An HMM and structural entropy based detector for Android malware: An empirical study

doi:10.1016/j.cose.2016.04.009

Computers & Security

Volume 61, August 2016, Pages 1-18

https://doi.org/10.1016/j.cose.2016.04.009 Get rights and content

Abstract

Smartphones are becoming more and more popular and, as a consequence, malware writers are increasingly engaged to develop new threats and propagate them through official and third-party markets. In addition to the propagation vectors, malware is also evolving quickly the techniques adopted for infecting victims and hiding their malicious nature to antimalware scanning. From SMS Trojans to legitimate applications repacked with malicious payload, from AES encrypted root exploits to the dynamic loading of a payload retrieved from a remote server: malicious code is becoming more and more hard to detect.

In this paper we experimentally evaluate two techniques for detecting Android malware: the first one is based on Hidden Markov Model, while the second one exploits structural entropy. These two techniques have been successfully applied to detect PCs viruses in previous works, and only one work in literature analyzes the application of HMM to the detection of Android malware. We demonstrate that these methods, which reveal effective for PCs virus, are also successful for detecting and classifying mobile malware.

Our results are promising: we obtain a precision of 0.96 to discriminate a malware application, and a precision of 0.978 to identify the malware family.

Introduction

With the growth of smartphones capabilities, malicious software targeting mobile devices is rapidly spreading, and it is getting more and more successful in evading the detection.

In 2013, the growth rate of mobile malware was far greater than the growth rate of new malware targeting PCs (Alcatel Lucent, 2013), for the first time in malware history.

New kinds of malware spread out continuously at a very fast pace, and malware writers refine both the evasion techniques and the techniques for obtaining tangible return from the attacks, in terms of money or damage to the victim (F-Secure, 2015). Unfortunately, current solutions to protect users from new threats are still inadequate (Fraunhofer AISEC, 2013, Visaggio, Mercaldo, 2015). For example, a malware that is plaguing a huge number of devices while the authors are writing this paper is the ransomware (InfoWorld, 2013), which encrypts data stored on the device and holds it for ransom. The information will be released only after the victim pays the required amount, often in bitcoin.

In addition to this, there exist several techniques to allow the mobile malware to evade signature detection (Ramachandran et al, 2012, Rastogi et al, 2013), which makes detection harder.

In the meantime, simple forms of polymorphic attacks targeting Android platform have been seen in the wild (Bayer et al., 2006): the main effect of polymorphism (and metamorphism) is that signature-based detection becomes ineffective.

That considered, it urges to develop new techniques to detect malware targeting mobile devices.

Recent papers (Attaluri et al, 2008, Baysa et al, 2013) have used the structural entropy to detect metamorphic virus and Hidden Markov Models (HMM) to classify them. We observed that the way Android malware evolves makes it similar to metamorphic malware, in certain regard. As a matter of fact, writers of malware for Android use to modify some existing malware, by adding new behaviors or merging together parts of different existing malware's codes. This explains also why Android malware is usually grouped in families: in fact, given this way of generating Android malware, the malware belonging to the same family shares common parts of code and behaviors.

Considered these similarities, and considered that Structural Entropy and HMM were able to successfully detect metamorphic viruses for personal computer (Attaluri et al, 2008, Baysa et al, 2013), we investigate with this paper whether these two techniques can be effective in recognizing Android malware and the malware families. The fact that these techniques are effective with personal computers' malware does not entail that they are effective also for Android malware.

As a matter of fact, Android presents program's structures and features that make an Android malware different from a PC malware, since these features are leveraged by malware writers for developing techniques of infection, evasion and payload activation that are not used in PC's malware. Examples are the dynamic loading that permits to dynamically add malicious code to an app, the intent based programming that allows techniques of attacks like service or activity hijacking (Chin et al., 2011), and the system of permissions that limits the range of actions a malware can do, but allows attacks like the update attack (Poeplau et al., 2014), which is a very effective and widespread anti-detection technique. These peculiarities of Android lead us to wonder whether structural entropy and HMM hold their effectiveness in detecting malware also when applied to malicious software written for Android. Moreover, at the best knowledge of the authors, only one paper explores the effectiveness of HMM for detecting Android malware (Chen et al., 2014), but the authors obtained lower performances, used a smaller dataset than the one we used in the experiments, and applied HMM on different features from the ones our method relies on.

The experiments we carried out to demonstrate that HMM is effective in recognizing malware, i.e. with a precision of 0.96, while the structural entropy successfully identifies the family a malware belongs to, with a precision of 0.98.

Identifying the family that a malware belongs to is of primary importance as it helps to discover new malware families (Khoo, Lio, 2011, Ma et al, 2006), creates models of provenance and lineage (Dumitras and Neamtiu, 2011), and generates phylogeny models (Karim et al., 2005).

The paper proceeds as follows: the next section provides background notions about HMM and structural entropy and discusses the related work; Section 3 discusses the adoption of HMM and structural entropy methods to detect mobile malware; Section 4 discusses the experimental evaluation; Section 5 illustrates the results of experiments; Section 6 discusses the detection performance of HMM and structural entropy methods; Section 7 explains the threats to validity and, finally, conclusions are drawn in Section 8.

Section snippets

Background and related work

Before discussing the state of the art of malware detection using HMM and structural entropy, we recall the essential background about HMM and structural entropy.

Adopting HMM and structural entropy malware detection for android

In order to use HMM and structural entropy to detect Android malware, their original application to the PC's metamorphic malware detection was modified, as described in this section.

Experimental evaluation: study definition

In this section we discuss the experiments we carried out to evaluate the effectiveness of the HMM and structural entropy in detecting Android malware and correctly classifying the family a malware belongs to.

Analysis of results

The hypothesis test produced evidence that the considered features have different distributions in the control and experimental sample, as shown in Table 3. As a matter of fact, all the p-values are under 0.001.

Summing up, the null hypothesis can be rejected for the features f₁, f₂, f₃ and f₄. According to the hypothesis tests, both the two methods, HMM and structural entropy are able to distinguish a malware from a trusted app.

With regard to classification, we define the training set T,

Performance evaluation

In this section we discuss the performances of the structural entropy and the HMM based detectors.

In order to measure performances of the two methods, we used the time.clock() Python function that returns the processor time. The processor time is the percentage of elapsed time that the processor spends to execute a non-idle thread, i.e. the cpu-time measured in seconds that the process requires to perform the computation.

The machine used to run the scripts and to take measurements was an Intel

Threats to validity

This section describes the threats that can affect the validity of our evaluation, known as: construct, internal reliability, and external validity.

Conclusion and future work

In this paper we propose a detector for malicious mobile applications consisting on a classifier which uses as features 3-4-5 states HMM and the structural entropy.

Current malware detection techniques are ineffective, as they usually fail against zero-day attacks, in addition to the fact that existing malware can easily evade the current detectors.

This happens because Android malware is increasingly becoming more and more complex, and it is acquiring characteristics that make it closer to

References (54)

P.S. Addision
The illustrated wavelet transform handbook: introductory theory and applications in science, engineering, medicine and finance
(2002)
Alcatel Lucent
Kindsight security labs malware report – q4
N. Andronio et al.
Heldroid: dissecting and detecting mobile ransomware
Anon.
An assembler/disassembler for android's dex format
L. Apvrille et al.
Identifying unknown android malware with feature extractions and classification techniques
D. Arp et al.
Drebin: efficient and explainable detection of android malware in your pocket
S. Attaluri et al.
Profile Hidden Markov Models and metamorphic virus detection
J Comput Virol Hacking Tech
(2008)
U. Bayer et al.
TTanalyze: a tool for analyzing malware
D. Baysa et al.
Structural entropy and metamorphic malware
J Comput Virol Hacking Tech
(2013)
M. Borda
Fundamentals in information theory and coding
(2011)

Busticati Productions Presents

Dissecting the android bouncer

G. Canfora et al.

A classifier of malicious android applications

G. Canfora et al.

Detecting android malware using sequences of system calls

G. Canfora et al.

Effectiveness of Opcode ngrams for detection of multi family android malware

S. Chakradeo et al.

MAST: triage for market-scale mobile malware analysis

ChenY. et al.

A Hidden Markov Model detection of malicious android applications at runtime

E. Chin et al.

Analyzing inter-application communication in android

R. Chouchane et al.

Detecting machine-morphed malware variants via engine attribution

J Comput Virol Hacking Tech

(2013)

L. Deshotels et al.

Droidlegacy: automated familial classification of android malware

T. Dumitras et al.

Experimental challenges in cyber security: a story of provenance and lineage for malware

(2011)

F-Secure

Mobile threat report

P. Faruki et al.

Androsimilar: robust statistical feature signature for android malware detection

FengY. et al.

Apposcopy: semantics-based detection of android malware through static analysis

Fraunhofer AISEC

On the effectiveness of malware protection on android

InfoWorld

Update: McAfee: cyber criminals using android malware and ransomware the most

M.E. Karim et al.

Malware phylogeny generation using permutations of code

(2005)

W. Khoo et al.

Unity in diversity: phylogenetic-inspired techniques for reverse engineering and detection of malware families

Cited by (76)

DroidRL: Feature selection for android malware detection with reinforcement learning
2023, Computers and Security
Due to the completely open-source nature of Android, the exploitable vulnerability of malware attacks is increasing. Machine learning, leading to a great evolution in Android malware detection in recent years, is typically applied in the classification phase. Since the correlation between features is ignored in some traditional ranking-based feature selection algorithms, applying wrapper-based feature selection models is a topic worth investigating. Though considering the correlation between features, wrapper-based approaches are time-consuming for exploring all possible valid feature subsets when processing a large number of Android features. To reduce the computational expense of wrapper-based feature selection, a framework named DroidRL is proposed. The framework deploys DDQN algorithm to obtain a subset of features which can be used for effective malware classification. To select a valid subset of features over a larger range, the exploration-exploitation policy is applied in the model training phase. The recurrent neural network (RNN) is used as the decision network of DDQN to give the framework the ability to sequentially select features. Word embedding is applied for feature representation to enhance the framework’s ability to find the semantic relevance of features. The framework’s feature selection exhibits high performance without any human intervention and can be ported to other feature selection tasks with minor changes. The experiment results show a significant effect when using the Random Forest as DroidRL’s classifier, which reaches 95.6% accuracy with only 24 features selected.
Towards a fair comparison and realistic evaluation framework of android malware detectors based on static analysis and machine learning
2023, Computers and Security
As in other cybersecurity areas, machine learning (ML) techniques have emerged as a promising solution to detect Android malware. In this sense, many proposals employing a variety of algorithms and feature sets have been presented to date, often reporting impresive detection performances. However, the lack of reproducibility and the absence of a standard evaluation framework make these proposals difficult to compare. In this paper, we perform an analysis of 10 influential research works on Android malware detection using a common evaluation framework. We have identified five factors that, if not taken into account when creating datasets and designing detectors, significantly affect the trained ML models and their performances. In particular, we analyze the effect of (1) the presence of duplicated samples, (2) label (goodware/greyware/malware) attribution, (3) class imbalance, (4) the presence of apps that use evasion techniques and, (5) the evolution of apps. Based on this extensive experimentation, we conclude that the studied ML-based detectors have been evaluated optimistically, which justifies the good published results. Our findings also highlight that it is imperative to generate realistic experimental scenarios, taking into account the aforementioned factors, to foster the rise of better ML-based Android malware detection solutions.
PE Parser: A Python package for Portable Executable files processing[Formula presented]
2022, Software Impacts
PE Parser is a Python package to parse and work with the hexadecimal representation of executables’ binary content and its assembly language source code. PE Parser has been designed to provide a class-based and user-friendly interface for the extraction of well-known features commonly used for the task of malware detection and classification such as byte and opcode N-Grams, API function calls, the frequency of use of the registers, characteristics of the Portable Executable file sections, among others. In addition, PE Parser has various command line tools to visualize the executables as grayscale images or as a stream of entropy values.
GDroid: Android malware detection and classification with graph convolutional network
2021, Computers and Security
The dramatic increase in the number of malware poses a serious challenge to the Android platform and makes it difficult for malware analysis. In this paper, we propose a novel approach for Android malware detection and familial classification based on the Graph Convolutional Network (GCN). The general idea is to map apps and Android APIs into a large heterogeneous graph, converting the original problem into a node classification task. We build the “App-API” and “API-API” edges based on the invocation relationship and the API usage patterns, respectively. The heterogeneous graph is then fed into the GCN model, iteratively generating node embeddings that incorporate topological structure and node features. Eventually, the unlabeled apps are classified by their final embeddings. To our knowledge, this paper is the first study to explore the application of graph neural network in the field of malware classification. We develop a prototype system named GDroid. Experiments show that GDroid can effectively detect 98.99% of Android malware with a low false positive rate of less than 1%, outperforming the existing approaches. It also achieves an average accuracy of almost 97% in the malware familial classification task with surpassing the baselines. Additionally, we cooperate with QI-ANXIN Technology Research Institute to evaluate its real-world impact, and GDroid also maintains satisfactory performance in real-world scenarios.
Association rule-based malware classification using common subsequences of API calls
2021, Applied Soft Computing
Emerging malware pose increasing challenges to detection systems as their variety and sophistication continue to increase. Malware developers use complex techniques to produce malware variants, by removing, replacing, and adding useless API calls to the code, which are specifically designed to evade detection mechanisms, as well as do not affect the original functionality of the malicious code involved. In this work, a new recurring subsequences alignment-based algorithm that exploits associative rules has been proposed to infer malware behaviors. The proposed approach exploits the probabilities of transitioning from two API invocations in the call sequence, as well as it also considers their timeline, by extracting subsequence of API calls not necessarily consecutive and representative of common malicious behaviors of specific subsets of malware. The resulting malware classification scheme, capable to operate within dynamic analysis scenarios in which API calls are traced at runtime, is inherently robust against evasion/obfuscation techniques based on the API call flow perturbation. It has been experimentally compared with two detectors based on Markov chain and API call sequence alignment algorithms, which are among the most widely adopted approaches for malware classification. In such experimental assessment the proposed approach showed an excellent classification performance by outperforming its competitors.
Malicious application detection in android - A systematic literature review
2021, Computer Science Review
In last decade, due to tremendous usage of smart phones it seems that these gadgets became an essential necessity of day-to-day life. People are using new technologies and storing prominent data in their smartphones. Unfortunately, data related to privacy is center of attraction for attackers. Therefore, attackers are developing new techniques to steal the data from smartphones.
The objective of study is to report a systematic literature review regarding malicious application detection in android operating system.
Standard systematic literature review method is used to carry out the research. In this, 380 research articles are studied which are published in various prominent international journals and conferences.
The different techniques which are used to investigate malicious application are identified. Furthermore, features used in static and dynamic technique are classified according to their usage in recent approaches. Various hybrid methods are analyzed and mapped according to the combination of static and dynamic features used. A variety of machine learning techniques are also identified and categorized in different classes. The datasets are listed are taken from various previous research approaches.
This research will help to identify malicious applications in android operating system. New hybrid techniques must be implemented to investigate malware activities and recommendations are given for future research.

View all citing articles on Scopus

View full text

An HMM and structural entropy based detector for Android malware: An empirical study

Abstract

Introduction

Section snippets

Background and related work

Adopting HMM and structural entropy malware detection for android

Experimental evaluation: study definition

Analysis of results

Performance evaluation

Threats to validity

Conclusion and future work

The illustrated wavelet transform handbook: introductory theory and applications in science, engineering, medicine and finance

Kindsight security labs malware report – q4

Heldroid: dissecting and detecting mobile ransomware

An assembler/disassembler for android's dex format

Identifying unknown android malware with feature extractions and classification techniques

Drebin: efficient and explainable detection of android malware in your pocket

Profile Hidden Markov Models and metamorphic virus detection

J Comput Virol Hacking Tech

TTanalyze: a tool for analyzing malware

Structural entropy and metamorphic malware

J Comput Virol Hacking Tech

Fundamentals in information theory and coding

Dissecting the android bouncer

A classifier of malicious android applications

Detecting android malware using sequences of system calls

Effectiveness of Opcode ngrams for detection of multi family android malware

MAST: triage for market-scale mobile malware analysis

A Hidden Markov Model detection of malicious android applications at runtime

Analyzing inter-application communication in android

Detecting machine-morphed malware variants via engine attribution

J Comput Virol Hacking Tech

Droidlegacy: automated familial classification of android malware

Experimental challenges in cyber security: a story of provenance and lineage for malware

Mobile threat report

Androsimilar: robust statistical feature signature for android malware detection

Apposcopy: semantics-based detection of android malware through static analysis

On the effectiveness of malware protection on android

Update: McAfee: cyber criminals using android malware and ransomware the most

Malware phylogeny generation using permutations of code

Unity in diversity: phylogenetic-inspired techniques for reverse engineering and detection of malware families