
Research on the Hybrid Detection Method for Mobile Malware Applications

Title
Research on the Hybrid Detection Method for Mobile Malware Applications
Author
김태근
Advisor(s)
임을규
Issue Date
2018-08
Publisher
한양대학교
Degree
Doctor
Abstract
This paper proposes a novel hybrid framework to detect Android malware. The framework uses both static analysis and dynamic analysis to take advantage of both methods in malware detection. In the framework, a static analysis based detection component is performed first. This component utilizes various static features in order to reflect the properties of an application in various aspects. A multimodal deep learning algorithm is used to build the malware detection model. The proposed multimodal neural network model first processes the different types of features of an application separately in its initial networks and then merges the results of the initial networks to determine whether the application is malicious or not. After the static analysis detection is over, the dynamic analysis based detection component analyzes the applications that were not filtered by the previous component. The dynamic analysis based detection component uses a detection model in the form of a suffix tree that contains probabilistic confidence values generated using a hidden Markov model, and it calculates scores using the model to determine whether the application behavior is malicious or not. In addition, an application rewriting method to monitor and deliver application behaviors is used to alleviate the degradation of usability. In the evaluation of the static analysis based detection component, the detection accuracies of the proposed multimodal neural network method, a plain deep neural network method, a support vector machine method, and a random forest method were measured and compared with each other. In addition, the performance of the static analysis based detection component was measured in various aspects, including the efficiency of model updates, and the usefulness of the features was also checked.
Experimental results show that the static analysis based detection component is effective enough to detect malware. For the dynamic analysis based detection component, the malware detection accuracy with different parameters and the time overhead in various aspects were measured experimentally. The experimental results showed that the proposed detection component can distinguish malware effectively and efficiently.
URI
https://repository.hanyang.ac.kr/handle/20.500.11754/75939
http://hanyang.dcollection.net/common/orgView/200000433472
Appears in Collections:
GRADUATE SCHOOL[S](대학원) > COMPUTER SCIENCE(컴퓨터·소프트웨어학과) > Theses (Ph.D.)
Files in This Item:
There are no files associated with this item.
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.
