Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers

Research Article

Detection, Classification and Characterization of Android Malware Using API Data Dependency

@INPROCEEDINGS{10.1007/978-3-319-28865-9_2,
    author={Yongfeng Li and Tong Shen and Xin Sun and Xuerui Pan and Bing Mao},
    title={Detection, Classification and Characterization of Android Malware Using API Data Dependency},
    proceedings={Security and Privacy in Communication Networks. 11th International Conference, SecureComm 2015, Dallas, TX, USA, October 26-29, 2015, Revised Selected Papers},
    proceedings_a={SECURECOMM},
    year={2016},
    month={2},
    keywords={Android malware; Machine learning; Data flow; Flowdroid},
    doi={10.1007/978-3-319-28865-9_2}
}
Yongfeng Li, Tong Shen, Xin Sun, Xuerui Pan, Bing Mao. Detection, Classification and Characterization of Android Malware Using API Data Dependency. SECURECOMM, Springer, 2016. DOI: 10.1007/978-3-319-28865-9_2
Yongfeng Li (1,*), Tong Shen (1,*), Xin Sun (1,*), Xuerui Pan (1,*), Bing Mao (1,*)

1: Nanjing University

*Contact email: jsliyongfeng@gmail.com, shentongnju@gmail.com, sunxin508@gmail.com, xueruipan@gmail.com, maobing@nju.edu.cn

Abstract

With the popularity of Android devices, more and more Android malware is produced every year, and filtering out malicious apps is a serious problem for app markets. In this paper, we propose DroidADDMiner, an efficient and precise system to detect, classify and characterize Android malware. DroidADDMiner is a machine learning based system that extracts features from the data dependencies between sensitive APIs: it extracts the API data dependence paths embedded in an app and uses them to construct feature vectors for machine learning. While DroidSIFT [13] also attempts automated detection of Android applications based on data flow analysis, DroidADDMiner not only reduces the run time but also characterizes malware behaviors automatically. We implement DroidADDMiner on top of FlowDroid [14] and evaluate it using 5648 malware samples and 14280 benign apps. Experiments show that, for malware detection, DroidADDMiner achieves a 98% detection rate with a 0.3% false positive rate. For malware classification, the accuracy of assigning malicious apps to their proper family labels is 96%. Although it performs data flow analysis, most of the experimental samples can be examined within 60 seconds.