Abstract
Android, the dominant smart device Operating System (OS), has evolved into a robust smart device platform since its release in 2008. Naturally, cyber criminals exploit the fragmentation across its major releases with novel attacks. Machine learning is extensively used in system security. Shallow learning classifiers tend to overfit the training data; hence the model underperforms during real evaluation because it depends on what it saw in training. Deep learning has the potential to automate the detection of newly discovered malware families: by learning a generalization over malicious and benign files, it can detect unseen or zero-day malware.
Deep Neural Networks (DNNs) have proven performance in image analysis and text classification. In this paper, our proposal DroidDivesDeep (D3), a malware classification and app categorization framework, models low-level monitorable features (e.g., CPU, memory, network, sensors). Unlike existing techniques that rely on static extraction, our proposal employs low-level device runtime attributes. D3 is evaluated on a reasonably sized dataset of 24,343 genuine Play Store apps against 8,779 real-world Android malware samples. The initial results of our proposal are quite encouraging: a 98.65% detection rate with 99.79% accuracy during real evaluation. Our proposal improves upon existing techniques by 23%.
Appendix A
In the following, we briefly describe the important low-level monitorable features extracted for classification in our proposal DroidDivesDeep. Most of them map directly onto fields of /proc/[pid]/stat (utime, stime, cutime, cmaj_flt, num_threads, priority, start_time, rss, pgid), Android's ActivityManager.RunningAppProcessInfo (importance, importanceReasonCode, importanceReasonPid, lru) and Debug.MemoryInfo (the pss and dirty-page counters).
1. cpu_usage: CPU utilization of the process in %, normalized to a constant CPU speed.
2. cutime: Time that this process's waited-for children have been scheduled in user mode, measured in clock ticks.
3. importancereasoncode: The reason for the importance value, if any.
4. importance: Importance class of the process, i.e., foreground, background, service or sleeping.
5. importancereasonpid: For the specified values of importanceReasonCode, the process ID of the other process that is a client of this process.
6. lru: Relative ordering of processes within an importance category (lower values are more recently used).
7. num_threads: Number of threads in this process.
8. pgid: Process group ID of the process.
9. priority: Scheduling priority assigned to the process, in the range 0–99.
10. cmaj_flt: Number of major page faults that the process's waited-for children have made.
11. otherprivatedirty: The private dirty pages used by everything else (i.e., other than the Dalvik and native heaps).
12. otherpss: The proportional set size for everything else.
13. othershareddirty: The shared dirty pages used by everything else.
14. rss: Resident Set Size, the number of pages the process has in real memory.
15. version_code: An integer used as the internal version number of the Android app.
16. packageuid: The UID assigned to the app package.
17. uidrxbytes: Bytes received by this application since the last time the T4 probe was activated.
18. uidrxpackets: Packets received by this application since the last time the T4 probe was activated.
19. uidtxbytes: Bytes transmitted by this application since the last time the T4 probe was activated.
20. uidtxpackets: Packets transmitted by this application since the last time the T4 probe was activated.
21. dalvikprivatedirty: The private dirty pages used by the Dalvik heap.
22. dalvikpss: The proportional set size of the Dalvik heap.
23. dalvikshareddirty: The shared dirty pages used by the Dalvik heap.
24. start_time: The time the process started after system boot, in clock ticks.
25. stime: Time this process has been scheduled in kernel mode, measured in clock ticks.
26. utime: Time this process has been scheduled in user mode, measured in clock ticks.
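To make the /proc-derived features above concrete, the following added example (an illustration written for this page, not the paper's own feature extractor) parses one /proc/[pid]/stat line into the fields named in Appendix A (pgid, cmaj_flt, utime, stime, cutime, priority, num_threads, start_time, rss) and derives cpu_usage from two samples taken a known interval apart. The sample lines are constructed, and CLK_TCK is assumed to be 100 Hz; on a real device query os.sysconf('SC_CLK_TCK').

```python
"""Extract Appendix A process features from /proc/[pid]/stat.

Added example, not the paper's code. Field layout follows proc(5); the
sample lines are constructed and CLK_TCK is an assumption (100 Hz).
"""
from dataclasses import dataclass

CLK_TCK = 100  # assumed clock ticks per second; os.sysconf("SC_CLK_TCK") on a device

# Index of each feature in the token list that follows the ')' closing comm.
# proc(5) numbers state as field 3, so index = field_number - 3.
_FIELDS = {
    "pgid": 5 - 3,         # pgrp
    "cmaj_flt": 13 - 3,
    "utime": 14 - 3,
    "stime": 15 - 3,
    "cutime": 16 - 3,
    "priority": 18 - 3,
    "num_threads": 20 - 3,
    "start_time": 22 - 3,  # starttime, clock ticks since boot
    "rss": 24 - 3,         # pages, not bytes
}


@dataclass(frozen=True)
class ProcStat:
    pid: int
    comm: str
    features: dict


def parse_proc_stat(line: str) -> ProcStat:
    """Parse a /proc/[pid]/stat line. comm is the only field that may contain
    spaces or ')', so split on the LAST ')' instead of on whitespace."""
    head, _, tail = line.rstrip("\n").rpartition(")")
    pid_str, _, comm = head.partition("(")
    tokens = tail.split()
    feats = {name: int(tokens[idx]) for name, idx in _FIELDS.items()}
    return ProcStat(pid=int(pid_str), comm=comm, features=feats)


def cpu_usage_percent(before: ProcStat, after: ProcStat, elapsed_s: float) -> float:
    """cpu_usage (Appendix A, item 1): percent of one CPU consumed between two
    samples, from the growth of utime+stime (ticks) over wall-clock time."""
    if before.pid != after.pid or elapsed_s <= 0:
        raise ValueError("samples must be of the same pid and in order")
    busy = (after.features["utime"] + after.features["stime"]) - (
        before.features["utime"] + before.features["stime"]
    )
    if busy < 0:
        raise ValueError("counters went backwards: pid reused between samples")
    return 100.0 * busy / (CLK_TCK * elapsed_s)


# Constructed samples: same process, second line taken 2.0 s later with
# utime 250->350 and stime 120->170 (150 ticks busy out of 200 -> 75%).
SAMPLE_T0 = ("4711 (com.example.app) S 1 4711 0 0 -1 1077936448 4231 0 3 1 "
             "250 120 7 2 20 0 14 0 48213 1543208960 9345 18446744073709551615")
SAMPLE_T1 = ("4711 (com.example.app) S 1 4711 0 0 -1 1077936448 4300 0 3 1 "
             "350 170 7 2 20 0 14 0 48213 1543208960 9402 18446744073709551615")


def demo() -> tuple:
    t0, t1 = parse_proc_stat(SAMPLE_T0), parse_proc_stat(SAMPLE_T1)
    return t0.features, cpu_usage_percent(t0, t1, 2.0)


if __name__ == "__main__":
    feats, pct = demo()
    print(feats)            # pgid 4711, cmaj_flt 1, utime 250, ..., rss 9345
    print(f"cpu_usage={pct:.1f}%")  # 75.0%
```

On a device the two samples come from reading /proc/<pid>/stat twice with time.monotonic() between them. Since Android 7.0 /proc is mounted with hidepid=2, so an unprivileged app can read only its own entries; collecting these features for other apps, as the T4 probe above does, requires a system-level collector.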
Copyright information
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Faruki, P., Buddhadev, B., Shah, B., Zemmari, A., Laxmi, V., Gaur, M.S. (2019). DroidDivesDeep: Android Malware Classification via Low Level Monitorable Features with Deep Neural Networks. In: Nandi, S., Jinwala, D., Singh, V., Laxmi, V., Gaur, M., Faruki, P. (eds) Security and Privacy. ISEA-ISAP 2019. Communications in Computer and Information Science, vol 939. Springer, Singapore. https://doi.org/10.1007/978-981-13-7561-3_10
DOI: https://doi.org/10.1007/978-981-13-7561-3_10
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-7560-6
Online ISBN: 978-981-13-7561-3
eBook Packages: Computer Science (R0)