University of Southampton Institutional Repository

Android malware family classification based on resource consumption over time

Massarelli, Luca, Aniello, Leonardo, Ciccotelli, Claudio, Querzoni, Leonardo, Ucci, Daniele and Baldoni, Roberto (2017) Android malware family classification based on resource consumption over time. In 2017 12th International Conference on Malicious and Unwanted Software (MALWARE). vol. 1, pp. 31-38. (doi:10.1109/MALWARE.2017.8323954).

Record type: Conference or Workshop Item (Paper)

Abstract

The vast majority of today's mobile malware targets Android devices. This has pushed the research effort in Android malware analysis in recent years. An important task of malware analysis is the classification of malware samples into known families. Static malware analysis is known to fall short against techniques that change static characteristics of the malware (e.g. code obfuscation), while dynamic analysis has proven effective against such techniques. To the best of our knowledge, the most notable work on Android malware family classification purely based on dynamic analysis is DroidScribe. With respect to DroidScribe, our approach is easier to reproduce. Our methodology only employs publicly available tools, does not require any modification to the emulated environment or Android OS, and can collect data from physical devices. The latter is a key factor, since modern mobile malware can detect the emulated environment and hide its malicious behaviour. Our approach relies on resource consumption metrics available from the proc file system. Features are extracted through detrended fluctuation analysis and correlation. Finally, an SVM is employed to classify malware into families. We provide an experimental evaluation on malware samples from the Drebin dataset, where we obtain a classification accuracy of 82%, proving that our methodology achieves an accuracy comparable to that of DroidScribe. Furthermore, we make the software we developed publicly available, to ease the reproducibility of our results.

This record has no associated files available for download.

More information

Published date: 2017

Identifiers

Local EPrints ID: 450638
URI: http://eprints.soton.ac.uk/id/eprint/450638
PURE UUID: ab5ca619-7ec4-406c-92dc-e9e4a51188f5
ORCID for Leonardo Aniello: orcid.org/0000-0003-2886-8445

Catalogue record

Date deposited: 05 Aug 2021 16:32
Last modified: 06 Aug 2021 01:49

Contributors

Author: Luca Massarelli
Author: Leonardo Aniello
Author: Claudio Ciccotelli
Author: Leonardo Querzoni
Author: Daniele Ucci
Author: Roberto Baldoni
