Android Malware Detection via (Somewhat) Robust Irreversible Feature Transformations


Bibliographic Details
Published in: IEEE Transactions on Information Forensics and Security, Vol. 15, pp. 3511-3525
Main Authors: Han, Qian; Subrahmanian, V. S.; Xiong, Yanhai
Format: Journal Article
Language: English
Published: New York, IEEE, 2020
Publisher: The Institute of Electrical and Electronics Engineers, Inc. (IEEE)

Summary: As the most widely used OS on earth, Android is heavily targeted by malicious hackers. Though much work has been done on detecting Android malware, attackers are becoming increasingly adept at evading ML classifiers. We develop FARM, a Feature transformation based AndRoid Malware detector. FARM takes well-known features for Android malware detection and introduces three new types of feature transformations that map these features irreversibly into a new feature domain. We first test FARM on 6 Android classification problems that separate goodware and "other malware" from 3 classes of malware: rooting malware, spyware, and banking trojans. We show that FARM beats standard baselines when no attacks occur. Though we cannot anticipate every attack an adversary might use, we propose three realistic attacks on FARM and show that FARM is very robust to these attacks in all classification problems. Additionally, FARM automatically identified two malware samples that none of the 61 anti-virus engines on VirusTotal had previously classified as rooting malware. These samples were reported to Google's Android Security Team, who subsequently confirmed our findings.
ISSN: 1556-6013, 1556-6021
DOI: 10.1109/TIFS.2020.2975932