Experimental comparison of features and classifiers for Android malware detection

Author

Lwin Khin SHAR, Singapore Management UniversityFollow
Biniam Fisseha DEMISSIE, Fondazione Bruno Kessler
Mariano CECCATO, University of Verona
Wei MINN, Singapore Management UniversityFollow

Publication Type

Conference Proceeding Article

Version

publishedVersion

Publication Date

10-2020

Abstract

Android platform has dominated the smart phone market for years now and, consequently, gained a lot of attention from attackers. Malicious apps (malware) pose a serious threat to the security and privacy of Android smart phone users. Available approaches to detect mobile malware based on machine learning rely on features extracted with static analysis or dynamic analysis techniques. Dif- ferent types of machine learning classi ers (such as support vector machine and random forest) deep learning classi ers (based on deep neural networks) are then trained on extracted features, to produce models that can be used to detect mobile malware. The usually-analyzed features include permissions requested/used, fre- quency of API calls, use of API calls, and sequence of API calls. The API calls are analyzed at various granularity levels such as method, class, package, and family.

In the view of the proposals of di erent types of classi ers and the use of di erent types of features and di erent underlying analy- ses used for feature extraction, there is a need for a comprehensive evaluation on the e ectiveness of the current state-of-the-art stud- ies in malware detection on a common benchmark. In this work, we provide a baseline comparison of several conventional machine learning classi ers and deep learning classi ers, without ne tun- ing. We also provide the evaluation of di erent types of features that characterize the use of API calls at class level and the sequence of API calls at method level. Features have been extracted from a common benchmark of 4572 benign samples and 2399 malware samples, using both static analysis and dynamic analysis.

Among other interesting ndings, we observed that classi ers trained on the use of API calls generally perform better than those trained on the sequence of API calls. Classi ers trained on static analysis-based features perform better than those trained on dy- namic analysis-based features. Deep learning classi ers, despite their sophistication, are not necessarily better than conventional classi ers, especially when they are not optimized. However, deep learning classi ers do perform better than conventional classi ers when trained on dynamic analysis-based features.

Keywords

Malware detection, machine learning, deep learning, Android

Discipline

Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

MOBILESoft 2020: Proceedings of the 7th IEEE/ACM International Conference on Mobile Software Engineering and Systems, Seoul, South Korea, October 5-6

First Page

50

Last Page

60

ISBN

9781450379595

Identifier

10.1145/3387905.3388596

Publisher

ACM

City or Country

New York

Embargo Period

4-27-2020

Citation

SHAR, Lwin Khin; DEMISSIE, Biniam Fisseha; CECCATO, Mariano; and MINN, Wei. Experimental comparison of features and classifiers for Android malware detection. (2020). MOBILESoft 2020: Proceedings of the 7th IEEE/ACM International Conference on Mobile Software Engineering and Systems, Seoul, South Korea, October 5-6. 50-60.
Available at: https://ink.library.smu.edu.sg/sis_research/5115

Copyright Owner and License

Publisher

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1145/3387905.3388596