
AndroDFA: Android Malware Classification Based on Resource Consumption / Massarelli, Luca; Aniello, Leonardo; Ciccotelli, Claudio; Querzoni, Leonardo; Ucci, Daniele; Baldoni, Roberto. - In: INFORMATION. - ISSN 2078-2489. - 11:6(2020). [10.3390/info11060326]

AndroDFA: Android Malware Classification Based on Resource Consumption

Luca Massarelli; Claudio Ciccotelli; Leonardo Querzoni; Daniele Ucci; Roberto Baldoni
2020

Abstract

The vast majority of today's mobile malware targets Android devices. An important task of malware analysis is the classification of malicious samples into known families. In this paper we propose AndroDFA: an approach to Android malware family classification based on dynamic analysis of resource consumption metrics available from the proc file system. These metrics can be easily measured during sample execution. From each malware sample we extract features through detrended fluctuation analysis (DFA) and Pearson's correlation; a support vector machine is then employed to classify the samples into families. We provide an experimental evaluation based on malware samples from two datasets, namely Drebin and AMD. With the Drebin dataset we obtain a classification accuracy of 82%, showing that our methodology achieves an accuracy comparable with state-of-the-art works such as DroidScribe. However, compared to DroidScribe, our approach is easier to reproduce because it is based on publicly available tools only, does not require any modification to the emulated environment or to the Android OS and, by design, can also be used on physical devices rather than exclusively on emulators. The latter is a key factor because modern mobile malware can detect an emulated environment and hide its malicious behavior. The experiments on the AMD dataset give similar results, with an overall mean accuracy of 78%. Furthermore, we make the software we developed publicly available, to ease the reproducibility of our results.
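The abstract names the two feature families (a DFA scaling exponent per metric and Pearson's correlation between metrics) without showing how they are computed. The following is an added illustration written for this page, not the AndroDFA tool or the authors' code: it parses the utime/stime/rss fields of a /proc/<pid>/stat line, runs DFA-1 on each metric's time series, correlates every pair of metrics, and concatenates the results into one feature vector an SVM could train on. The metric names, the box-size schedule (powers of two from 16 up to a quarter of the series length) and all sampled data are constructed assumptions for the example.

```python
"""Added example (not the AndroDFA tool): /proc resource samples -> DFA and
Pearson features. All metric names, box sizes and data are constructed."""
import math
import os
import random
from itertools import combinations


def parse_proc_stat(text):
    """utime, stime (clock ticks) and rss (pages) from a /proc/<pid>/stat line.
    The comm field may contain spaces or ')', so split on the LAST ')' and
    count from there: utime is field 14, stime 15, rss 24 (1-indexed, proc(5))."""
    _, _, rest = text.strip().rpartition(")")
    f = rest.split()  # f[0] is field 3 (state)
    return {"utime": int(f[11]), "stime": int(f[12]), "rss_pages": int(f[21])}


def _detrend_residuals(seg):
    """Residuals after removing a least-squares straight line (DFA-1 detrending)."""
    n = len(seg)
    mx, my = (n - 1) / 2.0, sum(seg) / n
    sxx = sum((i - mx) ** 2 for i in range(n))
    slope = sum((i - mx) * (y - my) for i, y in enumerate(seg)) / sxx
    return [y - (my + slope * (i - mx)) for i, y in enumerate(seg)]


def dfa_exponent(series, min_box=16, max_box=None):
    """DFA-1 scaling exponent alpha: about 0.5 for uncorrelated samples,
    about 1.5 for a random-walk-like (cumulative) metric such as resident
    memory. Box sizes double from min_box to max_box (default len/4)."""
    n = len(series)
    max_box = max_box or n // 4
    mean = sum(series) / n
    profile, acc = [], 0.0
    for v in series:  # integrate the mean-subtracted series into a profile
        acc += v - mean
        profile.append(acc)
    pts = []  # (log box, log F(box))
    box = min_box
    while box <= max_box:
        nb = n // box
        sq = 0.0
        for b in range(nb):
            res = _detrend_residuals(profile[b * box:(b + 1) * box])
            sq += sum(r * r for r in res)
        fluct = math.sqrt(sq / (nb * box))
        if fluct > 0:
            pts.append((math.log(box), math.log(fluct)))
        box *= 2
    if len(pts) < 2:
        raise ValueError("series too short for the requested box sizes")
    lx = sum(x for x, _ in pts) / len(pts)
    ly = sum(y for _, y in pts) / len(pts)
    # alpha is the least-squares slope of log F(n) against log n
    return sum((x - lx) * (y - ly) for x, y in pts) / sum((x - lx) ** 2 for x, _ in pts)


def pearson(x, y):
    """Pearson's r; returns 0.0 when either series is constant (r undefined)."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx and syy else 0.0


def feature_vector(metrics):
    """One DFA exponent per metric, then Pearson's r for every metric pair,
    both in sorted metric-name order so vectors line up across samples."""
    names = sorted(metrics)
    feats = [dfa_exponent(metrics[k]) for k in names]
    feats += [pearson(metrics[a], metrics[b]) for a, b in combinations(names, 2)]
    return feats


def constructed_metrics(seed=7, n=4096):
    """Constructed stand-in for one run's sampled metrics: cpu ticks per
    interval as uncorrelated bursts, rss as a random walk, and net bytes
    that track cpu activity plus noise."""
    rng = random.Random(seed)
    cpu = [abs(rng.gauss(0, 1)) for _ in range(n)]
    rss, acc = [], 0.0
    for _ in range(n):
        acc += rng.gauss(0, 1)
        rss.append(acc)
    net = [c * 100 + rng.gauss(0, 10) for c in cpu]
    return {"cpu_ticks": cpu, "rss_pages": rss, "net_bytes": net}


if __name__ == "__main__":
    print([round(v, 3) for v in feature_vector(constructed_metrics())])
    if os.path.exists("/proc/self/stat"):  # live read on Linux only
        with open("/proc/self/stat") as fh:
            print(parse_proc_stat(fh.read()))
```

In a real pipeline the `constructed_metrics` dictionary would be replaced by periodic `parse_proc_stat` reads of the target process while the sample runs, one list per metric; the feature vector is then the row fed to the SVM. Note that DFA needs a reasonably long series (here at least four boxes of the smallest size), so a very short execution window yields unreliable exponents.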
Files attached to this item
File  Size  Format
Massarelli_AndroDFA_2020.pdf

open access

Type: Publisher's version (published version with the publisher's layout)
License: Creative Commons
Size: 1.4 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11573/1413959
Citations
  • PubMed Central: not available
  • Scopus: 3
  • Web of Science (ISI): 4