DroidChain: A novel Android malware detection method based on behavior chains

详细信息    查看全文

• 作者：Zhaoguo Wang^a ; ^{wangzhaoguo@tsinghua.edu.cn" class="auth_mail" title="E-mail the corresponding author} ; Chenglong Li^b ; ^{lichenglong@cert.org.cn" class="auth_mail" title="E-mail the corresponding author} ; Zhenlong Yuan^c ; ^{yuanzl11@mails.tsinghua.edu.cn" class="auth_mail" title="E-mail the corresponding author} ; Yi Guan^a ; ^{guanyi@hit.edu.cn" class="auth_mail" title="E-mail the corresponding author} ; Yibo Xue^d ; ^{yiboxue@tsinghua.edu.cn" class="auth_mail" title="E-mail the corresponding author}
• 关键词：Android malware ; Behavior chain ; Privacy leakage ; SMS financial charge ; Malware installation ; Privilege escalation
• 刊名：Pervasive and Mobile Computing
• 出版年：2016
• 出版时间：October 2016
• 年：2016
• 卷：32
• 期：Complete
• 页码：3-14
• 全文大小：1604 K

文摘

The drastic increase of Android malware has led to strong interest in automating malware analysis. In this paper, to fight against malware variants and zero-day malware, we proposed DroidChain: a method combining static analysis and a behavior chain model. We transform the malware detection problem into more accessible matrix form. Using this method, we propose four kinds of malware models, including privacy leakage, SMS financial charges, malware installation, and privilege escalation. To reduce time complexity, we propose the WxShall-extend algorithm. We had moved the prototype to GitHub and evaluate using 1260 malware samples. Experimental malware detection results demonstrate accuracy, precision, and recall of 73%–93%, 71%–99%, and 42%–92%, respectively. Calculation time accounts for 6.58% of the well-known Warshall algorithm’s expense. Results demonstrate that our method, which can detect four kinds of malware simultaneously, is better than Androguard and Kirin.