Detection of malware in Android using dynamic, static and hybrid. Find problems from recent journal articles and choose one problem. Then, using experiments, see what lies in the problem. Show your findings and prepare a report on it.
Traditional Methods of Malware Detection in Android Ecosystem
Mobile phone usage has been increasingly on the rise. The penetration of mobile phones reached 1.84 billion devices as of 2016 statistics (Butt and Phillips, 2008). More specifically, about 80% of the devices run the Android OS, an open-source platform built on the Linux kernel. The open nature of the Android platform makes it a prime target for malware providers, with about 750,000 new pieces of malware projected to be in the Android environment by 2028 (Bosomworth, 2015).
Google provides an app repository, the Google Play Store, and scans all apps submitted to it to increase security. Although this approach is a sound framework for dealing with malware, it is less effective than intended, as more malware finds its way into the marketplace alongside the apps. Third parties have also designed mechanisms to address the problem, but a lack of close supervision and coordination means these methods do not achieve much (Sanz et al., 2013).
Most Android apps are either shared or downloaded through cloud-based service providers. These providers enforce cloud malware detection, which runs on their servers, to improve security (Martínez, Echeverri and Sanz, 2010). A typical cloud-based malware detection scheme is shown in Figure 1 below.
Figure 1 Cloud-Based Malware Detection (Assured Cloud Computing for Assured Information Sharing - ppt download, 2018)
The cloud in this framework acts as a file-sharing service provider that uses artificial intelligence and other tools to detect malware; the only challenge is achieving an accurate result with high efficiency. This paper seeks to provide a better framework that is not only accurate in its analysis but also robust, efficient and highly scalable. New techniques such as clustered function calls are introduced to replace the traditional graph-based method (Robiah et al., 2009). Our proposed analysis framework, dubbed SecDroid, can be easily integrated into existing security frameworks and is hence more interoperable, as shown in Figure 2 below.
Figure 2 Malware Detection Tools
Security is a very sensitive topic in the current ICT landscape, and a good deal of research has been done on the malware situation in the Android ecosystem. Although the majority of the research concentrated on the evolving nature of malware in the Android ecosystem, some focused on proposing a solution to the problem (Jiang and Zhou, 2012a). In their research, (Noreen et al., 2009) made a detailed list of the malware situation in the smartphone ecosystem and inferred that there exist bugs, especially in the system used for counting, in the three main smartphone operating systems, namely Android, iOS and Symbian.
Proposed Solution: SecDroid
(Liu, 2013) broadly classified malware into four types, namely viruses, Trojan horses, worms and botnets. The research further classified malware behavior with regard to payload, such as stealing information about users and sending and/or intercepting SMS messages.
Some research has focused on malware detection techniques to remedy the sorry state of affairs (Bazrafshan et al., 2013). The analysis can be broadly classified as either static or dynamic. Static analysis involves deconstructing the app to extract features from it without actually executing it. One proposed method uses the permissions granted to the app and ranks the various permission requests by risk based on a malware database (Islam et al., 2013). Moreover, API calls can also be used for static analysis. This method was applied by inserting a log.v procedure in the API calls. Other work used the same concept of API calls and was able to achieve a good detection rate for malware.
Dynamic analysis methods usually involve executing the app (Amos, Turner and White, 2013) in a sandbox, a more controlled environment, so as to enhance the traceability of app operations. One suggested framework uses the strace tool to capture call logs and shares them with a cloud server for analysis. Another suggested a pattern-matching library for app system calls and created signatures of some benign malware (Egele et al., 2012).
The aforementioned schemes can be termed traditional methods, as they focus on app data. More recent tools rely on subjective information provided by users' comments and rankings (Perdisci, Lee and Feamster, 2010). Although these methods work for some apps, there is still room for innovation: as malware continues to grow more sophisticated, the approach to detection must also change (Suarez-Tangil et al., 2014).
A more robust method is suggested in this paper. SecDroid improves on the graph-based processing of traditional methods by introducing cluster-based processing (Anderson et al., 2011). This makes it robust for analyzing a range of apps, from simple to sophisticated, with great efficiency (Canali et al., 2012). The remainder of the paper is organized as follows: section 3 formally introduces the proposed SecDroid solution; section 4 provides the methodology and methods used by SecDroid in malware detection; section 5 focuses on the malware datasets used and the experimental results and analysis; section 6 covers limitations and future enhancements that can improve the framework; and section 7 concludes the paper.
Methodology and Methods used by SecDroid in Malware Detection
We have already distinguished between static and dynamic malware detection: the former does not require executing the app, while the latter requires executing the app in a controlled environment (Santos et al., 2013a). This paper suggests a hybrid approach, dubbed SecDroid, that takes the advantages of both approaches and provides a solution that is scalable and can be used by malware service providers. The proposed framework can pick a different method depending on the characteristics of the app, thereby striking a balance between accuracy and complexity (Elhadi, Maarof and Osman, 2012). Figure 3 below shows an architectural overview of the various processes in the proposed solution.
Figure 3 Processes in our proposed solution
Table 1 below gives a summary description and the scope of SecDroid. As shown, it has four possible paths: two for static and two for dynamic detection.
Table 1 SecDroid Characteristics and Scope
As shown in the figure below, the proposed framework extracts fundamental features for the classification of malware using the four-path matrix explained above. The resulting classification is used to categorize the app as malware or not.
With paths A and B, malware detection proceeds via decompilation, and the app is analyzed using a low-complexity mechanism. This method, however, does not work for apps that are encrypted, which prevents decompilation. When such a scenario arises, the dynamic route (Path B and C) is the most valid path: the app's behavior is analyzed using tools such as DroidBox, which can easily extract runtime features.
Use of the four-path matrix makes our tool suitable for almost all apps, hence more scalable and adaptable to future changes in app development (Santos et al., 2013b). It provides a comprehensive approach to then (Zhao et al., 2011). SecDroid can dynamically choose the detection path based on the current properties of the application and hence should be easily adopted.
The SecDroid solution encompasses four paths, namely Com+ (Path A), the function call method (Path B), system calls (Path C) and lastly the application's usage of privacy (Path D), which it uses to extract the fundamental features of the app for analysis and detection of malware. Classification uses SVM, k-NN and Naïve Bayes. The fundamental details of the classification are described below.
The feature extraction section details the various methods and techniques by which the proposed framework extracts features from the app. The various methods are explained below.
Experimental Results and Analysis
The Android platform has a built-in security permission feature; as of Android 4.1, it has grown to 151 permission levels covering software and hardware. An app can, for example, be granted the READ_SMS permission (Elhadi, Maarof and Osman, 2012). This same permission can be misused by malware to perform its own malicious actions. The proposed solution, therefore, uses permission features to detect malware. A database of permission features can be extracted from the manifest in the APK file, which all Android apps have. The manifest.xml contains all the permissions granted to the app (Fang, Han, and Li, 2014).
The only drawback of this approach is that an app may declare fake permissions that are never actually exercised when the app runs. This makes the approach error-prone.
Figure 4 below shows the algorithm of the COM+ feature approach.
Figure 4 COM + feature algorithm
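The permission features and the declared-but-unused drawback described above can be illustrated as follows. This is an added example, not SecDroid's own code: it assumes the manifest has already been decoded from the APK's binary XML to plain text (the file Android names AndroidManifest.xml), and the sample manifest, the feature vocabulary and the small API-to-permission map are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a manifest already decoded to plain-text XML.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# Illustrative vocabulary; a real one would list every permission seen in training.
PERMISSION_VOCAB = [
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.INTERNET",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
]

# Constructed, deliberately tiny map from API calls to the permission they need.
API_PERMISSION_MAP = {
    "android.hardware.Camera.open": "android.permission.CAMERA",
    "android.telephony.SmsManager.sendTextMessage": "android.permission.SEND_SMS",
    "java.net.URL.openConnection": "android.permission.INTERNET",
}


def declared_permissions(manifest_xml):
    """Return the sorted, de-duplicated permissions a decoded manifest declares."""
    # Samples are untrusted input: refuse DTDs so entity tricks never reach the parser.
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        raise ValueError("manifest contains a DTD; refusing to parse")
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                found.add(name.strip())
    return sorted(found)


def permission_vector(permissions, vocab=PERMISSION_VOCAB):
    """Encode a permission list as a fixed-length 0/1 feature vector."""
    present = set(permissions)
    return [1 if p in present else 0 for p in vocab]


def unexercised_permissions(permissions, observed_api_calls, api_map=API_PERMISSION_MAP):
    """Declared permissions the map can evidence but no observed call exercised.

    Permissions the map does not cover are left out: absence of evidence for
    them says nothing, so they are not reported as unused.
    """
    covered = set(api_map.values())
    exercised = {api_map[c] for c in observed_api_calls if c in api_map}
    return sorted((set(permissions) & covered) - exercised)


if __name__ == "__main__":
    perms = declared_permissions(SAMPLE_MANIFEST)
    print(permission_vector(perms))
    print(unexercised_permissions(perms, ["android.hardware.Camera.open"]))
```

Permissions reported by `unexercised_permissions` are candidates for down-weighting before classification, since they were declared without any observed use.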
The function call method can be further divided by the way the function calls are obtained. The different methods are the function call with graph features (Gascon et al., 2013), extraction of features with dynamic analysis, privacy usage extraction using Droid, and API and system call extraction using Strace (Isohara, Takemori and Kubota, 2011).
These are explained below.
The proposed solution adopts the Laplacian feature scoring methodology, which seeks to select 100 fundamental features that act as the centers of k-means clusters. The means group features based on their individual intrinsic properties. This computation can convert n x F features into a reduced, fixed 100-dimensional feature that is easier to classify and analyze for malware detection (Shang et al., 2010).
In situations where the app has some form of encryption and hence cannot be decompiled, the only viable methods of detection are dynamic ones. The proposed solution includes an app called the Investigator, installed on the phone, whose primary role is to monitor installed apps and apps to be tested for malware. The data is logged and sent to the intelligent machine learning module, which analyzes the logs (Firdausi, Erwin, and Nugroho, 2010). The flow of processes in the Investigator tool is shown in Figure 5 below.
Figure 5 The Investigator Tool Process Flow
The Investigator works hand in hand with the Droid tool, which is used in dynamic malware detection. Droid is a shell program that runs Python programs to log the privacy permissions that an app requests. These logs are synced with the Investigator. The Investigator then sends the logged data to our machine learning module (Yuan et al., 2014). The working flow of Droid is shown in Figure 6 below.
Limitations and Future Enhancements
Figure 6 The Droid Tool Working flow (Chong-Kuan Chen, 00:40:56 UTC)
The Droid tool is handy for detecting malware on Android phones, as it can capture important parameters such as the privacy usage of the app, the various network connection parameters, and the read and write operations conducted by the app. Droid is powerful enough to detect information leaks as well as SMS messages and calls made. All apps that execute tasks related to privacy can be successfully traced using Droid. Integrating Droid with the Investigator provides a more robust method to detect, report and analyze malware attempts to breach security and privacy (Arp et al., 2014).
The Droid tool has the limitation of not supporting Android versions released after 4.1, which leaves those devices vulnerable to malware attacks. The proposed solution therefore relies on the Strace tool, which can log the app's behavior once it is installed on the phone or uploaded for malware detection. Once apps are uploaded to the server, the framework runs them in a Linux-based emulation environment. Strace is then used to trace all the calls made to system functions or kernel libraries. At the end of the trace, Strace logs all the features into the Investigator module of SecDroid for analysis using machine learning and prompt detection of malware (Desfossez, Dieppedale, and Girard, 2011). The working configuration of Strace is shown in Figure 7 below.
Figure 7 The Strace Working Flow (Chapter 6: Malware Analysis Basics, 2018)
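The step from a raw Strace log to system-call features can be sketched as below. This is an added example, not code from SecDroid: it assumes logs in the format written by `strace -f -o` (a PID in front of every line), and the sample trace, the syscall vocabulary and the feature layout (per-syscall counts, then an "other" count and a count of calls that returned an errno) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the `strace -f -o trace.txt` format (PID prefix on every line).
SAMPLE_TRACE = r"""1201 openat(AT_FDCWD, "/data/data/com.example.app/shared_prefs/cfg.xml", O_RDONLY) = 7
1201 read(7, "<?xml version='1.0'"..., 4096) = 212
1201 close(7) = 0
1201 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 8
1201 connect(8, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("192.0.2.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
1202 read(9,  <unfinished ...>
1201 sendto(8, "\26\3\1"..., 517, MSG_NOSIGNAL, NULL, 0) = 517
1202 <... read resumed>"ok", 16) = 2
1201 openat(AT_FDCWD, "/data/data/com.example.app/files/missing.bin", O_RDONLY) = -1 ENOENT (No such file or directory)
1201 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=1203, si_uid=10061, si_status=0, si_utime=0, si_stime=0} ---
1202 +++ exited with 0 +++
"""

# Illustrative vocabulary; a real one would be fixed from the training corpus.
SYSCALL_VOCAB = ["openat", "read", "write", "close", "socket", "connect", "sendto"]

PID_RE = re.compile(r"^(?:\[pid\s+(\d+)\]\s+|(\d+)\s+)?(?P<body>.*)$")
CALL_RE = re.compile(r"^(?P<name>[a-z_][a-z0-9_]*)\(")
RESUMED_RE = re.compile(r"^<\.\.\. (?P<name>[a-z_][a-z0-9_]*) resumed>")
RESULT_RE = re.compile(
    r"\)\s+=\s+(?P<ret>-?\d+|0x[0-9a-fA-F]+|\?)"
    r"(?:\s+(?P<errno>E[A-Z0-9]+)\s+\(.*\))?(?:\s+<[\d.]+>)?\s*$"
)


def parse_strace(text):
    """Turn strace output into a list of {pid, name, ret, errno} events."""
    events, pending = [], {}
    for raw in text.splitlines():
        m = PID_RE.match(raw.strip())
        pid = m.group(1) or m.group(2)  # None when strace ran without -f
        body = m.group("body")
        if not body or body.startswith(("---", "+++")):
            continue  # signal deliveries and exit notices are not syscalls
        res = RESULT_RE.search(body)
        ret, errno = (res.group("ret"), res.group("errno")) if res else (None, None)
        resumed = RESUMED_RE.match(body)
        if resumed:
            # Second half of an interrupted call: fill in the result, do not count twice.
            ev = pending.pop((pid, resumed.group("name")), None)
            if ev is not None:
                ev["ret"], ev["errno"] = ret, errno
            continue
        call = CALL_RE.match(body)
        if not call:
            continue  # unparseable line: skip rather than guess
        ev = {"pid": pid, "name": call.group("name"), "ret": ret, "errno": errno}
        events.append(ev)
        if "<unfinished ...>" in body:
            pending[(pid, ev["name"])] = ev
    return events


def syscall_features(events, vocab=SYSCALL_VOCAB):
    """Counts per vocabulary syscall, then [other calls, calls that returned an errno]."""
    counts = Counter(ev["name"] for ev in events)
    other = sum(c for name, c in counts.items() if name not in vocab)
    failed = sum(1 for ev in events if ev["errno"])
    return [counts.get(name, 0) for name in vocab] + [other, failed]


if __name__ == "__main__":
    print(syscall_features(parse_strace(SAMPLE_TRACE)))
```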
From the above methods, it is clear that our approach can cover all of paths A-D for malware detection, since the proposed solution can potentially obtain features from most Android phones. The varied features of the phones justify a varied approach to malware detection. This makes the scheme suitable for offering at scale as a service by malware service providers.
The path analysis shows that apps in path A generally require less computational power than their counterparts in path D. The biggest advantage of our solution is its ability to reduce complexity in detecting malware. Compared to other schemes, it is clear that the proposed scheme delivers its services with less complexity and in a more efficient and effective way.
The proposed solution adopts three approaches to classification and analysis, namely SVM, Naïve Bayes, and k-NN. Using several different methods can give a better classification of features and hence more accurate results, since the parameters are interpreted by different classifiers (Ren et al., 2009). The proposed solution implements these three commonly used machine learning techniques. The first is the k-nearest neighbor algorithm, denoted k-NN, which is a non-parametric approach to classification; the output of the classification is a class membership. An object is classified by the votes of its neighbors.
The second method, SVM, involves dividing the n-dimensional representation of the data in space. This is done with the help of hyperplanes that seek to maximize the margin between classes, computed as the distance between the two closest instances of both classes; these instances are referred to in machine learning as support vectors (Niu and Suen, 2012). Our proposed solution uses SVM in the classification of malware throughout the detection process.
Last but not least, the Naïve Bayes method of classification uses simple probabilistic classification based on the principles of Bayes' theorem, with the assumption of strong (naïve) independence between features (Nickel, Wirtl and Busch, 2012).
By putting three mature classification methods together to enhance malware detection, it is evident that the proposed approach will be more accurate and have a broader perspective on malware detection. This contrasts with current approaches, which rely on a single method of classification and hence cannot achieve broader usability.
The experimental results and analysis encompassed testing on the malware datasets and defining the evaluation matrix, to ensure that all the detection methods outlined above are followed and that the results are valid and verifiable. The methodology used in the results and analysis is outlined below.
In this proposed solution, multiple approaches were used in the analysis of suspicious files and applications on Android. This provided a hybrid approach. First, the static method was used to capture the app's static properties and use them in analyzing potential malware posing as an app. The second phase involved analyzing the behavior of the app, especially checking the permissions it accesses and the system properties it calls. The two methods together provided a hybrid approach to malware analysis using our proposed solution.
Two data sets were used to test the performance of the proposed solution. The first data set was compiled by Jiang; it contains a total of 1260 applications collected between August 2010 and October 2011. The sampled apps were grouped into 46 malware families. This open-source library has helped researchers evaluate their solutions, hence it was vital for the successful testing of SecDroid.
The changing landscape of the Android ecosystem makes the old methods of detecting malware impractical. The new threats are so serious that the old methods cannot detect any of the malicious code. It was therefore vital for the proposed solution to establish up-to-date datasets, which we provide openly; the various malicious actions are also provided in Excel format for public use. We used VirusShare, the global platform for sharing malicious apps, to form most of the new dataset. VirusShare sometimes contains ineffective apps which are no longer malicious; hence, we sampled the top-ranked malicious apps from the ratings and reviews, and eventually a set of 1000 apps was selected for testing with our framework. Benign apps were collected from the app store Wandoujia, which houses benign apps for testing new detection schemes.
We sampled 1000 more apps from the benign apps to form a better sample set that is more representative of the majority of Android apps. The main motivation for choosing these benign apps was that most top-ranked apps are probably non-malicious, going by their ratings, and the developers of top-ranked apps would probably fix any malicious code in their apps. The benign apps provide diversity in our data set, which helps ensure comprehensive testing and detection. The new data set is shown in Table 2 below.
Table 2 New Data Set
To ensure effective evaluation of the proposed framework, the following criteria were used: the accuracy of the framework, the true positive rate and the false positive rate. The evaluation matrix is defined as shown in Equation 1 below.
Equation 1 Evaluation Matrix
In the formulae, TP (true positive) represents the malware that was correctly identified; FN (false negative) represents the malicious Android apps that the framework did not detect; TN (true negative) represents the benign apps that the framework correctly detected and classified as benign; and FP (false positive) represents the benign apps that the framework detected and classified as malicious.
The TPR is the percentage of all malware in the dataset that the scheme detected. The FPR is the percentage of the benign apps in the dataset that were classified as malicious. Lastly, the ACC is the performance rating of the scheme in detecting malicious apps.
To enhance the reliability of the experiment, each classification was sampled at a ratio of 7:3, with malicious apps coded as 1 and benign apps coded as 0, and the classification algorithm was run 100 times. The results of the experiment are discussed in the next sections.
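The evaluation procedure described above can be made concrete as follows. This is an added example, not the authors' code: it uses the standard definitions TPR = TP/(TP+FN), FPR = FP/(FP+TN) and ACC = (TP+TN)/(TP+TN+FP+FN), reads the 7:3 ratio as a training-to-test split (an assumption), and implements only k-NN of the three classifiers, with Hamming distance over constructed binary feature vectors.

```python
import random
from collections import Counter

# Constructed binary feature vectors (e.g. permission bits); label 1 = malware, 0 = benign.
MALWARE = [(1, 1, 1, 0, 0, 0)] * 6 + [(1, 1, 0, 0, 1, 0)] * 3 + [(0, 0, 0, 1, 1, 1)]
BENIGN = [(0, 0, 0, 1, 1, 1)] * 6 + [(0, 0, 1, 1, 1, 0)] * 3 + [(1, 1, 1, 0, 0, 0)]
SAMPLES = [(v, 1) for v in MALWARE] + [(v, 0) for v in BENIGN]


def confusion(y_true, y_pred):
    """Return (TP, FN, TN, FP) with malware coded 1 and benign coded 0."""
    pairs = Counter(zip(y_true, y_pred))
    return pairs[(1, 1)], pairs[(1, 0)], pairs[(0, 0)], pairs[(0, 1)]


def rates(tp, fn, tn, fp):
    """Return (TPR, FPR, ACC); a rate with an empty denominator is reported as 0."""
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    total = tp + fn + tn + fp
    acc = (tp + tn) / total if total else 0.0
    return tpr, fpr, acc


def knn_predict(train, x, k=3):
    """Majority vote of the k training samples nearest to x (Hamming distance)."""
    nearest = sorted(train, key=lambda s: sum(a != b for a, b in zip(s[0], x)))[:k]
    votes = Counter(label for _, label in nearest)
    return 1 if votes[1] > votes[0] else 0


def stratified_split(samples, rng):
    """Split each class 7:3 so both sides keep the malware/benign balance."""
    train, test = [], []
    for label in (0, 1):
        group = [s for s in samples if s[1] == label]
        rng.shuffle(group)
        cut = len(group) * 7 // 10
        train += group[:cut]
        test += group[cut:]
    return train, test


def evaluate(samples, runs=100, k=3, seed=1):
    """Average (TPR, FPR, ACC) over `runs` independent 7:3 splits."""
    rng = random.Random(seed)
    totals = [0.0, 0.0, 0.0]
    for _ in range(runs):
        train, test = stratified_split(samples, rng)
        preds = [knn_predict(train, x, k) for x, _ in test]
        run = rates(*confusion([y for _, y in test], preds))
        totals = [a + b for a, b in zip(totals, run)]
    return tuple(t / runs for t in totals)


if __name__ == "__main__":
    tpr, fpr, acc = evaluate(SAMPLES)
    print(f"TPR={tpr:.3f} FPR={fpr:.3f} ACC={acc:.3f}")
```

Averaging over repeated splits, rather than reporting one split, keeps a single lucky or unlucky partition of overlapping samples from dominating the reported TPR and FPR.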
To present the results authoritatively, the scheme was analyzed for its ability to detect malware using both the older dataset, comprising old Android apps, and the newer dataset, comprising new apps. This section describes the results for the two categories. The results from both are then discussed in the subsequent discussion.
The older dataset was analyzed using path A, i.e. the com+ feature analysis, and path C, the dynamic analysis. This ensured that all the different types of apps were used in the analysis, to enhance experimental reliability. The table below summarizes the results of the classification categories based on the different static features. In this category, the com+ feature approach performed best compared with the dynamic features (path C). The SVM achieved a whopping 99% performance rating using the com+ feature approach. Our algorithm achieved 98% in TPR and 0.12% in FPR. It is therefore inferred that SVM is most suitable for detecting malware in apps using the static approach.
Strace was suitable for applications that could not be decompiled, especially those that were encrypted, for which the static method is not ideal. The Strace tool was used to extract API and system function call features dynamically. From the summary in the table below, it is clear that all the classification schemes achieved a good detection percentage of over 85%, with the Naïve Bayes algorithm achieving the highest performance rating of 90%, with a TPR of 90.9% and an FPR of 10.9%. It can, therefore, be inferred that the Naïve Bayes approach is most suitable for detecting malware with the dynamic approach using API and system call features.
With the rapid changes made to the Android platform, the new apps are difficult to analyze using the com+ feature, since most of the source code is obscured, making it difficult to detect malicious code. System call features could not be used since their usage has greatly decreased in the newer Android platforms (Jiang and Zhou, 2012b). This left us with the new method using paths B and D, with the former using the function call graph and the latter using the Droid tool.
The newer dataset was analyzed statically using the function call graph. Table 3 below shows the various classifications under the function call graph.
Table 3 Function Call Classification
From the analysis, the function call graph had a better performance rating, with over 85% for the different classification matrices. It can, therefore, be inferred that the function call graph is best suited for analysis and detection using the static approach on the new datasets.
The Droid tool was chosen for the dynamic analysis of the newer dataset, in contrast to Strace, since the latter has the limitation of not being applicable to the new Android versions. This left us with the Droid tool, which can analyze Android version 4.1 and/or later. Its core focus is the detection of private information leakage.
Table 4 below shows the Droid analysis results for the various classification vectors.
Table 4 Droid Tool Analysis
From the table, it is evident that the k-NN approach had the best performance rating, with an accuracy of 75%. In addition, the k-NN approach produced the best TPR and the lowest FPR. It can be concluded that the k-NN approach is best suited for detecting and analyzing apps that leak private information to malicious users. The main limitation of the Droid tool is its use of an emulator rather than actual human actions, which makes it unable to mimic all the possible scenarios of human activity.
The above results are discussed in the subsequent section.
From the experiments and results, it is evident that our framework provides four approachable methods to fully detect malware in an app. These are the Com+ feature, the function call graph, the system and API calls, and lastly the privacy usage. The biggest advantage of this multifaceted approach is that the proposed solution can dynamically select the best path to use in conducting the detection and analysis.
The existing detection schemes, although they completed their testing and published their results, did not share the datasets used in the testing. Our approach, however, used open-source datasets for testing and hence can easily be verified.
Game apps produced the highest error rating, as they gave a higher FPR than their counterparts. Privacy leakage was an issue in this type of app. It is our belief that the high error rate of these apps could be due to the very complex computation done in processing game apps.
As shown previously, our proposed approach has outperformed the existing industry detection schemes due to its accuracy in detecting malware using a four-path and hence more hybrid approach. The solution also achieved a good balance between detection and complexity, making it suitable to be scaled and used by cloud providers to offer malware detection services for clients and new apps.
Basically, the proposed solution is suitable for basic malware detection and analysis; from the experiments and results, it is clear that it can do the job. However, certain limitations exist which make it less than comprehensive in detecting malware. The limitations are discussed below.
- The proposed approach is more objective than subjective. It focuses on the app more than on user feedback and ratings, just like its traditional counterparts. Deep learning mechanisms can be used to analyze user feedback effectively, and such feedback is of great importance in malware detection. Therefore, future enhancements shall include deep learning and analysis of user feedback integrated into our scheme of work.
- The proposed solution conducts some of the processing manually and hence is not suitable for real-time malware detection. App store markets receive applications daily, so it would be more appealing to include real-time, automated processing of a large number of apps, making the approach more practical (Grace et al., 2012).
- The proposed solution cannot self-update its datasets; currently, the datasets in the framework are those used in the testing stage. This is at odds with the ever-updating Android platform and the emergence of more sophisticated malware every day. It is therefore important to include an auto-updating feature in our framework that will not only update the dataset automatically but also retrain our classifiers automatically (McDougal et al., 2014).
Conclusion
Detection of malware is critical in the detection and analysis of malware. In this paper, a proposal is made to use a hybrid approach comprising both static and dynamic approaches to malware detection, such as the use of app permissions, API and system calls, the function call graph and privacy usage detection. This proposal provides a more integrated approach to extracting app features, with the introduction of the detector, which integrates with the com+ feature in extracting and analyzing app permissions and function calls. The great advantage of this proposal is the ability to detect malware even in encrypted applications, making it highly scalable. The proposed solution is not only accurate but also computationally simple, and hence can be scaled up to the cloud and offered as a service by malware service providers.
References
Amos, B., Turner, H. and White, J., 2013. Applying machine learning classifiers to dynamic android malware detection at scale. In: Wireless communications and mobile computing conference (iwcmc), 2013 9th international. IEEE, pp.1666–1671.
Anderson, B., Quist, D., Neil, J., Storlie, C. and Lane, T., 2011. Graph-based malware detection using dynamic analysis. Journal in computer Virology, 7(4), pp.247–258.
Anon 2018. Assured Cloud Computing for Assured Information Sharing - ppt download. [online] Available at: <https://slideplayer.com/slide/9267943/> [Accessed 20 Sep. 2018].
Anon 2018. Chapter 6: Malware Analysis Basics. [online] Available at: <https://www.porcupine.org/forensics/chapter6.html> [Accessed 20 Sep. 2018].
Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K. and Siemens, C., 2014. DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. In: Ndss. pp.23–26.
Bazrafshan, Z., Hashemi, H., Fard, S.M.H. and Hamzeh, A., 2013. A survey on heuristic malware detection techniques. In: Information and Knowledge Technology (IKT), 2013 5th Conference on. IEEE, pp.113–120.
Bosomworth, D., 2015. Mobile marketing statistics 2015. Leeds: Smart Insights (Marketing Intelligence) Ltd.
Butt, S. and Phillips, J.G., 2008. Personality and self reported mobile phone use. Computers in Human Behavior, 24(2), pp.346–360.
Canali, D., Lanzi, A., Balzarotti, D., Kruegel, C., Christodorescu, M. and Kirda, E., 2012. A quantitative study of accuracy in system call-based malware detection. In: Proceedings of the 2012 International Symposium on Software Testing and Analysis. ACM, pp.122–132.
Chong-Kuan Chen, 00:40:56 UTC. Malware classification and detection. [Engineering] Available at: <https://www.slideshare.net/Bletchley131/malware-classificationanddetection> [Accessed 20 Sep. 2018].
Desfossez, J., Dieppedale, J. and Girard, G., 2011. Stealth malware analysis from kernel space with Kolumbo. Journal in computer virology, 7(1), pp.83–93.
Egele, M., Scholte, T., Kirda, E. and Kruegel, C., 2012. A survey on automated dynamic malware-analysis techniques and tools. ACM computing surveys (CSUR), 44(2), p.6.
Elhadi, A.A., Maarof, M.A. and Osman, A.H., 2012. Malware detection based on hybrid signature behaviour application programming interface call graph. American Journal of Applied Sciences, 9(3), p.283.
Fang, Z., Han, W. and Li, Y., 2014. Permission based Android security: Issues and countermeasures. computers & security, 43, pp.205–218.
Firdausi, I., Erwin, A. and Nugroho, A.S., 2010. Analysis of machine learning techniques used in behavior-based malware detection. In: Advances in Computing, Control and Telecommunication Technologies (ACT), 2010 Second International Conference on. IEEE, pp.201–203.
Gascon, H., Yamaguchi, F., Arp, D. and Rieck, K., 2013. Structural detection of android malware using embedded call graphs. In: Proceedings of the 2013 ACM workshop on Artificial intelligence and security. ACM, pp.45–54.
Grace, M., Zhou, Y., Zhang, Q., Zou, S. and Jiang, X., 2012. Riskranker: scalable and accurate zero-day android malware detection. In: Proceedings of the 10th international conference on Mobile systems, applications, and services. ACM, pp.281–294.
Islam, R., Tian, R., Batten, L.M. and Versteeg, S., 2013. Classification of malware based on integrated static and dynamic features. Journal of Network and Computer Applications, 36(2), pp.646–656.
Isohara, T., Takemori, K. and Kubota, A., 2011. Kernel-based behavior analysis for android malware detection. In: Computational Intelligence and Security (CIS), 2011 Seventh International Conference on. IEEE, pp.1011–1015.
Jiang, X. and Zhou, Y., 2012a. Dissecting android malware: Characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy. IEEE, pp.95–109.
Jiang, X. and Zhou, Y., 2012b. Dissecting android malware: Characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy. IEEE, pp.95–109.
Liu, W., 2013. Mutiple classifier system based android malware detection. In: Machine Learning and Cybernetics (ICMLC), 2013 International Conference on. IEEE, pp.57–62.
Martínez, C.A., Echeverri, G.I. and Sanz, A.G.C., 2010. Malware detection based on cloud computing integrating intrusion ontology representation. In: Communications (LATINCOM), 2010 IEEE Latin-American Conference on. IEEE, pp.1–6.
McDougal, M.D., Jennings, R.S., Brown, J.C., Lee, J.J., Smith, B.N., De Rita, D.J., Cariker, K.L., Sterns, W.E. and Daly, M.K., 2014. System and method for malware detection. Google Patents.
Nickel, C., Wirtl, T. and Busch, C., 2012. Authentication of smartphone users based on the way they walk using k-nn algorithm. In: Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), 2012 Eighth International Conference on. IEEE, pp.16–20.
Niu, X.-X. and Suen, C.Y., 2012. A novel hybrid CNN–SVM classifier for recognizing handwritten digits. Pattern Recognition, 45(4), pp.1318–1325.
Noreen, S., Murtaza, S., Shafiq, M.Z. and Farooq, M., 2009. Evolvable malware. In: Proceedings of the 11th Annual conference on Genetic and evolutionary computation. ACM, pp.1569–1576.
Perdisci, R., Lee, W. and Feamster, N., 2010. Behavioral Clustering of HTTP-Based Malware and Signature Generation Using Malicious Network Traces. In: NSDI. p.14.
Ren, J., Lee, S.D., Chen, X., Kao, B., Cheng, R. and Cheung, D., 2009. Naive bayes classification of uncertain data. In: Data Mining, 2009. ICDM’09. Ninth IEEE International Conference on. IEEE, pp.944–949.
Robiah, Y., Rahayu, S.S., Zaki, M.M., Shahrin, S., Faizal, M.A. and Marliza, R., 2009. A new generic taxonomy on hybrid malware detection technique. arXiv preprint arXiv:0909.4860.
Santos, I., Devesa, J., Brezo, F., Nieves, J. and Bringas, P.G., 2013a. Opem: A static-dynamic approach for machine-learning-based malware detection. In: International Joint Conference CISIS’12-ICEUTE 12-SOCO 12 Special Sessions. Springer, pp.271–280.
Santos, I., Devesa, J., Brezo, F., Nieves, J. and Bringas, P.G., 2013b. Opem: A static-dynamic approach for machine-learning-based malware detection. In: International Joint Conference CISIS’12-ICEUTE 12-SOCO 12 Special Sessions. Springer, pp.271–280.
Sanz, B., Santos, I., Laorden, C., Ugarte-Pedrero, X., Bringas, P.G. and Álvarez, G., 2013. Puma: Permission usage to detect malware in android. In: International Joint Conference CISIS’12-ICEUTE 12-SOCO 12 Special Sessions. Springer, pp.289–298.
Shang, S., Zheng, N., Xu, J., Xu, M. and Zhang, H., 2010. Detecting malware variants via function-call graph similarity. In: Malicious and Unwanted Software (MALWARE), 2010 5th International Conference on. IEEE, pp.113–120.
Suarez-Tangil, G., Tapiador, J.E., Peris-Lopez, P. and Blasco, J., 2014. Dendroid: A text mining approach to analyzing and classifying code structures in android malware families. Expert Systems with Applications, 41(4), pp.1104–1117.
Yuan, Z., Lu, Y., Wang, Z. and Xue, Y., 2014. Droid-sec: deep learning in android malware detection. In: ACM SIGCOMM Computer Communication Review. ACM, pp.371–372.
Zhao, M., Ge, F., Zhang, T. and Yuan, Z., 2011. AntiMalDroid: An efficient SVM-based malware detection framework for android. In: International Conference on Information Computing and Applications. Springer, pp.158–166.
My Assignment Help. (2021). SecDroid: A Robust And Efficient Essay On Malware Detection In Android Ecosystem.. Retrieved from https://myassignmenthelp.com/free-samples/infs5112-cybersecurity-risk-and-compliance/malware-detection-using-robust-hybrid.html.