HADM: Hybrid Analysis for Detection of Malware

Conference paper, Proceedings of SAI Intelligent Systems Conference (IntelliSys) 2016 (IntelliSys 2016)

Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 16)

Abstract

Android is the most popular mobile operating system with a market share of over 80% [1]. Due to its popularity and also its open source nature, Android is now the platform most targeted by malware, creating an urgent need for effective defense mechanisms to protect Android-enabled devices.

In this paper, we propose a novel Android malware classification method called HADM, Hybrid Analysis for Detection of Malware. We first extract static and dynamic information and convert this information into vector-based representations. It has been shown that combining advanced features derived by deep learning with the original features provides significant gains [2]. Therefore, we feed both the original dynamic and static feature vector sets to a Deep Neural Network (DNN), which outputs a new set of features. These features are then concatenated with the original features to construct DNN vector sets. Different kernels are then applied to the DNN vector sets. We also convert the dynamic information into graph-based representations and apply graph kernels to the graph sets. Learning results from the various vector and graph feature sets are combined using hierarchical Multiple Kernel Learning (MKL) [3] to build a final hybrid classifier.
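As an added illustration of the fusion step the abstract describes (this is not code from the paper), the following Python builds a vector representation and a graph representation from constructed syscall traces, applies a linear kernel to the vectors and a shortest-path graph kernel [33] to the syscall transition graphs, and fuses the cosine-normalised kernel matrices by a convex combination. The MKL weights are fixed here rather than learned, and the DNN feature-augmentation step is omitted; the traces, the function names and the weights are assumptions of this example.

```python
from collections import Counter, deque
# Constructed sample syscall traces (not from the paper), one per app.
TRACES = {
    "benign_a": ["open", "read", "close", "open", "read", "close"],
    "benign_b": ["open", "read", "close", "open", "write", "close"],
    "mal_a": ["open", "read", "sendto", "sendto", "close"],
}
VOCAB = sorted({s for t in TRACES.values() for s in t})

def syscall_histogram(trace):
    """Vector-based representation: syscall counts over a fixed vocabulary."""
    counts = Counter(trace)
    return [counts[s] for s in VOCAB]

def path_lengths(trace):
    """Graph-based representation: transition graph of consecutive syscalls, as BFS hop counts."""
    adj = {s: set() for s in trace}
    for a, b in zip(trace, trace[1:]):
        adj[a].add(b)
    dist = {}
    for src in adj:
        seen, queue = {src: 0}, deque([src])
        while queue:
            u = queue.popleft()
            for v in adj[u].difference(seen):
                seen[v] = seen[u] + 1
                queue.append(v)
        dist.update({(src, dst): n for dst, n in seen.items() if n})
    return dist

def shortest_path_kernel(d1, d2):
    """Shortest-path graph kernel: count paths whose endpoints and lengths agree."""
    return sum(1 for p, n in d1.items() if d2.get(p) == n)

def linear_kernel(v1, v2):
    return sum(a * b for a, b in zip(v1, v2))

def kernel_matrix(items, k):
    """Gram matrix under kernel k, cosine-normalised so every diagonal entry is 1."""
    idx = range(len(items))
    K = [[float(k(items[i], items[j])) for j in idx] for i in idx]
    return [[K[i][j] / (K[i][i] * K[j][j]) ** 0.5 for j in idx] for i in idx]

def hybrid_kernel(traces=TRACES, weights=(0.5, 0.5)):
    """Fuse the vector and graph kernels by a convex combination (rows follow dict order)."""
    assert min(weights) >= 0 and abs(sum(weights) - 1) < 1e-9  # valid MKL weights
    mats = [kernel_matrix([syscall_histogram(t) for t in traces.values()], linear_kernel),
            kernel_matrix([path_lengths(t) for t in traces.values()], shortest_path_kernel)]
    idx = range(len(traces))
    return [[sum(w * M[i][j] for w, M in zip(weights, mats)) for j in idx] for i in idx]
```

On the constructed traces the two benign apps end up closest under the fused kernel, while the app that repeats `sendto` is further from both, which is the signal a kernel classifier such as an SVM would then train on.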


Notes

  1. http://www.genymotion.com.
  2. http://virusshare.com.
  3. https://code.google.com/p/androguard/.
  4. http://linux.die.net/man/1/strace.
  5. http://virusshare.com.
  6. https://www.virustotal.com/.
  7. http://free.avg.com/us-en/homepage.
  8. https://anubis.iseclab.org/.
  9. https://cuckoosandbox.org.

References

  1. Mawston, N.: Android captured record 85 percent share of global smartphone shipments in Q2 2014. Smartphone report, Strategy Analytics (2014)
  2. Sarikaya, R., Hinton, G.E., Deoras, A.: Application of deep belief networks for natural language understanding. IEEE/ACM Trans. Audio Speech Lang. Process. 22(4), 778–784 (2014)
  3. Gonen, M., Alpaydin, E.: Multiple kernel learning algorithms. J. Mach. Learn. Res. 12, 2211–2268 (2011)
  4. IDC: Smartphone OS market share, Q1 2015. Technical report (2015)
  5. PulseSecure: 2015 mobile threat report. Technical report (2015)
  6. Wu, D., Mao, C., Wei, T., Lee, H., Wu, K.: DroidMat: Android malware detection through manifest and API calls tracing. In: Proceedings of the 7th Asia Joint Conference on Information Security (Asia JCIS), pp. 62–69, August 2012
  7. Grace, M., Zhou, Y., Zhang, Q., Zou, S., Jiang, X.: RiskRanker: scalable and accurate zero-day Android malware detection. In: Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (MobiSys) (2012)
  8. Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K.: Drebin: effective and explainable detection of Android malware in your pocket. In: Proceedings of the Network and Distributed System Security Symposium (NDSS) (2014)
  9. Zhang, M., Duan, Y., Yin, H., Zhao, Z.: Semantics-aware Android malware classification using weighted contextual API dependency graphs. In: Proceedings of the 2014 ACM Conference on Computer and Communications Security (CCS) (2014)
  10. Yang, C., Xu, Z., Gu, G., Yegneswaran, V., Porras, P.: DroidMiner: automated mining and characterization of fine-grained malicious behaviors in Android applications. In: Computer Security - ESORICS 2014. Lecture Notes in Computer Science (2014)
  11. Enck, W., Gilbert, P., Chun, B., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation (OSDI) (2010)
  12. Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: Crowdroid: behavior-based malware detection system for Android. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), pp. 15–26 (2011)
  13. Yan, L.K., Yin, H.: DroidScope: seamlessly reconstructing the OS and Dalvik semantic views for dynamic Android malware analysis. In: Proceedings of the 21st USENIX Security Symposium (2012)
  14. Shabtai, A., Kanonov, U., Elovici, Y., Glezer, C., Weiss, Y.: Andromaly: a behavioral malware detection framework for Android devices. J. Intell. Inf. Syst. 38(1), 161–190 (2012)
  15. Reina, A., Fattori, A., Cavallaro, L.: A system call-centric analysis and stimulation technique to automatically reconstruct Android malware behaviors. In: Proceedings of the 6th European Workshop on Systems Security (EuroSec) (2013)
  16. Tam, K., Khan, S.J., Fattori, A., Cavallaro, L.: CopperDroid: automatic reconstruction of Android malware behaviors. In: Proceedings of the Symposium on Network and Distributed System Security (NDSS) (2015)
  17. Dimjaševic, M., Atzeni, S., Ugrina, I., Rakamaric, Z.: Android malware detection based on system calls. Technical report, University of Utah (2015)
  18. Bläsing, T., Batyuk, L., Schmidt, A.D., Camtepe, S.A., Albayrak, S.: An Android application sandbox system for suspicious software detection. In: Proceedings of the 5th International Conference on Malicious and Unwanted Software (MALCON), pp. 55–62, October 2010
  19. Zheng, C., Zhu, S., Dai, S., Gu, G., Gong, X., Han, X., Zou, W.: SmartDroid: an automatic system for revealing UI-based trigger conditions in Android applications. In: Proceedings of the 2nd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM), New York, NY, USA, pp. 93–104 (2012)
  20. Spreitzenbarth, M., Schreck, T., Echtler, F., Arp, D., Hoffmann, J.: Mobile-Sandbox: combining static and dynamic analysis with machine-learning techniques. Int. J. Inf. Secur. 14, 141–153 (2014)
  21. Lindorfer, M., Neugschwandtner, M., Weichselbaum, L., Fratantonio, Y., van der Veen, V., Platzer, C.: Andrubis - 1,000,000 apps later: a view on current Android malware behaviors. In: Proceedings of the 3rd International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS) (2014)
  22. Weichselbaum, L., Neugschwandtner, M., Lindorfer, M., Fratantonio, Y., van der Veen, V., Platzer, C.: Andrubis: Android malware under the magnifying glass. Technical report TR-ISECLAB-0414-001, Vienna University of Technology (2014)
  23. Lindorfer, M., Neugschwandtner, M., Platzer, C.: Marvin: efficient and comprehensive mobile app classification through static and dynamic analysis. In: Proceedings of the 39th Annual International Computers, Software and Applications Conference (COMPSAC) (2015)
  24. Zhao, S., Li, X., Xu, G., Zhang, L., Feng, Z.: Attack tree based Android malware detection with hybrid analysis. In: Proceedings of the IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom) (2014)
  25. Rastogi, V., Chen, Y., Jiang, X.: Catch me if you can: evaluating Android anti-malware against transformation attacks. IEEE Trans. Inf. Forensics Secur. 9(1), 99–108 (2014)
  26. Feizollah, A., Anuar, N.B., Salleh, R., Wahab, A.W.A.: A review on feature selection in mobile malware detection. Digital Invest. 13, 22–37 (2015)
  27. Deng, L., Yu, D.: Deep learning: methods and applications. Found. Trends Signal Process. 7, 197–387 (2014)
  28. Hinton, G.E.: A practical guide to training restricted Boltzmann machines. In: Neural Networks: Tricks of the Trade. Lecture Notes in Computer Science. Springer, Heidelberg (2012)
  29. Krizhevsky, A., Hinton, G.E.: Using very deep autoencoders for content-based image retrieval. In: Proceedings of the European Symposium on Artificial Neural Networks (ESANN) (2011)
  30. Ranzato, M., Boureau, Y., LeCun, Y.: Sparse feature learning for deep belief networks. In: Proceedings of Neural Information Processing Systems (NIPS), pp. 1185–1192 (2007)
  31. Le Roux, N., Bengio, Y.: Representational power of restricted Boltzmann machines and deep belief networks. Neural Comput. 20(6), 1631–1649 (2008)
  32. Deng, L., Seltzer, M.L., Yu, D., Acero, A., Mohamed, A.R., Hinton, G.E.: Binary coding of speech spectrograms using a deep auto-encoder. In: INTERSPEECH, pp. 1692–1695 (2010)
  33. Borgwardt, K.M., Kriegel, H.P.: Shortest-path kernels on graphs. In: Proceedings of the IEEE International Conference on Data Mining (ICDM), pp. 74–81 (2005)
  34. Xu, L., Wei, W., Alvarez, M.A., Cavazos, J., Zhang, D.: Parallelization of shortest path graph kernels on multi-core CPUs and GPUs. In: Proceedings of the Programmability Issues for Heterogeneous Multicores (MultiProg), Vienna, Austria (2014)
  35. Cristianini, N., Shawe-Taylor, J.: An Introduction to Support Vector Machines and Other Kernel-based Learning Methods. Cambridge University Press (2000)
  36. Schölkopf, B., Smola, A.J.: Learning with Kernels: Support Vector Machines, Regularization, Optimization, and Beyond. MIT Press, Cambridge (2001)
  37. Jain, A., Vishwanathan, S.V.N., Varma, M.: SPG-GMKL: generalized multiple kernel learning with a million kernels. In: Proceedings of the 18th ACM International Conference on Knowledge Discovery and Data Mining (KDD) (2012)
  38. Zhou, Y., Wang, Z., Zhou, W., Jiang, X.: Hey, you, get off of my market: detecting malicious apps in official and alternative Android markets. In: Proceedings of the Network and Distributed System Security Symposium (NDSS), February 2012
  39. Yuan, Z., Lu, Y., Wang, X., Xue, Y.: Droid-Sec: deep learning in Android malware detection. In: Proceedings of the ACM SIGCOMM Conference (2014)
  40. Yuan, Z., Lu, Y., Xue, Y.: DroidDetector: Android malware characterization and detection using deep learning. Tsinghua Sci. Technol. 21(1), 114–123 (2016)
  41. David, O.E., Netanyahu, N.S.: DeepSign: deep learning for automatic malware signature generation and classification. In: Proceedings of the International Joint Conference on Neural Networks (IJCNN), pp. 1–8, July 2015
  42. Saxe, J., Berlin, K.: Deep neural network based malware detection using two dimensional binary program features. CoRR, abs/1508.03096 (2015)
  43. Anderson, B., Quist, D., Neil, J., Storlie, C., Lane, T.: Graph-based malware detection using dynamic analysis. J. Comput. Virol. 7(4), 247–258 (2011)


Correspondence to Lifan Xu.


© 2018 Springer International Publishing AG


Cite this paper

Xu, L., Zhang, D., Jayasena, N., Cavazos, J. (2018). HADM: Hybrid Analysis for Detection of Malware. In: Bi, Y., Kapoor, S., Bhatia, R. (eds) Proceedings of SAI Intelligent Systems Conference (IntelliSys) 2016. IntelliSys 2016. Lecture Notes in Networks and Systems, vol 16. Springer, Cham. https://doi.org/10.1007/978-3-319-56991-8_51

  • DOI: https://doi.org/10.1007/978-3-319-56991-8_51
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-56990-1
  • Online ISBN: 978-3-319-56991-8
