Publication Type

Journal Article

Version

acceptedVersion

Publication Date

3-2022

Abstract

A novel slow-aging solution named SDAC is proposed to address the model aging problem in Android malware detection, which is due to a lack of adaptation to the changes in Android specifications during malware detection. Unlike the periodic retraining of detection models in existing solutions, SDAC evolves effectively by evaluating new APIs' contributions to malware detection according to existing APIs' contributions. In SDAC, the contributions of APIs are evaluated by their contexts in the API call sequences extracted from Android apps. A neural network is applied to the sequences to assign APIs to vectors, and the differences between API vectors are regarded as semantic distances. SDAC then clusters all APIs based on their semantic distances to create a feature set in the training phase, and extends the feature set to include all new APIs in the detection phase. Without being trained on any new set of real-labelled apps, SDAC can adapt to the changes in Android specifications by simply identifying new APIs appearing in the detection phase. In extensive experiments with datasets dated from 2011 to 2016, SDAC achieves a significantly higher accuracy and a significantly slower aging speed than MaMaDroid, a state-of-the-art Android malware detection solution which maintains resilience to API changes.

Keywords

Android Malware Detection, Mobile Security

Discipline

Information Security

Research Areas

Cybersecurity

Publication

IEEE Transactions on Dependable and Secure Computing

Volume

19

Issue

2

First Page

1149

Last Page

1163

ISSN

1545-5971

Identifier

10.1109/TDSC.2020.3005088

Publisher

IEEE

Embargo Period

6-11-2021

Copyright Owner and License

Authors

Additional URL

https://doi.org/10.1109/TDSC.2020.3005088
