
Picking on the family: Disrupting android malware triage by forcing misclassification

Calleja, A; Martín, A; Menéndez, HD; Tapiador, J; Clark, D; (2018) Picking on the family: Disrupting android malware triage by forcing misclassification. Expert Systems with Applications , 95 pp. 113-126. 10.1016/j.eswa.2017.11.032. Green open access

Full text: 1-s2.0-S0957417417307881-main.pdf (Published Version)

Abstract

Machine learning classification algorithms are widely applied to different malware analysis problems because of their proven abilities to learn from examples and perform relatively well with little human input. Use cases include the labelling of malicious samples according to families during triage of suspected malware. However, automated algorithms are vulnerable to attacks. An attacker could carefully manipulate the sample to force the algorithm to produce a particular output. In this paper we discuss one such attack on Android malware classifiers. We design and implement a prototype tool, called IagoDroid, that takes as input a malware sample and a target family, and modifies the sample to cause it to be classified as belonging to this family while preserving its original semantics. Our technique relies on a search process that generates variants of the original sample without modifying their semantics. We tested IagoDroid against RevealDroid, a recent, open source, Android malware classifier based on a variety of static features. IagoDroid successfully forces misclassification for 28 of the 29 representative malware families present in the DREBIN dataset. Remarkably, it does so by modifying just a single feature of the original malware. On average, it finds the first evasive sample in the first search iteration, and converges to a 100% evasive population within 4 iterations. Finally, we introduce RevealDroid*, a more robust classifier that implements several techniques proposed in other adversarial learning domains. Our experiments suggest that RevealDroid* can correctly detect up to 99% of the variants generated by IagoDroid.

Type: Article
Title: Picking on the family: Disrupting android malware triage by forcing misclassification
Open access status: An open access version is available from UCL Discovery
DOI: 10.1016/j.eswa.2017.11.032
Publisher version: http://doi.org/10.1016/j.eswa.2017.11.032
Language: English
Additional information: Copyright © 2017 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license. (http://creativecommons.org/licenses/by/4.0/)
UCL classification: UCL
UCL > Provost and Vice Provost Offices > UCL BEAMS
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science
UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science
URI: https://discovery.ucl.ac.uk/id/eprint/10040514
