Abstract

The widespread use of obfuscation techniques in malware creation is a challenging problem for detection systems. On the Android platform, obfuscation is also applied to change the signature of known applications and to hide the semantics of suspicious new applications. Obfuscation significantly affects static analysis schemes, because the structure of the application is no longer a true representation of its behavior or, in the case of encryption, is totally incomprehensible. Designing obfuscation-independent schemes for malware detection and categorization is a critical task. The focus of this study is to find and evaluate features that are representative of the application’s behavior and independent of most obfuscation techniques. It has been found that memory-based features extracted from the kernel task structure contain much information about the working of the application and are not affected by obfuscation schemes, as they model the run-time behavior of the application. In this study, an application’s profile is generated from the kernel task structure of the process in memory. All extracted features of the kernel task structure are thoroughly analyzed for their significance in classification. The proposed system is then tested against different obfuscation schemes to determine its effectiveness against malicious obfuscated applications. The results reveal that the proposed solution is able to detect the obfuscated malicious applications accurately.
