Abstract
Due to the widespread expansion of the Android malware industry, mining malicious Android processes has become a necessity for understanding their behavior. Nevertheless, the size, length, and associations of some essential and distinguishing features of Android applications, such as API calls and system calls, make mining malicious Android processes a prominent obstacle. This obstacle is compounded by the increasing rate of zero-day attacks, for which no prior knowledge of the behavior exists. Hence, malware detection alone is no longer enough; instead, we need new methodologies that predict malicious behaviors early. In this paper, we propose a behavioral Android malware smell predictor model. Our model relies on various static and dynamic features. We overcame the problem of massive feature size and complex associations by encapsulating related features in a few cluster classes. Accordingly, the cluster classes are used interchangeably to represent the features in the original calling sequences. For substantially long sequences, experimental results showed that our model could predict whether a process is behaving maliciously or not based on rapid-sequence-snapshot analysis. The proposed model relies on an LSTM model to classify the reformed API and system call sequence snapshots. Moreover, we used ensemble machine learning classifiers to classify Android permissions. We trained the LSTM model using random snapshots of the newly formed API and system call cluster sequences. We tested our model against common ransomware attacks. We found that our trained LSTM model showed stable performance at a particular snapshot size. The model showed competitive accuracy in predicting new sequences. Accordingly, we proposed an early alarm solution for blocking malicious payloads instead of identifying them after their fulfillment. Hence, we can avoid the cost of future damage.
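The following is an added example, not code from the paper, illustrating the sequence-reformulation and snapshot idea the abstract describes: raw API/system call names are replaced by cluster-class identifiers, random fixed-size snapshots of the cluster sequence are used for training, and an early alarm is raised while a process is still running, as soon as one snapshot of its call stream looks malicious. The cluster map, the training and test traces, the snapshot size, and the per-class bigram scorer that stands in for the paper's LSTM are all constructed assumptions for illustration.

```python
"""Added example, not code from the paper: reformulate raw API/system call
traces into cluster-class sequences, draw random fixed-size snapshots for
training, and raise an early alarm while a process is still running.
The cluster map, the traces and the bigram scorer standing in for the
paper's LSTM are all constructed assumptions."""
import math
import random
from collections import Counter

# Assumed cluster classes: each raw call name maps to one coarse class.
CLUSTER_MAP = {
    "open": "FILE", "read": "FILE", "write": "FILE", "rename": "FILE", "unlink": "FILE",
    "Cipher.init": "CRYPTO", "Cipher.doFinal": "CRYPTO", "KeyGenerator.generateKey": "CRYPTO",
    "HttpURLConnection.connect": "NET", "socket": "NET", "sendto": "NET",
    "Activity.onCreate": "UI", "View.setOnClickListener": "UI", "Toast.show": "UI",
}

def reformulate(calls):
    """Replace every raw call by its cluster class (unknown calls -> OTHER)."""
    return [CLUSTER_MAP.get(c, "OTHER") for c in calls]

def random_snapshots(seq, size, count, rng):
    """Draw `count` random windows of `size` consecutive cluster ids."""
    if len(seq) < size:
        raise ValueError("sequence shorter than snapshot size")
    starts = (rng.randrange(len(seq) - size + 1) for _ in range(count))
    return [tuple(seq[s:s + size]) for s in starts]

class BigramScorer:
    """Per-class transition counts with add-one smoothing; a deliberately
    simple stand-in for the LSTM that scores a snapshot by log-likelihood ratio."""
    def __init__(self):
        self.counts = {"mal": Counter(), "ben": Counter()}
        self.totals = {"mal": 0, "ben": 0}

    def fit(self, snaps, label):
        for snap in snaps:
            for pair in zip(snap, snap[1:]):
                self.counts[label][pair] += 1
                self.totals[label] += 1

    def score(self, snap):
        vocab = len(set(self.counts["mal"]) | set(self.counts["ben"])) + 1
        llr = 0.0
        for pair in zip(snap, snap[1:]):
            p_mal = (self.counts["mal"][pair] + 1) / (self.totals["mal"] + vocab)
            p_ben = (self.counts["ben"][pair] + 1) / (self.totals["ben"] + vocab)
            llr += math.log(p_mal / p_ben)
        return llr  # > 0 means the snapshot looks malicious

def early_alarm(calls, scorer, size):
    """Scan a call stream window by window; return the index of the call at
    which the first malicious-looking snapshot completes, or None."""
    seq = reformulate(calls)
    for start in range(len(seq) - size + 1):
        if scorer.score(tuple(seq[start:start + size])) > 0:
            return start + size - 1
    return None

# Constructed training traces (not real malware samples).
BENIGN_TRACES = [
    ["Activity.onCreate", "View.setOnClickListener", "Toast.show", "HttpURLConnection.connect",
     "read", "Toast.show", "open", "read", "Toast.show"],
    ["Activity.onCreate", "open", "read", "View.setOnClickListener", "socket", "sendto", "Toast.show"],
]
RANSOM_TRACES = [  # ransomware-like loop: read a file, encrypt it, write it back, drop the original
    ["Activity.onCreate", "KeyGenerator.generateKey", "open", "read", "Cipher.init",
     "Cipher.doFinal", "write", "unlink", "open", "read", "Cipher.init", "Cipher.doFinal",
     "write", "unlink", "sendto"],
    ["open", "read", "Cipher.init", "Cipher.doFinal", "write", "rename",
     "open", "read", "Cipher.init", "Cipher.doFinal", "write", "rename"],
]
SNAPSHOT_SIZE = 4  # assumed snapshot size

def build_scorer(seed=7, per_trace=30):
    """Train the scorer on random snapshots of every reformulated trace."""
    rng = random.Random(seed)
    scorer = BigramScorer()
    for label, traces in (("ben", BENIGN_TRACES), ("mal", RANSOM_TRACES)):
        for trace in traces:
            snaps = random_snapshots(reformulate(trace), SNAPSHOT_SIZE, per_trace, rng)
            scorer.fit(snaps, label)
    return scorer

# Unseen traces used to exercise the alarm (constructed).
UNSEEN_RANSOM = ["Activity.onCreate", "View.setOnClickListener", "Toast.show",
                 "KeyGenerator.generateKey", "open", "read", "Cipher.init", "Cipher.doFinal",
                 "write", "unlink", "open", "read", "Cipher.init", "Cipher.doFinal", "write", "unlink"]
UNSEEN_BENIGN = ["Activity.onCreate", "View.setOnClickListener", "open", "read", "Toast.show",
                 "HttpURLConnection.connect", "read", "Toast.show"]

if __name__ == "__main__":
    s = build_scorer()
    print("ransomware-like trace: alarm after call index", early_alarm(UNSEEN_RANSOM, s, SNAPSHOT_SIZE))
    print("benign trace: alarm", early_alarm(UNSEEN_BENIGN, s, SNAPSHOT_SIZE))
```

The point of the example is structural rather than the scorer itself: once calls are collapsed into a handful of cluster classes, a short window is enough to carry a recognisable transition pattern (file, crypto, file, file), which is what lets the alarm fire after the first encryption round rather than after the whole payload has run. A production version would replace the bigram scorer with a sequence model trained on far more snapshots, and would calibrate the decision threshold on held-out traces rather than using zero.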
Field | Value
---|---
Original language | English
Article number | 102670
Number of pages | 13
Journal | Computers and Security
Volume | 116
Early online date | 28 Feb 2022
DOIs |
Publication status | Published - 1 May 2022
Keywords
- Android malware prediction
- API Calls
- Behavioral analysis
- Contextual behaviour
- Permissions
- Process mining
- Sequence reformulation
- System calls