
Mobile malware anomaly-based detection systems using static analysis features / Ahmad Firdaus Zainal Abidin


Abstract

Presently, the rising demand for Android gadgets motivates unscrupulous authors to develop malware that compromises mobile devices for malicious and private purposes. The categories of mobile malware are root exploit, botnet, and Trojan. Consequently, in order to classify an application as either malware or benign, security practitioners conduct two types of analysis, namely dynamic and static. Dynamic analysis classifies an application as malware by executing it and monitoring its behavior. However, it demands high computing resources and monitors only for a limited range of time. On the other hand, static analysis reverse-engineers an application and examines the overall code thoroughly, and is therefore capable of examining the whole structure of the application. Furthermore, static analysis consumes few resources (for instance, CPU, memory, storage) and less processing time. As static analysis concentrates on the code, security practitioners face the challenge of selecting the best features among its thousands of lines. Although several features have been suggested, many more remain available to be explored. Furthermore, less attention has been given to root exploit features specifically. Root exploit is one of the critical malware types: it compromises the operating system kernel to obtain root privileges. Once attackers obtain these privileges, they are able to bypass security mechanisms and install other types of malware on the device. Moreover, in order to achieve efficient malware prediction in machine learning, a minimal number of features is needed to enhance accuracy with less data, less processing time, and reduced model complexity.
Therefore, to achieve the aim of finding the best and minimal features to detect malware with root exploit, this study adopts bio-inspired Genetic Search (GS), conveys the range of repeated features in similar applications, and investigates root exploit to obtain the best features for predicting unknown malware using machine learning. The feature categories involved in all these experiments are permission, directory path, code-based, system command, and telephony. In detecting root exploit, the category involved is a novel set of features based on the Android Debug Bridge (ADB). Having obtained the best features from these experiments, this study applies them in machine learning to predict unknown malware. To demonstrate the results, the experiment evaluated six benchmarks (accuracy, True Positive Rate (TPR), False Positive Rate (FPR), recall, precision, and f-measure) to test prediction and performance. Based on the outstanding results collected, a website was established to validate the unique static features with a machine learning mechanism and to investigate their efficiency and practicality. Through the outcomes assembled, this research has verified that the unique static features are capable of predicting unknown malware, including root exploit. The contributions of this study are the investigation, selection, proposal, design, and evaluation of the best features for detecting malware by using static analysis.
