
Identifying Android malware with system call co-occurrence matrices

Bibliographic Details
Published in: Transactions on emerging telecommunications technologies 2016-05, Vol.27 (5), p.675-684
Main Authors: Xiao, Xi; Xiao, Xianni; Jiang, Yong; Liu, Xuejiao; Ye, Runguo
Format: Article
Language: English
Description
Summary: With the popularity of Android devices, mobile malware in Android has become more prevalent. Malware causes lots of harm to users, such as stealing personal information and using too much battery or CPU. Detecting mobile malware is the main task in Android security. In this work, we use a dynamic analysis method to distinguish malware with system call sequences. At first, we track the system calls of applications under different events. Then two different feature models, the frequency vector and the co‐occurrence matrix, are employed to extract features from the system call sequence. Finally, we apply Adaptive Regularization Of Weight Vectors and other machine learning algorithms to identify Android malware based on the aforementioned two models, respectively. We evaluate our method with 1189 benign applications and 1227 malicious applications. The experiment results show that the co‐occurrence matrix can achieve a much better detection rate than the frequency vector. Our best detection rate is 97.7 per cent with false positive rate being 1.34 per cent, which is better than those of the existing methods. Copyright © 2016 John Wiley & Sons, Ltd.

(1) In this paper, we track the system calls of applications under different events and employ the frequency vector and the co‐occurrence matrix, which are two different feature models, to extract features from the system call sequence.
(2) We apply Adaptive Regularization of Weight Vectors and other machine learning algorithms to identify Android malware based on the aforementioned two models, respectively.
(3) Experiment results show that the co‐occurrence matrix built on the system call sequences extracts more useful information than the plain system call frequency vector.
ISSN: 2161-3915
DOI: 10.1002/ett.3016