Detecting and classifying method based on similarity matching of Android malware behavior with profile

Jae wook Jang, Jaesung Yun, Aziz Mohaisen, Jiyoung Woo, Huy Kang Kim

Research output: Contribution to journal › Article

11 Citations (Scopus)

Abstract

Mass-market mobile security threats have increased recently due to the growth of mobile technologies and the popularity of mobile devices. Accordingly, techniques have been introduced for identifying, classifying, and defending against mobile threats using static, dynamic, on-device, and off-device analysis. Static techniques are easy to evade, while dynamic techniques are expensive. On-device techniques are prone to evasion, while off-device techniques require the device to be always online. To address some of those shortcomings, we introduce Andro-profiler, a hybrid behavior-based analysis and classification system for mobile malware. Andro-profiler's main goals are efficiency, scalability, and accuracy. To that end, Andro-profiler classifies malware using behavior profiles extracted from integrated system logs, including system calls. Andro-profiler executes a malicious application on an emulator to generate the integrated system logs, and creates human-readable behavior profiles by analyzing those logs. By comparing the behavior profile of a malicious application with the representative behavior profile of each malware family using a weighted similarity matching technique, Andro-profiler detects the application and classifies it into a malware family. The experimental results demonstrate that Andro-profiler is scalable, performs well in detecting and classifying malware with accuracy greater than 98%, outperforms existing state-of-the-art work, and is capable of identifying 0-day mobile malware samples.

Original language: English
Article number: 273
Journal: SpringerPlus
Volume: 5
Issue number: 1
DOIs: 10.1186/s40064-016-1861-x
Publication status: Published - 2016 Dec 1

Fingerprint

  • Mobile devices
  • Malware
  • Scalability
  • Experiments
  • Mobile security

Keywords

  • Android
  • Behavior profiling
  • Malware
  • Similarity
  • System call

ASJC Scopus subject areas

  • General

Cite this

Detecting and classifying method based on similarity matching of Android malware behavior with profile. / Jang, Jae wook; Yun, Jaesung; Mohaisen, Aziz; Woo, Jiyoung; Kim, Huy Kang.

In: SpringerPlus, Vol. 5, No. 1, 273, 01.12.2016.

Research output: Contribution to journal › Article

Jang, Jae wook ; Yun, Jaesung ; Mohaisen, Aziz ; Woo, Jiyoung ; Kim, Huy Kang. / Detecting and classifying method based on similarity matching of Android malware behavior with profile. In: SpringerPlus. 2016 ; Vol. 5, No. 1.
@article{b98dc17138954ab985b8f34ee482c759,
title = "Detecting and classifying method based on similarity matching of Android malware behavior with profile",
abstract = "Mass-market mobile security threats have increased recently due to the growth of mobile technologies and the popularity of mobile devices. Accordingly, techniques have been introduced for identifying, classifying, and defending against mobile threats using static, dynamic, on-device, and off-device analysis. Static techniques are easy to evade, while dynamic techniques are expensive. On-device techniques are prone to evasion, while off-device techniques require the device to be always online. To address some of those shortcomings, we introduce Andro-profiler, a hybrid behavior-based analysis and classification system for mobile malware. Andro-profiler's main goals are efficiency, scalability, and accuracy. To that end, Andro-profiler classifies malware using behavior profiles extracted from integrated system logs, including system calls. Andro-profiler executes a malicious application on an emulator to generate the integrated system logs, and creates human-readable behavior profiles by analyzing those logs. By comparing the behavior profile of a malicious application with the representative behavior profile of each malware family using a weighted similarity matching technique, Andro-profiler detects the application and classifies it into a malware family. The experimental results demonstrate that Andro-profiler is scalable, performs well in detecting and classifying malware with accuracy greater than 98 {\%}, outperforms existing state-of-the-art work, and is capable of identifying 0-day mobile malware samples.",
keywords = "Android, Behavior profiling, Malware, Similarity, System call",
author = "Jang, {Jae wook} and Jaesung Yun and Aziz Mohaisen and Jiyoung Woo and Kim, {Huy Kang}",
year = "2016",
month = "12",
day = "1",
doi = "10.1186/s40064-016-1861-x",
language = "English",
volume = "5",
journal = "SpringerPlus",
issn = "2193-1801",
publisher = "Springer Science and Business Media Deutschland GmbH",
number = "1",

}

TY - JOUR

T1 - Detecting and classifying method based on similarity matching of Android malware behavior with profile

AU - Jang, Jae wook

AU - Yun, Jaesung

AU - Mohaisen, Aziz

AU - Woo, Jiyoung

AU - Kim, Huy Kang

PY - 2016/12/1

Y1 - 2016/12/1

AB - Mass-market mobile security threats have increased recently due to the growth of mobile technologies and the popularity of mobile devices. Accordingly, techniques have been introduced for identifying, classifying, and defending against mobile threats using static, dynamic, on-device, and off-device analysis. Static techniques are easy to evade, while dynamic techniques are expensive. On-device techniques are prone to evasion, while off-device techniques require the device to be always online. To address some of those shortcomings, we introduce Andro-profiler, a hybrid behavior-based analysis and classification system for mobile malware. Andro-profiler's main goals are efficiency, scalability, and accuracy. To that end, Andro-profiler classifies malware using behavior profiles extracted from integrated system logs, including system calls. Andro-profiler executes a malicious application on an emulator to generate the integrated system logs, and creates human-readable behavior profiles by analyzing those logs. By comparing the behavior profile of a malicious application with the representative behavior profile of each malware family using a weighted similarity matching technique, Andro-profiler detects the application and classifies it into a malware family. The experimental results demonstrate that Andro-profiler is scalable, performs well in detecting and classifying malware with accuracy greater than 98%, outperforms existing state-of-the-art work, and is capable of identifying 0-day mobile malware samples.

KW - Android

KW - Behavior profiling

KW - Malware

KW - Similarity

KW - System call

UR - http://www.scopus.com/inward/record.url?scp=84963502457&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84963502457&partnerID=8YFLogxK

U2 - 10.1186/s40064-016-1861-x

DO - 10.1186/s40064-016-1861-x

M3 - Article

AN - SCOPUS:84963502457

VL - 5

JO - SpringerPlus

JF - SpringerPlus

SN - 2193-1801

IS - 1

M1 - 273

ER -