Android Malware Detection via (Somewhat) Robust Irreversible Feature Transformations

2020 (modified: 02 Nov 2022), IEEE Trans. Inf. Forensics Secur. 2020
Abstract: As the most widely used OS on earth, Android is heavily targeted by malicious hackers. Though much work has been done on detecting Android malware, hackers are becoming increasingly adept at evading ML classifiers. We develop FARM, a Feature transformation based AndRoid Malware detector. FARM takes well-known features for Android malware detection and introduces three new types of feature transformations that transform these features irreversibly into a new feature domain. We first test FARM on 6 Android classification problems separating goodware and "other malware" from 3 classes of malware: rooting malware, spyware, and banking trojans. We show that FARM beats standard baselines when no attacks occur.

Though we cannot guess all possible attacks that an adversary might use, we propose three realistic attacks on FARM and show that FARM is very robust to these attacks in all classification problems. Additionally, FARM has automatically identified two malware samples which were not previously classified as rooting malware by any of the 61 anti-viruses on VirusTotal. These samples were reported to Google's Android Security Team, who subsequently confirmed our findings.