StormDroid: A Streaminglized Machine Learning-Based System for Detecting Android Malware

Introduction
This paper focuses on detecting malware android applications based on machine learning method. They defined 4 types of features to be extracted from applications:
1. well-received features
1.1 Permission: Some malicious applications need some specific types of permissions.
1.2 Sensitive API Calls: They extracted sensitive API calls from Snail files, and found the top types of sensitive API calls which could best distinguish malicious and benign applications.
2. newly-defined features
2.1 Sequence: Malicious apps tend to have drastically different sensitive API calls. They defined 3 metrics to quantify the number of sensitive API calls.
2.2 Dynamic Behavior: Monitor the activities triggered by each application from their log file.
In both of these features, they removed the common ones which are shared by malicious and benign apps, and left the most distinguishable features.

Application of ML methods
They compared several ML methods: SVM, decision tree, Multi-Layer Perceptron, Naïve Bayes, KNN, Bagging predictor. They also compared the performance of different feature selection methods (Only well-received features / well-received and newly-defined features). Finally, they found that KNN classifier + well-received and newly-defined features achieved the best performance.

Pros
1. They contributed to define new features for monitoring dynamic behavior of malicious applications, which achieved better performance than using static analysis only.
2. They proposed the streaming framework (3 phases: Preamble, Feature Extraction, Classification), where all phases happen almost simultaneously (like CPU pipeline). That accelerated the speed of processing large scale of data.

Cons
1. When analyzing features, they used the same APP dataset which is also used in testing ML classifier. So they removed the common features and selected most distinguishable features based on their analyzing results, before testing their ML classifier. I think there will be a kind of “over-fitting” in this process. They should use different APP dataset for analyzing and testing.
2. Decompiling and analyzing the application on Android device may use too many system resources, since the performance of mobile CPU and memory are comparatively lower. Actually I think this method is more suitable for detecting malicious applications on PC.

Comments

  1. Good points about overfitting. The pipelining seemed interesting but they did not provide any details. It is also disappointing that they did not try to learn features automatically.

    ReplyDelete

Post a Comment

Popular posts from this blog

A Machine Learning Approach to Live Migration Modeling

StormDroid: A Streaminglized Machine Learning-Based System for Detecting Android Malware

Coordinated Management of Multiple Interacting Resources in Chip Multiprocessors: A Machine Learning Approach