Академический Документы
Профессиональный Документы
Культура Документы
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2789219, IEEE
Transactions on Industrial Informatics
Abstract—The alarming growth rate of malicious apps has alone, over 3.25 million new malicious Android apps have
become a serious issue that sets back the prosperous mobile been uncovered. This roughly translates to an introduction of
ecosystem. A recent report indicates that a new malicious app a new malicious Android app every 10 seconds [4]. These
for Android is introduced every 10 seconds. To combat this
serious malware campaign, we need a scalable malware detection malicious apps are created to perform different types of attacks
approach that can effectively and efficiently identify malware in the form of trojans, worms, exploits, and viruses. Some
apps. Numerous malware detection tools have been developed, notorious malicious apps have more than 50 variants, which
including system-level and network-level approaches. However, makes it extremely challenging to detect them all [5].
scaling the detection for a large bundle of apps remains a To address these elevating security concerns, researchers
challenging task. In this paper, we introduce S IG PID, a malware
detection system based on permission usage analysis to cope and analysts have used various approaches to develop
with the rapid increase in the number of Android malware. Android malware detection tools [6]–[19]. For example,
Instead of extracting and analyzing all Android permissions, we R ISK R ANKER [6] utilizes static analysis to discover mali-
develop 3-levels of pruning by mining the permission data to cious behaviors in Android apps. However, static analysis
identify the most significant permissions that can be effective in approaches generally assume more behaviors are possible than
distinguishing between benign and malicious apps. S IG PID then
utilizes machine-learning based classification methods to classify actually would be, which may lead to a large number of false
different families of malware and benign apps. Our evaluation positives. To improve the analysis accuracy, researchers have
finds that only 22 permissions are significant. We then compare also proposed various dynamic analysis methods to capture
the performance of our approach, using only 22 permissions, real-time execution context. For example, TAINT D ROID [8]
against a baseline approach that analyzes all permissions. The dynamically tracks multiple sensitive data source simultane-
results indicate that when Support Vector Machine (SVM) is
used as the classifier, we can achieve over 90% of precision, ously using tainting analysis. However, dynamic analysis ap-
recall, accuracy, and F-measure, which are about the same as proaches, in general, need adequate input suites to sufficiently
those produced by the baseline approach while incurring the exercise execution paths. As we can use cloud computing to
analysis times that are 4 to 32 times less than those of using all satisfy those requirements, the privacy concerns then become
permissions. Compared against other state-of-the-art approaches, potential problem [20]–[22]. Petra et al. [23], [24] show that
S IG PID is more effective by detecting 93.62% of malware in the
data set, and 91.4% unknown/new malware samples. there is another broad range of anti-analysis techniques can be
employed by advanced malware to successfully evade dynamic
analysis based malware detection.
I. I NTRODUCTION Recently, more efforts have been spent on analyzing apps’
Android is currently the most used smart-mobile device behavioral data both in the Android system and other online
platform in the world, occupying 85% of market share [1]. data process system [25]–[27]. The apps’ requested permis-
As of now, there are nearly 3 million apps available for sions have been used to enforce least-privilege, which to some
downloading from Google Play, and more than 65 billion extent indicate the apps’ functionalities as well as runtime
downloads to date [2]. Unfortunately, the popularity of An- behaviors. As a result, researchers use machine learning and
droid also spurs interests from cyber-criminals who create data mining techniques to detect Android malware based on
malicious apps that can steal sensitive information and com- permission usage. For example, DREBIN [9] combines static
promise mobile systems. Unlike other competing smart-mobile analysis and machine learning techniques to detect Android
device platforms, such as iOS, Android allows users to install malware. The experimental result shows that DREBIN can
applications from unverified sources such as third party app achieve high detection accuracy by incorporating as many
stores and file sharing websites. The malware infection issue features as possible to aid detection. However, using more fea-
has been so serious that a recent report indicates that 97% tures leads to increased modeling complexity, which increases
of all mobile malware target Android devices [3]. In 2016 the computational overhead of their system. Considering the
large amount of new malicious apps, we need a detection
∗∗ Corresponding author: yan@unl.edu system that can operate efficiently to identify these apps.
1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2789219, IEEE
Transactions on Industrial Informatics
Google also identifies 24 permissions out of the total of more favorably with those achieved by an approach that uses
than 300 permissions as “dangerous” [28]. At first glance, the all 135 permissions as well as just the dangerous permis-
list of dangerous permissions can be used as a guideline to sion list. Compare with other state-of-the-art malware
help identify malicious applications. Yet, as will be shown in detection approaches, we find that S IG PID is more
this paper, using just this list to identify malware still yields effective by detecting 93.62% of malicious apps in the
suboptimal detection effectiveness. data set and 91.4% unknown malware.
In this paper, we present S IG PID, an approach that extracts 3) To show that the approach can work generically with a
significant permissions from apps, and uses the extracted wide range of supervised learning algorithms, we apply
information to effectively detect malware using supervised S IG PID with 67 commonly used supervised learning
learning algorithms. The design objective of S IG PID is to algorithms and a much larger dataset (5,494 malicious
detect malware efficiently and accurately. As stated earlier, and 310,926 benign apps). We find that 55 out of 67
the number of newly introduced malware is growing at an algorithms can achieve F-measure of at least 85%, while
alarming rate. As such, being able to detect malware efficiently the average running time can be reduced by 85.6%
would allow analysts to be more productive in identifying compared with the baseline approach.
and analyzing them. Our approach analyzes permissions and The rest of this paper is organized as follows. Section II il-
then identifies only the ones that are significant in distin- lustrates the design details of the proposed S IG PID. Section III
guishing between malicious and benign apps. Specifically, reports the results of our empirical evaluations. Section IV
we propose a multi-level data pruning approach including compares our work to other related work. The last section
permission ranking with negative rate, permission mining with concludes this paper.
association rules and support based permission ranking to
extract significant permissions strategically. Then, machine- II. I NTRODUCING S IG PID
learning based classification algorithms are used to classify The goal of Significant Permission IDentification (S IG PID)
different types of malware and benign apps. system is to achieve high malware detection accuracy and
The results of our empirical evaluation show that S IG PID efficiency while analyzing the minimal number of permissions.
can drastically reduce the number of permissions that we To achieve this goal, our system extracts permission uses
need to analyze to just 22 out of 135 (84% reduction), while from application packages, but instead of focusing on all the
maintaining over 90% malware detection accuracy and F- requested permissions, S IG PID mainly focuses on permissions
measure when Support Vector Machine (SVM) is used as that can reliably improve the malware detection rate. This
the classifier. We also find that the number of significant approach, in effect, eliminates the need to analyze permissions
permissions identified by our approach (22) is lower than that have little or no significant influence on malware detection
the number of “dangerous” permissions identified by Google effectiveness. In a nutshell, S IG PID prunes permissions that
(24). Moreover, only 8 permissions jointly appear on our list have low impacts on detection effectiveness using multi-level
and their list. This is because, as a data-driven approach, data pruning to reduce analysis efforts. Our system consists
S IG PID dynamically determines significant permissions based of three major components, designed based on real-time data
on actual usage by the applications instead of statically defin- analysis: (i) permission ranking with negative rate; (ii) support
ing dangerous permissions based on their intended services. based permission ranking; and (iii) permission mining with
This fundamental difference allows our approach to detect association rules. After pruning, S IG PID employs supervised
more malware than the approach that uses the dangerous list machine learning classification methods to identify potential
alone. To show the generality of this approach, we also test Android malware. Finally, S IG PID reports malware detection
S IG PID with 67 commonly used supervised algorithms and summary to the analysts. The complete system architecture
find that it maintains very high accuracy with all these algo- of SigPID is shown in Figure 1. We then describe the key
rithms. Furthermore, we compare the accuracy and running- components in the remainder of this section.
time performance of our approach against two state-of-the-
art approaches, DREBIN [9], P ERMISSION -I NDUCED R ISK A. Multi-Level Data Pruning (MLDP)
M ALWARE D ETECTION [29], and existing virus scanners. The first component of S IG PID is the multi-level data
Again, we find that our approach can detect more malware pruning process to identify significant permissions to eliminate
samples than the other approaches with significantly less the need of considering all available permissions in Android.
overhead. No app requests all the permissions, and the ones that an
In summary, our paper makes the following contributions: app requests are listed in the Android application package
1) We develop S IG PID, an approach that identifies an (APK) as part of manifest.xml. When we need to analyze a
essential subset of permissions (significant permissions) large number of apps (e.g., several hundred thousand), the
that can be used to effectively identify Android malware. total number of permissions requested by all apps can be
By using our technique, the number of permissions that overwhelmingly large, resulting in long analysis time. This
needs to be analyzed is reduced by 84%. high analysis overhead can negatively affect the malware
2) We evaluate the effectiveness of our approach using only detection efficiency as it reduces analyst productivity.
a fifth of the total number of permissions in Android. We propose three levels of data pruning methods to filter
We find that SigPID can achieve over 90% in precision, out permissions that contribute little to the malware detec-
recall, accuracy, and F-measure. These results compare tion effectiveness. Thus, they can be safely removed without
1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2789219, IEEE
Transactions on Industrial Informatics
permission matrix
benign apps (an app constructs a vector)
1 5 7
3
Decision Tree
negatively affecting malware detection accuracy. The complete differentiate between malware and benign apps. In essence,
three-step procedure is illustrated in Figure 2. We then describe risky permissions only focus on the permissions which can
each level in the pruning process. help detect the malware, while significant permissions not only
1) Permission Ranking with Negative Rate (PRNR): Each care about the identification of the malware, but also take into
permission describes a particular operation that an app is account whether benign apps can be identified or not.
allowed to perform. For instance, permission INTERNET Our approach, referred to as Permission Ranking with
indicates whether the app has access to the Internet. Different Negative Rate or PRNR, provides a concise ranking and
types of benign apps and malicious apps may request a variety comprehensible result. The approach operates on two matrices,
of permissions corresponding to their operational needs. For M and B. M represents a list of permissions used by malware
malicious apps, we hypothesize that their needs may have samples and B represents a list of permissions used by
common subsets [9] [29], and we do not need to analyze all the benign apps. Mij represents whether the j th permission is
permissions to build an effective malware detection system. requested by the ith malware sample, while ‘1’ indicates yes,
‘0’ indicates no. Bij represents whether the j th permission is
As a result, on one hand, our focus is more on the
requested by the ith benign app sample.
permissions that create high risk attack surfaces and are Before computing the support of permissions from matrices
frequently requested by malware samples. On the other hand, M and B, we first check their sizes. Typically, the number of
the permissions that are rarely requested by malware samples benign apps (310,926 in this paper) tends to be much larger
are also good indicators in differentiating between malicious than the number of malicious apps (5,494 samples in this
and benign apps. Therefore, Our pruning procedure identifies paper); therefore, the size of B is much larger than the size
both types of highly differentiable permissions so that we can of M . With our ranking scheme, we prefer the data set on the
use this information to classify malicious and benign apps. two matrices to be balanced. Training over imbalanced dataset
At the same time, we exclude permissions that are commonly can lead to skewed models [30]. To balance the two matrices,
used by both benign and malicious apps, as they introduce we use Equation 1 to calculate the support of each permission
ambiguity in the malware detection process. For instance, in the larger dataset and then proportionally scales down the
permission INTERNET are frequently requested by both mal- corresponding support to match that of the smaller dataset. In
ware and benign apps, as almost all apps will request to case that the number of rows of B is bigger than that of M ,
access the Internet. Therefore, our approach prunes permission we have: P
INTERNET. Bij
To identify these two types of significant permissions, we SB (Pj ) = i ∗ size(Mj ), (1)
size(Bj )
design a permission ranking scheme to rank permissions based
on how they are used by malicious and benign apps. Ranking where Pj denotes the j th permission, and SB (Pj ) represents
is not a new concept. Prior works have also used generic the support of j th permission in matrix B. PRNR can then
permission ranking strategy such as mutual information to be implemented using Equation 2:
identify high risk permissions [29]. However, their approaches P
Mij − SB (Pj )
tend to only focus on high-risk permissions, and ignore all the i
low-risk permissions, which are defined as significant permis- R(Pj ) = P (2)
Mij + SB (Pj )
sions in our approach. The reason that prior works ignoring i
low-risk permissions is that they are interested in identifying The PRNR algorithm is used to perform ranking of our
the permissions abused by malware, while our goal is to datasets. In the formula above, R(Pj ) represents the rate of j th
1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2789219, IEEE
Transactions on Industrial Informatics
1 2
Permission Ranking with Negative Rate Support Based Permission Ranking Permission Mining with Association Rules
permission. The result of R(Pj ) has a value ranging between remove non-influential permissions even more. By inspecting
[-1, 1]. If R(Pj ) = 1, this means that permission Pj is only the reduced permission list that contains 25 significant permis-
used in malicious dataset, which is a high risk permission. sions, we find three pairs of permissions that always appear
If R(Pj ) = -1, this means that permission Pj is only used in together in an app. For example, permission WRITE SMS and
benign dataset which is a low risk permission. If R(Pj ) = 0, permission READ SMS are always used together. They also
this means that Pj has very little impact on malware detection both belong to the Google’s “dangerous” permission list. Yet,
effectiveness. Since both -1 and 1 are important, we build two it is unnecessary to consider both permissions, as one of them
ranked lists: one list is generated in an ascending order based is sufficient to characterize certain behaviors. As a result, we
on the value of R(Pj ), and the other list is generated in a can associate one, which has a higher support, to its partner.
descending order. In this example, we can remove permission WRITE SMS. In
Next, we design a novel Permission Incremental System order to find permissions that occur together, we propose a
(PIS) to include permissions based on the order in the two permission mining with association rules (PMAR) mechanism
lists. For example, we choose the top permission in the benign using association rule mining algorithm [31].
list and the top permission in the malicious list as our input Association rule mining has been used for discovering
features to build malware detection system. We then evaluate meaningful relations between variables in large databases. For
malware detection using the following metrics: true positive instance, if event A and B always co-occur, it is highly likely
TPR that these two events are associated. In this paper, we only
rate (TPR), false positive rate (FPR), precision(P = TPR+FPR ),
TPR 2P*R consider rules with high confidence, so that applying PMAR
recall (R = TPR+FNR ), accuracy, and F-measure( P+R ). Then,
we choose the top three permissions in both lists to build will only produce a small number of rules. We employ Apriori,
malware detection system. We repeat the process again while a commonly used association mining algorithm, to generate
increasing the number of top permissions to use for malware the association rules. Apriori [31] uses a breadth-first search
detection until the detection metrics plateau. The main goal strategy to count the support of itemsets and uses a candidate
is to find the smallest number of permissions that yields generation process, which exploits the downward closure
a very similar malware detection effectiveness as that of property of the support. Here, we only want to generate the
using the entire data set. Within our evaluation dataset with association rules with high confidence even if the permissions
5, 494 benign apps from 310, 926, the total number of distinct have small support values.
permissions requested by all the apps is 135. After applying In the end, we identify 3 association rules based on our
PRNR, we find that using 95 permissions performs nearly as permission dataset, corresponding to three pairs of associated
well as using the complete 135 permissions. Detailed results permissions, when we set 96.5% minimum confidence and
of our evaluation is provided in Section III. 10% minimum support. Finally, we are able to remove three
2) Support Based Permission Ranking (SPR): To further additional permissions, leaving 22 permissions that we con-
reduce the number of permissions, we turn our focus to the sider as significant.
support of each permission. Typically, if the support of a per-
mission is too low, it does not have much impact on malware B. Machine-Learning based Malware Detection using Signif-
detection performance. For instance, we find the permission icant Permissions
BIND TEXT SERVICE only in benign apps. As a result, we We first use SVM and a small dataset to test our proposed
may consider that any app that uses BIND TEXT SERVICE MLDP model. SVM determines a hyperplane that separates
is benign. However, this permissions is in fact only used both classes with a maximal margin based on the training
by one app out of over 310,926 benign apps. Consequently, dataset that includes benign and malicious applications. In this
only relying on the ranked rate provided by PRNR might case, one class is associated with malware, and the other class
be inaccurate. By incorporating permission support, we can is associated with benign apps. Then, we assume the testing
rule out permissions with low support to further improve the data as unknown apps, which are classified by mapping the
malware classification accuracy. data to the vector space to decide whether it is on the malicious
Similar to PRNR, we use PIS to find the least number of or benign side of the hyperplane. Then, we can compare all
permissions with high support while yielding good accuracy. analysis results with their original records to evaluate the
Within our dataset, after applying SPR, we are able to reduce malware detection correctness of the proposed model by using
the number of significant permissions to just 25 or 19% of the SVM.
total permissions. Again, the evaluation results are presented In order to show applicability and scalability of MLDP, we
in Section III. employ 67 commonly known machine learning algorithms and
3) Permission Mining with Association Rules (PMAR): enlarge our dataset. We compare the results between malware
After pruning 110 of 135 permissions by using PRNR and detection rate using all identified 135 permissions (baseline)
SPR with PIS, we want to further explore approaches that can and malware detection using MLDP for each supervised
1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2789219, IEEE
Transactions on Industrial Informatics
machine learning algorithm, as shown in Section III-C. We Google play store in June 2013 [9], to carry out cross-
observe that, by analyzing all permissions, machine learning validation. The malicious apps are classified into 178 families,
algorithms with a tree structure, usually build better malware and the benign apps are grouped into a single family. We select
detection compared to others. Among all the machine learning the number of benign apps to be the same as malicious apps
algorithms with a tree structure, our method works best on to maintain balance during training, as the imbalanced dataset
decision tree, which is a very common classification method can result in skewed models [30]. We also create another
in machine learning. Decision tree should use training dataset newer collection of apps in June 2015 containing 2,650 new
to build a classifier to decide which class the testing data malware samples with no overlap with the initial sets. This new
should be, requires a lot of pre-processing work before the collection is used to evaluate the effectiveness of our detection
classifier was built. When there are too many attributes of system to pinpoint newer unknown malware. As the amount of
training dataset, decision tree hits a poor accuracy and the benign apps is much larger than the malicious one, it remains
training phase tend to take more time and memory. So, the uncertain whether our algorithm can be applied to larger
pruning of the decision tree is imperative, which is consistent datasets. So we performed another experiment over a much
with our MLDP. large dataset containing 54,694 different malware samples
Consequently, it is more advantageous to use MLDP to download from both Google Play and Anzhi Store from
perform malware detection as it can be as effective while Jan 2012 to Dec 2014 [29]. We compared our experiments
notably conserving time and memory. Since the time and using three different datasets, which can be seen in Table .V.
memory are limited in common computers, we can outsourcing Then, the requested permission list is built by extracting
the task to cloud in a suitable way to boost efficiency. Because permission requests from each app listed in AndroidManifest
of the permissions can be recorded perfectly by using binary file. The permission information is translated into a binary
vector, we could remove the mapping table and doing some format dataset where ‘1’ indicates that the app requests the
permutation before the outsourcing to preserve data’s privacy. permission, and ‘0’ indicates the opposite. The permission lists
We will provide more details in the next section. extracted from malicious apps and benign apps are combined
to form a holistic dataset for data analysis.
III. E VALUATION
In this section, we evaluate the malware detection effective- B. Evaluating Effectiveness of MLDP
ness of the S IG PID system. We first use SVM algorithm to We report the effectiveness of each component of multi-
evaluate the classification performance of our proposed MLDP level data pruning as well as the effectiveness of the approach
model. Through pruning, our system, as previously mentioned, of simply using dangerous permissions provided by Google.
identifies only 22 significant permissions (a reduction of 84%). The results are presented in Table I. As shown, the simple
On the other hand, Google lists 24 Android permissions approach of using dangerous permission to detect malware
as dangerous. We also use these 24 permissions to build a (last row) yields about the same recall rate or True Positive
malware detection system as part of our empirical evaluation Rate (TPR) as that of PRNR using 95 permissions (column
(referred to as “Android” method hereinafter). As mentioned 4). When we reduce the numbers of permissions to 25 and 22,
earlier, MLDP consists of three main components: permission using SPR and PMAR, respectively, we achieve higher recall
ranking with negative rate, support based permission ranking, rates of over 91%. However, this higher malware detection
and permission mining with association rules. We evaluate effectiveness comes at a cost of higher False Positive Rate
the malware detection performance by enabling these multiple (FPR) of over 8.5% (column 5).
levels sequentially to verify the performance improvement
contributed by each level of permission mining procedure. In TABLE I: Detection Results using SVM with Multi-Level
addition, we also evaluate the runtime efficiency of multi-level Data Pruning and Android Dangerous Permissions
data pruning. # of Approach Precision Recall FPR FM ACC
In most experiments, SVM algorithm is employed to per- Permissions (%) (TPR, %) (%) (%) (%)
95 PRNR 96.39 85.78 3.22 90.77 91.28
form malware detection. However, we also illustrate generality
25 PRNR+SPR 90.64 91.77 9.56 91.17 91.10
of S IG PID by employing 67 other commonly used machine 22 PRNR+SPR+PMAR 91.55 91.22 8.54 91.34 91.34
learning algorithms. We then identify the five best performing 135 All Permissions 98.81 83.73 1.01 90.65 91.36
algorithms and employ them to help detect malware in our sec- 24 Dangerous Permissions 98.64 85.12 1.12 91.38 91.97
ond collection of apps. Finally, we compare the classification
effectiveness of SigPID with results of approaches using other Discussion. To further explain the process of determining the
state-of-the-art permission ranking methods such as Mutual number of significant permissions after each pruning technique
Information [29] as well as signature based malware detection is applied, we present the performance changing curve after
commonly employed by commercial virus scanners. using PRNR w.r.t. the increasing number of permissions in
Fig. 3, which shows the key performance metrics of using
PRNR with PIS as we gradually vary the number of permis-
A. Collected Data Set sions. We also present performance changing curve after using
We generate ten datasets by randomly choosing 5,494 SPR in Fig. 4, which shows the deviation of key performance
benign apps from 310,926 benign apps, downloaded from metrics after the application of SPR.
1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2789219, IEEE
Transactions on Industrial Informatics
95.00%
85.00%
Percentage
75.00%
65.00%
55.00%
45.00%
0 20 40 60 80 100 120
The Number of Permissions
Precision Recall FM AC
95.00%
85.00%
Percentage
75.00%
65.00%
55.00%
45.00%
0 10 20 30 40 50 60
The Number of Permissions
Precision Recall FM AC
According to Fig. 3 and Fig. 4, with an increasing number of is used mainly by malware. When we remove the permis-
permissions, the classification accuracy, recall and F-measure sion WRITE SMS, the applications requesting permission
are improving every round. Meanwhile, the precision slightly READ SMS will be likely to be classified as malware.
degrades every round, but always stays above 90%. One keen In addition, we find that WRITE HISTORY BOOKMARKS
observation is that the recalls, accuracies and F-measures and READ HISTORY BOOKMARKS, WAKE LOCK and
plateau after the number of permissions reaches 90 in Fig. 3, READ PHONE STATE have a high chance of being co-
and the permissions reaches 10 in Fig. 4. Maximum recall is occured/associated. After pruning these 3 more permission
achieved when we use 25 permissions. features in the dataset, we only retain 22 features. We then
Next, we implement permission mining with association observe that higher precision is achieved with the new model
rules (PMAR) to perform the last layer of permission mining. employing 22 instead of 25 permissions in Table I.
Here, we find 3 rules satisfying our associative requirements We then compare the list of significant permissions gen-
when we set our confidence level to 96.5%. The associa- erated by our approach to the top 22 permissions identified
tion rules mining shows that permission WRITE SMS and by another permission ranking method called Mutual Infor-
permission READ SMS have a 98.4034% chance to appear mation [29]. It uses 40 permissions and achieves 86.4% TPR
together. Meanwhile, in the cases when they do not appear (recall) and 1.4% FPR. We list these permissions in Table II.
together, permission WRITE SMS is very frequently used We conclude that different permission ranking methods
in both malware and benign applications while READ SMS induce different ranking lists. For example, using PRNR, we
1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2789219, IEEE
Transactions on Industrial Informatics
TABLE II: Rankings by PRNR and Mutual Information higher, which is reasonable considering the improvement in
MLDP other evaluation metrics.
22 Permissions
ACCESS WIFI STATE READ LOGS
CAMERA READ PHONE STATE TABLE III: Optimal ML Algorithms For SigPID and Android
CHANGE NETWORK STATE READ SMS Dangerous Permissions
CHANGE WIFI STATE RECEIVE BOOT COMPLETED
DISABLE KEYGUARD RESTART PACKAGES Num of Feature Best ML Precision Recall(TPR) FPR FM ACC
GET TASKS SEND SMS SigPID (22) FT 97.54% 93.62% 2.36% 95.54% 95.63%
INSTALL PACKAGES SET WALLPAPER
Android (24) RandomForest 98.61% 90.35% 1.27% 94.30% 94.54%
READ CALL LOG SYSTEM ALERT WINDOW
READ CONTACTS WRITE APN SETTINGS
READ EXTERNAL STORAGE WRITE CONTACTS
READ HISTORY BOOKMARKS WRITE SETTINGS
Mutual Information TABLE IV: Training and Testing Time with Different Num-
Top 22 Permissions bers of Permissions
READ SMS WRITE CALL LOG
WRITE SMS VIBRATE
Num of Feature 22 40 135
SEND SMS CHANGE NETWORK STATE
WRITE APN SETTINGS DEVICE POWER
Algorithm Time(Seconds) Time More Time Time More Time
RECEIVE SMS WRITE SETTINGS RandomCommittee 1.376 2.078 51.02% 7.995 481.03%
INSTALL PACKAGES ADD SYSTEM SERVICE RotationForest 47.303 71.887 51.97% 236.944 400.91%
READ PHONE STATE ACCESS NETWORK STATE FT 0.731 2.14 192.75% 24.55 3258.41%
READ EXTERNAL STORAGE ACCESS LOCATION EXTRA COMMANDS PART 16.673 24.645 47.81% 104.74 528.20%
RESTART PACKAGES WAKE LOCK RandomForest 14.028 20.045 42.89% 59.991 327.65%
RECEIVE BOOT COMPLETED ACCESS COARSE LOCATION SVM 2.4722 2.7604 11.66% 3.6773 48.75%
WRITE CONTACTS GET ACCOUNTS
can also use an alternative pruning order such as SPR, PRNR, 83.0% 84.0% 85.0% 86.0% 87.0% 88.0% 89.0% 90.0% 91.0% 92.0%
and then PMAR. Android MLDP_22
1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2789219, IEEE
Transactions on Industrial Informatics
100.00%
96.00%
94.00%
92.00%
90.00%
RotationForest PART FT RandomCommittee RandomForest
Precision Recall F_measure ACC
algorithms, 5 are designed with tree structures. The tree information. They use the permission ranking and choose the
structure based method usually takes a large amount of space top 40 risky permissions for malware detection. We reimple-
and time to run the classification process, so our MLDP mented their approach for comparison. Note that in their paper,
can serve as a solution to help significantly improve running they used a different data set and the ratio of their malicious
time efficiency of the malware detection model based on tree and benign apps in their dataset is dominated by benign apps.
structures. As such, their reported results, especially false positive rate,
When we use our approach and the approach that uses 24 are significantly different than the results achieved using our
dangerous permissions to detect a new collection of malware, data set.
we see a similar pattern, in which our system consistently The comparison results are shown in Table VI. D REBIN
produces higher recall rates. This experiment provides the uses more features than our S IG PID, including API calls and
evidence that the proposed approach can be used to effectively network addresses. As a result, D REBIN outperforms P ER -
detect malware beyond the initial data set that we used for MISSION C LASSIFIER in detection accuracy. We also compare
training and testing, which shows the potential applicability the results against 10 existing anti-virus scanners [9]. When
of S IG PID in practice. we combine S IG PID with FT, we can achieve the highest
detection rate (93.62%) using only 22 permissions.
D. Applicability of S IG PID Discussion. When we compare the result of our work to
other approaches that only consider risky permissions, S IG -
TABLE V: Testing Results using Different Datasets PID considers a broader criteria that also include non-risky
Num of Malapp 2,650 5,494 54,694 permissions (e.g., READ CALL LOG), which are only used
Precision 98.83% 97.54% 95.15% in benign apps and have high support values. We deem the
Recall 94.4% 93.62% 92.17%
FPR 1.17% 2.36% 4.85%
risky and non-risky permissions with high support values as
FM 94.97% 95.54% 93.63% significant permissions, allowing S IG PID to be more effective
ACC 96.47% 95.63% 93.67% in distinguishing between malicious and benign apps than
other existing approaches.
As described before, we have collected three different We also notice that the permission lists used by D REBIN
real-world datasets which contain 2,650, 5,494 and 54,694 contain many meaningless features. It is possible that perfor-
malapps, respectively. After evaluating the applicability of mance improvements can be achieved by integrating SigPID
our S IG PID using these datasets, we present the results in with FT into D REBIN to improve both malware detection
Table V, which shows that the FPR increases slowly with the accuracy and running time performance. We will explore this
growing size of datasets. However, our method can retain a integration in our future work.
high detection rate despite the size of the dataset is huge. We also see that, despite a small number of permissions,
our approach outperforms most of existing malware scanner
E. Comparison with Other Approaches available today. This is because most of these techniques rely
In this section, we compare our detection results with on signature matching; so if a type of malware signatures is not
other state-of-the-art malware detection approaches, listed as available, the system would not be able to detect that particular
follows: type. We also show that our approach is more effective than
D REBIN [9] is an approach that uses static analysis to DREBIN when we combine our permission pruning with FT.
build data set based on permissions and other features from DREBIN is a more complex malware detection approach that
apps. It then utilizes Support Vector Machine (SVM) algorithm also uses static program analysis. We plan to also explore a
to classify malware dataset. We did not reimplement their combination of using static program analysis with S IG PID to
approach since it requires significant program analysis in assess whether we can achieve higher detection effectiveness.
addition to permission analysis. Instead, we compare our
results with their reported results. IV. R ELATED W ORK
P ERMISSION - INDUCED R ISK M ALWARE D ETECTION [29] Previous research efforts have used Android permissions to
is an approach that applies permission ranking, such as mutual detect malware. Huang et al. [33] explored the possibilities
1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2789219, IEEE
Transactions on Industrial Informatics
of detecting malicious applications based on permissions using accuracy. The extracted significant permissions can also be
machine learning mechanisms. They retrieved not only all the used by other commonly used supervised learning algorithms
permissions, but also several easy-to-retrieve features from to yield the F-measure of at least 85% in 55 out of 67 tested
each APK to help detect malware. Four common machine- algorithms. S IG PID is highly effective, when compared to
learning algorithms, AdaBoost, Naive Bayes, Decision Tree the state-of-the-art malware detection approaches as well as
and SVM [34], are employed in their system to evaluate existing virus scanners. It can detect 93.62% of malware in
the performance. Experimental results show that more than the data set, and 91.4% unknown/new malware.
80% of the malicious samples can be detected by the system.
Because the precision is not high, their system can only be ACKNOWLEDGMENT
used as a first level filter to help detect malware. A second We thank the anonymous reviewers for their insightful
pass of analysis is still needed for their system. Our proposed feedback on our work. This work is supported in part by
approach can achieve a much higher detection rate compared NSF, DARPA and Maryland Procurement Office under grant
to this work. numbers CNS-1566388, FA8750-14-2-0053 and H98230-14-
DREBIN [9] combines static analysis of permissions and C-0140, respectively. This work was also supported by Natural
APIs with machine learning to detect malware. They em- Science Foundation of Guangdong Province for Distinguished
bedded features in a vector space, discovered patterns of Young Scholars (2014A030306020), National Natural Science
malware from the vector space, and used these patterns to Foundation of China (No. 61472091) and National Natural
build the machine learning detection system. Their evaluation Science Foundation for Outstanding Youth Foundation (No.
results indicate that their proposed work can achieve high 61722203). Any opinions, findings, conclusions, or recom-
detection accuracy. However, their analysis is performed on mendations expressed here are those of the authors and do
the devices, and therefore requires that those devices be not necessarily reflect the views of the funding agencies or
rooted. They extracted as many features as possible to help the U.S. Government.
improve performance. However, our work only employs the
significant permission features, which reduces the overhead of R EFERENCES
computation while retaining a satisfying result. [1] IDC, “Smartphone os market share, 2017 q1.” [Online]. Available:
Wang et al. [29] explored the permission-induced risk in https://www.idc.com/promo/smartphone-market-share/os
Android apps using data mining. They perform an analysis [2] Statista, “Cumulative number of apps downloaded from the google
play as of may 2016.” [Online]. Available: https://www.statista.com/
of individual permission and collaborative permissions and statistics/281106/number-of-android-app-downloads-from-google-play/
apply three ranking methods on the permission features. After [3] G. Kelly, “Report: 97% of mobile malware is on android. this is the
the ranking step, they identify risky permission subsets using easy way you stay safe,” in Forbes Tech, 2014.
[4] G. DATA, “8,400 new android malware samples every
Sequential Forward Selection (SFS) and Principal Compo- day.” [Online]. Available: https://www.gdatasoftware.com/blog/2017/
nent Analysis (PCA). They evaluate their approach using 04/29712-8-400-new-android-malware-samples-every-day
SVM, decision tree and random forest. The result shows that [5] Symantec, “Latest intelligence for march 2016,” in Symantec Official
Blog, 2016.
their strategy for identifying risky permissions can achieve a [6] M. Grace, Y. Zhou, Q. Zhang, S. Zou, and X. Jiang, “Riskranker: scal-
94.62% detection rate with a 0.6% false positive rate. Their able and accurate zero-day android malware detection,” in Proceedings
low false positive rate is brought by their use of a large of the 10th international conference on Mobile systems, applications,
and services. ACM, 2012, pp. 281–294.
benign datasets (80% of 310,926 benign apps) for model [7] A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner, “Android
training, which incurs considerable overhead and produces permissions demystified,” in Proceedings of the 18th ACM conference
skewed model. As such, the reimplementation of their method on Computer and communications security. ACM, 2011, pp. 627–638.
[8] W. Enck, P. Gilbert, S. Han, V. Tendulkar, B.-G. Chun, L. P. Cox,
produces different results as shown in Section III-E. Moreover, J. Jung, P. McDaniel, and A. N. Sheth, “Taintdroid: an information-
our work needs less permissions compared to this work, but a flow tracking system for realtime privacy monitoring on smartphones,”
high detection rate can still be achieved. ACM Transactions on Computer Systems (TOCS), vol. 32, no. 2, p. 5,
2014.
[9] D. Arp, M. Spreitzenbarth, M. Hübner, H. Gascon, K. Rieck, and
V. C ONCLUSION C. Siemens, “Drebin: Effective and explainable detection of android
malware in your pocket,” in Proceedings of the Annual Symposium on
In this paper, we have shown that it is possible to reduce Network and Distributed System Security (NDSS), 2014.
the number of permissions to be analyzed for mobile malware [10] C. Yang, Z. Xu, G. Gu, V. Yegneswaran, and P. Porras, “Droidminer:
detection, while maintaining high effectiveness and accuracy. Automated mining and characterization of fine-grained malicious behav-
iors in android applications,” in European Symposium on Research in
S IG PID has been designed to extract only significant permis- Computer Security. Springer, 2014, pp. 163–182.
sions through a systematic, 3-level pruning approach. Based on [11] M. Lindorfer, M. Neugschwandtner, L. Weichselbaum, Y. Fratantonio,
our dataset, which includes over 2,000 malware, we only need V. Van Der Veen, and C. Platzer, “Andrubis–1,000,000 apps later: A view
on current android malware behaviors,” in Building Analysis Datasets
to consider 22 out of 135 permissions to improve the runtime and Gathering Experience Returns for Security (BADGERS), 2014 Third
performance by 85.6% while achieving over 90% detection International Workshop on. IEEE, 2014, pp. 3–17.
1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TII.2017.2789219, IEEE
Transactions on Industrial Informatics
1551-3203 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.