Similarity-based Android Malware Detection Using Hamming Distance of Static Binary Features
Rahim Taheri, Meysam Ghahramani, Reza Javidan, Mohammad Shojafar,, Zahra Pooranian, Mauro Conti

Table 1: Main notations and symbols used in this paper.

| Notation | Description |
|---|---|
| | Number of samples in the input dataset |
| | Number of features in each sample |
| | Input data |
| | A sample from the input data |
| | Label of a class in the classification problem |
| | ML model |
Rahim Taheri
Department of Computer Engineering and Information Technology, Shiraz University of Technology, Shiraz, Iran
Meysam Ghahramani
Reza Javidan
Mohammad Shojafar
Department of Mathematics, University of Padua, Via Trieste 63, 35131, Padua, Italy
Zahra Pooranian
Mauro Conti
Abstract
In this paper, we develop four malware detection methods that use the Hamming distance to find similarity between samples: first nearest neighbors (FNN), all nearest neighbors (ANN), weighted all nearest neighbors (WANN), and k-medoid based nearest neighbors (KMNN). With our proposed methods, we can trigger an alarm when we detect that an Android app is malicious. Hence, our solutions help to avoid the spread of detected malware on a broader scale. We provide a detailed description of the proposed detection methods and related algorithms, and we include an extensive analysis to assess the suitability of our proposed similarity-based detection methods. We perform our experiments on three datasets of benign and malware Android apps: Drebin, Contagio, and Genome. To corroborate the actual effectiveness of our classifier, we carry out performance comparisons with some state-of-the-art classification and malware detection algorithms, namely the Mixed and Separated solutions, the program dissimilarity measure based on entropy (PDME), and the FalDroid algorithms. We run our experiments on different types of features (API, intent, and permission features) on these three datasets. The results confirm that the accuracy rates of the proposed algorithms are more than 90% and in some cases (i.e., considering API features) more than 99%, and are comparable with existing state-of-the-art solutions.
Keywords: Android, malware detection, clustering, K-nearest neighbor (KNN), static analysis, Hamming distance.
Journal: Future Generation Computer Systems
1 Introduction
Nowadays, the widespread use of mobile devices in comparison with personal computers has begun a new era of information exchange. Besides, the increased power of mobile devices, coupled with their portability, has attracted user attention, and smartphones and tablets have become prevalent in recent years. By the end of 2014, the number of active mobile devices around the world was about 7 billion, and in developed countries the ratio of mobile devices to people is estimated to be 120.8%. Due to their widespread distribution and their abilities, mobile devices have become the main target of attackers in recent years [1]. Android is currently the most widely used mobile smartphone platform in the world, occupying 85% of the market share. Recent reports indicate an increase in the number of Android programs in recent years: the number of Android applications on Google Play was 16,000 in December 2009, one million in July 2013, about 2 million in February 2016, and five million in December 2017 [2, 3].
1.1 General Definition
Android apps fall into two categories: benign and malware. Samples that are safe and do not show malicious behaviors are called benign samples. In contrast, software that creates a security threat is named a malware sample. In recent years, the variety of malware in Android mobile networks has been continuously increasing and thus poses a risk to users’ privacy. Furthermore, the popularity of Android with cyber-criminals is also high; they create a lot of malicious programs to steal sensitive information and compromise mobile systems, and these conditions show the need for security in mobile apps. Unlike other smartphone platforms like iOS, Android users can install apps from unverified sources, such as file sharing websites. In Android apps, the issue of malware infection is very serious, and recent reports show that 97% of mobile malware attacks came from Android devices. In 2016 alone, more than 3.25 million Android malicious apps were detected. That means almost every 10 seconds a new malicious Android application is created [4, 5, razaque2018naive]. The term malware is created by combining the words “malicious” and “software”. Malware is a serious threat to the computer world, and this threat is increasing and becoming more complicated. When malicious software finds its way into a system, it scans the OS’s vulnerabilities, performs unwanted actions on the system, and ultimately reduces system performance [6]. Hence, an important problem in cyber-security is malware analysis [7, al2018live].
In addition to high precision and recognition rates, a malware detection system should generalize to new malicious families. For Android malware detection, two types of solutions, namely static and dynamic, have been proposed. Features like APIs, permissions, intents, and URLs are analyzed in static solutions. In another category of malware, malicious components are downloaded at run-time, which requires dynamic analysis to detect this malware [8]. For instance, the authors of [9] have provided a method for detecting malware based on the correlation between static and dynamic features. Also, the authors of [10] have come up with a way to detect malware in Android applications by combining static analysis and outlier detection.
Another important point is that the system should not need too much computation to be deployed on mobile devices. Hence, the system should adopt models (e.g., machine learning models) that estimate malicious behavior in a short time [11]. Machine learning (ML) methods are part of artificial intelligence-based systems in which solutions are provided to improve the decision-making process [12]. ML methods are widely used for specific decision-making tasks such as detecting malware, network penetration detection, and general pattern recognition problems. They are very effective in identifying well-known and unknown malware families with high accuracy. Various studies design ML-based classification methods to categorize different types of samples (for example, static-based, logic-based, perception-based and sample-based types of samples) and to detect network traffic on Android mobile devices [13].
An advantage of using the ML method is its ability to identify different types of malware [14]. In ML methods, complex pattern recognition and optimization of parameters are well investigated [15]. The current study indicates that the damage caused by malware programs, hidden among millions of mobile applications, is increasing, and this has been a visible motivation for researchers to deal with more complex applications.
Some Android malware analysis approaches study malware behaviors at the API level. For example, the authors of [16] give a precise analysis of opcode-based Android software based on similarity measurements inspired by the simple substitution distance of the features. They indicate that their technique provides a useful means of classifying metamorphic malware.
Some ML solutions adopt several distance calculation mechanisms to find samples similar to a specific sample. For example, the authors of [17] add a new entropy-based distance measure between two computer programs, called the program dissimilarity measure or PDME. PDME introduces a measure of the degree of metamorphism of samples. Also, the authors of [18] extract several types of static behavior features from Android apps and apply Support Vector Machine (SVM), K-Nearest Neighbor (KNN), Naive Bayes (NB), Classification and Regression Tree (CART) and Random Forest (RF) classifiers to separate malware from benign apps. The KNN algorithm is a supervised ML algorithm that can solve classification and regression problems. KNN is easy to implement: there is no need to build a model, tune several parameters, or make additional assumptions. However, it is a slow method for large datasets. The KNN algorithm finds the samples nearest to a specific query by computing the distances between the query and all the samples in the dataset. Then, it votes for the most frequent label or averages the labels.
Among the different methods for calculating distance, the Hamming distance applies to two vectors of the same length and counts the number of entries in which the corresponding elements differ. In other words, the Hamming distance is the minimum number of substitutions needed to convert one vector into the other. Suppose is a sample vector and is a corresponding label of vector on dimensional space; the Manhattan distance is the sum of the element-wise distances at the same indexes (see equation (1)).
[TABLE]
The Minkowski distance is given by equation (2):
[TABLE]
where .
In this paper, using the replacement method, we prove that with the binary representation of the data the Hamming distance gives the same result as other measures such as the Euclidean distance and the Manhattan distance.
1.2 Motivation and open issues
As we described earlier, ML has been widely used to classify various kinds of Android features such as APIs, permissions and intents, and to detect Android malware. For example, the paper [19] uses API system calls and builds an API graph, the reference [20] applies a score function to the extracted permission feature set, and the paper [21] adopts weighted mutual information to select prominent features. All of these research papers used the KNN algorithm to detect malware; however, because they do not use a binary representation of the data, they need several calculations to separate malware vectors from benign samples.
Finding a threshold for in the KNN algorithm has been considered in many studies and is important in malware detection methods [22]. Another category of studies has suggested ensemble learning methods that employ other algorithms such as decision trees, SVM and RF for malware detection. However, because they use multiple algorithms simultaneously, these methods have a high time complexity [11]. In some studies, a framework for detecting malware has been presented in which different classification methods such as SVM are applied [23]. In [23], the authors propose a structure that uses the KNN algorithm based on the Hamming distance for a malware detection system. It uses a fixed value for KNN, which limits their structure.
The purpose of this paper is to investigate the effect of the distance between samples to classify into malware and benign. Due to the sparse feature vectors, the Hamming distance is an appropriate measure for the discrimination of samples. We propose a modified supervised KNN Algorithm using the Hamming distance to classify the samples. Then, we combine it with an unsupervised K-Medoids algorithm to detect malware based on static features. In the proposed framework of this paper, we use the Hamming distance to apply proposed classification methods which are the modified form of the KNN method.
1.3 Problem Definition
Due to the widespread use of Android apps, finding a way to identify malicious files is a critical problem that needs to be solved promptly. This paper uses static analysis and proposes four similarity-based detection methods for Android malware that calculate the distance between samples using the Hamming distance measure. The proposed methods are flexible solutions to the problem: the model generated by each scenario learns the patterns in the features and can be used to classify samples into malware and benign. Our proposed methods generalize the patterns well, even for new samples. To do so, we first find the related set of features from the manifest part of the APK file. Then, we use the RF regressor as a feature selection algorithm and rank the features. The main reason for selecting RF as the feature selection algorithm is that we have better control over the results with RF when we consider different random subsamples of the original dataset [24]. Finally, we use the proposed methods based on the nearest neighbors of each sample to classify them.
1.4 Contribution
In this research, we deploy several methods that applied on APIs, Permissions, and Intents used by Android applications to identify malware samples or apps. We carry out extensive experiments to compare proposed solutions with existing solutions and examine the validity of the proposed detection model. To sum up, we make the following contributions:
- We prove that, for binary vectors, the Hamming distance gives the same result as the other distance measures, and we apply the Hamming distance in the distance-based malware detection methods.
- We propose four scenarios for malware detection based on the nearest neighbor approach, in which we use the Hamming distance to find neighbors.
- We obtain the maximum achievable accuracy with the Hamming distance method as a threshold. We present the accuracy threshold calculation strategy in Section 5.2.
- We evaluate the proposed malware detection methods using three standard datasets: Drebin, Contagio, and Genome. Besides, by analyzing the time and space complexity, we perform a theoretical analysis to assess the scalability of our approach.
- We compare the proposed malware detection methods against state-of-the-art methods for malware detection. First, the proposed methods are compared to [22], an Android malware detection method based on a combination of clustering and classification. The next comparison solution in the literature uses an entropy-based distance measure to detect malware [17]. In the third comparison method [19], malware samples are classified into different families, making it possible for each family to share the features of its samples in a better way. The main reason for selecting these schemes for comparison is that, like our proposed methods, these cutting-edge solutions use similarity-based metrics for detecting malware. Moreover, the papers [19] and [22] carry out their numerical validations on the Drebin dataset, and we report our results on the same dataset.
1.5 Roadmap
The remainder of the paper is organized as follows. We discuss related work in Section 2. In Section 3 we review the preliminaries essential for malware analysis. Section 4 describes the distance calculation measures in binary representation, explores the detection strategies and our defined scenarios, designs our proposed architecture for malware detection systems, provides a toy scenario, and delineates the proposed algorithms, while Section 5 presents the experimental results of our proposed scenarios. Section 6 reports the achievements of the experiments and provides some discussion of our method. Finally, in Section 7 we summarize our research and provide future directions.
2 Related Work
Machine learning techniques use static, dynamic, and hybrid analysis methods to classify Android applications. In the following subsections, we introduce them. We also review some important research in malware analysis and malware detection.
2.1 Static analysis
Some techniques applied to Android apps use static permission features, such as Drebin [25], StormDroid [26], and DroidSIFT [27] [28].
The authors in [29] propose a new detection system called ANASTASIA to identify malicious samples using intent, permission, system command, and API call features. ANASTASIA uses several classifiers based on deep learning and can extract several feature types from Android applications depending on the conditions of the app. Additionally, the authors in [30] profile the resource usage of Android apps and leverage the profiles to detect Android malware.
The authors in [31] present an automatic signature generation approach called AndroSimilar, which detects malware based on static syntactic features of Android apps. AndroSimilar can detect obfuscated malware that uses techniques such as junk method insertion, method renaming, string encryption, and control flow changes to evade fixed signatures. Besides, AndroSimilar can detect unknown variants of existing malware. The authors build AndroSimilar's signature generation on the digital forensics Similarity Digest Hash (SDHash) used to identify similar documents. In SDHash, unrelated apps receive a lower probability of having common features, which helps to control false positive rates for two separate apps that share some features. Another method [32] applies the same strategy to extract fixed-size byte-sequence features using their entropy values, searches for popular features, and selects some of them using a KNN strategy.
2.2 Dynamic analysis
Dynamic solutions could run an Android app in a protected environment and provide all the required emulated resources to identify malicious activities. In literature, we find some implemented dynamic analysis methods – however, they suffer from resource constraints of a smartphone. In another group, some papers concentrate on the behavioral class of the malware detection solutions. For example, in [23], the authors define the malware types based on their behavioral class. They propose a new scheme which identifies the misbehavior classes modified by each malware type by correlating the features extracted at four different levels: kernel level, application level, user level, and package level. At the kernel level, their solution could monitor the system calls and hijacks them if any app triggers them. At the application level, it controls the critical APIs to detect the malicious behaviors posed by the apps such as the installation of new applications, requests for administrative privileges, generating too many processes, constant app monitoring on the active application. At the user level, they monitor user activities and detect malicious events when the user is idle or not interacting with the device. At the package level, they propose a new system to identify the risky applications under observation based on permissions requested by the app and market information.
The fatal limitation of dynamic approaches is that if they are triggered only by some non-trivial events, they can miss some malicious execution paths. For example, anti-emulation techniques such as sandbox [33] and reference [34] detection mechanisms prevent timely analysis of the environment, delay the identification of malware, and increase evasion of dynamic analysis methods.
2.3 Hybrid analysis
We can generate hybrid solutions when we apply static and dynamic approaches at the same time. Hybrid solutions can borrow the characteristics of static and dynamic solutions to improve malware detection strategies, as in DroidDetector [35]. DroidDetector applies static and dynamic analysis using deep learning to distinguish malicious software from normal applications. It uses permissions and sensitive APIs for static analysis; these static features are extracted using the TinyXml [36], 7-zip [37], and Baksmali [38] tools. After that, DroidDetector analyzes dynamic features using the DroidBox tool.
Furthermore, Shanmugam [16] proposes an alternative distance for metamorphic malware. Their distance measurement solution is based on the opcode-based similarity method and the simple substitution cipher reported in [39]. They use this distance measurement to classify malicious programs: an application that is sufficiently similar to the metamorphic malware is classified as malicious. Some malware detection methods use Euclidean histogram distance metrics to compare two program files; for example, Rad et al. [40] suggest that a histogram of opcodes can be used to detect metamorphic viruses. Some studies apply statistical methods to detect malware. For example, Toderici [41] uses an analytical approach based on a chi-squared test to improve hidden Markov model-based malware detection. In another work, Ambra Demontis et al. [42] elaborate a solution to mitigate evasion attacks such as malware data manipulation. Their method utilizes a secure SVM algorithm that enforces evenly-distributed feature weights.
3 Preliminaries
In this section, we review some of the essentials for malware analysis and how to model malware. In applied mathematics and computer science, a sparse matrix is a matrix in which most of the elements are zero. In Fig. 1, we use sparse matrix representation which contains important information related to Android app features such as APIs, permissions and intents.
In this study, we follow the general setting for designing a malware detection system that contains the benign and malware samples . To do so, we select the performance evaluation settings and store a dataset that includes the labeled examples (i.e., with samples) and the elements for each sample. Hence, in equation (3) we have
[TABLE]
where is the -th malware sample vector of each component presents the selected feature; is the corresponding label of the features; is the binary value of the -th feature in -th sample where . Also, we can set if has the -th component and otherwise; is the total number of samples, and is an -dimensional feature space.
4 Proposed Approaches for Malware Detection System
In this section, we first apply replacement method and prove that in the binary representation, Manhattan distance, Minkowski distance, and Hamming distance are the same. Then, due to the simplicity of computation, we use the Hamming distance method in the proposed detection algorithms. After that, we present our proposed architecture. The main notations and symbols used in this paper are listed in Table 1.
4.1 Equivalence of distance calculation measures in binary representation
In our paper, we introduce methods to identify malware samples among benign samples using a distance measure. Given that the samples are binary vectors, the existence of a feature means a value of 1 and the absence of a feature means 0. The proposed method for computing the distance between samples is the Hamming distance of the two vectors. Moreover, it can easily be shown that for binary vectors, the different distance criteria all yield the same distance. Suppose the binary vector is the most similar vector to . It means, , . Several distance formulas apply to find the most similar vector to vector . We list some of them as follows.
- Taxicab distance, also called the Manhattan distance, is presented in equation (1).
- Minkowski distance is presented in equation (2).
Since we need the most similar vector, we have equation (4):
[TABLE]
which is equivalent to:
[TABLE]
On the other hand, since our vectors are binary, we have:
[TABLE]
Different values of determine the application of this equation. For , the Minkowski distance is a metric as a result of the Minkowski inequality. Minkowski distance is typically used with p being 1 or 2, which corresponds to the Manhattan distance and the Euclidean distance, respectively.
We can rewrite equation (4) using equation (6) as
[TABLE]
Then, we have:
[TABLE]
and we can conclude
[TABLE]
The last equation imposes that the and vectors result from each other. Formally speaking, we show that using the measure, vector is the most similar vector to the binary vector .
4.2 Proposed architecture
In Fig. 2, we introduce our proposed architecture. In this figure, we select the static features of data samples (out of samples) in the dataset (see the rectangular feature selection component in Fig. 2). Then, using the Random Forest feature selection algorithm, we select the percentage of features– . The value will be in the following set.
[TABLE]
For example, if , it means we select 10% of the features in the feature selection component. After that, we convert the selected features of the samples to a vector. Then, we generate a binary vector for each sample by placing the value 1 for each feature that exists in the sample and the value 0 for each non-existent feature (see the Binary Vectors component in Fig. 2). Then, we generate our ML model using each of our proposed detection algorithms as classification algorithms based on Hamming distance similarities between the samples, and use the ML model to detect malware among benign samples.
4.3 Detection strategy and scenarios
Measuring the similarity between samples is a significant operation in classification algorithms. Classifiers that use a similarity strategy can estimate the label of a sample in the test set based on the similarities between that sample and the labeled samples in the training set, and the pairwise similarities between the training samples. In the following, there are several ways to detect malware which, despite their simplicity, yield good results. Suppose that we want to find the most similar members (i.e., the most similar vectors) of the training set to the vector that belongs to the test set. From the mathematical point of view, the element is the most similar to if we have equation (11):
[TABLE]
Here, represents the difference between and , which is also called the distance. There are several methods to calculate the distance, such as the Hamming distance, Minkowski distance and so on, which were discussed earlier. Due to the binary nature of the elements (samples), we have shown that the distance results of all these methods are the same, and therefore there is no ambiguity in selecting a specific method. For malware detection, we introduce several scenarios and present the results. To this end, we summarize each proposed malware detection method as follows:
FNN (First Nearest Neighbors): In FNN, the first member of the training dataset is initially considered the most similar member to the input sample, and whenever a member is found that is more similar, that new member is taken as the most similar. The pseudocode of this method is shown in Alg. 4.3.
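As an added example (not code from the paper), the following Python script encodes constructed permission, API and intent features as binary vectors, checks exhaustively on small vectors that the Hamming, Manhattan and Minkowski distances agree (up to the p-th root) as argued in Section 4.1, and implements the FNN scan described above. All app names, feature names and labels are constructed sample data, not from the paper's datasets.

```python
"""Added example: Hamming-distance FNN over binary static features.
All features, app names and labels below are constructed sample data."""
from itertools import product

# Constructed feature vocabulary (stand-in for the RF-selected feature subset).
FEATURES = [
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.INTERNET",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "Landroid/telephony/SmsManager;->sendTextMessage",
    "Ljava/lang/Runtime;->exec",
    "android.intent.action.BOOT_COMPLETED",
    "android.permission.ACCESS_FINE_LOCATION",
]


def to_binary_vector(present_features, vocabulary=FEATURES):
    """Entry j is 1 if the app has feature j, else 0 (the paper's encoding)."""
    present = set(present_features)
    return tuple(1 if f in present else 0 for f in vocabulary)


def hamming(u, v):
    """Number of positions where two equal-length binary vectors differ."""
    if len(u) != len(v):
        raise ValueError("vectors must have the same length")
    return sum(a != b for a, b in zip(u, v))


def manhattan(u, v):
    return sum(abs(a - b) for a, b in zip(u, v))


def minkowski(u, v, p):
    return sum(abs(a - b) ** p for a, b in zip(u, v)) ** (1.0 / p)


def distances_agree_on_binary(n=4):
    """Exhaustive check of the Section 4.1 claim on all n-bit vector pairs:
    Manhattan == Hamming, and Minkowski(p) == Hamming ** (1/p), so every
    measure ranks candidate neighbours identically."""
    for u in product((0, 1), repeat=n):
        for v in product((0, 1), repeat=n):
            h = hamming(u, v)
            if manhattan(u, v) != h:
                return False
            for p in (1, 2, 3):
                if abs(minkowski(u, v, p) - h ** (1.0 / p)) > 1e-9:
                    return False
    return True


# Constructed labelled training set: (app id, present features, label).
TRAIN = [
    ("benign-weather", ["android.permission.INTERNET",
                        "android.permission.ACCESS_FINE_LOCATION"], "benign"),
    ("benign-notes", ["android.permission.INTERNET"], "benign"),
    ("mal-smstrojan", ["android.permission.SEND_SMS",
                       "android.permission.INTERNET",
                       "Landroid/telephony/SmsManager;->sendTextMessage",
                       "android.permission.RECEIVE_BOOT_COMPLETED",
                       "android.intent.action.BOOT_COMPLETED"], "malware"),
    ("mal-spy", ["android.permission.READ_CONTACTS",
                 "android.permission.INTERNET",
                 "Ljava/lang/Runtime;->exec",
                 "android.permission.ACCESS_FINE_LOCATION"], "malware"),
]


def fnn_classify(query_features, train=TRAIN):
    """FNN: take the first training sample as the nearest, replace it whenever
    a strictly closer one is found, and return (label, nearest app id, distance).
    Ties keep the earlier sample, so training-set order matters."""
    q = to_binary_vector(query_features)
    best_id, best_feats, best_label = train[0]
    best_d = hamming(q, to_binary_vector(best_feats))
    for app_id, feats, label in train[1:]:
        d = hamming(q, to_binary_vector(feats))
        if d < best_d:
            best_id, best_label, best_d = app_id, label, d
    return best_label, best_id, best_d


if __name__ == "__main__":
    print("distance measures agree on binary vectors:", distances_agree_on_binary())
    sample = ["android.permission.SEND_SMS", "android.permission.INTERNET",
              "android.permission.RECEIVE_BOOT_COMPLETED",
              "Landroid/telephony/SmsManager;->sendTextMessage"]
    print(fnn_classify(sample))
```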
[1] Global mobile statistics 2014, [Online; accessed 10-June-2019] (2019). URL https://mobiforge.com/research-analysis/global-mobile-statistics-2014-part-a-mobile-subscribers-handset-market-share-mobile-operators
[2] Sophos mobile security threat reports, [Online; accessed 10-June-2019] (2019). URL https://news.sophos.com/en-us/2014/02/24/sophoslabs-report-explores-mobile-security-threat-trends-reveals-explosive-growth-in-android-malware
[3] D. Vicente, Kaspersky security bulletin 2018, [Online; accessed 10-June-2019] (2018). URL https://securelist.com/kaspersky-security-bulletin-threat-predictions-for-2019/88878
[4] Google play store statistics 2009, [Online; accessed 10-June-2019] (2009). URL https://www.statista.com/statistics/266210/number-of-available-applications-in-the-google-play-store
[5] Gdata, [Online; accessed 10-June-2019] (2017). URL https://www.gdatasoftware.com/blog/2017/04/29712-8-400-new-android-malware-samples-every-day
[6] P. Vinod, R. Jaipur, V. Laxmi, M. Gaur, Survey on malware detection methods, in: Proceedings of the 3rd Hackers’ Workshop on Computer and Internet Security (IITKHACK’09), 2009, pp. 74–79.
[7] W. Wang, Y. Li, X. Wang, J. Liu, X. Zhang, Detecting Android malicious apps and categorizing benign apps with ensemble of classifiers, Future Generation Computer Systems 78 (2018) 987–994.
[8] H. Cai, N. Meng, B. Ryder, D. Yao, DroidCat: Effective Android malware detection and categorization via app-level profiling, IEEE Transactions on Information Forensics and Security 14 (6) (2019) 1455–1470.
