ANDRODET: An adaptive Android obfuscation detector

e-Archivo Repository

dc.contributor.author Mirzaei, Omid
dc.contributor.author Fuentes García-Romero de Tejada, José María de
dc.contributor.author Estévez Tapiador, Juan Manuel
dc.contributor.author González Manzano, Lorena
dc.date.accessioned 2021-12-15T15:14:06Z
dc.date.available 2021-12-15T15:14:06Z
dc.date.issued 2019-01-01
dc.identifier.bibliographicCitation Mirzaei, O., Fuentes, J.M., Tapiador, J., González-Manzano, L. (2019). AndrODet: An adaptive Android obfuscation detector. Future Generation Computer Systems, 90, pp. 240-261. https://doi.org/10.1016/j.future.2018.07.066
dc.identifier.issn 0167-739X
dc.identifier.uri http://hdl.handle.net/10016/33775
dc.description.abstract Obfuscation techniques modify an app's source (or machine) code in order to make it more difficult to analyze. This is typically applied to protect intellectual property in benign apps, or to hinder the process of extracting actionable information in the case of malware. Since malware analysis often requires considerable resource investment, detecting the particular obfuscation technique used may contribute to applying the right analysis tools, thus leading to some savings. In this paper, we propose ANDRODET, a mechanism to detect three popular types of obfuscation in Android applications, namely identifier renaming, string encryption, and control flow obfuscation. ANDRODET leverages online learning techniques, thus being suitable for resource-limited environments that need to operate in a continuous manner. We compare our results with a batch learning algorithm using a dataset of 34,962 apps from both malware and benign apps. Experimental results show that online learning approaches are not only able to compete with batch learning methods in terms of accuracy, but they also save a significant amount of time and computational resources. Particularly, ANDRODET achieves an accuracy of 92.02% for identifier renaming detection, 81.41% for string encryption detection, and 68.32% for control flow obfuscation detection, on average. Also, the overall accuracy of the system when apps might be obfuscated with more than one technique is around 80.66%. (C) 2018 The Authors. Published by Elsevier B.V.
dc.description.sponsorship This work has been partially supported by MINECO grant TIN2016-79095-C2-2-R (SMOG-DEV) and CAM grant S2013/ICE-3095 (CIBERDINE), co-funded with European FEDER funds. Furthermore, it has been partially supported by the UC3M's grant Programa de Ayudas para la Movilidad
dc.language.iso eng
dc.publisher Elsevier
dc.rights © 2018 The Authors. Published by Elsevier B.V.
dc.rights Attribution-NonCommercial-NoDerivs 3.0 Spain
dc.rights.uri http://creativecommons.org/licenses/by-nc-nd/3.0/es/
dc.subject.other obfuscation detection
dc.subject.other android
dc.subject.other machine learning
dc.subject.other malware
dc.title ANDRODET: An adaptive Android obfuscation detector
dc.type article
dc.subject.eciencia Computer Science
dc.identifier.doi https://doi.org/10.1016/j.future.2018.07.066
dc.rights.accessRights openAccess
dc.relation.projectID Comunidad de Madrid. S2013/ICE-3095
dc.relation.projectID Gobierno de España. TIN2016-79095-C2-2-R
dc.type.version publishedVersion
dc.identifier.publicationfirstpage 240
dc.identifier.publicationlastpage 261
dc.identifier.publicationtitle Future Generation Computer Systems-The International Journal of eScience
dc.identifier.publicationvolume 90
dc.identifier.uxxi AR/0000022235
dc.contributor.funder European Commission
dc.contributor.funder Ministerio de Economía y Competitividad (España)
dc.contributor.funder Universidad Carlos III de Madrid
dc.affiliation.dpto UC3M. Departamento de Informática
dc.affiliation.grupoinv UC3M. Grupo de Investigación: COSEC (Computer SECurity Lab)