Publication Type

Journal Article

Publication Date

4-2017

Abstract

Context: State-of-the-art works on automated detection of Android malware have leveraged app descriptions to spot anomalies w.r.t the functionality implemented, or have used data flow information as a feature to discriminate malicious from benign apps. Although these works have yielded promising performance, we hypothesize that these performances can be improved by a better understanding of malicious behavior.

Objective: To characterize malicious apps, we take into account both information on app descriptions, which are indicative of apps’ topics, and information on sensitive data flow, which can be relevant to discriminate malware from benign apps.

Method: In this paper, we propose a topic-specific approach to malware comprehension based on app descriptions and data-flow information. First, we use an advanced topic model, adaptive LDA with GA, to cluster apps according to their descriptions. Then, we use information gain ratio of sensitive data flow information to build so-called “topic-specific data flow signatures”.

Results: We conduct an empirical study on 3691 benign and 1612 malicious apps. We group them into 118 topics and generate topic-specific data flow signature. We verify the effectiveness of the topic-specific data flow signatures by comparing them with the overall data flow signature. In addition, we perform a deeper analysis on 25 representative topic-specific signatures and yield several implications.

Conclusion: Topic-specific data flow signatures are efficient in highlighting the malicious behavior, and thus can help in characterizing malware.

Discipline

OS and Networks | Software Engineering

Research Areas

Cybersecurity

Publication

Information and Software Technology

Volume

90

First Page

27

Last Page

39

ISSN

0950-5849

Identifier

10.1016/j.infsof.2017.04.007

Publisher

Elsevier

Creative Commons License

Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Additional URL

https://doi.org/10.1016/j.infsof.2017.04.007
