Android Malware Clustering through Malicious Payload Mining

Preprint English OPEN
Li, Yuping ; Jang, Jiyong ; Hu, Xin ; Ou, Xinming (2017)
  • Subject: Computer Science - Cryptography and Security
    ACM classification: Computing Methodologies - Pattern Recognition; Computing Milieux - Management of Computing and Information Systems

Clustering has been well studied for desktop malware analysis as an effective triage method. Conventional similarity-based clustering techniques, however, cannot be applied directly to Android malware analysis because of the excessive use of third-party libraries in Android application development and the widespread use of repackaging in malware development. We design and implement an Android malware clustering system that iteratively mines malicious payloads and checks whether malware samples share the same version of a malicious payload. Our system uses a hierarchical clustering technique and an efficient bit-vector format to represent Android apps. Experimental results demonstrate that our clustering approach achieves a precision of 0.90 and a recall of 0.75 on the Android Genome malware dataset, and an average precision of 0.98 and recall of 0.96 with respect to manually verified ground truth.
