Edinburgh Research Explorer

On Robust Malware Classifiers by Verifying Unwanted Behaviours

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Original languageEnglish
Title of host publicationIntegrated Formal Methods
Subtitle of host publication12th International Conference, IFM 2016, Reykjavik, Iceland, June 1-5, 2016, Proceedings
PublisherSpringer International Publishing
Number of pages15
ISBN (Electronic)978-3-319-33693-0
ISBN (Print)978-3-319-33692-3
Publication statusPublished - Jun 2016
Event12th International Conference on integrated Formal Methods - Reykjavik, Iceland
Duration: 1 Jun 20163 Jun 2016

Publication series

NameLecture Notes in Computer Science
PublisherSpringer International Publishing
ISSN (Print)0302-9743


Conference12th International Conference on integrated Formal Methods
Abbreviated titleIFM 2016
Internet address


Machine-learning-based Android malware classifiers perform badly on the detection of new malware, in particular, when they take API calls and permissions as input features, which are the best performing features known so far. This is mainly because signature-based features are very sensitive to the training data and cannot capture general behaviours of identified malware. To improve the robustness of classifiers, we study the problem of learning and verifying unwanted behaviours abstracted as automata. They are common patterns shared by malware instances but rarely seen in benign applications, e.g., interception and forwarding incoming SMS messages. We show that by taking the verification results against unwanted behaviours as input features, the classification performance of detecting new malware is improved dramatically. In particular, the precision and recall are respectively 8% and 51% better than those using API calls and permissions, measured against industrial datasets collected across several years. Our approach integrates several methods: formal methods, machine learning and text mining techniques. It is the first to automatically generate unwanted behaviours for Android malware detection. We also demonstrate unwanted behaviours constructed for well-known malware families. They compare well to those described in human-authored descriptions of these families.


12th International Conference on integrated Formal Methods


Reykjavik, Iceland

Event: Conference

Download statistics

No data available

ID: 24389270