
IntelliAV: Toward the Feasibility of Building Intelligent Anti-Malware on Android Devices


Android is targeted the most by malware coders as the number of Android users is increasing. Although there are many Android anti-malware solutions available in the market, almost all of them are based on malware signatures, and more advanced solutions based on machine learning techniques are not deemed to be practical for the limited computational resources of mobile devices. In this paper, we aim to show not only that the computational resources of consumer mobile devices allow deploying an efficient anti-malware solution based on machine learning techniques, but also that such a tool provides an effective defense against novel malware, for which signatures are not yet available. To this end, we first propose the extraction of a set of lightweight yet effective features from Android applications. Then, we embed these features in a vector space and use a pre-trained machine learning model on the device for detecting malicious applications. We show that without resorting to any signatures and relying only on a training phase involving a reasonable set of samples, the proposed system outperforms many commercial anti-malware products, as well as providing slightly better performances than the most effective commercial products.

Published in: Software

IntelliAV: Toward the Feasibility of Building Intelligent Anti-Malware on Android Devices

  1. Pattern Recognition and Applications Lab. IntelliAV: Toward the Feasibility of Building Intelligent Anti-Malware on Android Devices. Mansour Ahmadi, Post-Doctoral Researcher, University of Cagliari, Italy. With: Angelo Sotgiu, Giorgio Giacinto (University of Cagliari, Italy). CD-MAKE’17, 31st August. Mansour Ahmadi (pralab.diee.unica.it), IntelliAV: Android Malware Detection, CD-MAKE’17, 31st August, 1 / 16
  2. Prerequisite
     - Android: if you haven’t heard about Android, you probably live under a rock
     - Malware: short for malicious software
     - Classification: a machine learning task for prediction
  3. Problem
     - Android malware: people need to protect their device from Android malware
     - Reaction of some people: What? Are you joking? Is there malware for Android?
     - Our reply: new Android malware is found every 10 seconds
  4. This work
     - IntelliAV: identify whether an Android application is goodware or malware; the detection is performed by machine learning, on-device
     - Reaction of some people: What? There are hundreds of papers on this topic. Are you joking? Do you mean yet another paper?
     - Our reply: Yes & no
  5. Related works (based on Machine Learning)
     Year | Method        | On-Device / Available (only the "−" marks survived extraction; positive marks are missing) | Detection Feature
     2014 | DroidAPIMiner | − −  | API, PKG, PAR
     2014 | DroidMiner    | − −  | CG, API SEQ
     2014 | Drebin        | −    | PER, STR, API, INT
     2014 | DroidSIFT     | − −  | API Flow
     2015 | AppAudit      | −    | API Flow
     2015 | MudFlow       | −    | API Flow
     2017 | MaMaDroid     | −    | CG, API SEQ
     2017 | DroidSieve    | − −  | API, PER, INT, PKG, STR, STAT
     2017 | Qualcomm      | −    | Not Available
     Ours | IntelliAV     |      | PER, INT, API, STAT
     Table: The systems that are mostly based on API, API-F, and API SEQ would fail against reflection. IntelliAV is the only on-device system that is available in the market.
  6. Why an on-device, learning-based system?
     Why on-device?
     1. Google Play store is not totally free of malware.
     2. Third-party app stores are popular among mobile users.
     3. Malware might be added to Android devices during the supply chain.
     4. Droppers can simply evade offline detection systems.
     Why machine learning?
     1. Detecting zero-day malware.
     2. Almost all major AVs still do not use machine learning.
     3. Being robust against simple evasion techniques.
  7. Overview of IntelliAV
  8. Feature Extraction
     - Features rely on our previous works
     - 3955 features from permissions, intents, statistical features, and APIs
     - To avoid over-fitting, select the top 1000 meaningful features
  9. Model Construction
     Classifier
     - Algorithm: Random Forest
     - Library: TensorFlow (multi-platform)
     - Trained on 9,664 malicious and 10,058 benign applications
     Testing on-device
     - The model can be transferred to the mobile device
     - Size of the model is 3.3 MB
     - No root permission is needed to read APKs
     - Each application is given a probability P (between 0 and 1)
     - Safe (P from 0 to 0.4), Suspicious (P from 0.4 to 0.6), Risky (P from 0.6 to 1)
  10. Capabilities of IntelliAV
     - Scan installed applications
     - Scan a single APK
  11. Evaluation: detecting new malware
     Results
     - Testing on 2,311 malware samples first seen in 2017
     - 72% detection rate
     - 7.5% false positives on 2,898 benign applications
  12. Independent test by a 3rd party
     Results
     - Test on 500 common and recent Android malware samples from 2017
     - IntelliAV achieved a 96% detection rate
  13. Detecting Droppers on Device
     - Droppers do not carry out any malicious activities by themselves
     - Offline analysis systems would fail to detect the dropped
  14. IntelliAV Overhead
     - API extraction is the slowest part
     - AirBnB has 15 DEX files (this makes the feature extraction process slow)
  15. Summary
     1. First practical intelligent AV for Android (available with details)
     2. Careful selection of a set of lightweight features
     3. A robust classification model and a representative set of training samples
     4. IntelliAV can help the end user by providing easy protection on the device
     5. IntelliAV allows researchers to better explore the idea of having intelligent security systems on mobile devices
  16. Give it a try
     Follow us: Http://www.IntelliAV.com
     Twitter, Facebook: @IntelliAV
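The pipeline of slides 12 and 13 (lightweight manifest features, embedding into a fixed vector space, banding the model's probability into Safe/Suspicious/Risky) as an added Python example; this is not IntelliAV's own code. The feature vocabulary, the sample manifest and the treatment of the 0.4/0.6 cut points as lower-inclusive are assumptions, and the model score is taken as an input rather than computed by a random forest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"  # prefix of android: attrs

# Constructed vocabulary standing in for the 1000 selected features; anything an
# app declares that is not listed here is dropped at embedding time.
FEATURE_INDEX = {
    "perm:android.permission.INTERNET": 0,
    "perm:android.permission.SEND_SMS": 1,
    "perm:android.permission.RECEIVE_BOOT_COMPLETED": 2,
    "intent:android.intent.action.BOOT_COMPLETED": 3,
    "stat:num_permissions": 4,
    "stat:num_receivers": 5,
}

def extract_features(manifest_xml):
    # Permission, intent-action and statistical features from a decoded manifest.
    root = ET.fromstring(manifest_xml)
    perms = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    feats = {"perm:" + p: 1 for p in perms}
    for action in root.iter("action"):
        feats["intent:" + action.get(ANDROID_NS + "name")] = 1
    feats["stat:num_permissions"] = len(perms)
    feats["stat:num_receivers"] = sum(1 for _ in root.iter("receiver"))
    return feats

def embed(feats):
    # Map the feature dict onto the fixed vector space the trained model expects.
    vec = [0] * len(FEATURE_INDEX)
    for name, value in feats.items():
        if name in FEATURE_INDEX:
            vec[FEATURE_INDEX[name]] = value
    return vec

def risk_band(p):
    # Slide 13's bands; taking the cut points as lower-inclusive is an assumption.
    if not 0.0 <= p <= 1.0:
        raise ValueError("model score must be a probability in [0, 1]")
    return "Safe" if p < 0.4 else "Suspicious" if p < 0.6 else "Risky"

# Constructed manifest of a boot-persistent, SMS-capable app (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application><activity android:name=".Main"><intent-filter>
    <action android:name="android.intent.action.MAIN"/></intent-filter></activity>
  <receiver android:name=".Boot"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
  </application></manifest>"""
```

The ACCESS_NETWORK_STATE permission and the MAIN action are extracted but fall outside the vocabulary, so they vanish from the vector, which is what a fixed 1000-feature model does with features it was not trained on.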
