A multi-view context-aware approach to Android malware detection and malicious code localization
Many existing Machine Learning (ML) based Android malware detection approaches use a variety of features such as security-sensitive APIs, system calls, control-flow structures and information flows in conjunction with ML classifiers to achieve accurate detection. Each of these feature sets provides...
Saved in:
| Main Authors: | , , , |
|---|---|
| Other Authors: | |
| Format: | Article |
| Language: | English |
| Published: |
2020
|
| Subjects: | |
| Online Access: | https://hdl.handle.net/10356/144570 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Nanyang Technological University |
| Language: | English |
| id |
sg-ntu-dr.10356-144570 |
|---|---|
| record_format |
dspace |
| spelling |
sg-ntu-dr.10356-1445702020-11-13T02:14:32Z A multi-view context-aware approach to Android malware detection and malicious code localization Narayanan, Annamalai Chandramohan, Mahinthan Chen, Lihui Liu, Yang School of Electrical and Electronic Engineering Engineering::Electrical and electronic engineering Android Malware Detection Graph Kernels Many existing Machine Learning (ML) based Android malware detection approaches use a variety of features such as security-sensitive APIs, system calls, control-flow structures and information flows in conjunction with ML classifiers to achieve accurate detection. Each of these feature sets provides a unique semantic perspective (or view) of apps’ behaviors with inherent strengths and limitations. Meaning, some views are more amenable to detect certain attacks but may not be suitable to characterize several other attacks. Most of the existing malware detection approaches use only one (or a selected few) of the aforementioned feature sets which prevents them from detecting a vast majority of attacks. Addressing this limitation, we propose MKLDroid, a unified framework that systematically integrates multiple views of apps for performing comprehensive malware detection and malicious code localization. The rationale is that, while a malware app can disguise itself in some views, disguising in every view while maintaining malicious intent will be much harder. MKLDroid uses a graph kernel to capture structural and contextual information from apps’ dependency graphs and identify malice code patterns in each view. Subsequently, it employs Multiple Kernel Learning (MKL) to find a weighted combination of the views which yields the best detection accuracy. Besides multi-view learning, MKLDroid’s unique and salient trait is its ability to locate fine-grained malice code portions in dependency graphs (e.g., methods/classes). Malicious code localization caters several important applications such as supporting human analysts studying malware behaviors, engineering malware signatures, and other counter-measures. Through our large-scale experiments on several datasets (incl. wild apps), we demonstrate that MKLDroid outperforms three state-of-the-art techniques consistently, in terms of accuracy while maintaining comparable efficiency. In our malicious code localization experiments on a dataset of repackaged malware, MKLDroid was able to identify all the malice classes with 94% average recall. Our work opens up two new avenues in malware research: (i) enables the research community to elegantly look at Android malware behaviors in multiple perspectives simultaneously, and (ii) performing precise and scalable malicious code localization. 2020-11-13T02:14:32Z 2020-11-13T02:14:32Z 2017 Journal Article Narayanan, A., Chandramohan, M., Chen, L., & Liu, Y. (2018). A multi-view context-aware approach to Android malware detection and malicious code localization. Empirical Software Engineering, 23(3), 1222-1274. doi:10.1007/s10664-017 1382-3256 https://hdl.handle.net/10356/144570 10.1007/s10664-017-9539-8 3 23 1222 1274 en Empirical Software Engineering © 2017. Springer Science+Business Media, LLC. All rights reserved. |
| institution |
Nanyang Technological University |
| building |
NTU Library |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
NTU Library |
| collection |
DR-NTU |
| language |
English |
| topic |
Engineering::Electrical and electronic engineering Android Malware Detection Graph Kernels |
| spellingShingle |
Engineering::Electrical and electronic engineering Android Malware Detection Graph Kernels Narayanan, Annamalai Chandramohan, Mahinthan Chen, Lihui Liu, Yang A multi-view context-aware approach to Android malware detection and malicious code localization |
| description |
Many existing Machine Learning (ML) based Android malware detection approaches use a variety of features such as security-sensitive APIs, system calls, control-flow structures and information flows in conjunction with ML classifiers to achieve accurate detection. Each of these feature sets provides a unique semantic perspective (or view) of apps’ behaviors with inherent strengths and limitations. Meaning, some views are more amenable to detect certain attacks but may not be suitable to characterize several other attacks. Most of the existing malware detection approaches use only one (or a selected few) of the aforementioned feature sets which prevents them from detecting a vast majority of attacks. Addressing this limitation, we propose MKLDroid, a unified framework that systematically integrates multiple views of apps for performing comprehensive malware detection and malicious code localization. The rationale is that, while a malware app can disguise itself in some views, disguising in every view while maintaining malicious intent will be much harder. MKLDroid uses a graph kernel to capture structural and contextual information from apps’ dependency graphs and identify malice code patterns in each view. Subsequently, it employs Multiple Kernel Learning (MKL) to find a weighted combination of the views which yields the best detection accuracy. Besides multi-view learning, MKLDroid’s unique and salient trait is its ability to locate fine-grained malice code portions in dependency graphs (e.g., methods/classes). Malicious code localization caters several important applications such as supporting human analysts studying malware behaviors, engineering malware signatures, and other counter-measures. Through our large-scale experiments on several datasets (incl. wild apps), we demonstrate that MKLDroid outperforms three state-of-the-art techniques consistently, in terms of accuracy while maintaining comparable efficiency. In our malicious code localization experiments on a dataset of repackaged malware, MKLDroid was able to identify all the malice classes with 94% average recall. Our work opens up two new avenues in malware research: (i) enables the research community to elegantly look at Android malware behaviors in multiple perspectives simultaneously, and (ii) performing precise and scalable malicious code localization. |
| author2 |
School of Electrical and Electronic Engineering |
| author_facet |
School of Electrical and Electronic Engineering Narayanan, Annamalai Chandramohan, Mahinthan Chen, Lihui Liu, Yang |
| format |
Article |
| author |
Narayanan, Annamalai Chandramohan, Mahinthan Chen, Lihui Liu, Yang |
| author_sort |
Narayanan, Annamalai |
| title |
A multi-view context-aware approach to Android malware detection and malicious code localization |
| title_short |
A multi-view context-aware approach to Android malware detection and malicious code localization |
| title_full |
A multi-view context-aware approach to Android malware detection and malicious code localization |
| title_fullStr |
A multi-view context-aware approach to Android malware detection and malicious code localization |
| title_full_unstemmed |
A multi-view context-aware approach to Android malware detection and malicious code localization |
| title_sort |
multi-view context-aware approach to android malware detection and malicious code localization |
| publishDate |
2020 |
| url |
https://hdl.handle.net/10356/144570 |
| _version_ |
1688665678435844096 |