Malicious Application Detection Research Articles

ANDROID MALWARE CLASSIFICATION USING BASIC MACHINE LEARNING METHODS

Android malware attacks grow in both sophistication and volume day by day, thus android users are vulnerable to cyber-attacks. Researchers have developed many machine learning techniques to detect, block or mitigate these attacks. However, technological advancements, increase in Android mobile devices and the applications used on these devices, also increase problems in terms of user privacy due to malware. In this study, a comprehensive study is presented on the detection and classification of malicious applications using an up-to-date dataset containing 241 attributes. First, incorrect and missing data are detected and the relevant lines are removed, then normalization-based scaling is performed. After this preprocessing step, the data set is randomly divided into 70% training and 30% testing using hold-out cross validation. Finally, classification is carried out using 6 different machine learning methods: Multilayer Perceptron (MLP), Logistic Regression (LOGR), K-Nearest Neighbor (KNN), Decision Tree Classifier (DTC), Random Forest (RF). The comparison of modeling results demonstrates that RF machine learning technique can achieve the best performance with the level of 97% accuracy and the various other metrics for Android malware detection in real-world Android application sets.

KFFPDet: Android malicious application detection system with assisted detection of adversarial samples

Machine learning methods are widely used in Android malware detection, but carefully scrambled adversarial samples can effectively evade detection. Adversarial defence methods such as retraining and ensemble learning have high training costs and significant errors. This paper proposes a novel Android malware detection system, KFFPDet, to detect adversarial samples. It can detect adversarial samples efficiently. Firstly, this paper uses K-Nearest Neighbor (KNN) as the primary detection algorithm. In addition, this paper proposes a three-stage adversarial sample detection method, which saves the detection cost and reduces the error through prior knowledge. In the first stage, the frequency difference between benign typical features and malicious typical features is used to filter adversarial samples. In the second stage, the feature continuous values of benign typical features are used for adversarial sample filtering. The third stage filters adversarial samples by detecting isolation permissions and application programming interface (API). Experiments on various benchmark datasets verify the detection effect of KFFPDet. KFFPDet achieves 96% accuracy of adversarial sample detection on the VirusShare dataset. Compared with other advanced methods, KFFPDet ’s adversarial sample detection accuracy is improved by 4.43% to 94.53%. The experimental results show that the proposed three-stage adversarial sample detection method is useful and will help design a more effective adversarial sample detection scheme.

Malicious Application Detection in Windows Using Machine Learning

As the proliferation of digital technology continues, the threat landscape for Windows operating systems has become increasingly complex. Malicious applications, including viruses, ransomware, and spyware, pose a significant risk to both individuals and organizations. To combat this growing threat, there is a pressing need for effective and efficient methods for detecting and mitigating malicious applications. This research paper presents an innovative approach to Malicious Application Detection in Windows using Support Vector Machine (SVM) algorithms. SVM is a powerful machine learning technique that has been successfully applied in various classification tasks, including malware detection. The primary objective of this study is to develop a robust and reliable system that can differentiate between benign and malicious applications in a Windows environment. We start by collecting a comprehensive dataset of Windows applications, comprising both legitimate and malicious software samples. Feature extraction techniques are employed to convert the application data into a suitable format for SVM analysis. These features may include file attributes, system call sequences, and behaviour analysis metrics

Fight Hardware with Hardware: Systemwide Detection and Mitigation of Side-channel Attacks Using Performance Counters

We present a kernel-level infrastructure that allows systemwide detection of malicious applications attempting to exploit cache-based side-channel attacks to break the process confinement enforced by standard operating systems. This infrastructure relies on hardware performance counters to collect information at runtime from all applications running on the machine. High-level detection metrics are derived from these measurements to maximize the likelihood of promptly detecting a malicious application. Our experimental assessment shows that we can catch a large family of side-channel attacks with a significantly reduced overhead. We also discuss countermeasures that can be enacted once a process is suspected of carrying out a side-channel attack to increase the overall tradeoff between the system’s security level and the delivered performance under non-suspected process executions.

Malicious Android Application Detection Method using Machine Learning

With the increasing popularity of the Android platform, we have seen the rapid growth of malicious Android applications recently. Considering that the heavy use of applications on mobile phones such as games, emails, and social network services has become a crucial part of our daily life, we have become more vulnerable to malicious applications running on mobile devices. This paper demonstrates on the problem of detecting malicious applications in the mobile internet, which is of great importance for personal information security and privacy security. We convert the android internet malicious application detection problem to a classification problem, and utilize the SVM classifier to solve it. Finally, we conduct an experiment to test the performance of the proposed method. Experimental results that the proposed can detect android internet malicious application with higher accuracy, true positive rate, and lower false positive rate.

Android Malware Detection in Bytecode Level Using TF-IDF and XGBoost

Abstract Android is the dominant operating system in the smartphone market and there exists millions of applications in various application stores. The increase in the number of applications has necessitated the detection of malicious applications in a short time. As opposed to dynamic analysis, it is possible to obtain results in a shorter time in static analysis as there is no need to run the applications. However, obtaining various information from application packages using reverse engineering techniques still requires a substantial amount of processing power. Although some attempts have been made to solve this problem by analyzing binary files without decoding the source code, there is still more work to be done in this area. In this study, we analyzed the applications in bytecode level without decoding the binary source files. We proposed a model using Term Frequency - Inverse Document Frequency (TF-IDF) word representation for feature extraction and Extreme Gradient Boosting (XGBoost) method for classification. The experimental results show that our model classifies a given application package as a malware or benign in 2.75 s with 99.05% F1-score on a balanced dataset, and in 3.30 s with 99.35% F1-score on an imbalanced dataset containing obfuscated malwares.

Lightweight On-Device Detection of Android Malware Based on the Koodous Platform and Machine Learning.

Currently, Android is the most popular operating system among mobile devices. However, as the number of devices with the Android operating system increases, so does the danger of using them. This is especially important as smartphones increasingly authenticate critical activities(e-banking, e-identity). BotSense Mobile is a tool already integrated with some critical applications (e-banking, e-identity) to increase user safety. In this paper, we focus on the novel functionality of BotSense Mobile: the detection of malware applications on a user device. In addition to the standard blacklist approach, we propose a machine learning-based model for unknown malicious application detection. The lightweight neural network model is deployed on an edge device to avoid sending sensitive user data outside the device. For the same reason, manifest-related features can be used by the detector only. We present a comprehensive empirical analysis of malware detection conducted on recent data (May–June, 2022) from the Koodous platform, which is a collaborative platform where over 70 million Android applications were collected. The research highlighted the problem of machine learning model aging. We evaluated the lightweight model on recent Koodous data and obtained and high precision ().

Behaviour analysis of inter-app communication using a lightweight monitoring app for malware detection

Smartphone communications are becoming more and more useful for businesses to plan and organize their work and are mainly operated with android applications. The development of android applications has increased the curiosity of using the smartphone and also has many loopholes for the attackers to trigger the malicious activity. The detection of malicious activity is known as malware detection. Malware collusion is a new threat approach in which two or more malicious apps combine to accomplish their goals due to the fact that each app may appear benign to standard detection methods. To detect the malicious app, a behaviour analysis app is used to detect the communication between the two or more apps. Malicious application detection is a difficult task, especially because the user is sometimes entirely ignorant of the behaviour of the applications placed on their device. In this paper, the proposed model is a lightweight monitoring system used to detect malware by the behaviour analysis of the app. The designed model monitors the behaviour of the app by checking the app activities with the log file. These Log files consist of real-time activities and permissions of the app. Policy-based permissions are evaluated, and according to that, the malware apps are denied or granted to use the permissions of the other app. This designed model is implemented on Python 3.8 for performance metrics such as accuracy, precision, execution time, error, etc. The acquired accuracy for the proposed model is 95%, which is greater compared to the existing techniques such as MoDroid, CrowDroid and dl-Droid. Thus, the proposed model instantly detects the malware app based on the evaluation of the policy-based permissions.

Android Malware Detection Method Based on Permission Complement and API Calls

The dynamic code loading mechanism of the Android system allows an application to load executable files externally at runtime. This mechanism makes the development of applications more convenient, but it also brings security issues. Applications that hide malicious behavior in the external file by dynamic code loading are becoming a new challenge for Android malware detection. To overcome this challenge, based on dynamic code loading mechanisms, three types of threat models, i.e. Model I, Model II, and Model III are defined. For the Model I type malware, its malicious behavior occurs in DexCode, so the application programming interface (API) classes were used to characterize the behavior of the DexCode file. For the Model II type and Model III type malwares whose malicious behaviors occur in an external file, the permission complement is defined to characterize the behaviors of the external file. Based on permission complement and API calls, an Android malicious application detection method is proposed, of which feature sets are constructed by improving a feature selection method. Five datasets containing 15,581 samples are used to evaluate the performance of the proposed method. The experimental results show that our detection method achieves accuracy of 99.885% on general dataset, and performes the best on all evaluation metrics on all datasets in all comparison methods.

Detecting Malicious Facebook Applications

With daily installs, third-party Apps may be a very important cause for the recognition and attractiveness of Facebook or any on-line social media. Sadly, cyber criminals get return to appreciate the potential of victimisation apps for spreading spam and malware. we have a tendency to notice that a minimum of thirteen of Facebook apps within the dataset ar sometimes malevolent. but with their findings , many problems like fake profiles, malicious applications have put together grown There are not any potential solutions to those issues. throughout this project, we have a tendency to tend to return up with a framework that automatic detection of malicious applications is possible and is economical. Suppose there is a Facebook application, can the Facebook user verify that the app is malicious or not. actually the Facebook user cannot establish that so The key contribution is in developing the primary tool dedicated to detection deceitful apps on Facebook is FRAppE-Rigorous Facebook's Application authority. we have a tendency to tend to leverage information nonheritable from the posting behaviour of Facebook applications seen by uncountable Facebook users to develop FRAppE. initial we have a tendency to establish a collection of options that facilitate United States to research malicious from benign ones. Second, investing these identifying options ,where we have a tendency to show that FRAppE will discover malicious apps with ninety five.9% accuracy. Finally, we have a tendency to explore the ecosystems of malicious Facebook apps and establish mechanisms that these apps use to unfold. Key Words:apps, malicious, on-line social networks.

An Android Malicious Application Detection Method with Decision Mechanism in the Operating Environment of Blockchain

Recently, security policies and behaviour detection methods have been proposed to improve the security of blockchain by many researchers. However, these methods cannot discover the source of typical behaviours, such as the malicious applications in the blockchain environment. Android application is an important part of the blockchain operating environment, and machine learning-based Android malware application detection method is significant for blockchain user security. The way of constructing features in these methods determines the performance. The single-feature mechanism, training classifiers with one type of features, cannot detect the malicious applications effectively which exhibit the typical behaviours in various forms. The multifeatures fusion mechanism, constructing mixed features from multiple types of data sources, can cover more kinds of information. However, different types of data sources will interfere with each other in the mixed features constructed by this mechanism. That limits the performance of the model. In order to improve the detection performance of Android malicious applications in complex scenarios, we propose an Android malicious application detection method which includes parallel feature processing and decision mechanism. Our method uses RGB image visualization technology to construct three types of RGB image which are utilized to train different classifiers, respectively, and a decision mechanism is designed to fuse the outputs of subclassifiers through weight analysis. This approach simultaneously extracts different types of features, which preserve application information comprehensively. Different classifiers are trained by these features to guarantee independence of each feature and classifier. On this basis, a comprehensive analysis of many methods is performed on the Android malware dataset, and the results show that our method has better efficiency and adaptability than others.

Learning-Based Detection for Malicious Android Application Using Code Vectorization

The malicious APK (Android Application Package) makers use some techniques such as code obfuscation and code encryption to avoid existing detection methods, which poses new challenges for accurate virus detection and makes it more and more difficult to detect the malicious code. A report indicates that a new malicious app for Android is created every 10 seconds. To combat this serious malware activity, a scalable malware detection approach is needed, which can effectively and efficiently identify the malware apps. Common static detection methods often rely on Hash matching and analysis of viruses, which cannot quickly detect new malicious Android applications and their variants. In this paper, a malicious Android application detection method is proposed, which is implemented by the deep network fusion model. The hybrid model only needs to use the sample training model to achieve high accuracy in the identification of the malicious applications, which is more suitable for the detection of the new malicious Android applications than the existing methods. This method extracts the static features in the core code of the Android application by decompiling APK files, then performs code vectorization processing, and uses the deep learning network for classification and discrimination. Our experiments with a data set containing 10,170 apps show that the decisions from the hybrid model can increase the malware detection rate significantly on a real device, which verifies the superiority of this method in the detection of malicious codes.

Permission Sensitivity-Based Malicious Application Detection for Android

Since a growing number of malicious applications attempt to steal users’ private data by illegally invoking permissions, application stores have carried out many malware detection methods based on application permissions. However, most of them ignore specific permission combinations and application categories that affect the detection accuracy. The features they extracted are neither representative enough to distinguish benign and malicious applications. For these problems, an Android malware detection method based on permission sensitivity is proposed. First, for each kind of application categories, the permission features and permission combination features are extracted. The sensitive permission feature set corresponding to each category label is then obtained by the feature selection method based on permission sensitivity. In the following step, the permission call situation of the application to be detected is compared with the sensitive permission feature set, and the weight allocation method is used to quantify this information into numerical features. In the proposed method of malicious application detection, three machine-learning algorithms are selected to construct the classifier model and optimize the parameters. Compared with traditional methods, the proposed method consumed 60.94% less time while still achieving high accuracy of up to 92.17%.

SUIP: An Android malware detection method based on data flow features

Currently static detection is the most commonly used in Android malware detection. Among them, the extraction of various features is particularly important. In analysing the data flow features of applications, researchers usually use taint analysis method to extract. However, this method lack intermediate process features. So in this paper, we analyse the features of Android components to obtain application data transfer features for complementing the application data flow features and build a more complete combination of data flow features. Based on this, we propose a new Android malicious application detection method—SUIP. This method complements the missing features based on taint analysis, and combines the LightGBM algorithm to build a detection model. Finally, we use the sample set in Virusshare for experiments. Compared with the traditional static detection method of Android malicious code, the result shows that our detection method has a high detection accuracy of 98.50%.

Detecting Colluding Inter-App Communication in Mobile Environment

The increase in computing capabilities of mobile devices has, in the last few years, made possible a plethora of complex operations performed from smartphones and tablets end users, for instance, from a bank transfer to the full management of home automation. Clearly, in this context, the detection of malicious applications is a critical and challenging task, especially considering that the user is often totally unaware of the behavior of the applications installed on their device. In this paper, we propose a method to detect inter-app communication i.e., a colluding communication between different applications with data support to silently exfiltrate sensitive and private information. We based the proposed method on model checking, by representing Android applications in terms of automata and by proposing a set of logic properties to reduce the number of comparisons and a set of logic properties automatically generated for detecting colluding applications. We evaluated the proposed method on a set of 1092 Android applications, including different colluding attacks, by obtaining an accuracy of 1, showing the effectiveness of the proposed method.

MVIIDroid: A Multiple View Information Integration Approach for Android Malware Detection and Family Identification

With the rapid growth of Android applications, there is an urgent need for powerful Android malware detection technology nowadays. Existing classification models can be summarized with the following two steps-feature extraction and classification model learning. To further enhance the representation ability of existing classification models, this article presents an Android malicious application detection framework termed multiview information integration technology (MVIIDroid). To be specific, in our approach, we extract applications’ multiple components, transform them into embedding feature vectors and train a multiple Kernel learning model as the classifier. To illustrate the effectiveness of our model, we evaluate MVIIDroid on two Android malware datasets of 6820 malware and 6820 benign applications. Results show that we have superior classification performances when separating malware from benign applications. Moreover, we further evaluate MVIIDroid's ability to attribute malicious applications to their actual families. The experimental results well demonstrate the effectiveness of the proposed model.

Machine Learning Based Malicious Android Application Detection

The ultimate aim of the project is to improve permission for detecting the malicious android mobile application using machine learning algorithms. In recent years, the usages of smartphones are increasing steadily and also growth of Android application users are increasing. Due to growth of Android application users, some intruders are creating malicious android applications as a tool to steal the sensitive data and identity theft/fraud mobile bank, mobile wallets. There are so many malicious applications detection tools and software are available. But an effectiveness of malicious applications detection tools is the need for the hour. They are needed to tackle and handle new complex malicious apps created by intruder or hackers.

MADFU: An Improved Malicious Application Detection Method Based on Features Uncertainty.

Millions of Android applications (apps) are widely used today. Meanwhile, the number of malicious apps has increased exponentially. Currently, there are many security detection technologies for Android apps, such as static detection and dynamic detection. However, the uncertainty of the features in detection is not considered sufficiently in these technologies. Permissions play an important role in the security detection of Android apps. In this paper, a malicious application detection model based on features uncertainty (MADFU) is proposed. MADFU uses logistic regression function to describe the input (permissions) and output (labels) relationship. Moreover, it uses the Markov chain Monte Carlo (MCMC) algorithm to solve features’ uncertainty. After experimenting with 2037 samples, for malware detection, MADFU achieves an accuracy of up to 95.5%, and the false positive rate (FPR) is 1.2%. MADFU’s Android app detection accuracy is higher than the accuracy of directly using 24 dangerous permission. The results also indicate that the method for an unknown/new sample’s detection accuracy is 92.7%. Compared to other state-of-the-art approaches, the proposed method is more effective and efficient, by detecting malware.

Detecting Malicious Apps in Android Devices using SVM, Random Forest & Decision Trees

In recent years, the usages of smart phones are increasing steadily and also growth of Android application users are increasing. Due to growth of Android application user, some intruder are creating malicious android application as tool to steal the sensitive data. We need an effective and efficient malicious applications detection tool to handle new complex malicious apps created by intruder or hackers. This project deals with idea of using machine learning approaches for detecting the malicious android application. First we have to gather dataset of past malicious apps as training set and with the help of Support vector machine algorithm and decision tree algorithm make up comparison with training dataset and trained dataset we can predict the malware android apps upto 93.2 % unknown / New malware mobile application. By implementing SIGPID, Significant Permission Identification (SIGPID).The goal of the sigid is to improve the apps permissions effectively and efficiently. This SIGPID system improves the accuracy and efficient detection of malware application. With the help of machine learning algorithms such as SVM, Random Forest Classifier and Decision Tree algorithms we make a comparison between training dataset and trained dataset to classify malicious application and benign app.

Detection of Android malicious applications based on APIs

Machine learning technology is widely used to detect Android malware, among which the selection of features is particularly important. Compared with the permission applied, the APIs invoked by applications can better reflect the behavior of the application. Therefore, many researches choose APIs as the features of machine learning classification algorithm to detect Android malware. Generally, researchers simply select APIs as features, rather than focus on how to select features more beneficial for detection. This paper proposes an Android malware detection method based on APIs frequent pattern selection and use Relief and particle swarm optimization algorithm to jointly select feature subset for detection.