MamaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models

Mariconti, E; Onwuzurike, L; Andriotis, P; De Cristofaro, E; Ross, G; Stringhini, G; (2017) MamaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models. In: Proceedings of the ISOC Network and Distributed Systems Security Symposium (NDSS). Internet Society: San Diego, CA, USA. Green open access

Abstract

The rise in popularity of the Android platform has resulted in an explosion of malware threats targeting it. As both Android malware and the operating system itself constantly evolve, it is very challenging to design robust malware mitigation techniques that can operate for long periods of time without the need for modifications or costly re-training. In this paper, we present MAMADROID, an Android malware detection system that relies on app behavior. MAMADROID builds a behavioral model, in the form of a Markov chain, from the sequence of abstracted API calls performed by an app, and uses it to extract features and perform classification. By abstracting calls to their packages or families, MAMADROID maintains resilience to API changes and keeps the feature set size manageable. We evaluate its accuracy on a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it not only effectively detects malware (with up to 99% F-measure), but also that the model built by the system keeps its detection capabilities for long periods of time (on average, 86% and 75% F-measure, respectively, one and two years after training). Finally, we compare against DROIDAPIMINER, a state-of-the-art system that relies on the frequency of API calls performed by apps, showing that MAMADROID significantly outperforms it.
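The feature extraction the abstract describes can be sketched as follows. This is an added example, not code from the paper or from this repository record: the prefix-to-family table, the function names and the sample call sequences are assumptions made for illustration. API calls are abstracted to a family, transitions between consecutive calls are counted, and the row-normalised transition probabilities form the feature vector a classifier would consume.

```python
from collections import Counter
from itertools import product

# Assumed, simplified prefix-to-family table (illustration only, not from the page).
FAMILY_PREFIXES = [("android.", "android"), ("com.google.", "google"),
                   ("java.", "java"), ("javax.", "javax"),
                   ("org.apache.", "apache")]
STATES = sorted({fam for _, fam in FAMILY_PREFIXES} | {"self-defined"})


def abstract_call(api_call):
    """Map a fully qualified API call to its family (the coarse abstraction)."""
    for prefix, family in FAMILY_PREFIXES:
        if api_call.startswith(prefix):
            return family
    return "self-defined"  # the app's own or unrecognised third-party code


def markov_features(sequences):
    """Build the Markov chain over families and flatten it to a feature vector."""
    counts, row_totals = Counter(), Counter()
    for seq in sequences:
        states = [abstract_call(c) for c in seq]
        for src, dst in zip(states, states[1:]):  # consecutive calls
            counts[(src, dst)] += 1
            row_totals[src] += 1
    # A fixed state order keeps vectors comparable across apps; a state with
    # no outgoing transitions contributes an all-zero row.
    return [counts[(s, d)] / row_totals[s] if row_totals[s] else 0.0
            for s, d in product(STATES, STATES)]


def transition(features, src, dst):
    """Look up P(src -> dst) in a flat feature vector."""
    return features[STATES.index(src) * len(STATES) + STATES.index(dst)]


# Constructed sample call sequences (not taken from a real app).
SAMPLE = [
    ["com.example.app.Main.onCreate", "android.util.Log.d",
     "java.lang.Throwable.getMessage", "android.util.Log.e"],
    ["com.example.app.Main.onCreate", "java.lang.StringBuilder.append"],
]
```

Because the vector length depends only on the number of families, not on individual API methods, a method added or renamed in a later API level maps to the same state and leaves the feature space unchanged.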

Type: Proceedings paper
Title: MamaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models
Event: NDSS '17: Network and Distributed Systems Security Symposium 2017
Location: San Diego, California, USA
Dates: 26 February 2017 - 01 March 2017
ISBN: 1-1891562-46-0
Open access status: An open access version is available from UCL Discovery
DOI: 10.14722/ndss.2017.23353
Publisher version: http://dx.doi.org/10.14722/ndss.2017.23353
Language: English
Additional information: Copyright © 2017 Internet Society. Permission to freely reproduce all or part of this paper for noncommercial purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited without the prior written consent of the Internet Society, the first-named author (for reproduction of an entire paper only), and the author’s employer if the paper was prepared within the scope of employment.
UCL classification: UCL > Provost and Vice Provost Offices
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Maths and Physical Sciences
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Maths and Physical Sciences > Dept of Statistical Science
URI: http://discovery.ucl.ac.uk/id/eprint/1532047