Learning and Verifying Unwanted Behaviours

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Unwanted behaviours, such as interception and forwarding of incoming messages, have been repeatedly seen in Android malware. We study the problem of learning unwanted behaviours from malware instances and verifying the application in question to deny these behaviours. We approximate an application’s behaviours by an automaton, i.e., finite control-sequences of events, actions, and annotated API calls, and develop an efficient machine-learning-centred method to construct and choose abstract sub-automata, to characterise unwanted behaviours exhibited in hundreds and thousands of malware instances. By taking the verification results against unwanted behaviours as input features, we show that the performance of detecting new malware is improved dramatically; in particular, the precision and recall are respectively 8% and 51% better than those using API calls and permissions, which are the best performing features known so far. This is the first automatic approach to generate unwanted behaviours for machine-learning-based Android malware detection. We also demonstrate unwanted behaviours constructed for well-known malware families. They compare well to those described in human-authored descriptions of these families.
Original language: English
Title of host publication: 4th Workshop on Hot Issues in Security Principles and Trust (HotSpot 2016)
Pages: 17-32
Number of pages: 15
Publication status: Published - 2016
Event: 4th Workshop on Hot Issues in Security Principles and Trust - Eindhoven, Netherlands
Duration: 3 Apr 2016 → 3 Apr 2016
https://members.loria.fr/VCortier/files/HotSpot2016/

Workshop

Workshop: 4th Workshop on Hot Issues in Security Principles and Trust
Abbreviated title: HotSpot 2016
Country/Territory: Netherlands
City: Eindhoven
Period: 3/04/16 → 3/04/16