Android malware detection based on system call sequences and LSTM

Bibliographic Details
Published in Multimedia tools and applications Vol. 78; no. 4; pp. 3979 - 3999
Main Authors Xiao, Xi; Zhang, Shaofeng; Mercaldo, Francesco; Hu, Guangwu; Sangaiah, Arun Kumar
Format Journal Article
Language English
Published New York Springer US 01.02.2019
Springer Nature B.V
Summary: As Android-based mobile devices become increasingly popular, malware detection on Android is very crucial nowadays. In this paper, a novel detection method based on deep learning is proposed to distinguish malware from trusted applications. Considering there is some semantic information in system call sequences as the natural language, we treat one system call sequence as a sentence in the language and construct a classifier based on the Long Short-Term Memory (LSTM) language model. In the classifier, at first two LSTM models are trained respectively by the system call sequences from malware and those from benign applications. Then according to these models, two similarity scores are computed. Finally, the classifier determines whether the application under analysis is malicious or trusted by the greater score. Thorough experiments show that our approach can achieve high efficiency and reach high recall of 96.6% with low false positive rate of 9.3%, which is better than the other methods.
ISSN: 1380-7501, 1573-7721
DOI: 10.1007/s11042-017-5104-0