DroidSieve: Fast and Accurate Classification of Obfuscated Android Malware

Guillermo Suarez de Tangil Rotaeche; Santanu Dash; Mansour Ahmadi; Johannes Kinder; Giorgio Giacinto; Lorenzo Cavallaro

doi:10.1145/3029806.3029825

DroidSieve: Fast and Accurate Classification of Obfuscated Android Malware

Guillermo Suarez de Tangil Rotaeche, Santanu Dash, Mansour Ahmadi, Johannes Kinder, Giorgio Giacinto, Lorenzo Cavallaro

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

96 Downloads (Pure)

Abstract

With more than two million applications, Android marketplaces require automatic and scalable methods to efficiently vet apps for the absence of malicious threats. Recent techniques have successfully relied on the extraction of lightweight syntactic features suitable for machine learning classification, but despite their promising results, the very nature of such features suggest they would unlikely--on their own--be suitable for detecting obfuscated Android malware. To address this challenge, we propose DroidSieve, an Android malware classifier based on static analysis that is fast, accurate, and resilient to obfuscation. For a given app, DroidSieve first decides whether the app is malicious and, if so, classifies it as belonging to a family of related malware.

DroidSieve exploits obfuscation-invariant features and artifacts introduced by obfuscation mechanisms used in malware. At the same time, these purely static features are designed for processing at scale and can be extracted quickly.

For malware detection, we achieve up to 99.82% accuracy with zero false positives; for family identification of obfuscated malware, we achieve 99.26% accuracy at a fraction of the computational cost of state-of-the-art techniques.

Original language	English
Title of host publication	ACM CODASPY
Publisher	ACM
Pages	309-320
Number of pages	12
ISBN (Print)	978-1-4503-4523-1
DOIs	https://doi.org/10.1145/3029806.3029825
Publication status	Published - 22 Mar 2017

Access to Document

10.1145/3029806.3029825

Accepted ManuscriptAccepted author manuscript, 433 KB

http://s2lab.isg.rhul.ac.uk/papers/files/codaspy2017.pdf

MobSec: Malware and Security in the Mobile Age
Cavallaro, L. & Kinder, J.
Eng & Phys Sci Res Council EPSRC
10/11/14 → 4/05/19
Project: Research

Cite this

@inproceedings{b317af23c5ab4956a701bd6fdf04cd24,

title = "DroidSieve: Fast and Accurate Classification of Obfuscated Android Malware",

abstract = "With more than two million applications, Android marketplaces require automatic and scalable methods to efficiently vet apps for the absence of malicious threats. Recent techniques have successfully relied on the extraction of lightweight syntactic features suitable for machine learning classification, but despite their promising results, the very nature of such features suggest they would unlikely--on their own--be suitable for detecting obfuscated Android malware. To address this challenge, we propose DroidSieve, an Android malware classifier based on static analysis that is fast, accurate, and resilient to obfuscation. For a given app, DroidSieve first decides whether the app is malicious and, if so, classifies it as belonging to a family of related malware.DroidSieve exploits obfuscation-invariant features and artifacts introduced by obfuscation mechanisms used in malware. At the same time, these purely static features are designed for processing at scale and can be extracted quickly.For malware detection, we achieve up to 99.82% accuracy with zero false positives; for family identification of obfuscated malware, we achieve 99.26% accuracy at a fraction of the computational cost of state-of-the-art techniques.",

author = "{Suarez de Tangil Rotaeche}, Guillermo and Santanu Dash and Mansour Ahmadi and Johannes Kinder and Giorgio Giacinto and Lorenzo Cavallaro",

year = "2017",

month = mar,

day = "22",

doi = "10.1145/3029806.3029825",

language = "English",

isbn = "978-1-4503-4523-1 ",

pages = "309--320 ",

booktitle = "ACM CODASPY",

publisher = "ACM",

}

TY - GEN

T1 - DroidSieve

T2 - Fast and Accurate Classification of Obfuscated Android Malware

AU - Suarez de Tangil Rotaeche, Guillermo

AU - Dash, Santanu

AU - Ahmadi, Mansour

AU - Kinder, Johannes

AU - Giacinto, Giorgio

AU - Cavallaro, Lorenzo

PY - 2017/3/22

Y1 - 2017/3/22

N2 - With more than two million applications, Android marketplaces require automatic and scalable methods to efficiently vet apps for the absence of malicious threats. Recent techniques have successfully relied on the extraction of lightweight syntactic features suitable for machine learning classification, but despite their promising results, the very nature of such features suggest they would unlikely--on their own--be suitable for detecting obfuscated Android malware. To address this challenge, we propose DroidSieve, an Android malware classifier based on static analysis that is fast, accurate, and resilient to obfuscation. For a given app, DroidSieve first decides whether the app is malicious and, if so, classifies it as belonging to a family of related malware.DroidSieve exploits obfuscation-invariant features and artifacts introduced by obfuscation mechanisms used in malware. At the same time, these purely static features are designed for processing at scale and can be extracted quickly.For malware detection, we achieve up to 99.82% accuracy with zero false positives; for family identification of obfuscated malware, we achieve 99.26% accuracy at a fraction of the computational cost of state-of-the-art techniques.

AB - With more than two million applications, Android marketplaces require automatic and scalable methods to efficiently vet apps for the absence of malicious threats. Recent techniques have successfully relied on the extraction of lightweight syntactic features suitable for machine learning classification, but despite their promising results, the very nature of such features suggest they would unlikely--on their own--be suitable for detecting obfuscated Android malware. To address this challenge, we propose DroidSieve, an Android malware classifier based on static analysis that is fast, accurate, and resilient to obfuscation. For a given app, DroidSieve first decides whether the app is malicious and, if so, classifies it as belonging to a family of related malware.DroidSieve exploits obfuscation-invariant features and artifacts introduced by obfuscation mechanisms used in malware. At the same time, these purely static features are designed for processing at scale and can be extracted quickly.For malware detection, we achieve up to 99.82% accuracy with zero false positives; for family identification of obfuscated malware, we achieve 99.26% accuracy at a fraction of the computational cost of state-of-the-art techniques.

U2 - 10.1145/3029806.3029825

DO - 10.1145/3029806.3029825

M3 - Conference contribution

SN - 978-1-4503-4523-1

SP - 309

EP - 320

BT - ACM CODASPY

PB - ACM

ER -

DroidSieve: Fast and Accurate Classification of Obfuscated Android Malware

Abstract

Access to Document

Projects

MobSec: Malware and Security in the Mobile Age

Cite this