Abstract
Android is becoming ubiquitous and currently has the largest share of the mobile OS market, with billions of application downloads from the official app market. It has also become the platform most targeted by mobile malware, which is increasingly evading state-of-the-art malware detection tools. The market dominance of the Android platform highlights the growing need for effective solutions to address the spread of mobile malware. Many Android malware families now deploy various forms of obfuscation to evade detection by static analysis. For this reason, malware detection techniques based on dynamic analysis are needed to complement static analysis and compensate for its well-understood shortcomings. This trend has motivated the research in this thesis to design a new framework for detecting Android malware based on dynamic analysis. The framework has been further leveraged to develop more effective device-based detection and solutions with improved code coverage, based on machine learning. Hence, the preliminary research outlined in this thesis has explored the challenges of large-scale dynamic analysis of Android applications and the specification and prototyping of a framework for automated dynamic analysis of Android applications, called ‘Dynalog’.
The framework provides the capability to analyse the behaviour of applications based on an extensive number of dynamic features. It is a fully automated platform for mass analysis, characterisation and detection of malicious applications.
Secondly, the use of detection evasion through obfuscation is now a key attribute of most recent Android malware families. Investigations into the automated use of real mobile devices to counter the anti-emulation techniques deployed by malware during dynamic analysis have been a significant part of this research. This was previously unexplored, as existing works have so far only employed emulators for machine learning based detection.
Finally, the impact of code coverage on machine learning based detection using dynamic analysis of Android malware has been explored. In order to maximise code coverage, dynamic analysis on Android typically requires the generation of events that trigger the user interface and maximise the discovery of run-time behavioural features. Considering the significance of code coverage for malware detection, a novel hybrid approach that combines the advantages of random and stateful event generation has been proposed, prototyped and benchmarked against existing state-of-the-art approaches.
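To make the code-coverage argument concrete, here is an added Python simulation that is not code from the thesis or from Dynalog. It models an app as a constructed graph of screens and UI events (a stand-in for an activity/UI-hierarchy model), drives it with a random event generator, a stateful generator that learns the transition model and steers towards unexercised events, and a hybrid that mixes the two; coverage is the fraction of (screen, event) pairs fired. The class and strategy names are assumptions for illustration, as is the 30 % random share in the hybrid.

```python
import random
from collections import deque

# Constructed toy app model (not a real app): each screen maps the UI events
# available on it to the screen they lead to. Deep screens such as "Licence"
# and "Share" are only reached through a specific sequence of events.
TOY_APP = {
    "Main":     {"open_list": "List", "open_settings": "Settings"},
    "Settings": {"about": "About", "back": "Main", "toggle": "Settings"},
    "About":    {"back": "Settings", "licence": "Licence"},
    "Licence":  {"back": "About"},
    "List":     {"back": "Main", "item": "Detail", "refresh": "List"},
    "Detail":   {"back": "List", "share": "Share"},
    "Share":    {"back": "Detail", "send": "Main"},
}


class Explorer:
    """Drives the simulated app and records which (screen, event) pairs fired."""

    def __init__(self, app, seed):
        self.app = app
        self.rng = random.Random(seed)
        self.screen = "Main"
        self.fired = set()   # (screen, event) pairs exercised so far
        self.model = {}      # learned transitions: (screen, event) -> screen
        self.known = {}      # screen -> events observed on that screen
        self._observe()

    def _observe(self):
        # Analogous to reading the UI hierarchy: learn which events exist here.
        self.known[self.screen] = sorted(self.app[self.screen])

    def _untried(self, screen):
        return [e for e in self.known[screen] if (screen, e) not in self.fired]

    def _path_to_untried(self):
        # BFS over the *learned* model for the nearest screen with untried events.
        queue = deque([(self.screen, [])])
        seen = {self.screen}
        while queue:
            s, path = queue.popleft()
            if path and self._untried(s):
                return path
            for e in self.known.get(s, []):
                nxt = self.model.get((s, e))
                if nxt is not None and nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [e]))
        return None

    def random_event(self):
        # Monkey-style: pick any available event uniformly at random.
        return self.rng.choice(self.known[self.screen])

    def stateful_event(self):
        # Model-based: fire an untried event here, else walk towards one.
        untried = self._untried(self.screen)
        if untried:
            return untried[0]
        path = self._path_to_untried()
        return path[0] if path else self.random_event()

    def hybrid_event(self, p_random=0.3):
        # Assumed mix: mostly stateful, with random events to escape local cycles.
        if self.rng.random() < p_random:
            return self.random_event()
        return self.stateful_event()

    def fire(self, event):
        nxt = self.app[self.screen][event]
        self.fired.add((self.screen, event))
        self.model[(self.screen, event)] = nxt
        self.screen = nxt
        self._observe()

    def coverage(self):
        total = sum(len(events) for events in self.app.values())
        return len(self.fired) / total


def explore(strategy, steps, seed=1):
    """Run one strategy ('random', 'stateful' or 'hybrid') for a fixed event budget."""
    ex = Explorer(TOY_APP, seed)
    chooser = getattr(ex, strategy + "_event")
    for _ in range(steps):
        ex.fire(chooser())
    return ex.coverage()


def compare(steps, seeds=range(10)):
    """Mean coverage per strategy over several seeds for the same event budget."""
    return {s: sum(explore(s, steps, seed) for seed in seeds) / len(seeds)
            for s in ("random", "stateful", "hybrid")}


if __name__ == "__main__":
    for budget in (10, 20, 40):
        print(budget, compare(budget))
```

Running the comparison for small event budgets shows why coverage matters for dynamic features: with the deterministic stateful generator the toy app is fully exercised in 20 events, while a purely random walk needs far more to reach screens such as "Licence", so a behavioural feature set collected under a fixed budget would miss whatever code those screens trigger.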
Date of Award | Dec 2019
---|---
Original language | English
Awarding Institution |
Sponsors | Royal Embassy of Saudi Arabia
Supervisor | Sakir Sezer (Supervisor) & Suleiman Yerima (Supervisor)