Published in: Journal of Intelligent Information Systems 1/2012

01-02-2012

“Andromaly”: a behavioral malware detection framework for android devices

Authors: Asaf Shabtai, Uri Kanonov, Yuval Elovici, Chanan Glezer, Yael Weiss


Abstract

This article presents Andromaly, a framework for detecting malware on Android mobile devices. The proposed framework realizes a Host-based Malware Detection System that continuously monitors various features and events obtained from the mobile device and then applies Machine Learning anomaly detectors to classify the collected data as normal (benign) or abnormal (malicious). Since no malicious applications are yet available for Android, we developed four malicious applications and evaluated Andromaly’s ability to detect new malware based on samples of known malware. We evaluated several combinations of anomaly detection algorithms, feature selection methods, and the number of top features in order to find the combination that yields the best performance in detecting new malware on Android. Empirical results suggest that the proposed framework is effective in detecting malware on mobile devices in general and on Android in particular.
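The evaluation the abstract describes (a detector trained on benign device behaviour, a feature-ranking step, and a sweep over the number of top features) can be sketched in a few dozen lines. The following is an added illustration and not the authors' Andromaly code: the feature names, the constructed monitoring samples, the Fisher-score ranking and the z-score anomaly detector are all my own assumptions, chosen only to show how the Detection Rate and False Alarm Rate of footnotes 2 and 3 fall out of such a pipeline.

```python
import math
from typing import Dict, List, Sequence, Tuple

# Illustrative feature names (assumption, not the paper's feature set).
FEATURES = ["cpu_load", "mem_active_kb", "pkts_sent", "pkts_recv", "sms_sent"]

# Constructed monitoring samples, one vector per sampling interval.
# Values are made up for the example, not measurements from the paper.
BENIGN_TRAIN = [[10, 400, 2, 5, 0], [12, 420, 4, 7, 1], [14, 440, 3, 6, 0],
                [16, 460, 5, 8, 1], [12, 420, 3, 6, 0], [14, 440, 4, 7, 1]]
BENIGN_TEST = [[13, 430, 3, 6, 0], [15, 450, 4, 7, 1]]
KNOWN_MALWARE = [[30, 480, 40, 9, 12], [28, 470, 35, 8, 10]]   # used only to rank features
NEW_MALWARE = [[35, 500, 50, 10, 15], [14, 440, 4, 7, 1],        # second sample is stealthy
               [26, 465, 30, 8, 9], [32, 490, 45, 10, 13]]


def _mean_var(values: Sequence[float]) -> Tuple[float, float]:
    mu = sum(values) / len(values)
    return mu, sum((v - mu) ** 2 for v in values) / len(values)


def fisher_scores(benign, malicious) -> List[float]:
    """Fisher score per feature: squared gap of class means over summed class variances."""
    scores = []
    for j in range(len(FEATURES)):
        mb, vb = _mean_var([x[j] for x in benign])
        mm, vm = _mean_var([x[j] for x in malicious])
        scores.append((mb - mm) ** 2 / (vb + vm + 1e-9))
    return scores


def select_top_features(benign, malicious, k: int) -> List[int]:
    """Indices of the k best-separating features, highest Fisher score first."""
    scores = fisher_scores(benign, malicious)
    return sorted(range(len(FEATURES)), key=lambda j: -scores[j])[:k]


class ZScoreDetector:
    """One-class anomaly detector: a sample is flagged when its largest |z| on the
    selected features, relative to the benign training profile, exceeds the threshold."""

    def __init__(self, feature_idx: Sequence[int], threshold: float):
        self.idx, self.threshold, self.stats = list(feature_idx), threshold, {}

    def fit(self, benign):
        for j in self.idx:
            mu, var = _mean_var([x[j] for x in benign])
            self.stats[j] = (mu, math.sqrt(var) or 1e-9)   # guard constant features
        return self

    def score(self, x) -> float:
        return max(abs(x[j] - mu) / sd for j, (mu, sd) in self.stats.items())

    def is_malicious(self, x) -> bool:
        return self.score(x) > self.threshold


def evaluate(det: ZScoreDetector, benign, malicious) -> Tuple[float, float]:
    """Returns (Detection Rate = TP/(TP+FN), False Alarm Rate = FP/(FP+TN))."""
    tp = sum(det.is_malicious(x) for x in malicious)
    fp = sum(det.is_malicious(x) for x in benign)
    return tp / len(malicious), fp / len(benign)


def run_grid(ks=(1, 3, 5), thresholds=(3.0,)) -> Dict[Tuple[int, float], Tuple[float, float]]:
    """Sweep the number of top features and the alarm threshold, as the abstract's
    evaluation does over detectors, selection methods and top-k counts."""
    results = {}
    for k in ks:
        idx = select_top_features(BENIGN_TRAIN, KNOWN_MALWARE, k)
        for t in thresholds:
            det = ZScoreDetector(idx, t).fit(BENIGN_TRAIN)
            results[(k, t)] = evaluate(det, BENIGN_TEST, NEW_MALWARE)
    return results


if __name__ == "__main__":
    for (k, t), (dr, far) in run_grid().items():
        print(f"top-{k} features, threshold {t}: detection rate {dr:.2f}, false alarm rate {far:.2f}")
```

The stealthy sample in NEW_MALWARE stays inside the benign profile on every feature, which is why the detection rate caps at 0.75 regardless of k: a behavioural detector only sees malware whose resource footprint deviates from the learned baseline.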


Footnotes

2. Also known as Detection Rate in the intrusion detection community.

3. Also known as False Alarm Rate in the intrusion detection community.

4. Android uses a proprietary format for Java bytecode called .dex (Dalvik Executable), designed to be more compact and memory-efficient than regular Java class files.
Metadata

Publisher: Springer US
Print ISSN: 0925-9902
Electronic ISSN: 1573-7675
DOI: https://doi.org/10.1007/s10844-010-0148-x