Android malware family classification based on resource consumption over time
Pages: 31-38
Massarelli, Luca, Aniello, Leonardo, Ciccotelli, Claudio, Querzoni, Leonardo, Ucci, Daniele and Baldoni, Roberto (2017) Android malware family classification based on resource consumption over time. In 2017 12th International Conference on Malicious and Unwanted Software (MALWARE), vol. 1. (doi:10.1109/MALWARE.2017.8323954).
Record type: Conference or Workshop Item (Paper)
Abstract
The vast majority of today's mobile malware targets Android devices. This has pushed the research effort in Android malware analysis in recent years. An important task of malware analysis is the classification of malware samples into known families. Static malware analysis is known to fall short against techniques that change static characteristics of the malware (e.g. code obfuscation), while dynamic analysis has proven effective against such techniques. To the best of our knowledge, the most notable work on Android malware family classification purely based on dynamic analysis is DroidScribe. With respect to DroidScribe, our approach is easier to reproduce. Our methodology only employs publicly available tools, does not require any modification to the emulated environment or Android OS, and can collect data from physical devices. The latter is a key factor, since modern mobile malware can detect the emulated environment and hide its malicious behaviour. Our approach relies on resource consumption metrics available from the proc file system. Features are extracted through detrended fluctuation analysis and correlation. Finally, an SVM is employed to classify malware into families. We provide an experimental evaluation on malware samples from the Drebin dataset, where we obtain a classification accuracy of 82%, proving that our methodology achieves an accuracy comparable to that of DroidScribe. Furthermore, we make the software we developed publicly available, to ease the reproducibility of our results.
This record has no associated files available for download.
More information
Published date: 2017
Identifiers
Local EPrints ID: 450638
URI: http://eprints.soton.ac.uk/id/eprint/450638
PURE UUID: ab5ca619-7ec4-406c-92dc-e9e4a51188f5
Catalogue record
Date deposited: 05 Aug 2021 16:32
Last modified: 17 Mar 2024 03:48
Contributors
Authors: Luca Massarelli, Leonardo Aniello, Claudio Ciccotelli, Leonardo Querzoni, Daniele Ucci, Roberto Baldoni