Android Malware Classifier Combining Permissions and API Features to Face Model Drifting

Abstract

Machine learning is widely used in Android malware detection research, and it has been proven that machine learning models can achieve good results. However, detection models trained by old samples are hard to identify new malware with the changes in the Android development environment and the evolution of Android applications. That is, the models’ detection ability is not sustainable. This phenomenon is called model aging. A common solution to this problem is to retrain models. But if the model ages quickly, it will make retraining more difficult. More importantly, the detection system has low protection against new malware before the retrained model is released. Using AUT and F1-Score at each time slot to evaluate the degree of aging. This research establishes asn Android malware detection system with higher sustainability. Specifically, this research combines APKs’ permissions and APIs by the weights learned by linear models and will build two detection models using soft voting to decide whether the application is malware or not. Evaluating the detection system on the same period and overtime performance on the dataset of years 2012 to 2019. Compared to other Android malware detection research, the AUT increased by 3% –23%.