A Research Of Android Malware Detection Based On Ensemble Learning

Posted on: 2019-08-14 | Degree: Master | Type: Thesis
Country: China | Candidate: X Wang
GTID: 2428330545450671 | Subject: Software engineering
Abstract/Summary:
Android's open-source nature has led to 98% of malicious applications growing on the Android platform. To identify malware effectively, many researchers have studied detection methods based on machine learning. However, these works generally use a single selection algorithm in the feature selection phase, which risks losing features of certain categories, and a single machine learning algorithm for classification, which makes it hard to determine which algorithm is most suitable for the current model. Some detection methods based on ensemble learning extract only a few features, which are not enough to describe applications (APPs) comprehensively. At the same time, in network-level detection the flow data is large, few works apply machine learning algorithms, and the methods detect APPs asynchronously.

To address these limitations, we first propose Android malware detection based on local behavior and ensemble learning (Mlifdect). The method refines the local behavior features into “App Special features” and “platform defined features”, and introduces two feature selection algorithms to select them separately. Mlifdect then applies three different machine learning algorithms to the two resulting feature datasets, builds six base classifiers, and executes the classification tasks in a multi-threaded manner. Finally, we investigate two ensemble strategies, based on Dempster-Shafer (DS) theory and on probability analysis. In the experiments, the accuracy rate and recall rate of Mlifdect are both close to 99.7%, and a small amount of hardware overhead is spent for the time optimization.

Secondly, we propose a detection model that uses network behavior and ensemble learning. The model treats detection as a multi-label classification problem. It extracts 16 features in terms of quantity, time, and semantics from the traffic data, and maintains the attribute of the APP that generates this traffic. Feature vectors are constructed as “features + attribute + APP tag + traffic tag”. We then employ the same three machine learning algorithms as in Mlifdect, together with DS theory, to classify the traffic and the corresponding APPs synchronously. Experiments show that the accuracy of the model reaches 97%, that the asynchronous operation is transformed into synchronous behavior, and that this saves computational overhead.

Finally, we conduct a fine-grained analysis of local behavior and network behavior, aiming to discover the differences between the behavior characteristics of malware and benign applications. Furthermore, we propose the concept of feature persistence. Experiments based on time series and data analysis show that the local behavior of Android malware has changed significantly over time, and that its persistence is poor.
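The abstract names DS-theory fusion of six base classifiers but does not say how classifier outputs become mass functions. The Python below is an added example, not code from the thesis: it applies Dempster's rule of combination over the frame {malware, benign}, and the mass assignment (each classifier's malware probability discounted by a reliability weight, with the remainder assigned to the whole frame) and all names and sample values are assumptions made for illustration.

```python
from functools import reduce

MAL, BEN = frozenset({"malware"}), frozenset({"benign"})
THETA = MAL | BEN  # the whole frame: mass placed here means "undecided"

def to_mass(p_malware, reliability):
    """Assumed scheme: discount the classifier's vote by its reliability
    (e.g. validation accuracy) and give the remainder to THETA."""
    return {MAL: reliability * p_malware,
            BEN: reliability * (1.0 - p_malware),
            THETA: 1.0 - reliability}

def combine(m1, m2):
    """Dempster's rule: multiply masses, keep non-empty intersections,
    renormalise by the non-conflicting mass."""
    fused, conflict = {}, 0.0
    for a, wa in m1.items():
        for b, wb in m2.items():
            inter = a & b
            if inter:
                fused[inter] = fused.get(inter, 0.0) + wa * wb
            else:
                conflict += wa * wb  # malware vs. benign disagreement
    if conflict >= 1.0 - 1e-12:
        raise ValueError("total conflict: sources cannot be combined")
    return {k: v / (1.0 - conflict) for k, v in fused.items()}

def fuse(outputs):
    """outputs: list of (p_malware, reliability), one per base classifier.
    Returns (label, fused mass function)."""
    m = reduce(combine, (to_mass(p, r) for p, r in outputs))
    label = "malware" if m.get(MAL, 0.0) > m.get(BEN, 0.0) else "benign"
    return label, m

# Constructed sample: six base classifiers (3 algorithms x 2 feature sets),
# two of which disagree with the majority but are less reliable.
SAMPLE = [(0.9, 0.95), (0.8, 0.9), (0.3, 0.7),
          (0.85, 0.9), (0.6, 0.8), (0.2, 0.6)]

if __name__ == "__main__":
    label, m = fuse(SAMPLE)
    print(label, {"/".join(sorted(k)): round(v, 4) for k, v in m.items()})
```

The mass left on THETA after fusion is the residual uncertainty, and the explicit total-conflict check covers the case where fully reliable classifiers contradict each other and Dempster's normalisation is undefined.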
Keywords/Search Tags: Android Malware, Ensemble Learning, DS Theory, Local Behavior, Network Behavior