UCL Discovery Stage

Breaking the structure of MaMaDroid

Berger, H; Dvir, A; Mariconti, E; Hajaj, C; (2023) Breaking the structure of MaMaDroid. Expert Systems with Applications, 228, Article 120429. 10.1016/j.eswa.2023.120429. Green open access

mamadroid2_expert_systems_revision.pdf - Accepted Version

Abstract

Android malware is a continuously expanding threat to billions of mobile users around the globe. Detection systems are updated constantly to address these threats. However, a backlash takes the form of evasion attacks, in which an adversary changes malicious samples in the wild such that they will be misclassified as benign. This paper comprehensively inspects a well-known Android malware detection system, MaMaDroid, which analyzes the control flow graph of the application. Changes in the portion of benign samples in the training set are considered to reveal their effect on the resulting classifier. These changes in the ratio between benign and malicious samples have a clear effect on each of the models, resulting in a decrease of more than 40% in their detection rate, model confidence, and reliability. Moreover, adopted Machine Learning models were implemented as well, including 5-NN, Decision Tree, and Adaboost. Exploration of the six models showed a typical behavior in different cases, of tree-based models and distance-based models. Moreover, three novel attacks that manipulate the Control Flow Graph (CFG) are described for each of the targeted models. The attacks decrease the detection rate of most models to less than 10%, with regards to different ratios of benign to malicious apps. As a result, a new version of MaMaDroid is engineered, which fuses the CFG of the app and static analysis of features of the app. This improved model is proven to be robust against evasion attacks targeting CFG-based models and static analysis models, achieving a detection rate of ∼80%.

Type: Article
Title: Breaking the structure of MaMaDroid
Open access status: An open access version is available from UCL Discovery
DOI: 10.1016/j.eswa.2023.120429
Publisher version: https://doi.org/10.1016/j.eswa.2023.120429
Language: English
Additional information: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions.
Keywords: Machine learning, Evasion attacks, Android malware detection
UCL classification: UCL
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science
URI: https://discovery-pp.ucl.ac.uk/id/eprint/10173904