MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models (1612.04433v3)

Abstract: The rise in popularity of the Android platform has resulted in an explosion of malware threats targeting it. As both Android malware and the operating system itself constantly evolve, it is very challenging to design robust malware mitigation techniques that can operate for long periods of time without the need for modifications or costly re-training. In this paper, we present MaMaDroid, an Android malware detection system that relies on app behavior. MaMaDroid builds a behavioral model, in the form of a Markov chain, from the sequence of abstracted API calls performed by an app, and uses it to extract features and perform classification. By abstracting calls to their packages or families, MaMaDroid maintains resilience to API changes and keeps the feature set size manageable. We evaluate its accuracy on a dataset of 8.5K benign and 35.5K malicious apps collected over a period of six years, showing that it not only effectively detects malware (with up to 99% F-measure), but also that the model built by the system keeps its detection capabilities for long periods of time (on average, 86% and 75% F-measure, respectively, one and two years after training). Finally, we compare against DroidAPIMiner, a state-of-the-art system that relies on the frequency of API calls performed by apps, showing that MaMaDroid significantly outperforms it.

• The paper introduces a novel approach using Markov chains of API calls to accurately classify Android apps as benign or malicious.
• It demonstrates outstanding robustness with up to 99% F-measure and effective performance maintained over multiple years without frequent retraining.
• Key experiments confirm its efficiency, making it suitable for practical app store screening and scalable malware detection implementations.

Evaluation of MAMADROID for Android Malware Detection

The research labeled MAMADROID introduces an innovative methodology for detecting malware on Android platforms by building Markov chains of behavioral models abstracted at the level of API calls. Through a series of detailed experiments, the research establishes that MAMADROID demonstrates high efficacy in accurately classifying Android applications as benign or malicious, maintaining robust performance over time without requiring frequent retraining.

Key Aspects of MAMADROID Methodology

The approach employed by MAMADROID centers around modeling the API call sequences of applications using Markov chains, wherein each call is abstracted either to its package name or its family. By using this abstraction, the system encapsulates the general behavior intrinsic to the application, allowing it to be resilient to API changes due to the progressive evolution of the Android framework as well as the code evolution tactics employed by malware authors.

1. Markov Chains and Abstraction Levels: The use of Markov chains establishes a structured model that captures state transitions associated with API calls. The abstraction can be implemented at two levels – 'family' or 'package', each offering a trade-off between granularity and system overhead. This abstraction significantly mitigates the risk posed by deprecated API calls and evolving malware patterns that tend to leverage newer API features not captured by systems reliant on specific API call frequencies.
2. Comparison With Prior Work: Compared to state-of-the-art detection systems such as DROIDAPIMINER, MAMADROID illustrates superior accuracy. For instance, over a dataset of 44,000 apps, MAMADROID achieved an F-measure of up to 99%, outperforming DROIDAPIMINER, especially as test and training datasets diverge over years. This demonstrates the robustness of the abstracted Markov chain model in adapting to newer malware without necessitating frequent re-calibration of models.
3. Temporal Analysis: The experimental design includes the investigation of MAMADROID's detection capabilities when trained on datasets several years apart from those used during testing. The system maintained an F-measure of 87% one year post-training and 73% two years post-training, indicative of significant resilience to the temporal evolution in malware characteristics and distribution, a feat largely unmet by many traditional signature-based detection approaches.
4. Efficiency: The system exhibits scalable runtime performance, asserting feasibility in deployment scenarios such as app store vetting processes. The reported processing time averages under 34 seconds per benign app and 13 seconds per malicious app, from initial call graph extraction to classification. Such efficiency is crucial for practical deployment where processing overhead is often a critical constraint.

Implications and Future Work

The MAMADROID approach significantly contributes to the field with its ability to abstractly model app behaviors for malware detection. This effectiveness, documented over a large, longitudinal dataset, provides foundational improvements over existing methods that are susceptible to obsolescence with evolving app environments.

Practically, MAMADROID could enhance the effectiveness of app store screening processes, potentially mitigating the risk of malware dissemination via legitimate platforms. Theoretically, this work prompts consideration of further refinement in model granularity and the incorporation of dynamic analysis components to pre-empt sophisticated evasion techniques like behavioral mimicry.

Future advancements might pivot towards hybrid systems merging the strengths of static and dynamic analysis, enhancing detection accuracy and further reducing false positives. Continued research might also focus on optimizing feature extraction processes and integrating real-time feedback loops for constant system improvement. MAMADROID thereby sets a new precedent in abstracting and modeling behavioral patterns, positioning itself as a pivotal advancement in Android malware detection technologies.