Publication Type
Conference Proceeding Article
Version
publishedVersion
Publication Date
10-2020
Abstract
Android platform has dominated the smart phone market for years now and, consequently, gained a lot of attention from attackers. Malicious apps (malware) pose a serious threat to the security and privacy of Android smart phone users. Available approaches to detect mobile malware based on machine learning rely on features extracted with static analysis or dynamic analysis techniques. Different types of machine learning classifiers (such as support vector machine and random forest) and deep learning classifiers (based on deep neural networks) are then trained on extracted features, to produce models that can be used to detect mobile malware. The usually-analyzed features include permissions requested/used, frequency of API calls, use of API calls, and sequence of API calls. The API calls are analyzed at various granularity levels such as method, class, package, and family.
In the view of the proposals of different types of classifiers and the use of different types of features and different underlying analyses used for feature extraction, there is a need for a comprehensive evaluation on the effectiveness of the current state-of-the-art studies in malware detection on a common benchmark. In this work, we provide a baseline comparison of several conventional machine learning classifiers and deep learning classifiers, without fine tuning. We also provide the evaluation of different types of features that characterize the use of API calls at class level and the sequence of API calls at method level. Features have been extracted from a common benchmark of 4572 benign samples and 2399 malware samples, using both static analysis and dynamic analysis.
Among other interesting findings, we observed that classifiers trained on the use of API calls generally perform better than those trained on the sequence of API calls. Classifiers trained on static analysis-based features perform better than those trained on dynamic analysis-based features. Deep learning classifiers, despite their sophistication, are not necessarily better than conventional classifiers, especially when they are not optimized. However, deep learning classifiers do perform better than conventional classifiers when trained on dynamic analysis-based features.
Keywords
Malware detection, machine learning, deep learning, Android
Discipline
Software Engineering
Research Areas
Software and Cyber-Physical Systems
Publication
MOBILESoft 2020: Proceedings of the 7th IEEE/ACM International Conference on Mobile Software Engineering and Systems, Seoul, South Korea, October 5-6
First Page
50
Last Page
60
ISBN
9781450379595
Identifier
10.1145/3387905.3388596
Publisher
ACM
City or Country
New York
Embargo Period
4-27-2020
Citation
SHAR, Lwin Khin; DEMISSIE, Biniam Fisseha; CECCATO, Mariano; and MINN, Wei.
Experimental comparison of features and classifiers for Android malware detection. (2020). MOBILESoft 2020: Proceedings of the 7th IEEE/ACM International Conference on Mobile Software Engineering and Systems, Seoul, South Korea, October 5-6. 50-60.
Available at: https://ink.library.smu.edu.sg/sis_research/5115
Copyright Owner and License
Publisher
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1145/3387905.3388596