Deep learning for image-based mobile malware detection

Abstract

In recent years, current anti-malware technologies have shown evident weaknesses owing to their adoption of a signature-based approach. Many alternative solutions have been proposed in the state-of-the-art literature, but in general they suffer from a high false positive ratio and are usually ineffective when obfuscation techniques are applied. In this paper we propose a method that aims to discriminate between malicious and legitimate samples in the mobile environment and to identify the malware family a sample belongs to and the variant within that family. We obtain gray-scale images directly from executable samples and gather a set of features from each image to build several classifiers. We evaluate the proposed solution on a data-set of 50,000 Android (24,553 malicious among 71 families and 25,447 legitimate) and 230 Apple (115 samples belonging to 10 families) real-world samples, obtaining promising results.
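As an added illustration of the byte-to-pixel idea described in the abstract (this is not the authors' code, and the abstract states neither the image width nor the feature set), the following Python example maps each byte of a sample to one gray-scale pixel and derives a small feature vector. The 64-pixel row width, the 16-bin histogram, entropy and mean features, and the sample byte strings are all assumptions made for this example.

```python
import math

WIDTH = 64  # assumed fixed row width in pixels; the abstract does not state one


def bytes_to_gray_rows(data: bytes, width: int = WIDTH) -> list[list[int]]:
    """Map each byte (0-255) to one gray-scale pixel, row-major, zero-padding the last row."""
    if width <= 0:
        raise ValueError("width must be positive")
    if not data:
        return []
    padded = data + b"\x00" * (-len(data) % width)
    return [list(padded[i:i + width]) for i in range(0, len(padded), width)]


def image_features(rows, bins: int = 16) -> dict:
    """Illustrative features (assumed): normalised intensity histogram, Shannon entropy, mean."""
    pixels = [p for row in rows for p in row]
    if not pixels:
        return {"histogram": [0.0] * bins, "entropy": 0.0, "mean": 0.0}
    n = len(pixels)
    hist = [0] * bins      # coarse histogram used as classifier input
    counts = [0] * 256     # exact per-value counts used for entropy
    for p in pixels:
        hist[p * bins // 256] += 1
        counts[p] += 1
    entropy = -sum(c / n * math.log2(c / n) for c in counts if c)
    return {"histogram": [h / n for h in hist], "entropy": entropy, "mean": sum(pixels) / n}


def to_pgm(rows) -> bytes:
    """Serialise the pixel grid as binary PGM (P5) so it can be opened in an image viewer."""
    if not rows:
        raise ValueError("empty image")
    header = f"P5\n{len(rows[0])} {len(rows)}\n255\n".encode("ascii")
    return header + b"".join(bytes(r) for r in rows)


# Constructed sample inputs (not real app bytes): a mostly-zero blob and a blob
# with a uniform byte distribution, like compressed or encrypted content.
SAMPLE_PLAIN = b"dex\n035\x00" + b"\x00" * 120
SAMPLE_DENSE = bytes(range(256)) * 2

if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN), ("dense", SAMPLE_DENSE)):
        rows = bytes_to_gray_rows(blob)
        f = image_features(rows)
        print(name, len(rows), "rows", f"entropy={f['entropy']:.2f}", f"mean={f['mean']:.1f}")
```

The feature dictionaries produced this way are what a classifier would be trained on; the entropy value alone already separates the two constructed blobs, which is also why packing or encryption changes the resulting image so visibly.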

Author information

Correspondence to Francesco Mercaldo.

Appendix

See Table 7.

Table 7 Android malware families with relative variants involved in the study

About this article

Cite this article

Mercaldo, F., Santone, A. Deep learning for image-based mobile malware detection. J Comput Virol Hack Tech (2020) doi:10.1007/s11416-019-00346-7

Keywords

  • Malware
  • Android
  • Apple
  • Security
  • Machine learning
  • Deep learning
  • Artificial intelligence
  • Image
  • Classification