
A Multi-view Context-aware Approach to Android Malware Detection and Malicious Code Localization


Abstract

Existing Android malware detection approaches use a variety of features such as security sensitive APIs, system calls, control-flow structures and information flows in conjunction with Machine Learning classifiers to achieve accurate detection. Each of these feature sets provides a unique semantic perspective (or view) of apps' behaviours with inherent strengths and limitations. Meaning, some views are more amenable to detect certain attacks but may not be suitable to characterise several other attacks. Most of the existing malware detection approaches use only one (or a selected few) of the aforementioned feature sets which prevent them from detecting a vast majority of attacks. Addressing this limitation, we propose MKLDroid, a unified framework that systematically integrates multiple views of apps for performing comprehensive malware detection and malicious code localisation. The rationale is that, while a malware app can disguise itself in some views, disguising in every view while maintaining malicious intent will be much harder. MKLDroid uses a graph kernel to capture structural and contextual information from apps' dependency graphs and identify malice code patterns in each view. Subsequently, it employs Multiple Kernel Learning (MKL) to find a weighted combination of the views which yields the best detection accuracy. Besides multi-view learning, MKLDroid's unique and salient trait is its ability to locate fine-grained malice code portions in dependency graphs (e.g., methods/classes). Through our large-scale experiments on several datasets (incl. wild apps), we demonstrate that MKLDroid outperforms three state-of-the-art techniques consistently, in terms of accuracy while maintaining comparable efficiency. In our malicious code localisation experiments on a dataset of repackaged malware, MKLDroid was able to identify all the malice classes with 94% average recall.