Runtime Detection Framework for Android Malware

Taeguen Kim, Boojoong Kang, Eul Gyu Im

Research output: Contribution to journal › Article

Abstract

As the number of Android malware samples has increased rapidly over the years, various malware detection methods have been proposed. Existing methods can be classified into two categories: static analysis-based methods and dynamic analysis-based methods. Both approaches have limitations: static analysis-based methods are relatively easy to evade through transformation techniques such as junk instruction insertion and code reordering, while dynamic analysis-based methods incur relatively high analysis overhead and may require kernel modification to extract dynamic features. In this paper, we propose a dynamic analysis framework for Android malware detection that overcomes these shortcomings. To reduce detection overhead, the framework uses a suffix tree that contains API (Application Programming Interface) subtraces together with probabilistic confidence values generated using HMMs (Hidden Markov Models); because the suffix tree is impractical to deploy on mobile devices, the framework is designed with a client-server architecture. In addition, an application rewriting technique is used to trace API invocations without any modification to the Android kernel. In our experiments, we measured detection accuracy and computational overhead to evaluate the effectiveness and efficiency of the proposed framework.
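The following Python sketch is an added illustration, not code from the paper: it shows the shape of the server-side matching structure the abstract describes, a trie of API-call subtraces where each stored subtrace carries a confidence value, and a runtime trace being scored against it window by window. The confidence values here are a plain malicious/benign ratio computed over constructed training traces, a stand-in for the HMM-derived probabilities the paper uses; the API names, the training traces, and the parameters MAX_LEN and THRESHOLD are all assumed, and the paper's suffix tree is simplified to a trie of bounded-length subtraces.

```python
"""Toy subtrace trie for scoring Android API-call traces.

Added example, not code from the paper. Confidence values are a simple
maliciousness ratio over constructed training traces rather than the
HMM-derived values the paper describes; API names and parameters are assumed.
"""
from collections import Counter

MAX_LEN = 3        # longest subtrace kept in the trie (assumed parameter)
THRESHOLD = 0.8    # flag a trace if any window's confidence reaches this (assumed)


class Node:
    """One trie node: the subtrace that ends here, with per-label trace counts."""
    __slots__ = ("children", "counts")

    def __init__(self):
        self.children = {}
        self.counts = Counter()   # {"mal": n, "ben": m}: training traces containing this subtrace

    def confidence(self):
        """Fraction of training traces containing this subtrace that were malicious."""
        total = sum(self.counts.values())
        return self.counts["mal"] / total if total else 0.0


def subtraces(apis, max_len=MAX_LEN):
    """All distinct consecutive API subsequences of length 1..max_len."""
    return {tuple(apis[s:e])
            for e in range(1, len(apis) + 1)
            for s in range(max(0, e - max_len), e)}


def build_trie(training, max_len=MAX_LEN):
    """training: iterable of (api_list, label); label is "mal" or "ben"."""
    root = Node()
    for apis, label in training:
        for sub in subtraces(apis, max_len):   # each subtrace counted once per trace
            node = root
            for api in sub:
                node = node.children.setdefault(api, Node())
            node.counts[label] += 1
    return root


def lookup(root, window):
    """Confidence of the longest stored suffix of `window`, or None if none is stored."""
    for start in range(len(window)):            # longest suffix first
        node = root
        for api in window[start:]:
            node = node.children.get(api)
            if node is None:
                break
        else:
            return node.confidence()
    return None


def score_trace(root, apis, max_len=MAX_LEN):
    """Slide a window over the runtime trace; return the highest confidence seen."""
    best = 0.0
    for end in range(1, len(apis) + 1):
        conf = lookup(root, apis[max(0, end - max_len):end])
        if conf is not None and conf > best:
            best = conf
    return best


def is_malicious(root, apis, threshold=THRESHOLD):
    return score_trace(root, apis) >= threshold


# Constructed sample data: short API-call traces with labels (not from the paper).
TRAINING = [
    (["getDeviceId", "getSubscriberId", "openConnection", "write"], "mal"),
    (["getDeviceId", "getSubscriberId", "sendTextMessage"], "mal"),
    (["getLine1Number", "openConnection", "write"], "mal"),
    (["getDeviceId", "openConnection", "write"], "ben"),
    (["getLocation", "openConnection", "write"], "ben"),
    (["getSubscriberId", "getDeviceId", "sendTextMessage"], "ben"),
]

if __name__ == "__main__":
    trie = build_trie(TRAINING)
    for trace in (["getDeviceId", "getSubscriberId", "openConnection", "write"],
                  ["getDeviceId", "openConnection", "write"]):
        print(trace, "->", score_trace(trie, trace), is_malicious(trie, trace))
```

In the client-server split the abstract describes, the instrumented (rewritten) app on the device would only need to ship windows of recent API names to the server holding the trie; the lookup walks at most MAX_LEN edges per window, which is the kind of bounded per-call cost that makes the approach cheap at runtime.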

Original language: English
Article number: 8094314
Journal: Mobile Information Systems
Volume: 2018
DOI: 10.1155/2018/8094314
ISSN: 1574-017X
State: Published - 2018 Jan 1

Fingerprint

Dynamic analysis
Static analysis
Application programming interfaces (API)
Hidden Markov models
Mobile devices
Servers
Malware
Experiments

Cite this

Kim, Taeguen; Kang, Boojoong; Im, Eul Gyu. Runtime Detection Framework for Android Malware. In: Mobile Information Systems, Vol. 2018, Article 8094314, 2018. DOI: 10.1155/2018/8094314. ISSN 1574-017X. Scopus: 85045553885 (http://www.scopus.com/inward/record.url?scp=85045553885&partnerID=8YFLogxK).