An effective feature selection scheme for android ICC-based malware detection using the gap of the appearance ratio

Kyohei Osuge, Hiroya Kato, Shuichiro Haruta, Iwao Sasase

Research output: Contribution to journalArticle

Abstract

Android malwares are rapidly becoming a potential threat to users. Among several Android malware detection schemes, the scheme using Inter-Component Communication (ICC) is gathering attention. That scheme extracts numerous ICC-related features to detect malwares by machine learning. In order to mitigate the degradation of detection performance caused by redundant features, Correlation-based Feature Selection (CFS) is applied to feature before machine learning. CFS selects useful features for detection in accordance with the theory that a good feature subset has little correlation with mutual features. However, CFS may remove useful ICC-related features because of strong correlation between them. In this paper, we propose an effective feature selection scheme for Android ICC-based malware detection using the gap of the appearance ratio. We argue that the features frequently appearing in either benign apps or malwares are useful for malware detection, even if they are strongly correlated with each other. To select useful features based on our argument, we introduce the proportion of the appearance ratio of a feature between benign apps and malwares. Since the proportion can represent whether a feature frequently appears in either benign apps or malwares, this metric is useful for feature selection based on our argument. Unfortunately, the proportion is ineffective when a feature appears only once in all apps. Thus, we also introduce the difference of the appearance ratio of a feature between benign apps and malwares. Since the difference simply represents the gap of the appearance ratio, we can select useful features by using this metric when such a situation occurs. By computer simulation with real dataset, we demonstrate our scheme improves detection accuracy by selecting the useful features discarded in the previous scheme.

Original languageEnglish
Pages (from-to)1136-1144
Number of pages9
JournalIEICE Transactions on Information and Systems
VolumeE102D
Issue number6
DOIs
Publication statusPublished - 2019 Jan 1

Fingerprint

Feature extraction
Communication
Application programs
Learning systems
Malware
Degradation
Computer simulation

Keywords

  • Android
  • Feature selection
  • ICC
  • Malware detection

ASJC Scopus subject areas

  • Software
  • Hardware and Architecture
  • Computer Vision and Pattern Recognition
  • Electrical and Electronic Engineering
  • Artificial Intelligence

Cite this

An effective feature selection scheme for android ICC-based malware detection using the gap of the appearance ratio. / Osuge, Kyohei; Kato, Hiroya; Haruta, Shuichiro; Sasase, Iwao.

In: IEICE Transactions on Information and Systems, Vol. E102D, No. 6, 01.01.2019, p. 1136-1144.

Research output: Contribution to journalArticle

@article{f685e73745ca4b6fa99b21ff336a87e8,
title = "An effective feature selection scheme for android ICC-based malware detection using the gap of the appearance ratio",
abstract = "Android malwares are rapidly becoming a potential threat to users. Among several Android malware detection schemes, the scheme using Inter-Component Communication (ICC) is gathering attention. That scheme extracts numerous ICC-related features to detect malwares by machine learning. In order to mitigate the degradation of detection performance caused by redundant features, Correlation-based Feature Selection (CFS) is applied to feature before machine learning. CFS selects useful features for detection in accordance with the theory that a good feature subset has little correlation with mutual features. However, CFS may remove useful ICC-related features because of strong correlation between them. In this paper, we propose an effective feature selection scheme for Android ICC-based malware detection using the gap of the appearance ratio. We argue that the features frequently appearing in either benign apps or malwares are useful for malware detection, even if they are strongly correlated with each other. To select useful features based on our argument, we introduce the proportion of the appearance ratio of a feature between benign apps and malwares. Since the proportion can represent whether a feature frequently appears in either benign apps or malwares, this metric is useful for feature selection based on our argument. Unfortunately, the proportion is ineffective when a feature appears only once in all apps. Thus, we also introduce the difference of the appearance ratio of a feature between benign apps and malwares. Since the difference simply represents the gap of the appearance ratio, we can select useful features by using this metric when such a situation occurs. By computer simulation with real dataset, we demonstrate our scheme improves detection accuracy by selecting the useful features discarded in the previous scheme.",
keywords = "Android, Feature selection, ICC, Malware detection",
author = "Kyohei Osuge and Hiroya Kato and Shuichiro Haruta and Iwao Sasase",
year = "2019",
month = "1",
day = "1",
doi = "10.1587/transinf.2018EDP7301",
language = "English",
volume = "E102D",
pages = "1136--1144",
journal = "IEICE Transactions on Information and Systems",
issn = "0916-8532",
publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
number = "6",

}

TY - JOUR

T1 - An effective feature selection scheme for android ICC-based malware detection using the gap of the appearance ratio

AU - Osuge, Kyohei

AU - Kato, Hiroya

AU - Haruta, Shuichiro

AU - Sasase, Iwao

PY - 2019/1/1

Y1 - 2019/1/1

N2 - Android malwares are rapidly becoming a potential threat to users. Among several Android malware detection schemes, the scheme using Inter-Component Communication (ICC) is gathering attention. That scheme extracts numerous ICC-related features to detect malwares by machine learning. In order to mitigate the degradation of detection performance caused by redundant features, Correlation-based Feature Selection (CFS) is applied to feature before machine learning. CFS selects useful features for detection in accordance with the theory that a good feature subset has little correlation with mutual features. However, CFS may remove useful ICC-related features because of strong correlation between them. In this paper, we propose an effective feature selection scheme for Android ICC-based malware detection using the gap of the appearance ratio. We argue that the features frequently appearing in either benign apps or malwares are useful for malware detection, even if they are strongly correlated with each other. To select useful features based on our argument, we introduce the proportion of the appearance ratio of a feature between benign apps and malwares. Since the proportion can represent whether a feature frequently appears in either benign apps or malwares, this metric is useful for feature selection based on our argument. Unfortunately, the proportion is ineffective when a feature appears only once in all apps. Thus, we also introduce the difference of the appearance ratio of a feature between benign apps and malwares. Since the difference simply represents the gap of the appearance ratio, we can select useful features by using this metric when such a situation occurs. By computer simulation with real dataset, we demonstrate our scheme improves detection accuracy by selecting the useful features discarded in the previous scheme.

AB - Android malwares are rapidly becoming a potential threat to users. Among several Android malware detection schemes, the scheme using Inter-Component Communication (ICC) is gathering attention. That scheme extracts numerous ICC-related features to detect malwares by machine learning. In order to mitigate the degradation of detection performance caused by redundant features, Correlation-based Feature Selection (CFS) is applied to feature before machine learning. CFS selects useful features for detection in accordance with the theory that a good feature subset has little correlation with mutual features. However, CFS may remove useful ICC-related features because of strong correlation between them. In this paper, we propose an effective feature selection scheme for Android ICC-based malware detection using the gap of the appearance ratio. We argue that the features frequently appearing in either benign apps or malwares are useful for malware detection, even if they are strongly correlated with each other. To select useful features based on our argument, we introduce the proportion of the appearance ratio of a feature between benign apps and malwares. Since the proportion can represent whether a feature frequently appears in either benign apps or malwares, this metric is useful for feature selection based on our argument. Unfortunately, the proportion is ineffective when a feature appears only once in all apps. Thus, we also introduce the difference of the appearance ratio of a feature between benign apps and malwares. Since the difference simply represents the gap of the appearance ratio, we can select useful features by using this metric when such a situation occurs. By computer simulation with real dataset, we demonstrate our scheme improves detection accuracy by selecting the useful features discarded in the previous scheme.

KW - Android

KW - Feature selection

KW - ICC

KW - Malware detection

UR - http://www.scopus.com/inward/record.url?scp=85069745420&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85069745420&partnerID=8YFLogxK

U2 - 10.1587/transinf.2018EDP7301

DO - 10.1587/transinf.2018EDP7301

M3 - Article

AN - SCOPUS:85069745420

VL - E102D

SP - 1136

EP - 1144

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

SN - 0916-8532

IS - 6

ER -