A general practitioner or a specialist for your infected smartphone?

TL;DR

This paper proposes a malware detection system inspired by medical diagnosis, using symptom-based detection and specialized detectors for different malware families to improve accuracy and efficiency.

Contribution

It introduces a novel symptom-based malware detection approach that combines a general monitoring system with specialized detectors for different malware families.

Findings

Initial results show promising detection accuracy.

The approach effectively distinguishes among malware symptoms.

Discussion on defining representative malware symptoms.

Abstract

With explosive growth in the number of mobile devices, the mobile malware is rapidly spreading as well, and the number of encountered malware families is increasing. Existing solutions, which are mainly based on one malware detector running on the phone or in the cloud, are no longer effective. Main problem lies in the fact that it might be impossible to create a unique mobile malware detector that would be able to detect different malware families with high accuracy, being at the same time lightweight enough not to drain battery quickly and fast enough to give results of detection promptly. The proposed approach to mobile malware detection is analogous to general practitioner versus specialist approach to dealing with a medical problem. Similarly to a general practitioner that, based on indicative symptoms identifies potential illnesses and sends the patient to an appropriate specialist, our detection system distinguishes among symptoms representing different malware families and, once the symptoms are detected, it triggers specific analyses. A system monitoring application operates in the same way as a general practitioner. It is able to distinguish between different symptoms and trigger appropriate detection mechanisms. As an analogy to different specialists, an ensemble of detectors, each of which specifically trained for a particular malware family, is used. The main challenge of the approach is to define representative symptoms of different malware families and train detectors accordingly to them. The main goal of the poster is to foster discussion on the most representative symptoms of different malware families and to discuss initial results in this area obtained by using Malware Genome project dataset.