: Riskranker: scalable and accurate zero-day android malware detection. In: Proceedings of MobiSys, pp. 281–294 (2012)
Kelly, G.: Report: 97% of mobile malware is on android. This is the easy way you stay safe. In: Forbes Tech (2014)
Li, Z., Sun, L., Yan, Q., Srisa-an, W., Chen, Z.: DroidClassifier: efficient adaptive mining of application-layer header for classifying android malware. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds.) SecureComm 2016. LNICST, vol. 198, pp. 597–616. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59608-2_33
Messmer, E.: Black Hat demo: Google Bouncer Can Be Beaten. http://www.networkworld.com/news/2012/072312-black-hat-google-bouncer-261048.html
Rasthofer, S., Arzt, S., Bodden, E.: A machine-learning approach for classifying and categorizing android sources and sinks. In: Proceedings of of NDSS (2014)
Storey, O.: More malware found on google play store. https://www.eset.com/uk/about/newsroom/blog/more-malware-found-on-google-play-store/. Accessed June 2017
Sun, L., Li, Z., Yan, Q., Srisa-an, W., Pan, Y.: SigPID: significant permission identification for android malware detection. In: Proceedings of MALWARE, pp. 1–8. IEEE (2016)
Symantec. Latest intelligence for March 2016. In: Symantec Official Blog (2016)
Tsutano, Y., Bachala, S., Srisa-An, W., Rothermel, G., Dinh, J.: An efficient, robust, and scalable approach for analyzing interacting android apps. In: Proceedings of ICSE, Buenos Aires, Argentina (2017)
Wang, S., et al.: TrafficAV: an effective and explainable detection of mobile malware behavior using network traffic. In: Proceedings of IWQoS, pp. 1–6. IEEE (2016)
Wang, W., Wang, X., Feng, D., Liu, J., Han, Z., Zhang, X.: Exploring permission-induced risk in android applications for malicious application detection. IEEE Trans. Inf. Forensics Secur. 9(11), 1869–1882 (2014)
Xu, W., Qi, Y., Evans, D.: Automatically evading classifiers. In: Proceedings of NDSS (2016)
Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: DroidMiner: automated mining and characterization of fine-grained malicious behaviors in android applications. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 163–182. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11203-9_10
Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: Droidminer: automated mining and characterization of fine-grained malicious behaviors in android applications, Technical report. Texas A&M (2014)
Yang, W., Xiao, X., Andow, B., Li, S., Xie, T., Enck, W.: Appcontext: differentiating malicious and benign mobile app behaviors using context. In: Proceedings of ICSE, Florence, Italy, pp. 303–313 (2015)
Yang, Y., Wei, Z., Xu, Y., He, H., Wang, W.: Droidward: an effective dynamic analysis method for vetting android applications. Cluster Comput. December 2016
Zhang, M., Duan, Y., Yin, H., Zhao, Z.: Semantics-aware android malware classification using weighted contextual API dependency graphs. In: Proceedings of CCS, pp. 1105–1116 (2014)
Zhao, D., Traore, I., Sayed, B., Lu, W., Saad, S., Ghorbani, A., Garant, D.: Botnet detection based on traffic behavior analysis and flow intervals. Comput. Secur. 39, 2–16 (2013)
Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: Proceedings of IEEE S&P, pp. 95–109 (2012)
Acknowledgement
This work was supported in part by US National Science Foundation under grant CNS-1566388.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Li, Z., Sun, J., Yan, Q., Srisa-an, W., Bachala, S. (2018). GranDroid: Graph-Based Detection of Malicious Network Behaviors in Android Applications. In: Beyah, R., Chang, B., Li, Y., Zhu, S. (eds) Security and Privacy in Communication Networks. SecureComm 2018. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 254. Springer, Cham. https://doi.org/10.1007/978-3-030-01701-9_15
Download citation
DOI: https://doi.org/10.1007/978-3-030-01701-9_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01700-2
Online ISBN: 978-3-030-01701-9
eBook Packages: Computer ScienceComputer Science (R0)