MalProfiler: Automatic and Effective Classification of Android Malicious Apps in Behavioral Classes
A La Marra;F Martinelli;A Saracino;M Sheikhalishahi
2016
Abstract
Android malicious apps are currently the main security threat for mobile devices. Because the number of samples is growing exponentially, it is vital to recognize and classify any new threat in a timely manner, so that specific countermeasures can be identified and applied effectively. In this paper we propose MalProfiler, a framework that performs fast and effective analysis of Android malicious apps based on a set of static app features. The approach relies on an algorithm named Categorical Clustering Tree (CCTree), which can be used either as a divisive clustering algorithm or as a trainable classifier for supervised classification. The CCTree is therefore used both for homogeneous clustering, grouping similar malicious apps to simplify their analysis, and for classifying them into predefined behavioral classes. The approach has been tested on a set of 3500 real malicious apps belonging to more than 200 families, showing high clustering capability, measured through internal and external evaluation, together with an accuracy of 97% in classifying malicious apps according to their behavior.
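The abstract names the two roles of the CCTree (divisive clustering over categorical static features, then reuse of the resulting tree as a classifier) without describing its internals. The following is an added illustration, not the paper's CCTree or any MalProfiler code: it builds a divisive tree over categorical app features, reports cluster purity as an external evaluation, and then labels each leaf by majority vote so the same tree classifies unseen apps. The splitting rule (split a node on the attribute with the highest Shannon entropy, stop when the summed attribute entropies fall below a threshold or the node becomes too small), the feature names, the behavioral class names and every record are assumptions constructed for this example.

```python
"""Simplified categorical clustering tree over static Android app features.

Added example, not the MalProfiler/CCTree implementation. Splitting rule,
feature names, class names and all records are constructed assumptions.
"""
import math
from collections import Counter

# Assumed static categorical features: requested permissions and whether the
# APK loads code at runtime. Values are "y"/"n".
ATTRS = ["SEND_SMS", "READ_CONTACTS", "RECEIVE_BOOT_COMPLETED", "DYN_CODE"]


def rec(sms, con, boot, dyn, label):
    """Build one (features, behavioral class) record."""
    return (dict(zip(ATTRS, (sms, con, boot, dyn))), label)


# Constructed training set: 13 apps in three assumed behavioral classes.
TRAIN = [
    rec("y", "n", "n", "n", "sms_sender"),
    rec("y", "n", "n", "n", "sms_sender"),
    rec("y", "n", "y", "n", "sms_sender"),
    rec("y", "n", "n", "n", "sms_sender"),
    rec("y", "n", "n", "n", "sms_sender"),
    rec("n", "y", "n", "n", "spyware"),
    rec("n", "y", "n", "n", "spyware"),
    rec("n", "y", "n", "y", "spyware"),
    rec("n", "y", "n", "y", "spyware"),
    rec("n", "n", "y", "y", "botnet"),
    rec("n", "n", "y", "y", "botnet"),
    rec("n", "n", "y", "y", "botnet"),
    rec("n", "n", "y", "y", "botnet"),
]

# Constructed held-out apps used to measure classification accuracy.
TEST = [
    rec("y", "n", "n", "n", "sms_sender"),
    rec("n", "y", "y", "y", "spyware"),
    rec("n", "n", "y", "y", "botnet"),
    rec("n", "y", "y", "n", "spyware"),
]


class Node:
    def __init__(self, records):
        self.records = records
        # Majority class of the apps that fell into this node (used for classification).
        self.majority = Counter(lbl for _, lbl in records).most_common(1)[0][0]
        self.split_attr = None
        self.children = {}


def entropy(values):
    """Shannon entropy (bits) of one categorical attribute over a node's records."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def build(records, attrs, max_impurity=1.0, min_size=2):
    """Divisive clustering: split on the most heterogeneous attribute until nodes are homogeneous."""
    node = Node(records)
    if not attrs or len(records) < min_size:
        return node
    ent = {a: entropy([f[a] for f, _ in records]) for a in attrs}
    if sum(ent.values()) <= max_impurity:  # node is already homogeneous enough: it is a cluster
        return node
    best = max(attrs, key=lambda a: ent[a])  # ties go to the earlier attribute in ATTRS
    node.split_attr = best
    groups = {}
    for f, lbl in records:
        groups.setdefault(f[best], []).append((f, lbl))
    rest = [a for a in attrs if a != best]
    for value, subset in groups.items():
        node.children[value] = build(subset, rest, max_impurity, min_size)
    return node


def leaves(node):
    """The leaves are the clusters."""
    if not node.children:
        return [node]
    return [leaf for child in node.children.values() for leaf in leaves(child)]


def cluster_purity(tree):
    """External evaluation: fraction of apps whose cluster's majority label is their own label."""
    ls = leaves(tree)
    total = sum(len(l.records) for l in ls)
    agree = sum(sum(1 for _, lbl in l.records if lbl == l.majority) for l in ls)
    return agree / total


def predict(node, features):
    """Classify by walking the tree; an attribute value never seen on this path stops at the node majority."""
    while node.split_attr is not None:
        child = node.children.get(features[node.split_attr])
        if child is None:
            break
        node = child
    return node.majority


def accuracy(tree, records):
    return sum(predict(tree, f) == lbl for f, lbl in records) / len(records)


TREE = build(TRAIN, ATTRS)

if __name__ == "__main__":
    print("clusters:", len(leaves(TREE)), "purity:", cluster_purity(TREE))
    print("test accuracy:", accuracy(TREE, TEST))
```

On this constructed data the tree yields four pure clusters for three classes (the spyware apps are split by their dynamic-code behaviour), which is why purity alone is not a sufficient external metric: a tree that over-segments can still score 1.0, so the number of clusters or a completeness-style measure should be reported alongside it. The `predict` fallback matters for real feature extraction, where a new sample can carry a value never observed during clustering.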