CANDYMAN: Classifying Android malware families by modelling dynamic traces with Markov chains. (September 2018)
- Record Type:
- Journal Article
- Title:
- CANDYMAN: Classifying Android malware families by modelling dynamic traces with Markov chains. (September 2018)
- Main Title:
- CANDYMAN: Classifying Android malware families by modelling dynamic traces with Markov chains
- Authors:
- Martín, Alejandro
Rodríguez-Fernández, Víctor
Camacho, David
- Abstract:
- Abstract: Malware writers are usually focused on those platforms which are most used among common users, with the aim of attacking as many devices as possible. For this reason, Android has been heavily attacked for years. Efforts dedicated to combating Android malware are mainly concentrated on detection, in order to prevent malicious software from being installed on a target device. However, it is equally important to put effort into an automatic classification of the type, or family, of a malware sample, in order to establish which actions are necessary to mitigate the damage caused. In this paper, we present CANDYMAN, a tool that classifies Android malware families by combining dynamic analysis and Markov chains. A dynamic analysis process allows representative information about a malware sample to be extracted in the form of a sequence of states, while a Markov chain models the transition probabilities between the states of the sequence, which are used as features in the classification process. The feature space built is used to train classical Machine Learning algorithms, including methods for imbalanced learning, and Deep Learning algorithms over a dataset of malware samples from different families, in order to evaluate the proposed method. Using a collection of 5,560 malware samples grouped into 179 different families (extracted from the Drebin dataset), and once a selection was made based on a minimum number of relevant and valid samples, a final set of 4,442 samples grouped into 24 different malware families was used. The experimental results indicate a precision performance of 81.8% over this dataset.
- Highlights: New model to represent sequences of states of malware samples based on Markov Chains. A study of Android malware families based on state transition probabilities. An evaluation of the proposed method over a large dataset. Five different experiments using Machine Learning and Deep Learning techniques.
- Is Part Of:
- Engineering applications of artificial intelligence. Volume 74(2018)
- Journal:
- Engineering applications of artificial intelligence
- Issue:
- Volume 74(2018)
- Issue Display:
- Volume 74, Issue 2018 (2018)
- Year:
- 2018
- Volume:
- 74
- Issue:
- 2018
- Issue Sort Value:
- 2018-0074-2018-0000
- Page Start:
- 121
- Page End:
- 133
- Publication Date:
- 2018-09
- Subjects:
- Android malware -- Dynamic analysis -- Classification -- Deep Learning -- Markov chains
Engineering -- Data processing -- Periodicals
Artificial intelligence -- Periodicals
Expert systems (Computer science) -- Periodicals
Ingénierie -- Informatique -- Périodiques
Intelligence artificielle -- Périodiques
Systèmes experts (Informatique) -- Périodiques
Artificial intelligence
Engineering -- Data processing
Expert systems (Computer science)
Periodicals
620.00285
- Journal URLs:
- http://www.sciencedirect.com/science/journal/09521976
http://www.elsevier.com/journals
- DOI:
- 10.1016/j.engappai.2018.06.006
- Languages:
- English
- ISSNs:
- 0952-1976
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3755.704500
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 17112.xml