Dealing with Class Imbalance in Android Malware Detection by Cascading Clustering and Classification

  • Giuseppina AndresiniEmail author
  • Annalisa Appice
  • Donato Malerba
Part of the Studies in Computational Intelligence book series (SCI, volume 880)


The high number of Android devices that are active around the world makes these platforms appealing targets for malware attacks. A malware is shorthand for malicious applications developed by cyber attackers with the intention of gaining access or causing damage to a computer device or network, often while the victim remains oblivious to the fact there’s been a compromise. Android security requires machine learning approaches to quickly and accurately flag malicious applications. This paper describes a supervised learning approach for classifying Android applications as genuine or malicious. It uses reverse engineering to look for dangerous capabilities within the application code and structure before it is executed and applies to an intriguing combination of clustering and classification, in order to deal with the imbalanced data problem and avoid a detection system that skews towards modeling the genuine applications. We use benchmark Android applications to assess that the presented approach is able to correctly detect malware applications. The significance of the computed detection patterns is evaluated using established machine learning metrics.



This work is carried out in partial fulfillment of the research objectives of ATENEO Project 2014 on “Mining of network data” and ATENEO Project 2015 on “Models and Methods to Mine Complex and Large Data” funded by the University of Bari Aldo Moro.


  1. 1.
    Ajaeiya, G., Elhajj, I.H., Chehab, A., Kayssi, A., Kneppers, M.: Mobile apps identification based on network flows. Knowl. Inf. Syst. 55(3), 771–796 (2018)CrossRefGoogle Scholar
  2. 2.
    Alam, M.S., Vuong, S.T.: Random forest classification for detecting android malware. In: Proceedings of the 2013 IEEE International Conference on Green Computing and Communications and IEEE Internet of Things and IEEE Cyber, Physical and Social Computing, pp. 663–669 (2013)Google Scholar
  3. 3.
    Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K.: DREBIN: effective and explainable detection of android malware in your pocket. In: Proceedings of the 21st Annual Network and Distributed System Security Symposium. The Internet Society (2014)Google Scholar
  4. 4.
    Bhatia, T., Kaushal, R.: Malware detection in android based on dynamic analysis. In: Proceedings of the 2017 International Conference on Cyber Security And Protection Of Digital Services (Cyber Security), pp. 1–6 (2017)Google Scholar
  5. 5.
    Biggio, B., Rieck, K., Ariu, D., Wressnegger, C., Corona, I., Giacinto, G., Roli, F.: Poisoning behavioral malware clustering. In: Proceedings of the 2014 Workshop on Artificial Intelligent and Security Workshop, AISec ’14, pp. 27–36. ACM (2014)Google Scholar
  6. 6.
    Burnap, P., French, R., Turner, F., Jones, K.: Malware classification using self organising feature maps and machine activity data. Comput. Secur. 73, 399–410 (2018)CrossRefGoogle Scholar
  7. 7.
    Chakraborty, T., Pierazzi, F., Subrahmanian, V.S.: EC2: ensemble clustering and classification for predicting android malware families. IEEE Trans. Dependable Secur. Comput., 1–1 (2018)Google Scholar
  8. 8.
    Chawla, N.V. et al.: Synthetic minority over-sampling technique. J. Artif. Intell. Res. 16, 321–357 (2002)Google Scholar
  9. 9.
    Demontis, A., Melis, M., Biggio, B., Maiorca, D., Arp, D., Rieck, K., Corona, I., Giacinto, G., Roli, F.: Yes, machine learning can be more secure! a case study on android malware detection. IEEE Trans. Dependable Secur. Comput. (99), 1–1 (2017)Google Scholar
  10. 10.
    Goyal, R., Spognardi, A., Dragoni, N., Argyriou, M.: Safedroid: A distributed malware detection service for android. In: Proceedings of the 2016 IEEE 9th International Conference on Service-Oriented Computing and Applications (SOCA), pp. 59–66 (2016)Google Scholar
  11. 11.
    Idrees, F., Rajarajan, M.: Investigating the android intents and permissions for malware detection. In: Proceedings of the IEEE 10th International Conference on Wireless and Mobile Computing, Networking and Communications, pp. 354–358 (2014)Google Scholar
  12. 12.
    Japkowicz, N.: The class imbalance problem: Significance and strategies. In: Proceedings of the 2000 International Conference on Artificial Intelligence (IC-AI’2000), vol. 1, pp. 111–117 (2000)Google Scholar
  13. 13.
    Kao, Y., Reich, B., Storlie, C., Anderson, B.: Malware detection using nonparametric bayesian clustering and classification techniques. Technometrics 57(4), 535–546 (2015)MathSciNetCrossRefGoogle Scholar
  14. 14.
    Lin, W., Wu, Z., Lin, L., Wen, A., Li, J.: An ensemble random forest algorithm for insurance big data analysis. IEEE Access 5, 16568–16575 (2017)CrossRefGoogle Scholar
  15. 15.
    Mehrotra, S., Kohli, S.: Comparative analysis of k-means with other clustering algorithms to improve search result. In: 2015 International Conference on Green Computing and Internet of Things (ICGCIoT), pp. 309–313 (2015)Google Scholar
  16. 16.
    Milosevic, N., Dehghantanha, A., Choo, K.K.R.: Machine learning aided android malware classification. Comput. Electr. Eng. 61, 266–274 (2017)CrossRefGoogle Scholar
  17. 17.
    Nissim, N., Moskovitch, R., BarAd, O., Rokach, L., Elovici, Y.: Aldroid: efficient update of android anti-virus software using designated active learning methods. Knowl. Inf. Syst. 49(3), 795–833 (2016)CrossRefGoogle Scholar
  18. 18.
    Peiravian, N., Zhu, X.: Machine learning for android malware detection using permission and api calls. In: Proceedings of the IEEE 25th International Conference on Tools with Artificial Intelligence, pp. 300–305 (2013)Google Scholar
  19. 19.
    Raff, E., Nicholas, C.: Malware classification and class imbalance via stochastic hashed lzjd. In: Proceedings of the 10th ACM Workshop on Artificial Intelligence and Security, AISec ’17, pp. 111–120. ACM (2017)Google Scholar
  20. 20.
    Rovelli, P., Vigfússon, Ý.: Pmds: permission-based malware detection system. In: A. Prakash, R. Shyamasundar (eds.) Proceedings of the Information Systems Security, pp. 338–357. Springer International Publishing (2014)Google Scholar
  21. 21.
    Sheen, S., Anitha, R., Natarajan, V.: Android based malware detection using a multifeature collaborative decision fusion approach. Neurocomputing 151, 905–912 (2015)CrossRefGoogle Scholar
  22. 22.
    Shijo, P., Salim, A.: Integrated static and dynamic analysis for malware detection. Procedia Comput. Sci. 46, 804–811 (2015)CrossRefGoogle Scholar
  23. 23.
    Suarez-Tangil, G., Dash, S.K., Ahmadi, M., Kinder, J., Giacinto, G., Cavallaro, L.: Droidsieve: fast and accurate classification of obfuscated android malware. In: Proceedings of the 7th ACM on Conference on Data and Application Security and Privacy, CODASPY 2017, pp. 309–320 (2017)Google Scholar
  24. 24.
    Tajoddin, A., Jalili, S.: HM3aID: polymorphic malware detection using program behavior-aware hidden Markov model. Appl. Sci. 8, 1044 (2018)CrossRefGoogle Scholar
  25. 25.
    Talha, K.A., Alper, D.I., Aydin, C.: Apk auditor: permission-based android malware detection system. Digit. Investig. 13, 1–14 (2015)CrossRefGoogle Scholar
  26. 26.
    Witten, I.H., Frank, E., Hall, M.A.: Data Mining: Practical Machine Learning Tools and Techniques. The Morgan Kaufmann Series in Data Management Systems, 3rd edn. Morgan Kaufmann, Boston (2011)Google Scholar
  27. 27.
    Yerima, S.Y., Sezer, S., Muttik, I.: Android malware detection using parallel machine learning classifiers. In: Proceedings of the 8th International Conference on Next Generation Mobile Apps, Services and Technologies, pp. 37–42 (2014)Google Scholar
  28. 28.
    Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 95–109 (2012)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2020

Authors and Affiliations

  • Giuseppina Andresini
    • 1
    Email author
  • Annalisa Appice
    • 1
    • 2
  • Donato Malerba
    • 1
    • 2
  1. 1.Dipartimento di InformaticaUniversità degli Studi di Bari Aldo Moro via OrabonaBariItaly
  2. 2.Consorzio Interuniversitario Nazionale per l’Informatica - CINIRomeItaly

Personalised recommendations