AndroDFA: Android Malware Classification Based on Resource Consumption / Massarelli, Luca; Aniello, Leonardo; Ciccotelli, Claudio; Querzoni, Leonardo; Ucci, Daniele; Baldoni, Roberto. - In: INFORMATION. - ISSN 2078-2489. - 11:6(2020). [10.3390/info11060326]
AndroDFA: Android Malware Classification Based on Resource Consumption
Luca Massarelli; Leonardo Aniello; Claudio Ciccotelli; Leonardo Querzoni; Daniele Ucci; Roberto Baldoni
2020
Abstract
The vast majority of today's mobile malware targets Android devices. An important task of malware analysis is the classification of malicious samples into known families. In this paper we propose AndroDFA: an approach to Android malware family classification based on dynamic analysis of resource consumption metrics available from the proc file system. These metrics can be easily measured during sample execution. From each malware sample we extract features through detrended fluctuation analysis (DFA) and Pearson's correlation; a support vector machine is then employed to classify samples into families. We provide an experimental evaluation based on malware samples from two datasets, namely Drebin and AMD. With the Drebin dataset, we obtain a classification accuracy of 82%, showing that our methodology achieves an accuracy comparable with works from the state of the art such as DroidScribe. However, compared to DroidScribe, our approach is easier to reproduce because it is based on publicly available tools only, does not require any modification to the emulated environment or to the Android OS and, by design, can also be used on physical devices rather than exclusively on emulators. The latter is a key factor because modern mobile malware can detect an emulated environment and hide its malicious behavior. The experiments on the AMD dataset give similar results, with an overall mean accuracy of 78%. Furthermore, we make the software we developed publicly available to ease the reproducibility of our results.

| File | Size | Format |
|---|---|---|
| Massarelli_AndroDFA_2020.pdf (open access; type: publisher's version, published with the publisher's layout; license: Creative Commons) | 1.4 MB | Adobe PDF |
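The abstract above names the feature pipeline (per-process resource metrics read from procfs, DFA scaling exponents and Pearson correlations, then an SVM) but does not show what the features look like. The following Python example is added here and is not code from the paper or from the authors' released software: it implements first-order DFA and Pearson's correlation in pure Python and assembles one feature vector from a constructed synthetic trace. The metric names (`cpu_ticks`, `rss_kb`, `net_rx`), the box sizes, the trace generator and the `feature_vector` layout are assumptions for illustration; which metrics the paper actually samples is not stated on this page, and the SVM step is omitted.

```python
"""Added example: DFA scaling exponents and Pearson correlations as features
for resource-consumption traces, in the spirit of the AndroDFA pipeline.
Pure Python, no third-party dependencies."""
import math
import random
from itertools import combinations
from typing import Dict, List, Sequence


def _linear_fit(xs: Sequence[float], ys: Sequence[float]):
    """Ordinary least-squares slope and intercept of ys against xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def dfa_exponent(series: Sequence[float], box_sizes: Sequence[int] = None) -> float:
    """First-order detrended fluctuation analysis.

    Returns alpha, the slope of log F(s) against log s: ~0.5 for uncorrelated
    noise, ~1.0 for 1/f noise, ~1.5 for Brownian motion. Returns 0.0 when the
    series is too short or has no fluctuation at all (constant metric)."""
    n = len(series)
    if n < 32:
        return 0.0
    mean = sum(series) / n
    # Step 1: the profile is the cumulative sum of the mean-subtracted series.
    profile, acc = [], 0.0
    for v in series:
        acc += v - mean
        profile.append(acc)
    if box_sizes is None:
        # Assumed scales: powers of two with at least eight boxes per scale.
        box_sizes = [s for s in (4, 8, 16, 32, 64, 128, 256, 512) if s <= n // 8]
    log_s, log_f = [], []
    for s in box_sizes:
        nboxes = n // s
        xs = list(range(s))
        sq_sum = 0.0
        # Step 2: remove a linear trend from the profile in every box and
        # accumulate the squared residuals.
        for b in range(nboxes):
            seg = profile[b * s:(b + 1) * s]
            slope, icpt = _linear_fit(xs, seg)
            sq_sum += sum((y - (slope * x + icpt)) ** 2 for x, y in zip(xs, seg))
        f = math.sqrt(sq_sum / (nboxes * s))  # fluctuation function F(s)
        if f > 0.0:
            log_s.append(math.log(s))
            log_f.append(math.log(f))
    if len(log_s) < 2:
        return 0.0
    # Step 3: alpha is the slope of the log-log fit.
    alpha, _ = _linear_fit(log_s, log_f)
    return alpha


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    """Pearson correlation coefficient; 0.0 if either metric is constant."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    if va == 0.0 or vb == 0.0:
        return 0.0
    return cov / (va * vb)


def feature_vector(metrics: Dict[str, Sequence[float]]) -> List[float]:
    """One DFA exponent per metric, then one Pearson coefficient per metric
    pair (sorted by name so the layout is stable across samples)."""
    names = sorted(metrics)
    feats = [dfa_exponent(metrics[m]) for m in names]
    feats += [pearson(metrics[x], metrics[y]) for x, y in combinations(names, 2)]
    return feats


def synthetic_trace(seed: int = 7, n: int = 2048) -> Dict[str, List[float]]:
    """Constructed sample trace (not real malware data): three metric series of
    the kind one would sample per interval from /proc during execution.
    cpu_ticks is uncorrelated noise (alpha ~0.5), rss_kb a random walk
    (alpha ~1.5), net_rx the exact negation of cpu_ticks (correlation -1)."""
    rng = random.Random(seed)
    noise = [rng.gauss(0.0, 1.0) for _ in range(n)]
    walk, acc = [], 0.0
    for v in noise:
        acc += v
        walk.append(acc)
    return {"cpu_ticks": noise, "rss_kb": walk, "net_rx": [-v for v in noise]}


if __name__ == "__main__":
    trace = synthetic_trace()
    for name, vals in sorted(trace.items()):
        print(f"{name}: alpha = {dfa_exponent(vals):.3f}")
    print("feature vector:", [round(f, 3) for f in feature_vector(trace)])
```

In a real collection run each series would hold successive per-interval deltas of a counter read from procfs while the sample executes, for example utime plus stime from `/proc/<pid>/stat` (fields 14 and 15) or the resident page count from `/proc/<pid>/statm`; the resulting vectors, one per sample, are what a classifier such as an SVM is trained on. Two caveats matter in practice: a metric that never changes yields a zero exponent and zero correlations rather than an error, and the exponent for a short or heavily noisy trace has a wide confidence interval, so the sampling interval and run length must be fixed across the whole dataset for the features to be comparable.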
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.