
NSDroid: efficient multi-classification of android malware using neighborhood signature in local function call graphs

  • regular contribution
  • International Journal of Information Security

Abstract

With the rapid development of the mobile Internet, Android applications are used more and more in people’s daily lives. While bringing convenience and making people’s lives smarter, Android applications also face many serious security and privacy issues, e.g., information leakage and monetary loss caused by malware. Detection and classification of malware have thus attracted much research attention in recent years. Most current malware detection and classification approaches are based on graph-based similarity analysis (e.g., subgraph isomorphism), which is well known to be time-consuming, especially for large graphs. In this paper, we propose NSDroid, a time-efficient malware multi-classification approach based on neighborhood signatures in local function call graphs (FCGs). NSDroid uses an approach based on neighborhood signatures to calculate the similarity of different applications’ FCGs, which is significantly faster than traditional approaches based on subgraph isomorphism. For each node in the FCGs, NSDroid uses a fixed-length neighborhood signature to capture the caller-callee relationship between different functions and combines the neighborhood signatures of all nodes to form a vector that characterizes the function call relationships in the whole application. The generated signature vector is fed into an SVM-based classifier to determine which family the malware belongs to. Experimental results on large-scale benchmarks show that, compared with state-of-the-art solutions, NSDroid reduces average detection latency by nearly \(20\times\), and meanwhile improves many evaluation indices such as recall rate and others.
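An added illustration of the idea in the abstract, not the NSDroid algorithm itself (this page does not give it): each function gets a fixed-length signature built from its own label and the labels of its callers and callees, and the per-node signatures are counted into one vector per app. The label scheme, bit layout and sample call graphs are assumptions, and cosine similarity stands in for the SVM classifier.

```python
from collections import Counter
from math import sqrt

# Assumed label scheme (not from the paper): one bit per kind of sensitive API.
KINDS = {"sms": 1, "net": 2, "crypto": 4, "file": 8}
K = len(KINDS)  # each node signature is a fixed 3*K bits

def signature_vector(funcs, calls):
    """funcs: {name: set of kinds}; calls: [(caller, callee)].
    Returns a sparse histogram {signature: count} for the whole app."""
    own = {f: sum(KINDS[k] for k in kinds) for f, kinds in funcs.items()}
    down = dict.fromkeys(funcs, 0)  # OR of labels of the functions f calls
    up = dict.fromkeys(funcs, 0)    # OR of labels of the functions calling f
    for caller, callee in calls:    # single pass over edges, no graph matching
        down[caller] |= own[callee]
        up[callee] |= own[caller]
    # Function names never enter the signature, only labels and call direction.
    return Counter(own[f] | (down[f] << K) | (up[f] << (2 * K)) for f in funcs)

def cosine(a, b):
    """Cosine similarity of two sparse signature histograms."""
    dot = sum(a[s] * b[s] for s in a.keys() & b.keys())
    norm = sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

# Constructed sample call graphs (not real apps).
APP_A = ({"onReceive": set(), "readInbox": {"sms"}, "enc": {"crypto"}, "upload": {"net"}},
         [("onReceive", "readInbox"), ("onReceive", "enc"), ("enc", "upload")])
# Same graph with obfuscated names, as in a repackaged sample.
APP_A_RENAMED = ({"a": set(), "b": {"sms"}, "c": {"crypto"}, "d": {"net"}},
                 [("a", "b"), ("a", "c"), ("c", "d")])
# Variant with one extra function appended to the call chain.
APP_A_VARIANT = ({**APP_A[0], "log": {"file"}}, APP_A[1] + [("upload", "log")])
# Unrelated app.
APP_B = ({"main": set(), "loadCfg": {"file"}, "fetch": {"net"}},
         [("main", "loadCfg"), ("main", "fetch")])

if __name__ == "__main__":
    va = signature_vector(*APP_A)
    for name, app in [("renamed", APP_A_RENAMED), ("variant", APP_A_VARIANT), ("other", APP_B)]:
        print(name, round(cosine(va, signature_vector(*app)), 3))
```

The cost is one pass over nodes and edges per app, which is the contrast with subgraph-isomorphism matching that the abstract draws.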



Acknowledgements

We would like to thank anonymous reviewers for their comments. This work is partially supported by the National Natural Science Foundation of China under Grant No. 61672543, the Open Research Fund of Hunan Provincial Key Laboratory of Network Investigational Technology, Grant No. 2017WLZC002, the Fundamental Research Funds for the Central Universities of Central South University, Grant No. 2018zzts175.

Author information

Corresponding author

Correspondence to Xi Luo.

Ethics declarations

Ethical approval

Our article does not contain any studies with human participants or animals performed by any of the authors. Every participant in our paper received informed consent.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

About this article

Cite this article

Liu, P., Wang, W., Luo, X. et al. NSDroid: efficient multi-classification of android malware using neighborhood signature in local function call graphs. Int. J. Inf. Secur. 20, 59–71 (2021). https://doi.org/10.1007/s10207-020-00489-5

  • DOI: https://doi.org/10.1007/s10207-020-00489-5
