Droid Detector: Android Malware Characterization and Detection Using Deep Learning
Zhenlong Yuan; Yongqiang Lu; Yibo Xue
Abstract:
Smartphones and mobile tablets are rapidly becoming indispensable in daily life. Android has been the most popular mobile operating system since 2012. However, owing to the open nature of Android, countless pieces of malware are hidden in a large number of benign apps in Android markets that seriously threaten Android security. Deep learning is a new area of machine learning research that has gained increasing attention in artificial intelligence. In this study, we propose to associate the features from the static analysis with features from dynamic analysis of Android apps and characterize malware using deep learning techniques. We implement an online deep-learning-based Android malware detection engine (Droid Detector) that can automatically detect whether an app is malware or not. With thousands of Android apps, we thoroughly test Droid Detector and perform an in-depth analysis on the features that deep learning essentially exploits to characterize malware. The results show that deep learning is suitable for characterizing Android malware and especially effective with the availability of more training data. Droid Detector can achieve 96.76% detection accuracy, which outperforms traditional machine learning techniques. An evaluation of ten popular anti-virus software products demonstrates the urgency of advancing our capabilities in Android malware detection.