UCL Discovery
UCL home » Library Services » Electronic resources » UCL Discovery

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models (Extended Version)

Onwuzurike, L; Mariconti, E; Andriotis, P; De Cristofaro, E; Stringhini, G; Ross, G; (2019) MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models (Extended Version). ACM Transactions on Privacy and Security , 22 (2) , Article 14. 10.1145/3313391. Green open access

[thumbnail of De Cristofaro newaccepted.pdf]
Preview
Text
De Cristofaro newaccepted.pdf - Accepted Version

Download (2MB) | Preview

Abstract

As Android becomes increasingly popular, so does malware targeting it, this motivating the research community to propose many different detection techniques. However, the constant evolution of the Android ecosystem, and of malware itself, makes it hard to design robust tools that can operate for long periods of time without the need for modifications or costly re-training. Aiming to address this issue, we set to detect malware from a behavioral point of view, modeled as the sequence of abstracted API calls. We introduce MAMADROID, a staticanalysis based system that abstracts app’s API calls to their class, package, or family, and builds a model from their sequences obtained from the call graph of an app as Markov chains. This ensures that the model is more resilient to API changes and the features set is of manageable size. We evaluate MAMADROID using a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it effectively detects malware (with up to 0.99 F-measure) and keeps its detection capabilities for long periods of time (up to 0.87 F-measure two years after training). We also show that MAMADROID remarkably improves over DROIDAPIMINER, a state-of-the-art detection system that relies on the frequency of (raw) API calls. Aiming to assess whether MAMADROID’s effectiveness mainly stems from the API abstraction or from the sequencing modeling, we also evaluate a variant of it that uses frequency (instead of sequences), of abstracted API calls. We find that it is not as accurate, failing to capture maliciousness when trained on malware samples including API calls that are equally or more frequently used by benign apps.

Type: Article
Title: MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models (Extended Version)
Open access status: An open access version is available from UCL Discovery
DOI: 10.1145/3313391
Publisher version: http://doi.org/10.1145/3313391
Language: English
Additional information: This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions.
UCL classification: UCL
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science
URI: https://discovery.ucl.ac.uk/id/eprint/10067943
Downloads since deposit
50Downloads
Download activity - last month
Download activity - last 12 months
Downloads by country - last 12 months

Archive Staff Only

View Item View Item