Android application classification and anomaly detection with graph-based permission patterns

Android is one of the mobile market leaders, offering more than a million applications on Google Play store. Google checks the application for known malware, but applications abusively collecting users' data and requiring access to sensitive services not related to functionalities are still pre...

Full description

Saved in:
Bibliographic Details
Published in:Decision Support Systems 2017-01, Vol.93, p.62-76
Main Authors: Sokolova, Karina, Perez, Charles, Lemercier, Marc
Format: Article
Language:English
Subjects:
Android
Anomaly detection
Art exhibits
Classification
Computer Science
Computer viruses
End users
Graph analysis
Graph theory
Malware
Mobile Computing
Networking and Internet Architecture
Permission patterns
Risk warning
Search engines
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
cited_by cdi_FETCH-LOGICAL-c359t-6168cf4406f731f9373e29175f4f8bb07c83b9cee3152b352598523a13e5bb913
cites cdi_FETCH-LOGICAL-c359t-6168cf4406f731f9373e29175f4f8bb07c83b9cee3152b352598523a13e5bb913
container_end_page 76
container_issue
container_start_page 62
container_title Decision Support Systems
container_volume 93
creator Sokolova, Karina
Perez, Charles
Lemercier, Marc
description Android is one of the mobile market leaders, offering more than a million applications on Google Play store. Google checks the application for known malware, but applications abusively collecting users' data and requiring access to sensitive services not related to functionalities are still present on the market. A permission system is a user-centric security solution against abusive applications and malware that has been unsuccessful: users are incapable of understanding and judging the permissions required by each application and often ignore on-installation warnings. State-of-the-art shows that the current permission system is inappropriate for end-users. However, Android permission lists do provide information about the application's behavior and may be suitable for automatic application analysis. Identifying key permissions for functionalities and expected permission requests can help leverage abnormal application behavior and provide a simpler risk warning for users. Applications with similar functionalities are grouped into categories on Google Play and this work therefore analyzes permission requests by category. In this study, we propose a methodology to characterize normal behavior for each category of applications, highlighting expected permission requests. The co-required permissions are modeled as a graph and the category patterns and central permissions are obtained using graph analysis metrics. The obtained patterns are evaluated by the performance of the application classification into categories that allow choosing the best graph metrics representing categories. Finally, this study proposes a privacy score and a risk warning threshold based on the best metrics. The efficiency of the proposed methodology was tested on a set of 9512 applications collected from Google Play and a set of malware. [Display omitted] •We build permission usage patterns for Android application categories using graph.•We classify applications into categories using patterns and graph-analysis features.•Among metrics, betweenness centrality and weighted degree performed the best for classification.•We build a pattern-based risk metric for applications.•The risk metric showed high performance for malware detection.
doi_str_mv 10.1016/j.dss.2016.09.006
format article
fullrecord <record><control><sourceid>proquest_hal_p</sourceid><recordid>TN_cdi_hal_primary_oai_HAL_hal_02272236v1</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><els_id>S0167923616301555</els_id><sourcerecordid>4320979915</sourcerecordid><originalsourceid>FETCH-LOGICAL-c359t-6168cf4406f731f9373e29175f4f8bb07c83b9cee3152b352598523a13e5bb913</originalsourceid><addsrcrecordid>eNp9kD9PwzAQxS0EEqXwAdgiMTEk-E8dx2KqKqBIlVhgRJbjnKmjNAl2Cuq3xyHAyOTzvfdOdz-ELgnOCCb5TZ1VIWQ0lhmWGcb5EZqRQrCUCymO0SwKIpWU5afoLIQ6Gpgo8hl6XbaV71yV6L5vnNGD69rENDoEZ3-_uo1y2-10c0gqGMB8dz_dsE3evO63aakDVEkPfudiLmq9HgbwbThHJ1Y3AS5-3jl6ub97Xq3TzdPD42q5SQ3jckhzkhfGLhY4t4IRK5lgQCUR3C5sUZZYmIKV0gAwwmnJOOWy4JRpwoCXpSRsjq6nuVvdqN67nfYH1Wmn1suNGnuYUkHj9R-j92ry9r5730MYVN3tfRvXUxFYITjGhEcXmVzGdyF4sH9jCVYjcVWrSFyNxBWWagQ6R7dTBuKpHw68CsZBa6ByPkJTVef-SX8BaieIxw</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>1878750015</pqid></control><display><type>article</type><title>Android application classification and anomaly detection with graph-based permission patterns</title><source>ScienceDirect Journals</source><creator>Sokolova, Karina ; Perez, Charles ; Lemercier, Marc</creator><creatorcontrib>Sokolova, Karina ; Perez, Charles ; Lemercier, Marc</creatorcontrib><description>Android is one of the mobile market leaders, offering more than a million applications on Google Play store. Google checks the application for known malware, but applications abusively collecting users' data and requiring access to sensitive services not related to functionalities are still present on the market. A permission system is a user-centric security solution against abusive applications and malware that has been unsuccessful: users are incapable of understanding and judging the permissions required by each application and often ignore on-installation warnings. State-of-the-art shows that the current permission system is inappropriate for end-users. However, Android permission lists do provide information about the application's behavior and may be suitable for automatic application analysis. Identifying key permissions for functionalities and expected permission requests can help leverage abnormal application behavior and provide a simpler risk warning for users. Applications with similar functionalities are grouped into categories on Google Play and this work therefore analyzes permission requests by category. In this study, we propose a methodology to characterize normal behavior for each category of applications, highlighting expected permission requests. The co-required permissions are modeled as a graph and the category patterns and central permissions are obtained using graph analysis metrics. The obtained patterns are evaluated by the performance of the application classification into categories that allow choosing the best graph metrics representing categories. Finally, this study proposes a privacy score and a risk warning threshold based on the best metrics. The efficiency of the proposed methodology was tested on a set of 9512 applications collected from Google Play and a set of malware. [Display omitted] •We build permission usage patterns for Android application categories using graph.•We classify applications into categories using patterns and graph-analysis features.•Among metrics, betweenness centrality and weighted degree performed the best for classification.•We build a pattern-based risk metric for applications.•The risk metric showed high performance for malware detection.</description><identifier>ISSN: 0167-9236</identifier><identifier>EISSN: 1873-5797</identifier><identifier>DOI: 10.1016/j.dss.2016.09.006</identifier><identifier>CODEN: DSSYDK</identifier><language>eng</language><publisher>Amsterdam: Elsevier B.V</publisher><subject>Android ; Anomaly detection ; Art exhibits ; Classification ; Computer Science ; Computer viruses ; End users ; Graph analysis ; Graph theory ; Malware ; Mobile Computing ; Networking and Internet Architecture ; Permission patterns ; Risk warning ; Search engines</subject><ispartof>Decision Support Systems, 2017-01, Vol.93, p.62-76</ispartof><rights>2016 Elsevier B.V.</rights><rights>Copyright Elsevier Sequoia S.A. Jan 2017</rights><rights>Distributed under a Creative Commons Attribution 4.0 International License</rights><lds50>peer_reviewed</lds50><woscitedreferencessubscribed>false</woscitedreferencessubscribed><citedby>FETCH-LOGICAL-c359t-6168cf4406f731f9373e29175f4f8bb07c83b9cee3152b352598523a13e5bb913</citedby><cites>FETCH-LOGICAL-c359t-6168cf4406f731f9373e29175f4f8bb07c83b9cee3152b352598523a13e5bb913</cites><orcidid>0000-0001-8226-914X</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>230,314,780,784,885,27924,27925</link.rule.ids><backlink>$$Uhttps://utt.hal.science/hal-02272236$$DView record in HAL$$Hfree_for_read</backlink></links><search><creatorcontrib>Sokolova, Karina</creatorcontrib><creatorcontrib>Perez, Charles</creatorcontrib><creatorcontrib>Lemercier, Marc</creatorcontrib><title>Android application classification and anomaly detection with graph-based permission patterns</title><title>Decision Support Systems</title><description>Android is one of the mobile market leaders, offering more than a million applications on Google Play store. Google checks the application for known malware, but applications abusively collecting users' data and requiring access to sensitive services not related to functionalities are still present on the market. A permission system is a user-centric security solution against abusive applications and malware that has been unsuccessful: users are incapable of understanding and judging the permissions required by each application and often ignore on-installation warnings. State-of-the-art shows that the current permission system is inappropriate for end-users. However, Android permission lists do provide information about the application's behavior and may be suitable for automatic application analysis. Identifying key permissions for functionalities and expected permission requests can help leverage abnormal application behavior and provide a simpler risk warning for users. Applications with similar functionalities are grouped into categories on Google Play and this work therefore analyzes permission requests by category. In this study, we propose a methodology to characterize normal behavior for each category of applications, highlighting expected permission requests. The co-required permissions are modeled as a graph and the category patterns and central permissions are obtained using graph analysis metrics. The obtained patterns are evaluated by the performance of the application classification into categories that allow choosing the best graph metrics representing categories. Finally, this study proposes a privacy score and a risk warning threshold based on the best metrics. The efficiency of the proposed methodology was tested on a set of 9512 applications collected from Google Play and a set of malware. [Display omitted] •We build permission usage patterns for Android application categories using graph.•We classify applications into categories using patterns and graph-analysis features.•Among metrics, betweenness centrality and weighted degree performed the best for classification.•We build a pattern-based risk metric for applications.•The risk metric showed high performance for malware detection.</description><subject>Android</subject><subject>Anomaly detection</subject><subject>Art exhibits</subject><subject>Classification</subject><subject>Computer Science</subject><subject>Computer viruses</subject><subject>End users</subject><subject>Graph analysis</subject><subject>Graph theory</subject><subject>Malware</subject><subject>Mobile Computing</subject><subject>Networking and Internet Architecture</subject><subject>Permission patterns</subject><subject>Risk warning</subject><subject>Search engines</subject><issn>0167-9236</issn><issn>1873-5797</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2017</creationdate><recordtype>article</recordtype><recordid>eNp9kD9PwzAQxS0EEqXwAdgiMTEk-E8dx2KqKqBIlVhgRJbjnKmjNAl2Cuq3xyHAyOTzvfdOdz-ELgnOCCb5TZ1VIWQ0lhmWGcb5EZqRQrCUCymO0SwKIpWU5afoLIQ6Gpgo8hl6XbaV71yV6L5vnNGD69rENDoEZ3-_uo1y2-10c0gqGMB8dz_dsE3evO63aakDVEkPfudiLmq9HgbwbThHJ1Y3AS5-3jl6ub97Xq3TzdPD42q5SQ3jckhzkhfGLhY4t4IRK5lgQCUR3C5sUZZYmIKV0gAwwmnJOOWy4JRpwoCXpSRsjq6nuVvdqN67nfYH1Wmn1suNGnuYUkHj9R-j92ry9r5730MYVN3tfRvXUxFYITjGhEcXmVzGdyF4sH9jCVYjcVWrSFyNxBWWagQ6R7dTBuKpHw68CsZBa6ByPkJTVef-SX8BaieIxw</recordid><startdate>201701</startdate><enddate>201701</enddate><creator>Sokolova, Karina</creator><creator>Perez, Charles</creator><creator>Lemercier, Marc</creator><general>Elsevier B.V</general><general>Elsevier Sequoia S.A</general><general>Elsevier</general><scope>AAYXX</scope><scope>CITATION</scope><scope>7SC</scope><scope>8FD</scope><scope>JQ2</scope><scope>L7M</scope><scope>L~C</scope><scope>L~D</scope><scope>1XC</scope><orcidid>https://orcid.org/0000-0001-8226-914X</orcidid></search><sort><creationdate>201701</creationdate><title>Android application classification and anomaly detection with graph-based permission patterns</title><author>Sokolova, Karina ; Perez, Charles ; Lemercier, Marc</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c359t-6168cf4406f731f9373e29175f4f8bb07c83b9cee3152b352598523a13e5bb913</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2017</creationdate><topic>Android</topic><topic>Anomaly detection</topic><topic>Art exhibits</topic><topic>Classification</topic><topic>Computer Science</topic><topic>Computer viruses</topic><topic>End users</topic><topic>Graph analysis</topic><topic>Graph theory</topic><topic>Malware</topic><topic>Mobile Computing</topic><topic>Networking and Internet Architecture</topic><topic>Permission patterns</topic><topic>Risk warning</topic><topic>Search engines</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Sokolova, Karina</creatorcontrib><creatorcontrib>Perez, Charles</creatorcontrib><creatorcontrib>Lemercier, Marc</creatorcontrib><collection>CrossRef</collection><collection>Computer and Information Systems Abstracts</collection><collection>Technology Research Database</collection><collection>ProQuest Computer Science Collection</collection><collection>Advanced Technologies Database with Aerospace</collection><collection>Computer and Information Systems Abstracts – Academic</collection><collection>Computer and Information Systems Abstracts Professional</collection><collection>Hyper Article en Ligne (HAL)</collection><jtitle>Decision Support Systems</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext</fulltext></delivery><addata><au>Sokolova, Karina</au><au>Perez, Charles</au><au>Lemercier, Marc</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Android application classification and anomaly detection with graph-based permission patterns</atitle><jtitle>Decision Support Systems</jtitle><date>2017-01</date><risdate>2017</risdate><volume>93</volume><spage>62</spage><epage>76</epage><pages>62-76</pages><issn>0167-9236</issn><eissn>1873-5797</eissn><coden>DSSYDK</coden><abstract>Android is one of the mobile market leaders, offering more than a million applications on Google Play store. Google checks the application for known malware, but applications abusively collecting users' data and requiring access to sensitive services not related to functionalities are still present on the market. A permission system is a user-centric security solution against abusive applications and malware that has been unsuccessful: users are incapable of understanding and judging the permissions required by each application and often ignore on-installation warnings. State-of-the-art shows that the current permission system is inappropriate for end-users. However, Android permission lists do provide information about the application's behavior and may be suitable for automatic application analysis. Identifying key permissions for functionalities and expected permission requests can help leverage abnormal application behavior and provide a simpler risk warning for users. Applications with similar functionalities are grouped into categories on Google Play and this work therefore analyzes permission requests by category. In this study, we propose a methodology to characterize normal behavior for each category of applications, highlighting expected permission requests. The co-required permissions are modeled as a graph and the category patterns and central permissions are obtained using graph analysis metrics. The obtained patterns are evaluated by the performance of the application classification into categories that allow choosing the best graph metrics representing categories. Finally, this study proposes a privacy score and a risk warning threshold based on the best metrics. The efficiency of the proposed methodology was tested on a set of 9512 applications collected from Google Play and a set of malware. [Display omitted] •We build permission usage patterns for Android application categories using graph.•We classify applications into categories using patterns and graph-analysis features.•Among metrics, betweenness centrality and weighted degree performed the best for classification.•We build a pattern-based risk metric for applications.•The risk metric showed high performance for malware detection.</abstract><cop>Amsterdam</cop><pub>Elsevier B.V</pub><doi>10.1016/j.dss.2016.09.006</doi><tpages>15</tpages><orcidid>https://orcid.org/0000-0001-8226-914X</orcidid></addata></record>
fulltext fulltext
identifier ISSN: 0167-9236
ispartof Decision Support Systems, 2017-01, Vol.93, p.62-76
issn 0167-9236
1873-5797
language eng
recordid cdi_hal_primary_oai_HAL_hal_02272236v1
source ScienceDirect Journals
subjects Android
Anomaly detection
Art exhibits
Classification
Computer Science
Computer viruses
End users
Graph analysis
Graph theory
Malware
Mobile Computing
Networking and Internet Architecture
Permission patterns
Risk warning
Search engines
title Android application classification and anomaly detection with graph-based permission patterns
url http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-06T04%3A26%3A22IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_hal_p&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Android%20application%20classification%20and%20anomaly%20detection%20with%20graph-based%20permission%20patterns&rft.jtitle=Decision%20Support%20Systems&rft.au=Sokolova,%20Karina&rft.date=2017-01&rft.volume=93&rft.spage=62&rft.epage=76&rft.pages=62-76&rft.issn=0167-9236&rft.eissn=1873-5797&rft.coden=DSSYDK&rft_id=info:doi/10.1016/j.dss.2016.09.006&rft_dat=%3Cproquest_hal_p%3E4320979915%3C/proquest_hal_p%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c359t-6168cf4406f731f9373e29175f4f8bb07c83b9cee3152b352598523a13e5bb913%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_pqid=1878750015&rft_id=info:pmid/&rfr_iscdi=true