DESIGN AND DEVELOPMENT OF MALWARE DETECTION MODELS FOR ANDROID SMARTPHONES

Abstract

This thesis addresses significant challenges in Android malware detection by proposing inno- vative solutions that enhance detection accuracy, optimize feature selection, and address the limitations of the existing approaches. The research begins with a thorough review of the current state of Android malware detection, highlighting the critical need for effective feature- ranking mechanisms to overcome the problem of overlapping features, such as permissions and intents, between benign and malicious applications. This review identified a major gap in the existing literature—while many studies applied feature ranking algorithms, few achieved both optimal feature selection and high detection accuracy. To fill this gap, we developed two static analysis-based models: PHIGrader and PHIAnalyzer. PHIGrader utilizes a frequency- based Multi-Criteria Decision-Making (MCDM) approach to rank the most commonly used static features, namely permissions, intents, and hardware components. In contrast, PHIAnalyzer em- ploys a frequency-based Chi-Square statistical test to evaluate the effectiveness of combining the above-mentioned three features. Both models demonstrated improved accuracy in detect- ing malware and provided a more refined selection of features. However, static analysis alone often proves to be insufficient in detecting more sophisticated, runtime-dependent malware. Building on the limitations identified in static analysis, the thesis transitions to dynamic anal- ysis, specifically focusing on CorrNetDroid, a novel dynamic analysis-based malware detection system. This model ranks network traffic features using two key statistical measures, crRele- vance and Normalized Mean Residue Similarity (NMRS), to assess feature-class and feature-feature correlations, respectively. By applying these rankings, CorrNetDroid efficiently reduces the feature set while maintaining high detection accuracy. The model successfully addresses the challenge of detecting runtime malware. However, certain malware types, such as SMS-based malware, operate silently in the background without generating network traffic, underscoring the need for a comprehensive solution that combines static and dynamic analysis. To address these limitations, the thesis introduces AndroV-Rank, a hybrid analysis frame- ix work that combines static permissions with dynamic system calls for more robust malware detection. The VIKOR ranking method is employed to rank and select the most discriminative features, leading to a refined set of just 65 features, which improves both classification accu- racy and efficiency compared to traditional static or dynamic analysis models. This hybrid approach effectively overcomes the challenges posed by standalone methods, as it can detect malware that relies on both static and dynamic behavior. Building on this concept, we then propose PattMatch, an instance-based pattern-matching classifier that utilizes Average Weighted Pattern Scoring (AWPS) and Attribute Score-based Ranking (ASR) to predict malware class labels with exceptional accuracy. This model further improves upon hybrid analysis by addressing the complexities of machine learning algorithms and achieving superior performance in both balanced and imbalanced datasets, with a remarkably high accuracy of 99.93% using only 10 attributes. Finally, the thesis extends its scope to malware multicategory classification, where two mod- els are developed to classify Android malware into four distinct categories: Adware, Fraudware Trojans, Ransomware, and Spyware. The first model relies on dynamic analysis, utilizing sys- tem calls for classification, while the second, AndroMultiCat, adopts a hybrid approach that combines static and dynamic features to improve classification performance. Both models demonstrate significant improvements in classification accuracy and efficiency, with the hybrid approach yielding superior results. The research concludes with a summary of the findings, highlighting the contributions of the proposed models in advancing Android malware detec- tion, while also discussing potential future directions for the field, including the exploration of more sophisticated ranking algorithms and the integration of additional behavioral features to further enhance detection capabilities.