Volume 21, Issue 1

DroidDetector: Android Malware Characterization and Detection Using Deep Learning

Zhenlong Yuan, Yongqiang Lu, Yibo Xue
Department of Automation and Research Institute of Information Technology (RIIT), Tsinghua University, Beijing 100084, China.
Department of Antivirus, Baidu Inc., Beijing 100085, China.
Research Institute of Information Technology (RIIT) and Tsinghua National Lab for Information Science and Technology (TNList), Tsinghua University, Beijing 100084, China.

Abstract

Smartphones and mobile tablets are rapidly becoming indispensable in daily life. Android has been the most popular mobile operating system since 2012. However, owing to the open nature of Android, countless malware samples are hidden among the large number of benign apps in Android markets, seriously threatening Android security. Deep learning is a new area of machine learning research that has gained increasing attention in artificial intelligence. In this study, we propose to associate the features from the static analysis with features from dynamic analysis of Android apps and characterize malware using deep learning techniques. We implement an online deep-learning-based Android malware detection engine (DroidDetector) that can automatically detect whether an app is malware or not. With thousands of Android apps, we thoroughly test DroidDetector and perform an in-depth analysis on the features that deep learning essentially exploits to characterize malware. The results show that deep learning is suitable for characterizing Android malware and especially effective with the availability of more training data. DroidDetector can achieve 96.76% detection accuracy, which outperforms traditional machine learning techniques. An evaluation of ten popular anti-virus software products demonstrates the urgency of advancing our capabilities in Android malware detection.

Keywords: deep learning, characterization, Android security, malware detection, association rules mining

Publication history

Received: 01 January 2016
Accepted: 07 January 2016
Published: 04 February 2016
Issue date: February 2016

Copyright

© The author(s) 2016

Acknowledgements

We would like to thank Zhen Chen for his insightful feedback and comments.
