Learning and Verifying Unwanted Behaviours

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract / Description of output

Unwanted behaviours, such as interception and forwarding of incoming messages, have been repeatedly seen in Android malware. We study the problem of learning unwanted behaviours from malware instances and verifying the application in question to deny these behaviours. We approximate an application’s behaviours by an automaton, i.e., finite control-sequences of events, actions, and annotated API calls, and develop an efficient machine-learning-centred method to construct and choose abstract sub-automata, to characterise unwanted behaviours exhibited in hundreds and thousands of malware instances. By taking the verification results against unwanted behaviours as input features, we show that the performance of detecting new malware is improved dramatically, in particular, the precision and recall are respectively 8% and 51% better than those using API calls and permissions, which are the best performing features known so far. This is the first automatic approach to generate unwanted behaviours for machine-learning-based Android malware detection. We also demonstrate unwanted behaviours constructed for well-known malware families. They compare well to those described in human-authorised descriptions of these families.
Original languageEnglish
Title of host publication4th Workshop on Hot Issues in Security Principles and Trust (HotSpot 2016)
Number of pages15
Publication statusPublished - 2016
Event4th Workshop on Hot Issues in Security Principles and Trust - Eindhoven, Netherlands
Duration: 3 Apr 20163 Apr 2016


Workshop4th Workshop on Hot Issues in Security Principles and Trust
Abbreviated titleHotSpot 2016
Internet address


Dive into the research topics of 'Learning and Verifying Unwanted Behaviours'. Together they form a unique fingerprint.

Cite this