
PhD Dissertation Defense by XU Ke | Advanced Malware Detection for Android Platform


 




 

Advanced Malware Detection for Android Platform




XU Ke


PhD Candidate

School of Information Systems

Singapore Management University

 





Research Area


Dissertation Committee


Chairman


Committee Members


External Member


  • LI Tieyan, Security Expert, Huawei Technologies Singapore Research Centre
 






Date


May 22, 2018 (Tuesday)


Time


1.00pm - 2.00pm


Venue


Meeting Room 4.4, Level 4,

School of Information Systems Singapore Management University

80 Stamford Road

Singapore 178902

We look forward to seeing you at this research seminar.






 

About The Talk


In the first quarter of 2018, 75.66% of smartphone sales were devices running Android. Due to its popularity, cyber-criminals have increasingly targeted this ecosystem. Malware running on Android severely violates end users' security and privacy, enabling attacks such as defeating the two-factor authentication of mobile banking applications, capturing real-time voice calls and leaking sensitive information. Detecting malware on mobile devices presents additional challenges compared to desktop/laptop computers: smartphones have limited battery life, making it infeasible to use traditional approaches that require constant scanning and complex computation. In this dissertation, we aim to detect Android malware both effectively and efficiently, and propose three advanced malware detection systems: an ICC-based malware detection system (ICCDetector), a multi-layer malware detection system (DeepRefiner), and a self-evolving and scalable malware detection system (DroidEvolver).


Most existing malware detection methods are designed around the resources required by malware. These methods capture the interactions between applications and the Android system, but ignore the communications among components within or across application boundaries. As a consequence, the majority of existing methods are less effective at identifying many typical malware samples that require few or no suspicious resources but leverage the Inter-Component Communication (ICC) mechanism to launch stealthy attacks. To address this challenge, we systematically analyze the ICC patterns of benign applications and malware, and propose a new malware detection system, ICCDetector, which detects malware based not on required resources but on ICC patterns.

ICCDetector, like most existing malware detection methods, relies on predefined features and builds a single classification model for malware detection. However, as the complexity of mobile malicious behaviors varies significantly across malware, it is difficult to perform effective and efficient detection with a single classifier. In addition, both the Android system and malware evolve rapidly over the years. As a consequence, it is also challenging to detect malware in practice when relying on laborious human feature engineering and a complicated feature extraction process. We then propose DeepRefiner, a novel detection system which identifies malware both effectively and efficiently. DeepRefiner includes multiple detection layers to distinguish malware complexities, and applies deep neural networks to automatically learn detection features and patterns from applications.

Given the frequent changes in the Android framework and the continuous evolution of Android malware, it is challenging to detect malware over time in an effective and scalable manner. To address this challenge, we propose DroidEvolver, a malware detection system that can automatically and continually update itself during malware detection. Unlike most learning-based malware detection systems, which rely on batch learning algorithms to generate immutable detection models with fixed feature sets, DroidEvolver applies online learning algorithms to make necessary updates to its detection models with an evolving feature set.

 

Speaker Biography


XU Ke is a PhD candidate in the School of Information Systems, Singapore Management University, specialising in Cyber Security under the supervision of Professor Robert H. Deng and Associate Professor Yingjiu Li. Her current research focuses on malware detection, mobile platform security and application analysis.