Publication Type
Journal Article
Version
acceptedVersion
Publication Date
6-2016
Abstract
Most existing mobile malware detection methods (e.g., Kirin and DroidMat) are designed based on the resources required by malwares (e.g., permissions, application programming interface (API) calls, and system calls). These methods capture the interactions between mobile apps and Android system, but ignore the communications among components within or cross application boundaries. As a consequence, the majority of the existing methods are less effective in identifying many typical malwares, which require a few or no suspicious resources, but leverage on inter-component communication (ICC) mechanism when launching stealthy attacks. To address this challenge, we propose a new malware detection method, named ICCDetector. ICCDetector outputs a detection model after training with a set of benign apps and a set of malwares, and employs the trained model for malware detection. The performance of ICCDetector is evaluated with 5264 malwares, and 12 026 benign apps. Compared with our benchmark, which is a permission-based method proposed by Peng et al. in 2012 with an accuracy up to 88.2%, ICCDetector achieves an accuracy of 97.4%, roughly 10% higher than the benchmark, with a lower false positive rate of 0.67%, which is only about a half of the benchmark. After manually analyzing false positives, we discover 43 new malwares from the benign data set, and reduce the number of false positives to seven. More importantly, ICCDetector discovers 1708 more advanced malwares than the benchmark, while it misses 220 obvious malwares, which can be easily detected by the benchmark. For the detected malwares, ICCDetector further classifies them into five newly defined malware categories, which help understand the relationship between malicious behaviors and ICC characteristics. We also provide a systemic analysis of ICC patterns of benign apps and malwares.
Keywords
ICC, malware detection, Android
Discipline
Computer Sciences | Information Security
Research Areas
Cybersecurity
Publication
IEEE Transactions on Information Forensics and Security
Volume
11
Issue
6
First Page
1252
Last Page
1264
ISSN
1556-6013
Identifier
10.1109/TIFS.2016.2523912
Publisher
Institute of Electrical and Electronics Engineers (IEEE)
Citation
KE, Xu; Yingjiu LI; and DENG, Robert H..
ICCDetector: ICC-based malware detection on Android. (2016). IEEE Transactions on Information Forensics and Security. 11, (6), 1252-1264.
Available at: https://ink.library.smu.edu.sg/sis_research/3296
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/TIFS.2016.2523912