MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models
Emiliano De Cristofaro, University College London
2-3pm 27th Jan 2017
The rise in popularity of the Android platform has resulted in an explosion of malware threats targeting it. As both Android malware and the operating system itself constantly evolve, it is very challenging to design robust malware mitigation techniques that can operate for long periods of time without the need for modifications or costly re-training. We present MaMaDroid, an Android malware detection system that relies on app behavior. MaMaDroid builds a behavioral model, in the form of a Markov chain, from the sequence of abstracted API calls performed by an app, and uses it to extract features and perform classification. By abstracting calls to their packages or families, MaMaDroid maintains resilience to API changes and keeps the feature set size manageable. We evaluate its accuracy on a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it not only effectively detects malware (with up to 99% F-measure), but also that the model built by the system keeps its detection capabilities for long periods of time (on average, 86% and 75% F-measure, respectively, one and two years after training). Finally, we compare against DroidAPIMiner, a state-of-the-art system that relies on the frequency of API calls performed by apps, showing that MaMaDroid significantly outperforms it. To appear in NDSS 2017.
Emiliano De Cristofaro is a Senior Lecturer at University College London (UCL). Prior to joining UCL in 2013, he was a research scientist at PARC. In 2011, he received a PhD in Networked Systems from the University of California, Irvine, advised, mostly, while running on the beach, by Gene Tsudik. His research interests include privacy technologies, applied cryptography, and systems security. He has served as program co-chair of the Privacy Enhancing Technologies Symposium (PETS) in 2013 and 2014, and of the Workshop on Genome Privacy and Security (GenoPri 2015). His homepage is available at https://emilianodc.com
Large Conference Room, O'Reilly Institute