What does the memory say? Towards the most indicative features for efficient malware detection

Bibliographic Details
Published in: 2016 13th IEEE Annual Consumer Communications & Networking Conference (CCNC), pp. 759-764
Main Authors: Milosevic, Jelena; Ferrante, Alberto; Malek, Miroslaw
Format: Conference Proceeding / Journal Article
Language: English
Published: IEEE, 01.01.2016
Summary: Malware detection methods are divided into two groups: static and dynamic. Methods based on static analysis can be lightweight and suited to the constrained resources of mobile devices, but they cannot detect malware during its execution. Dynamic detection methods, on the other hand, are usually too complex to run on mobile devices. This paper is about dynamic but lightweight detection methods and, in particular, about the features such methods can use to identify malware. We take into account all the features related to memory and CPU usage that can be collected and observed on the mobile device through its operating system. We analyze these features and their significance within the malware families they belong to, and take into account the most indicative ones for each family. Furthermore, we analyze the occurrence of features across all the families. By taking into account the most indicative features per malware family, we determine those that are more resistant to the variety of mobile malware, rather than just observing the overall significance of features. The results show that the number of occurrences of features among the most indicative ones varies: some features are good candidates for malware detection in general, some are good candidates for detecting specific malware families, and others are simply irrelevant.
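The selection procedure the summary describes (score each memory/CPU feature within each malware family against benign behaviour, keep the most indicative features per family, then count how often each feature appears among those per-family sets) can be made concrete in code. The following Python is an added example written for this page; it is not the paper's own code, data or scoring function. The six feature names, the readings, the choice of k = 2, and the significance score (a standardized mean difference between a family's samples and benign samples) are all assumptions constructed for illustration, since the page does not state which metric the authors used.

```python
"""Per-family feature ranking and cross-family occurrence counting.

Added example for the methodology summarised above; not the paper's code.
Assumptions (not from the paper): the six feature names, the constructed
readings below, k = 2, and the significance score, taken here to be the
standardized mean difference between a family's samples and benign ones.
"""
from collections import Counter
from math import sqrt
from statistics import mean, pstdev

# Assumed feature names: per-process memory/CPU counters an OS exposes.
FEATURES = ["mem_rss_kb", "mem_vsz_kb", "cpu_user_pct", "cpu_sys_pct",
            "ctx_switches", "page_faults"]

# Constructed observation windows (one row each); values are illustrative.
BENIGN = [
    [42000, 180000, 5.0, 2.0, 120, 300],
    [45000, 185000, 6.0, 2.5, 130, 320],
    [41000, 178000, 4.5, 1.8, 110, 290],
    [44000, 182000, 5.5, 2.2, 125, 310],
]
FAMILIES = {
    # famA (constructed): CPU-bound with many context switches
    "famA": [
        [43000, 181000, 60.0, 20.0, 900, 310],
        [44000, 183000, 65.0, 22.0, 950, 300],
        [42000, 180000, 58.0, 19.0, 880, 320],
    ],
    # famB (constructed): resident-memory growth plus moderate CPU
    "famB": [
        [160000, 182000, 30.0, 2.0, 125, 400],
        [170000, 186000, 32.0, 2.3, 120, 420],
        [165000, 180000, 28.0, 2.1, 130, 390],
    ],
    # famC (constructed): page-fault heavy plus CPU
    "famC": [
        [43000, 182000, 40.0, 3.0, 130, 4000],
        [44000, 181000, 42.0, 2.5, 125, 4200],
        [42000, 183000, 38.0, 2.8, 120, 3900],
    ],
}


def standardized_mean_difference(a, b):
    """Assumed significance score: |mean(a) - mean(b)| / pooled std.

    A feature that is constant in both groups gets 0.0 when the means agree
    and +inf when they differ (a perfect separator), so it never crashes.
    """
    pooled = sqrt((pstdev(a) ** 2 + pstdev(b) ** 2) / 2)
    diff = abs(mean(a) - mean(b))
    if pooled == 0.0:
        return float("inf") if diff else 0.0
    return diff / pooled


def column(rows, i):
    return [r[i] for r in rows]


def feature_scores(family_rows, benign_rows):
    """Score every feature for one family against the benign samples."""
    return {f: standardized_mean_difference(column(family_rows, i),
                                            column(benign_rows, i))
            for i, f in enumerate(FEATURES)}


def top_features(scores, k):
    """The k most indicative features, ties broken by name for determinism."""
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f for f, _ in ranked[:k]]


def indicative_per_family(families, benign, k=2):
    return {fam: top_features(feature_scores(rows, benign), k)
            for fam, rows in families.items()}


def occurrence(per_family):
    """How many families list each feature among their top-k."""
    counts = Counter(f for tops in per_family.values() for f in tops)
    return {f: counts.get(f, 0) for f in FEATURES}


def categorise(per_family):
    """Split features into the three groups the summary names."""
    n = len(per_family)
    counts = occurrence(per_family)
    general = sorted(f for f, c in counts.items() if c == n)
    specific = {f: sorted(fam for fam, tops in per_family.items() if f in tops)
                for f, c in counts.items() if 0 < c < n}
    irrelevant = sorted(f for f, c in counts.items() if c == 0)
    return {"general": general, "family_specific": specific,
            "irrelevant": irrelevant}


if __name__ == "__main__":
    per_fam = indicative_per_family(FAMILIES, BENIGN, k=2)
    for fam, tops in per_fam.items():
        print(fam, tops)
    print(categorise(per_fam))
```

With these constructed readings, cpu_user_pct ranks in every family's top two (a general candidate), ctx_switches, mem_rss_kb and page_faults each rank only in one family (family-specific candidates), and mem_vsz_kb and cpu_sys_pct never rank (irrelevant). Counting occurrences across families, rather than pooling all malware and ranking once, is what exposes that split.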
ISSN: 2331-9860
DOI: 10.1109/CCNC.2016.7444874