Low-Resource Footprint, Data-Driven Malware Detection on Android

Resource-constrained systems are becoming more and more common as users migrate from PCs to mobile devices and as IoT systems enter the mainstream. At the same time, reducing the level of security is not acceptable; the required security must therefore be accommodated within the resource constraints imposed by the system. This paper introduces BAdDroIds, a mobile application that leverages machine learning to detect malware on resource-constrained devices. BAdDroIds executes in the background and transparently analyzes applications as soon as they are installed, i.e., before they can infect the device. BAdDroIds relies on static analysis techniques and features provided by the Android OS to build sound and complete models of Android apps in terms of permissions and API invocations. It uses ad-hoc supervised classification techniques to allow resource-efficient malware detection. By exploiting the intrinsic nature of the data, it has been possible to implement a state-of-the-art data-driven model that provides deep insights into the detection problem and can be executed efficiently on the device itself, as it requires very limited computational effort. Besides its limited resource footprint, BAdDroIds is extremely effective: an extensive experimental evaluation shows that it outperforms the currently available solutions in terms of accuracy, which is around 99 percent.
