Robust deep learning early alarm prediction model based on the behavioural smell for android malware

Eslam Amer*, Shaker El-Sappagh

*Corresponding author for this work

Research output: Contribution to journal › Article › peer-review

Abstract

Due to the widespread expansion of the Android malware industry, mining malicious Android processes has become a necessity for understanding their behavior. Nevertheless, because of the size, length, and complex associations of some essential and distinguishing Android application features, such as API calls and system calls, mining malicious Android processes becomes a prominent obstacle. This obstacle is compounded by the increasing rate of zero-day attacks, for which there is no prior knowledge of the behaviors involved. Hence, malware detection alone is no longer enough; instead, new methodologies are needed to predict malicious behaviors early. In this paper, we propose a behavioral Android malware smell predictor model. Our model relies on various static and dynamic features. We overcame the problem of massive feature size and complex associations by encapsulating related features in a few cluster classes. Accordingly, the cluster classes are used interchangeably to represent the features in the original calling sequences. For substantially long sequences, experimental results showed that our model could predict whether a process is behaving maliciously based on rapid-sequence-snapshot analysis. The proposed model relies on an LSTM model to classify the reformed API and system call sequence snapshots. Moreover, we used ensemble machine learning classifiers to classify Android permissions. We trained the LSTM model using random snapshots of the newly formed API and system call cluster sequences. We tested our model against common ransomware attacks. We found that our trained LSTM model showed stable performance at a particular snapshot size. The model showed competitive accuracy in predicting new sequences. Accordingly, we proposed an early alarm solution for blocking malicious payloads instead of identifying them after their fulfillment, thereby avoiding the cost of future damage.

Original language: English
Article number: 102670
Number of pages: 13
Journal: Computers and Security
Volume: 116
Early online date: 28 Feb 2022
DOIs
Publication status: Published - 1 May 2022

Keywords

  • Android malware prediction
  • API Calls
  • Behavioral analysis
  • Contextual behaviour
  • Permissions
  • Process mining
  • Sequence reformulation
  • System calls
