StormDroid: A Streaminglized Machine Learning-Based System for Detecting Android Malware

Introduction
This paper focuses on detecting malware android applications based on machine learning method. They defined 4 types of features to be extracted from applications:
1. well-received features
1.1 Permission: Some malicious applications need some specific types of permissions.
1.2 Sensitive API Calls: They extracted sensitive API calls from Snail files, and found the top types of sensitive API calls which could best distinguish malicious and benign applications.
2. newly-defined features
2.1 Sequence: Malicious apps tend to have drastically different sensitive API calls. They defined 3 metrics to quantify the number of sensitive API calls.
2.2 Dynamic Behavior: Monitor the activities triggered by each application from their log file.
In both of these features, they removed the common ones which are shared by malicious and benign apps, and left the most distinguishable features.

Application of ML methods
They compared several ML methods: SVM, decision tree, Multi-Layer Perceptron, Naïve Bayes, KNN, Bagging predictor. They also compared the performance of different feature selection methods (Only well-received features / well-received and newly-defined features). Finally, they found that KNN classifier + well-received and newly-defined features achieved the best performance.

Pros
1. They contributed to define new features for monitoring dynamic behavior of malicious applications, which achieved better performance than using static analysis only.
2. They proposed the streaming framework (3 phases: Preamble, Feature Extraction, Classification), where all phases happen almost simultaneously (like CPU pipeline). That accelerated the speed of processing large scale of data.

Cons
1. When analyzing features, they used the same APP dataset which is also used in testing ML classifier. So they removed the common features and selected most distinguishable features based on their analyzing results, before testing their ML classifier. I think there will be a kind of “over-fitting” in this process. They should use different APP dataset for analyzing and testing.
2. Decompiling and analyzing the application on Android device may use too many system resources, since the performance of mobile CPU and memory are comparatively lower. Actually I think this method is more suitable for detecting malicious applications on PC.

Comments

  1. jon_weissmanApril 18, 2019 at 5:44 AM

    Good points about overfitting. The pipelining seemed interesting but they did not provide any details. It is also disappointing that they did not try to learn features automatically.

    ReplyDelete

Post a Comment

Popular posts from this blog

A Machine Learning Approach to Live Migration Modeling

Authors:  Changyeon Jo, Youngsu Cho, Bernhard Egger Seoul National University Summary:  This paper proposed a machine learning approach to predict the system metrics for different VM migration algorithms. These system metrics are affected by migration algorithm, host machine status and user applications and feasible for machine learning approach. The prediction model takes 21 system/application input features (including which algorithm), and generates 6 metrics as the output. As a result, it can accurately estimate each metrics under different application, VM and algorithms. One of the application, the paper provide a semi-automated algorithm selection based on this machine learning model and user-provided SLA (service level agreements) constraints. Questions about Machine Learning:  Why machine learning is applied: The combination of algorithm, VM status and current running applications status, is a huge searching space. Machine learning features: which algorithm, 20 featu
Read more

NetBouncer: Active Device and Link Failure Localization in Data Center Networks

Authors : Cheng Tan, Ze Jin, Chuanxiong Guo, Tianrong Zhang, Haitao Wu, Karl Deng, Dongming Bi, and Dong Xiang Introduction : Availability of large scale data centers ensures that all the operations within the center's network function smoothly. The biggest challenge for such data centers is the ability to accurately locate and contain device and link failures, across millions of servers and thousands of network devices. The authors introduce NetBouncer, a failure localization system which is capable of detecting both device and link failures. The authors introduce the framework's algorithm for high accuracy link failure inference and use domain knowledge to make it robust to real-world data inconsistencies.  Pros : The NetBouncer framework makes use of Clos network architectures, which were introduced by Bell Labs in 1950s and made famous again with the onset of Ethernet switches. Many software companies now make use of multi-tier Clos network-based architecture
Read more

Deep Learning for Entity Matching: A Design Space Exploration

Authors - Sidharth Mudgal, Han Li, Theodoros Rekatsinas, AnHai Doan, Youngchoon Park, Ganesh Krishnan, Rohit Deep, Esteban Arcaute, Vijay Raghavendra Motivation/Abstract: Introduces entity matching, deep learning separately. Categorizes all the Deep Learning solutions in similar situations(matching tasks in NLP), and then works towards solving Entity Matching. Talks about the involvement of Deep Learning in EM in the past (one model). Finds out different fields where Deep Learning might perform better, does testing and reports results and conclusion. Main Points: There are three criteria/context where the discussion(comparing Deep Learning model vs traditional model) takes place - 1. Structured Data - SQL type stored data 2. Textual Data - Consists of text blobs which consist of huge sentences 3. Dirty Data - Erroneous structured data where text fields have values all mixed up Four representative models are picked and the Deep Learning process is explained through them. 
Read more