
MalProfiler: Automatic and Effective Classification of Android Malicious Apps in Behavioral Classes

  • Conference paper
  • Foundations and Practice of Security (FPS 2016)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10128)

Abstract

Android malicious apps are currently the main security threat for mobile devices. Because the number of samples grows exponentially, it is vital to recognize and classify any new threat in a timely manner, so that specific countermeasures can be identified and applied effectively. In this paper we propose MalProfiler, a framework that performs fast and effective analysis of Android malicious apps based on a set of static app features. The proposed approach exploits an algorithm named Categorical Clustering Tree (CCTree), which can be used either as a divisive clustering algorithm or as a trainable classifier for supervised learning classification. Hence, the CCTree has been exploited both to perform homogeneous clustering, grouping similar malicious apps for simplified analysis, and to classify them into predefined behavioral classes. The approach has been tested on a set of 3500 real malicious apps belonging to more than 200 families, showing a high clustering capability, measured through internal and external evaluation, together with an accuracy of 97% in classifying malicious apps according to their behavior.
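As an added illustration (not code from the paper or from the MalProfiler project), the following Python builds a small categorical clustering tree over constructed permission-style static features, reports an external clustering evaluation over its leaves, and then uses the same tree as a classifier for behavioral classes, which is the dual use the abstract describes for CCTree. The split rule (highest-entropy attribute), the stopping rule (purity threshold and minimum node size), the purity measure and the permission names are assumptions made for this example; the paper's actual CCTree definition is not given on this page.

```python
from collections import Counter
from math import log2
# Constructed training set: categorical static features (permissions) with a made-up behavioral class.
ATTRS = ["SEND_SMS", "READ_CONTACTS", "INTERNET"]
SAMPLES = [
    ({"SEND_SMS": "yes", "READ_CONTACTS": "no",  "INTERNET": "yes"}, "sms_fraud"),
    ({"SEND_SMS": "yes", "READ_CONTACTS": "no",  "INTERNET": "no"},  "sms_fraud"),
    ({"SEND_SMS": "yes", "READ_CONTACTS": "yes", "INTERNET": "yes"}, "sms_fraud"),
    ({"SEND_SMS": "no",  "READ_CONTACTS": "yes", "INTERNET": "yes"}, "spyware"),
    ({"SEND_SMS": "no",  "READ_CONTACTS": "yes", "INTERNET": "no"},  "spyware"),
    ({"SEND_SMS": "no",  "READ_CONTACTS": "no",  "INTERNET": "yes"}, "adware"),
    ({"SEND_SMS": "no",  "READ_CONTACTS": "no",  "INTERNET": "yes"}, "adware"),
]

def entropy(values):
    n = len(values)
    return -sum(c / n * log2(c / n) for c in Counter(values).values())

def node_purity(rows, attrs):
    # Assumed purity measure: sum of per-attribute entropies (0 when every attribute is constant).
    return sum(entropy([f[a] for f, _ in rows]) for a in attrs)

def build_cctree(rows, attrs, eps=0.5, min_size=2):
    """Divisive clustering: split on the highest-entropy attribute until a node is pure enough or small."""
    if node_purity(rows, attrs) <= eps or len(rows) <= min_size:
        return {"leaf": rows}
    best = max(attrs, key=lambda a: entropy([f[a] for f, _ in rows]))
    groups = {}
    for f, label in rows:
        groups.setdefault(f[best], []).append((f, label))
    return {"attr": best, "children": {v: build_cctree(r, attrs, eps, min_size) for v, r in groups.items()}}

def leaves(tree):
    # Each leaf's row list is one cluster.
    if "leaf" in tree:
        return [tree["leaf"]]
    return [leaf for child in tree["children"].values() for leaf in leaves(child)]

def external_purity(tree):
    """External evaluation: fraction of samples whose leaf majority class equals their own class."""
    hit = total = 0
    for leaf in leaves(tree):
        major = Counter(label for _, label in leaf).most_common(1)[0][0]
        hit += sum(1 for _, label in leaf if label == major)
        total += len(leaf)
    return hit / total

def classify(tree, features):
    """Supervised use: descend to a leaf and return its majority class; an unseen value stops the descent."""
    while "attr" in tree and features.get(tree["attr"]) in tree["children"]:
        tree = tree["children"][features[tree["attr"]]]
    rows = [r for leaf in leaves(tree) for r in leaf]
    return Counter(label for _, label in rows).most_common(1)[0][0]
```

With the constructed samples the tree splits first on SEND_SMS and then on READ_CONTACTS, giving four class-homogeneous clusters.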

This work has been partially funded by the EU Funded Projects H2020 C3IISP, GA #700294, H2020 NeCS, GA #675320, EIT Digital MCloudDaaS.


Notes

  1. We made the software available at: www.android-security.it/RetrieveFeatures.jar.

  2. http://contagiominidump.blogspot.com.


Author information

Correspondence to Andrea Saracino.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

La Marra, A., Martinelli, F., Saracino, A., Sheikhalishahi, M. (2017). MalProfiler: Automatic and Effective Classification of Android Malicious Apps in Behavioral Classes. In: Cuppens, F., Wang, L., Cuppens-Boulahia, N., Tawbi, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2016. Lecture Notes in Computer Science, vol 10128. Springer, Cham. https://doi.org/10.1007/978-3-319-51966-1_1

  • DOI: https://doi.org/10.1007/978-3-319-51966-1_1
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-51965-4
  • Online ISBN: 978-3-319-51966-1
