A behaviour-based analytical malware detection framework for android smartphones

The fast growth in the number of Android smartphone users and the lack of suitable malware detection techniques for these devices attract vicious minds to infect users with malicious software. The fact is that today, after more than seven years of initial Android release, there are still malwares spreading in official Android markets. It is necessary to mention that not only the number of users are being increased, the user’s data becoming more and more sensitive. Nowadays, a typical smartphone can contain contact information, private messages, location information, emails or even credit card numbers. Previous studies reported that the initial detection rate of a newly created Android virus is less than 5%, which indicate that the available products in the market are not really effective. Considering the sharp increase in number of mobile malwares and the ineffectiveness of current malware detection solutions, Android users are facing a great problem. In this research, we propose a behaviour-based analytical malware detection framework for Android smartphones (which in known as Nestor). This framework has three main models. The first model is in charge of keeping the primary dataset up to dated. Then the analyser model, M0Droid, utilises behaviour-based malware detection approach to obtain the behavioural factors and generate a signature for every application. This signature is generated based on the system call requests by application and then normalised with median and z-score for generating more accurate and effective signature. It then uses Spearman's rank correlation coefficient to identify similar malware signatures in a previously generated blacklist of malwares signature. The result of all these processing appears in a safe Android market that the end user can download Android application without worrying about malware infection. The outcome of the M0Droid accuracy measurement experiment against malware dataset indicates 60.16% positives malware detection, 39.43% false-positives and 0.4% false-negatives with choosing Spearman correlation coefficient rank of 0.90 as the threshold. This threshold is directly proportional to the false-negative rate while it is inversely proportional to positive and false-positive rates. Moreover, to compare our result with a similar model, we employed the same evaluation method as Crowdroid used to test M0Droid. The result represents an improvement in detection rate since Crowdroid were able to detect 97% of malwares while M0Droid detect all malwares in test environment. It is notable, that the novelty of this work and the most effective factors in obtaining these results are due to employing Linux Monkey for mimicking the user input, zscore for signature normalisation and Spearman's rank correlation coefficient for signatures comparison. We hope this research can be a stepping stone for improvement in Android malware detection techniques and development of safe Android markets which eventually increase the security of end-user devices.

Preview Text FSKTM 2014 24IR.pdf Download (1MB) | Preview

Actions (login required)

View Item