Experimental comparison of features and classifiers for Android malware detection
Android platform has dominated the smart phone market for years now and, consequently, gained a lot of attention from attackers. Malicious apps (malware) pose a serious threat to the security and privacy of Android smart phone users. Available approaches to detect mobile malware based on machine lea...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2020
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/5115 https://ink.library.smu.edu.sg/context/sis_research/article/6118/viewcontent/Experimental_Comparison_of_Features_and_Classifiers_for_Android_Malware_Detection.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| Summary: | Android platform has dominated the smart phone market for years now and, consequently, gained a lot of attention from attackers. Malicious apps (malware) pose a serious threat to the security and privacy of Android smart phone users. Available approaches to detect mobile malware based on machine learning rely on features extracted with static analysis or dynamic analysis techniques. Dif- ferent types of machine learning classi ers (such as support vector machine and random forest) deep learning classi ers (based on deep neural networks) are then trained on extracted features, to produce models that can be used to detect mobile malware. The usually-analyzed features include permissions requested/used, fre- quency of API calls, use of API calls, and sequence of API calls. The API calls are analyzed at various granularity levels such as method, class, package, and family.
In the view of the proposals of di erent types of classi ers and the use of di erent types of features and di erent underlying analy- ses used for feature extraction, there is a need for a comprehensive evaluation on the e ectiveness of the current state-of-the-art stud- ies in malware detection on a common benchmark. In this work, we provide a baseline comparison of several conventional machine learning classi ers and deep learning classi ers, without ne tun- ing. We also provide the evaluation of di erent types of features that characterize the use of API calls at class level and the sequence of API calls at method level. Features have been extracted from a common benchmark of 4572 benign samples and 2399 malware samples, using both static analysis and dynamic analysis.
Among other interesting ndings, we observed that classi ers trained on the use of API calls generally perform better than those trained on the sequence of API calls. Classi ers trained on static analysis-based features perform better than those trained on dy- namic analysis-based features. Deep learning classi ers, despite their sophistication, are not necessarily better than conventional classi ers, especially when they are not optimized. However, deep learning classi ers do perform better than conventional classi ers when trained on dynamic analysis-based features. |
|---|