AndroDFA: Android Malware Classification Based on Resource Consumption
The vast majority of today’s mobile malware targets Android devices. An important task of malware analysis is the classification of malicious samples into known families. In this paper, we propose AndroDFA (DFA, detrended fluctuation analysis): an approach to Android malware famil...
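Main Authors: | Luca Massarelli, Leonardo Aniello, Claudio Ciccotelli, Leonardo Querzoni, Daniele Ucci, Roberto Baldoni |
---|---|
Format: | Article |
Language: | English |
Published: | MDPI AG 2020-06-01 |
Series: | Information |
Subjects: | malware, machine learning, Android |
Online Access: | https://www.mdpi.com/2078-2489/11/6/326 |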
id |
doaj-18a55b3bccf34c8cb2ac7aebd58ca99e |
---|---|
record_format |
Article |
spelling |
doaj-18a55b3bccf34c8cb2ac7aebd58ca99e; 2020-11-25T03:59:23Z; eng; MDPI AG; Information; 2078-2489; 2020-06-01; 11326326; 10.3390/info11060326; AndroDFA: Android Malware Classification Based on Resource Consumption; Luca Massarelli 0, Leonardo Aniello 1, Claudio Ciccotelli 2, Leonardo Querzoni 3, Daniele Ucci 4, Roberto Baldoni 5; Department of Computer, Control, and Management Engineering Antonio Ruberti, Sapienza University of Rome, Via Ariosto 25 00185 Rome, Italy; Cyber Security Research Group, School of Electronics and Computer Science, University of Southampton, University Road, Southampton SO17 1BJ, UK; Department of Computer, Control, and Management Engineering Antonio Ruberti, Sapienza University of Rome, Via Ariosto 25 00185 Rome, Italy; Department of Computer, Control, and Management Engineering Antonio Ruberti, Sapienza University of Rome, Via Ariosto 25 00185 Rome, Italy; Department of Computer, Control, and Management Engineering Antonio Ruberti, Sapienza University of Rome, Via Ariosto 25 00185 Rome, Italy; Department of Computer, Control, and Management Engineering Antonio Ruberti, Sapienza University of Rome, Via Ariosto 25 00185 Rome, Italy; The vast majority of today’s mobile malware targets Android devices. An important task of malware analysis is the classification of malicious samples into known families. In this paper, we propose AndroDFA (DFA, detrended fluctuation analysis): an approach to Android malware family classification based on dynamic analysis of resource consumption metrics available from the proc file system. These metrics can be easily measured during sample execution. From each malware, we extract features through detrended fluctuation analysis (DFA) and Pearson’s correlation, then a support vector machine is employed to classify malware into families. We provide an experimental evaluation based on malware samples from two datasets, namely Drebin and AMD. With the Drebin dataset, we obtained a classification accuracy of 82%, comparable with works from the state-of-the-art like DroidScribe. However, compared to DroidScribe, our approach is easier to reproduce because it is based on publicly available tools only, does not require any modification to the emulated environment or Android OS, and by design, can also be used on physical devices rather than exclusively on emulators. The latter is a key factor because modern mobile malware can detect the emulated environment and hide its malicious behavior. The experiments on the AMD dataset gave similar results, with an overall mean accuracy of 78%. Furthermore, we made the software we developed publicly available, to ease the reproducibility of our results.; https://www.mdpi.com/2078-2489/11/6/326; malware; machine learning; Android |
collection |
DOAJ |
language |
English |
format |
Article |
sources |
DOAJ |
author |
Luca Massarelli Leonardo Aniello Claudio Ciccotelli Leonardo Querzoni Daniele Ucci Roberto Baldoni |
title |
AndroDFA: Android Malware Classification Based on Resource Consumption |
publisher |
MDPI AG |
series |
Information |
issn |
2078-2489 |
publishDate |
2020-06-01 |
description |
The vast majority of today’s mobile malware targets Android devices. An important task of malware analysis is the classification of malicious samples into known families. In this paper, we propose AndroDFA (DFA, detrended fluctuation analysis): an approach to Android malware family classification based on dynamic analysis of resource consumption metrics available from the proc file system. These metrics can be easily measured during sample execution. From each malware, we extract features through detrended fluctuation analysis (DFA) and Pearson’s correlation, then a support vector machine is employed to classify malware into families. We provide an experimental evaluation based on malware samples from two datasets, namely Drebin and AMD. With the Drebin dataset, we obtained a classification accuracy of 82%, comparable with works from the state-of-the-art like DroidScribe. However, compared to DroidScribe, our approach is easier to reproduce because it is based on publicly available tools only, does not require any modification to the emulated environment or Android OS, and by design, can also be used on physical devices rather than exclusively on emulators. The latter is a key factor because modern mobile malware can detect the emulated environment and hide its malicious behavior. The experiments on the AMD dataset gave similar results, with an overall mean accuracy of 78%. Furthermore, we made the software we developed publicly available, to ease the reproducibility of our results. |
topic |
malware machine learning Android |
url |
https://www.mdpi.com/2078-2489/11/6/326 |