The University of Southampton
University of Southampton Institutional Repository

AndroDFA: android malware classification based on resource consumption

AndroDFA: android malware classification based on resource consumption
AndroDFA: android malware classification based on resource consumption

The vast majority of today's mobile malware targets Android devices. An important task of malware analysis is the classification of malicious samples into known families. In this paper, we propose AndroDFA (DFA, detrended fluctuation analysis): an approach to Android malware family classification based on dynamic analysis of resource consumption metrics available from the proc file system. These metrics can be easily measured during sample execution. From each malware, we extract features through detrended fluctuation analysis (DFA) and Pearson's correlation, then a support vector machine is employed to classify malware into families. We provide an experimental evaluation based on malware samples from two datasets, namely Drebin and AMD. With the Drebin dataset, we obtained a classification accuracy of 82%, comparable with works from the state-of-the-art like DroidScribe. However, compared to DroidScribe, our approach is easier to reproduce because it is based on publicly available tools only, does not require any modification to the emulated environment or Android OS, and by design, can also be used on physical devices rather than exclusively on emulators. The latter is a key factor because modern mobile malware can detect the emulated environment and hide its malicious behavior. The experiments on the AMD dataset gave similar results, with an overall mean accuracy of 78%. Furthermore, we made the software we developed publicly available, to ease the reproducibility of our results.

Android, Machine learning, Malware
Massarelli, Luca
58365726-2118-4599-9f9e-b419046eee2a
Aniello, Leonardo
9846e2e4-1303-4b8b-9092-5d8e9bb514c3
Ciccotelli, Claudio
da54f041-47a2-45ea-8947-f35d01d1d488
Querzoni, Leonardo
c0eee656-74e7-419d-876c-3cad808683d6
Ucci, Daniele
a25d9fc6-0075-4d85-bd3f-155058fe32ad
Baldoni, Roberto
4265db45-a184-45c4-a56d-b5829b6f6f1f
Massarelli, Luca
58365726-2118-4599-9f9e-b419046eee2a
Aniello, Leonardo
9846e2e4-1303-4b8b-9092-5d8e9bb514c3
Ciccotelli, Claudio
da54f041-47a2-45ea-8947-f35d01d1d488
Querzoni, Leonardo
c0eee656-74e7-419d-876c-3cad808683d6
Ucci, Daniele
a25d9fc6-0075-4d85-bd3f-155058fe32ad
Baldoni, Roberto
4265db45-a184-45c4-a56d-b5829b6f6f1f

Massarelli, Luca, Aniello, Leonardo, Ciccotelli, Claudio, Querzoni, Leonardo, Ucci, Daniele and Baldoni, Roberto (2020) AndroDFA: android malware classification based on resource consumption. Information (Switzerland), 11 (6), [326]. (doi:10.3390/INFO11060326).

Record type: Article

Abstract

The vast majority of today's mobile malware targets Android devices. An important task of malware analysis is the classification of malicious samples into known families. In this paper, we propose AndroDFA (DFA, detrended fluctuation analysis): an approach to Android malware family classification based on dynamic analysis of resource consumption metrics available from the proc file system. These metrics can be easily measured during sample execution. From each malware, we extract features through detrended fluctuation analysis (DFA) and Pearson's correlation, then a support vector machine is employed to classify malware into families. We provide an experimental evaluation based on malware samples from two datasets, namely Drebin and AMD. With the Drebin dataset, we obtained a classification accuracy of 82%, comparable with works from the state-of-the-art like DroidScribe. However, compared to DroidScribe, our approach is easier to reproduce because it is based on publicly available tools only, does not require any modification to the emulated environment or Android OS, and by design, can also be used on physical devices rather than exclusively on emulators. The latter is a key factor because modern mobile malware can detect the emulated environment and hide its malicious behavior. The experiments on the AMD dataset gave similar results, with an overall mean accuracy of 78%. Furthermore, we made the software we developed publicly available, to ease the reproducibility of our results.

Full text not available from this repository.

More information

Accepted/In Press date: 11 June 2020
Published date: 16 June 2020
Keywords: Android, Machine learning, Malware

Identifiers

Local EPrints ID: 450780
URI: http://eprints.soton.ac.uk/id/eprint/450780
PURE UUID: 77160c5c-769c-4b5b-b8cd-06520999c141
ORCID for Leonardo Aniello: ORCID iD orcid.org/0000-0003-2886-8445

Catalogue record

Date deposited: 11 Aug 2021 16:31
Last modified: 12 Aug 2021 01:52

Export record

Altmetrics

Contributors

Author: Luca Massarelli
Author: Leonardo Aniello ORCID iD
Author: Claudio Ciccotelli
Author: Leonardo Querzoni
Author: Daniele Ucci
Author: Roberto Baldoni

University divisions

Download statistics

Downloads from ePrints over the past year. Other digital versions may also be available to download e.g. from the publisher's website.

View more statistics

Atom RSS 1.0 RSS 2.0

Contact ePrints Soton: eprints@soton.ac.uk

ePrints Soton supports OAI 2.0 with a base URL of http://eprints.soton.ac.uk/cgi/oai2

This repository has been built using EPrints software, developed at the University of Southampton, but available to everyone to use.

We use cookies to ensure that we give you the best experience on our website. If you continue without changing your settings, we will assume that you are happy to receive cookies on the University of Southampton website.

×