TY - JOUR
T1 - DAMBA
T2 - Detecting Android Malware by ORGB Analysis
AU - Zhang, Weizhe
AU - Wang, Huanran
AU - He, Hui
AU - Liu, Peng
N1 - Funding Information:
Manuscript received May 25, 2018; revised October 16, 2018 and March 24, 2019; accepted June 19, 2019. Date of publication February 4, 2020; date of current version March 2, 2020. This work was supported in part by the National Key Research and Development Plan under Grant 2017YFB0801801, in part by the National Science Foundation of China (NSFC) under Grant 61672186 and Grant 61872110. The work of P. Liu was supported by NSF CNS-1505664, and NSF CNS-1814679. Associate Editor: Lei Bu. (Corresponding author: Weizhe Zhang.) W. Zhang is with the School of Computer Science and Technology, Harbin Institute of Technology, Harbin 150001, China, and also with the Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen 518055, China (e-mail: wzzhang@hit.edu.cn).
Publisher Copyright:
© 1963-2012 IEEE.
PY - 2020/3
Y1 - 2020/3
N2 - With the rapid development of smart devices, mobile phones have permeated many aspects of our life. Unfortunately, their widespread popularization has attracted endless attacks that pose serious threats to users. As the mobile system with the largest market share, Android has been the hardest-hit platform for years. To detect Android malware by ORGB analysis, in this paper we present DAMBA, a novel prototype system based on a C/S architecture. DAMBA extracts the static and dynamic features of apps. For further analysis, we propose the TANMAD algorithm, a two-step Android malware detection algorithm, which first reduces the range of possible malware families and then utilizes subgraph isomorphism matching for malware detection. The key novelty of this paper is the modeling of object reference information by constructing directed graphs, which we call object reference graph birthmarks (ORGB). To achieve better efficiency and accuracy, we present several optimization strategies for hybrid analysis. DAMBA is evaluated on a large real-world dataset of 2239 malicious and 1000 popular benign apps. The detection accuracy reaches 100% in most cases, and the average detection time is less than 5 s. Experimental results show that DAMBA outperforms the well-known detector McAfee, which is based on signature recognition. In addition, DAMBA is demonstrated to resist known malware attacks and their variants efficiently, as well as malware that uses obfuscation techniques.
AB - With the rapid development of smart devices, mobile phones have permeated many aspects of our life. Unfortunately, their widespread popularization has attracted endless attacks that pose serious threats to users. As the mobile system with the largest market share, Android has been the hardest-hit platform for years. To detect Android malware by ORGB analysis, in this paper we present DAMBA, a novel prototype system based on a C/S architecture. DAMBA extracts the static and dynamic features of apps. For further analysis, we propose the TANMAD algorithm, a two-step Android malware detection algorithm, which first reduces the range of possible malware families and then utilizes subgraph isomorphism matching for malware detection. The key novelty of this paper is the modeling of object reference information by constructing directed graphs, which we call object reference graph birthmarks (ORGB). To achieve better efficiency and accuracy, we present several optimization strategies for hybrid analysis. DAMBA is evaluated on a large real-world dataset of 2239 malicious and 1000 popular benign apps. The detection accuracy reaches 100% in most cases, and the average detection time is less than 5 s. Experimental results show that DAMBA outperforms the well-known detector McAfee, which is based on signature recognition. In addition, DAMBA is demonstrated to resist known malware attacks and their variants efficiently, as well as malware that uses obfuscation techniques.
UR - http://www.scopus.com/inward/record.url?scp=85081668568&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85081668568&partnerID=8YFLogxK
U2 - 10.1109/TR.2019.2924677
DO - 10.1109/TR.2019.2924677
M3 - Article
AN - SCOPUS:85081668568
SN - 0018-9529
VL - 69
SP - 55
EP - 69
JO - IEEE Transactions on Reliability
JF - IEEE Transactions on Reliability
IS - 1
M1 - 8981927
ER -