Malware detection by learning and retrieving information for Android
Overview
MADLIRA is a tool for Android malware detection. It consists of two components: a TFIDF component and an SVM learning component. Both need a training set of known malware and known benign applications (benware): the TFIDF component uses it to extract malicious behaviors, and the SVM component uses it to compute a training model. That knowledge is then used to detect malicious behaviors in new Android applications.
Installing
Download the file MADLIRA.7z and decompress it.
Installed Data:
MADLIRA.jar is the main application.
noAPI.txt declares the prefix of APIs.
family.txt lists malwares by family.
Folder TrainData contains the training configuration and training model.
Folder Samples contains sample data.
Folder TempData contains data for kernel computation.
TFIDF
Command: MADLIRA TFIDF
This component has two functions: a training function (malicious behavior extraction) and a test function (malicious behavior detection).
Malicious behavior extraction
Collect benign applications and malicious applications and put them in folders named benignApkFolder and maliciousApkFolder, respectively.
Prepare the training data and pack it into two files named benignPack and maliciousPack with the command:
MADLIRA TFIDF packAPK -PB benignApkFolder -B benignPack -PM maliciousApkFolder -M maliciousPack
Extract malicious behaviors from the two packed files (benignPack and maliciousPack) with the command:
MADLIRA TFIDF train -B benignPack -M maliciousPack
Malicious behavior detection
Collect the new applications to analyze and put them in a folder named checkApk.
Detect malicious behaviors in the applications in the folder checkApk with the command:
MADLIRA TFIDF check -S checkApk
SVM
Command: MADLIRA SVM
This component also has two functions: a training function and a test function.
Training phase
Collect benign applications in a folder named benignApkFolder and malicious applications in a folder named maliciousApkFolder.
Prepare the training data with the command:
MADLIRA SVM packAPK -PB benignApkFolder -B benignPack -PM maliciousApkFolder -M maliciousPack
Compute the training model with the command:
MADLIRA SVM train -B benignPack -M maliciousPack
Malicious behavior detection
Collect the new applications to analyze and put them in a folder named checkApk.
Detect malicious behaviors in the applications in the folder checkApk with the command:
MADLIRA SVM check -S checkApk
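The packAPK, train and check steps above are the same procedure for both the TFIDF and the SVM component, so they can be chained with a small wrapper script. The following is an added example and is not part of MADLIRA. It assumes the jar is invoked as "java -jar MADLIRA.jar <component> ..." (the README only shows "MADLIRA <component> ..."), and it adds the checks a practitioner wants before a long run: that each input folder exists and actually contains .apk files, and that the component name is one of the two the tool knows. Setting DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not part of MADLIRA. Drives packAPK -> train -> check for
# either component. ASSUMPTION: the tool is run as
#   java -jar MADLIRA.jar <TFIDF|SVM> ...
set -eu

MADLIRA_JAR="${MADLIRA_JAR:-MADLIRA.jar}"   # path to the main application
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands only

# Print the number of .apk files directly inside a directory (0 if missing).
count_apks() {
    d="$1"
    [ -d "$d" ] || { echo 0; return 0; }
    find "$d" -maxdepth 1 -type f -name '*.apk' | wc -l | tr -d ' '
}

# Fail unless the folder exists and holds at least one APK; a long training
# run on an empty or mistyped folder is the usual mistake here.
require_apks() {
    n=$(count_apks "$1")
    if [ "$n" -eq 0 ]; then
        echo "error: $1 contains no .apk files" >&2
        return 1
    fi
    echo "$1: $n apk(s)"
}

# Run one MADLIRA sub-command for the given component (TFIDF or SVM).
run_madlira() {
    component="$1"; shift
    case "$component" in
        TFIDF|SVM) ;;
        *) echo "error: unknown component '$component' (use TFIDF or SVM)" >&2; return 1 ;;
    esac
    if [ "$DRY_RUN" = "1" ]; then
        echo "+ java -jar $MADLIRA_JAR $component $*"
    else
        java -jar "$MADLIRA_JAR" "$component" "$@"
    fi
}

# Training phase: pack both corpora, then train (extract behaviors / build model).
train_component() {
    component="$1"; benign="$2"; malicious="$3"
    require_apks "$benign" || return 1
    require_apks "$malicious" || return 1
    run_madlira "$component" packAPK -PB "$benign" -B benignPack \
        -PM "$malicious" -M maliciousPack || return 1
    run_madlira "$component" train -B benignPack -M maliciousPack
}

# Detection phase: check every APK in a folder against the trained knowledge.
check_component() {
    component="$1"; folder="$2"
    require_apks "$folder" || return 1
    run_madlira "$component" check -S "$folder"
}

# Usage: sh madlira_run.sh train TFIDF benignApkFolder maliciousApkFolder
#        sh madlira_run.sh check SVM checkApk
case "${1:-}" in
    train) train_component "$2" "$3" "$4" ;;
    check) check_component "$2" "$3" ;;
esac
```

Run the training step once per component, then point check at a fresh folder of APKs; the pack files land in the current directory, so run the script from the MADLIRA install directory where TrainData and TempData live.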
Packages:
This tool uses the following packages:
apktool-2.2.1 (https://ibotpeaches.github.io/Apktool/)
ojalgo-41.0.0 (https://github.com/optimatika/ojAlgo)
libsvm (https://www.csie.ntu.edu.tw/~cjlin/libsvm/)