1. The document describes IntelliAV, a machine learning-based system for detecting Android malware directly on devices.
2. IntelliAV uses a random forest classifier trained on features extracted from app permissions, intents, API calls, and simple statistics to classify apps; it reached a 72% detection rate on malware first seen in 2017.
3. An independent third-party test found IntelliAV achieved 96% detection of 500 recent malware samples, and it can detect "droppers" that escape offline analysis by dropping malware only after installation.
IntelliAV: Toward the Feasibility of Building Intelligent Anti-Malware on Android Devices
1. Pattern Recognition and Applications Lab
IntelliAV: Toward the Feasibility of Building Intelligent
Anti-Malware on Android Devices
Mansour Ahmadi
Post-Doctoral Researcher, University of Cagliari, Italy
With: Angelo Sotgiu , Giorgio Giacinto
1: University of Cagliari, Italy
CD-MAKE'17, 31st August
Mansour Ahmadi (pralab.diee.unica.it) IntelliAV: Android Malware Detection CD-MAKE'17, 31st August 1 / 16
2. Prerequisite
Android
If you haven't heard about Android,
You probably live under a rock
Malware
- short for Malicious software
Classification
- A Machine Learning task for prediction
3. Problem
Android Malware
- People need to protect their device from Android Malware
Reaction of some people
- What?
- Are you joking? Is there Malware for Android?
Our reply
- New Android malware found every 10 seconds
6. This work
IntelliAV
- Identify if an Android application is Goodware/Malware
- The detection is performed by
Machine Learning and On-Device
Reaction of some people
- What? There are hundreds of papers on this topic.
- Are you joking? Do you mean yet another paper??
Our reply
- Yes & NO
9. Related works (based on Machine Learning)
Year  Method         Features                         On-Device   Available
2014  DroidAPIMiner  API, PKG, PAR                    ✗           ✗
2014  DroidMiner     CG, API SEQ                      ✗           ✗
2014  Drebin         PER, STR, API, INT               ✗ in one of the two columns*
2014  DroidSIFT      API Flow                         ✗           ✗
2015  AppAudit       API Flow                         ✗ in one of the two columns*
2015  MudFlow        API Flow                         ✗ in one of the two columns*
2017  MaMaDroid      CG, API SEQ                      ✗ in one of the two columns*
2017  DroidSieve     API, PER, INT, PKG, STR, STAT    ✗           ✗
2017  Qualcomm       Not Available                    ✗ in one of the two columns*
Ours  IntelliAV      PER, INT, API, STAT              ✓           ✓
Table: The systems that are mostly based on API, API-F (API flow) and API SEQ (API sequence) features would fail against reflection, because a reflective call resolves its target method at run time and does not appear as a direct API reference in the dex code. IntelliAV is the only on-device system that is available on the market.
* Rows marked with an asterisk show a single mark on the extracted slide; which of the two columns it belongs to could not be recovered. The marks themselves survive only as garbled symbols and are read here as ✗ (property absent), consistent with the caption's claim that IntelliAV alone is both on-device and available.
10. Why an On-Device Learning-based system?
Why On-Device?
1 The Google Play store is not totally free of malware.
2 Third-party app stores are popular among mobile users.
3 Malware might be added to Android devices during the supply chain.
4 Droppers can simply evade offline detection systems.
Why Machine Learning?
1 Detecting zero-day malware.
2 Most major AVs still do not use machine learning.
3 Being robust against simple evasion techniques.
11. Overview of IntelliAV
12. Feature Extraction
Features
- Rely on our previous works
- 3955 features from Permissions, Intents, Statistical, APIs
- To avoid over-fitting, select the top 1000 meaningful features
13. Model Construction
Classifier
- Algorithm: Random Forest
- Library: TensorFlow (Multi-platform)
- Train on 9,664 Malicious and 10,058 Benign applications
Testing on-Device
- The model can be transferred to the mobile device
- Size of model is 3.3 MB
- No root permission is needed to read the installed APKs
- Give a probability to each application (between 0 and 1)
- Safe (0 ≤ P < 0.4), Suspicious (0.4 ≤ P < 0.6), Risky (0.6 ≤ P ≤ 1)
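The block below is an added example, not IntelliAV's own code, that walks through the two slides above end to end: it turns parsed static properties of an app into the four feature families (permissions, intents, APIs, statistics), ranks the features by mutual information with the malware label to keep a top-k subset, builds the binary vector a classifier would consume, and maps a classifier probability to the Safe/Suspicious/Risky bands. The sample apps, the feature names, the thresholds used to binarise the statistical features, the mutual-information criterion and the placement of the band boundaries are all assumptions; the slides do not say how IntelliAV ranks its 3955 features or which side of 0.4 and 0.6 each band includes. Training the random forest itself is left out, since any binary classifier can take the vectors produced here.

```python
"""Toy static-feature pipeline in the spirit of the IntelliAV slides.
Added example; the sample apps are constructed, not real training data."""
import math
from collections import defaultdict

# Constructed sample apps. Each dict holds what a manifest/dex parser would
# yield: permissions, intent actions, called API methods, and two statistics.
# label: 1 = malware, 0 = goodware.
SAMPLE_APPS = [
    {"label": 1, "perms": {"SEND_SMS", "READ_PHONE_STATE", "INTERNET"},
     "intents": {"BOOT_COMPLETED"},
     "apis": {"SmsManager.sendTextMessage", "DexClassLoader.<init>"},
     "n_dex": 1, "apk_kb": 120},
    {"label": 1, "perms": {"SEND_SMS", "RECEIVE_SMS", "INTERNET"},
     "intents": {"SMS_RECEIVED"},
     "apis": {"SmsManager.sendTextMessage"},
     "n_dex": 1, "apk_kb": 90},
    {"label": 1, "perms": {"READ_PHONE_STATE", "INTERNET"},
     "intents": {"BOOT_COMPLETED"},
     "apis": {"DexClassLoader.<init>", "TelephonyManager.getDeviceId"},
     "n_dex": 1, "apk_kb": 150},
    {"label": 0, "perms": {"INTERNET", "ACCESS_NETWORK_STATE"},
     "intents": {"MAIN"},
     "apis": {"HttpURLConnection.connect"},
     "n_dex": 15, "apk_kb": 48000},
    {"label": 0, "perms": {"INTERNET", "CAMERA"},
     "intents": {"MAIN"},
     "apis": {"Camera.open"},
     "n_dex": 2, "apk_kb": 9000},
    {"label": 0, "perms": {"INTERNET", "READ_PHONE_STATE"},
     "intents": {"MAIN"},
     "apis": {"TelephonyManager.getDeviceId", "HttpURLConnection.connect"},
     "n_dex": 1, "apk_kb": 3000},
]

# Thresholds for binarising the statistical features (assumed, not from the slides).
MULTIDEX_MIN_DEX = 2
SMALL_APK_MAX_KB = 200


def extract_features(app):
    """Return the set of named binary features for one parsed app.
    Prefixes follow the slide's four families: PER, INT, API, STAT."""
    feats = {"PER:" + p for p in app["perms"]}
    feats |= {"INT:" + i for i in app["intents"]}
    feats |= {"API:" + a for a in app["apis"]}
    if app["n_dex"] >= MULTIDEX_MIN_DEX:
        feats.add("STAT:multidex")
    if app["apk_kb"] <= SMALL_APK_MAX_KB:
        feats.add("STAT:small_apk")
    return feats


def build_vocab(apps):
    """Sorted union of every feature seen in the corpus."""
    return sorted(set().union(*(extract_features(a) for a in apps)))


def mutual_information(apps, feature):
    """I(F;Y) in bits between feature presence and the malware label."""
    n = len(apps)
    joint = defaultdict(int)
    for app in apps:
        joint[(feature in extract_features(app), app["label"])] += 1
    p_f = defaultdict(float)
    p_y = defaultdict(float)
    for (f, y), c in joint.items():
        p_f[f] += c / n
        p_y[y] += c / n
    return sum((c / n) * math.log2((c / n) / (p_f[f] * p_y[y]))
               for (f, y), c in joint.items())


def select_top_k(apps, k):
    """Keep the k features most informative about the label.
    Ties are broken by name so the result is deterministic."""
    scored = [(-round(mutual_information(apps, f), 9), f) for f in build_vocab(apps)]
    return [f for _, f in sorted(scored)[:k]]


def vectorize(app, selected):
    """Binary feature vector over the selected vocabulary, ready for a classifier."""
    present = extract_features(app)
    return [1 if f in present else 0 for f in selected]


def risk_band(p):
    """Slide 13 bands for a malware probability p in [0, 1].
    Which side of 0.4 and 0.6 each band includes is assumed here."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    if p < 0.4:
        return "Safe"
    if p < 0.6:
        return "Suspicious"
    return "Risky"


if __name__ == "__main__":
    top = select_top_k(SAMPLE_APPS, 5)
    print("top features:", top)
    for app in SAMPLE_APPS:
        print(app["label"], vectorize(app, top))
    print(risk_band(0.73))
```

On the constructed corpus the two features that perfectly separate the classes (INT:MAIN and STAT:small_apk) rank first, followed by features present in two apps of one class and none of the other; a feature shared by every app (PER:INTERNET) scores zero and would be discarded, which is the point of the selection step on slide 12.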
14. Capabilities of IntelliAV
- Scan installed applications
- Scan a single APK
15. Evaluation - Detecting new malware
Results
- Testing on 2,311 malware samples, first seen in 2017
- 72% Detection Rate
- 7.5% False Positive on 2,898 Benign
16. Independent Test by 3rd party
Results
- Test on 500 common and recent Android malware in 2017
- IntelliAV achieved 96% Detection Rate
17. Detecting Droppers on Device
Droppers do not carry out any malicious activity by themselves
- Offline analysis systems would fail to detect the dropped
18. IntelliAV Overhead
API Extraction is the slowest part
- AirBnB has 15 Dex files (this makes the feature extraction process slow)
19. Summary
1 First practical Intelligent AV for Android (available, with details)
2 Careful selection of a set of lightweight features
3 A robust classification model,
and a representative set of training samples
4 IntelliAV can help the end user get easy protection on the device
5 IntelliAV allows researchers to better explore the idea of
having intelligent security systems on mobile devices
20. Give It a Try
Follow us
Http://www.IntelliAV.com
Twitter / Facebook: @IntelliAV