Mariconti, E; Onwuzurike, L; Andriotis, P; De Cristofaro, E; Ross, G; Stringhini, G; (2017) MamaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models. In: Proceedings of the ISOC Network and Distributed Systems Security Symposium (NDSS). Internet Society: San Diego, CA, USA.
Abstract
The rise in popularity of the Android platform has resulted in an explosion of malware threats targeting it. As both Android malware and the operating system itself constantly evolve, it is very challenging to design robust malware mitigation techniques that can operate for long periods of time without the need for modifications or costly re-training. In this paper, we present MAMADROID, an Android malware detection system that relies on app behavior. MAMADROID builds a behavioral model, in the form of a Markov chain, from the sequence of abstracted API calls performed by an app, and uses it to extract features and perform classification. By abstracting calls to their packages or families, MAMADROID maintains resilience to API changes and keeps the feature set size manageable. We evaluate its accuracy on a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it not only effectively detects malware (with up to 99% F-measure), but also that the model built by the system keeps its detection capabilities for long periods of time (on average, 86% and 75% F-measure, respectively, one and two years after training). Finally, we compare against DROIDAPIMINER, a state-of-the-art system that relies on the frequency of API calls performed by apps, showing that MAMADROID significantly outperforms it.
Type: | Proceedings paper |
---|---|
Title: | MamaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models |
Event: | NDSS '17: Network and Distributed Systems Security Symposium 2017 |
Location: | San Diego, California, USA |
Dates: | 26 February 2017 - 01 March 2017 |
ISBN: | 1-1891562-46-0 |
Open access status: | An open access version is available from UCL Discovery |
DOI: | 10.14722/ndss.2017.23353 |
Publisher version: | http://dx.doi.org/10.14722/ndss.2017.23353 |
Language: | English |
Additional information: | Copyright © 2017 Internet Society. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author’s employer if the paper was prepared within the scope of employment. |
UCL classification: | UCL; UCL > Provost and Vice Provost Offices > UCL BEAMS; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Maths and Physical Sciences; UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Maths and Physical Sciences > Dept of Statistical Science |
URI: | https://discovery-pp.ucl.ac.uk/id/eprint/1532047 |