Skip to main content

Research Repository

Advanced Search

MaMaDroid: Detecting Android malware by building Markov chains of behavioral models (extended version)

Onwuzurike, Lucky; Mariconti, Enrico; Andriotis, Panagiotis; De Cristofaro, Emiliano; Ross, Gordon; Stringhini, Gianluca

MaMaDroid: Detecting Android malware by building Markov chains of behavioral models (extended version) Thumbnail


Authors

Lucky Onwuzurike

Enrico Mariconti

Profile image of Panos Andriotis

Dr Panos Andriotis Panagiotis.Andriotis@uwe.ac.uk
Senior Lecturer in Computer Forensics and Security

Emiliano De Cristofaro

Gordon Ross

Gianluca Stringhini



Abstract

As Android has become increasingly popular, so has malware targeting it, thus motivating the research community to propose different detection techniques. However, the constant evolution of the Android ecosystem, and of malware itself, makes it hard to design robust tools that can operate for long periods of time without the need for modifications or costly re-training. Aiming to address this issue, we set to detect malware from a behavioral point of view, modeled as the sequence of abstracted API calls. We introduce MaMaDroid, a static-analysis-based system that abstracts app's API calls to their class, package, or family, and builds a model from their sequences obtained from the call graph of an app as Markov chains. This ensures that the model is more resilient to API changes and the features set is of manageable size. We evaluate MaMaDroid using a dataset of 8.5K benign and 35.5K malicious apps collected over a period of 6 years, showing that it effectively detects malware (with up to 0.99 F-measure) and keeps its detection capabilities for long periods of time (up to 0.87 F-measure 2 years after training). We also show that MaMaDroid remarkably overperforms DroidAPIMiner, a state-of-the-art detection system that relies on the frequency of (raw) API calls. Aiming to assess whether MaMaDroid's effectiveness mainly stems from the API abstraction or from the sequencing modeling, we also evaluate a variant of it that uses frequency (instead of sequences), of abstracted API calls. We find that it is not as accurate, failing to capture maliciousness when trained on malware samples that include API calls that are equally or more frequently used by benign apps.

Journal Article Type Article
Acceptance Date Feb 12, 2019
Online Publication Date Apr 30, 2019
Publication Date Apr 1, 2019
Deposit Date Mar 4, 2019
Publicly Available Date Mar 4, 2019
Journal ACM Transactions on Privacy and Security
Print ISSN 2471-2566
Electronic ISSN 2471-2574
Publisher Association for Computing Machinery (ACM)
Peer Reviewed Peer Reviewed
Volume 22
Issue 2
Article Number 14
DOI https://doi.org/10.1145/3313391
Keywords Android, malware detection, static analysis
Public URL https://uwe-repository.worktribe.com/output/847828
Publisher URL http://dx.doi.org/10.1145/3313391
Additional Information Additional Information : This is the author's accepted manuscript. The final published version is available here: http://dx.doi.org/10.1145/3313391.
Contract Date Mar 4, 2019

Files






You might also like



Downloadable Citations