DroidClone: Attack of the android malware clones - a step towards stopping them

Computer Science and Information Systems ◽

10.2298/csis200330035a ◽

2020 ◽

pp. 35-35

Author(s):

Shahid Alam ◽

Ibrahim Sogukpinar

Keyword(s):

False Positive Rate ◽

Control Flow ◽

Code Clones ◽

Android Malware ◽

Call Graph ◽

Mobile Malware ◽

Positive Rate ◽

Android Applications ◽

And Function ◽

Specific Control

Code clones are frequent in use because they can be created fast with little effort and expense. Especially for malware writers, it is easier to create a clone of the original than writing a new malware. According to the recent Symantec threat reports, Android continues to be the most targeted mobile platform, and the number of new mobile malware clones grew by 54%. There is a need to develop techniques and tools to stop this attack of Android malware clones. To stop this attack, we propose DroidClone that exposes code clones (segments of code that are similar) in Android applications to help detect malware. DroidClone is the first such effort uses specific control flow patterns for reducing the effect of obfuscations and detect clones that are syntactically different but semantically similar up to a threshold. DroidClone is independent of the programming language of the code clones. When evaluated with real malware and benign Android applications, DroidClone obtained a detection rate of 94.2% and false positive rate of 5.6%. DroidClone, when tested against various obfuscations, was able to successfully provide resistance against all the trivial (Renaming methods, parameters, and nop insertion, etc) and some non-trivial (Call graph manipulation and function indirection, etc.) obfuscations.

Download Full-text

RoughDroid: Operative Scheme for Functional Android Malware Detection

Security and Communication Networks ◽

10.1155/2018/8087303 ◽

2018 ◽

Vol 2018 ◽

pp. 1-10 ◽

Cited By ~ 12

Author(s):

Khaled Riad ◽

Lishan Ke

Keyword(s):

False Positive Rate ◽

Experimental Results ◽

Android Application ◽

Android Malware ◽

Feature Sets ◽

Android Malware Detection ◽

Analysis Technique ◽

Positive Rate ◽

Pass Through ◽

Google Play

There are thousands of malicious applications that invade Google Play Store every day and seem to be legal applications. These malicious applications have the ability to link the malware referred to as Dresscode created for network hacking as well as scrolling information. Since Android smartphones are indispensable, there should be an efficient and also unusual protection. Therefore, Android smartphones usually continue to be safeguarded from novel malware. In this paper, we propose RoughDroid, a floppy analysis technique that can discover Android malware applications directly on the smartphone. RoughDroid is based on seven feature sets (FS1,FS2,…,FS7) from the XML manifest file of an Android application, plus three feature sets (FS8,FS9, and FS10) from the Dex file. Those feature sets pass through the Rough Set algorithm to elastically classify the Android application as either benign or malicious. The experimental results mainly consider 20 most common malware families, plus three new malware families (Grabos, TrojanDropper.Agent.BKY, and AsiaHitGroup) that invade Google Play Store at 2017. According to the experimental results, RoughDroid has 95.6% detection performance for the malware families at 1% false-positive rate. Finally, RoughDroid is a lightweight approach for straightly examining downloaded applications on the smartphone.

Download Full-text

Optimizing Android Malware Detection Via Ensemble Learning

International Journal of Interactive Mobile Technologies (iJIM) ◽

10.3991/ijim.v14i09.11548 ◽

2020 ◽

Vol 14 (09) ◽

pp. 61

Author(s):

Abikoye Oluwakemi Christianah ◽

Benjamin Aruwa Gyunka ◽

Akande Noah Oluwatobi

Keyword(s):

Random Forest ◽

False Positive ◽

False Positive Rate ◽

True Positive Rate ◽

Ensemble Model ◽

True Positive ◽

Android Malware ◽

Detection Model ◽

Android Malware Detection ◽

Positive Rate

<p>Android operating system has become very popular, with the highest market share, amongst all other mobile operating systems due to its open source nature and users friendliness. This has brought about an uncontrolled rise in malicious applications targeting the Android platform. Emerging trends of Android malware are employing highly sophisticated detection and analysis avoidance techniques such that the traditional signature-based detection methods have become less potent in their ability to detect new and unknown malware. Alternative approaches, such as the Machine learning techniques have taken the lead for timely zero-day anomaly detections. The study aimed at developing an optimized Android malware detection model using ensemble learning technique. Random Forest, Support Vector Machine, and k-Nearest Neighbours were used to develop three distinct base models and their predictive results were further combined using Majority Vote combination function to produce an ensemble model. Reverse engineering procedure was employed to extract static features from large repository of malware samples and benign applications. WEKA 3.8.2 data mining suite was used to perform all the learning experiments. The results showed that Random Forest had a true positive rate of 97.9%, a false positive rate of 1.9% and was able to correctly classify instances with 98%, making it a strong base model. The ensemble model had a true positive rate of 98.1%, false positive rate of 1.8% and was able to correctly classify instances with 98.16%. The finding shows that, although the base learners had good detection results, the ensemble learner produced a better optimized detection model compared with the performances of those of the base learners.</p>

Download Full-text

Call Graph and Model Checking for Fine-Grained Android Malicious Behaviour Detection

Applied Sciences ◽

10.3390/app10227975 ◽

2020 ◽

Vol 10 (22) ◽

pp. 7975

Author(s):

Giacomo Iadarola ◽

Fabio Martinelli ◽

Francesco Mercaldo ◽

Antonella Santone

Keyword(s):

Data Structure ◽

Model Checking ◽

Private Information ◽

Control Flow ◽

Graph Data ◽

Call Graph ◽

Fine Grained ◽

Call Graphs ◽

Android Applications ◽

Flow Graphs

The increasing diffusion of mobile devices, widely used for critical tasks such as the transmission of sensitive and private information, corresponds to an increasing need for methods to detect malicious actions that can undermine our data. As demonstrated in the literature, the signature-based approach provided by antimalware is not able to defend users from new threats. In this paper, we propose an approach based on the adoption of model checking to detect malicious families in the Android environment. We consider two different automata representing Android applications, based respectively on Control Flow Graphs and Call Graphs. The adopted graph data structure allows to detect potentially malicious behaviour and also localize the code where the malicious action happens. We experiment the effectiveness of the proposed method evaluating more than 3000 real-world Android samples (with 2552 malware belonging to 21 malicious family), by reaching an accuracy ranging from 0.97 to 1 in malicious family detection.

Download Full-text

MADFU: An Improved Malicious Application Detection Method Based on Features Uncertainty

Entropy ◽

10.3390/e22070792 ◽

2020 ◽

Vol 22 (7) ◽

pp. 792

Author(s):

Hongli Yuan ◽

Yongchuan Tang

Keyword(s):

False Positive Rate ◽

Regression Function ◽

Detection Accuracy ◽

Detection Model ◽

Android Apps ◽

Positive Rate ◽

Android App ◽

Android Applications ◽

Malicious Apps ◽

Static Detection

Millions of Android applications (apps) are widely used today. Meanwhile, the number of malicious apps has increased exponentially. Currently, there are many security detection technologies for Android apps, such as static detection and dynamic detection. However, the uncertainty of the features in detection is not considered sufficiently in these technologies. Permissions play an important role in the security detection of Android apps. In this paper, a malicious application detection model based on features uncertainty (MADFU) is proposed. MADFU uses logistic regression function to describe the input (permissions) and output (labels) relationship. Moreover, it uses the Markov chain Monte Carlo (MCMC) algorithm to solve features’ uncertainty. After experimenting with 2037 samples, for malware detection, MADFU achieves an accuracy of up to 95.5%, and the false positive rate (FPR) is 1.2%. MADFU’s Android app detection accuracy is higher than the accuracy of directly using 24 dangerous permission. The results also indicate that the method for an unknown/new sample’s detection accuracy is 92.7%. Compared to other state-of-the-art approaches, the proposed method is more effective and efficient, by detecting malware.

Download Full-text

Generating Realistic Morphologies of Neurons in Rodent Hippocampus with DCGAN

10.1101/363481 ◽

2018 ◽

Author(s):

Darian H. Hadjiabadi

Keyword(s):

Computational Models ◽

False Positive Rate ◽

A Priori ◽

Image Features ◽

Generative Adversarial Network ◽

Dendritic Trees ◽

Form And Function ◽

Adversarial Network ◽

Positive Rate ◽

And Function

AbstractDendritic size and branching patterns are important features of neural form and function. However, current computational models of neuronal networks use simplistic cylindrical geometries to mimic dendritic arborizations. One reason for this is that current methods to generate dendritic trees have rigid a priori constraints. To address this, a deep convolutional generative adversarial network (DCGAN) trained on images of rodent hippocampal granule and pyramidal dendritic trees. Image features learned by the network were used to generate realistic dendritic morphologies. Results show that DCGANs achieved greater stability∗ and high generalization, as quantified by kernel maximum mean discrepancy, when exposed to instance noise and/or label smoothing during training. Trained models successfully generated realistic morphologies for both neuron types, with high false positive rate reported by expert reviewers. Collectively, DCGANs offer a unique opportunity to advance the geometry of neural modeling, and, therefore, to propel our understanding of neuronal function.∗ A “stable/stabilized DCGAN”, as mentioned throughout this work, is a DCGAN which was stable throughout training.

Download Full-text

Structural similarity based common library detection method for Android

Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University ◽

10.1051/jnwpu/20213920448 ◽

2021 ◽

Vol 39 (2) ◽

pp. 448-453

Author(s):

Zhiying Mu ◽

Zhihu Li ◽

Xiaoyu Li

Keyword(s):

Large Scale ◽

Detection Method ◽

False Positive Rate ◽

Structural Similarity ◽

Detection Methods ◽

Fine Grained ◽

Real World Applications ◽

Positive Rate ◽

Android Applications ◽

Detection Speed

The correct classifying and filtering of common libraries in Android applications can effectively improve the accuracy of repackaged application detection. However, the existing common library detection methods barely meet the requirement of large-scale app markets due to the low detection speed caused by their classification rules. Aiming at this problem, a structural similarity based common library detection method for Android is presented. The sub-packages with weak association to main package are extracted as common library candidates from the decompiled APK (Android application package) by using PDG (program dependency graph) method. With package structures and API calls being used as features, the classifying of those candidates is accomplished through coarse and fine-grained filtering. The experimental results by using real-world applications as dataset show that the detection speed of the present method is higher while the accuracy and false positive rate are both ensured. The method is proved to be efficient and precise.

Download Full-text

Improving diagnosis of acute appendicitis with atypical findings by Tc-99m HMPAO leukocyte scan

Nuklearmedizin ◽

10.1055/s-0038-1623994 ◽

2002 ◽

Vol 41 (01) ◽

pp. 37-41 ◽

Cited By ~ 3

Author(s):

S. Shung-Shung ◽

S. Yu-Chien ◽

Y. Mei-Due ◽

W. Hwei-Chung ◽

A. Kao

Keyword(s):

Acute Appendicitis ◽

False Positive ◽

False Positive Rate ◽

Accurate Method ◽

Clinical Findings ◽

Pathological Findings ◽

Lower Quadrant ◽

Predictive Values ◽

Positive Rate

Summary Aim: Even with careful observation, the overall false-positive rate of laparotomy remains 10-15% when acute appendicitis was suspected. Therefore, the clinical efficacy of Tc-99m HMPAO labeled leukocyte (TC-WBC) scan for the diagnosis of acute appendicitis in patients presenting with atypical clinical findings is assessed. Patients and Methods: Eighty patients presenting with acute abdominal pain and possible acute appendicitis but atypical findings were included in this study. After intravenous injection of TC-WBC, serial anterior abdominal/pelvic images at 30, 60, 120 and 240 min with 800k counts were obtained with a gamma camera. Any abnormal localization of radioactivity in the right lower quadrant of the abdomen, equal to or greater than bone marrow activity, was considered as a positive scan. Results: 36 out of 49 patients showing positive TC-WBC scans received appendectomy. They all proved to have positive pathological findings. Five positive TC-WBC were not related to acute appendicitis, because of other pathological lesions. Eight patients were not operated and clinical follow-up after one month revealed no acute abdominal condition. Three of 31 patients with negative TC-WBC scans received appendectomy. They also presented positive pathological findings. The remaining 28 patients did not receive operations and revealed no evidence of appendicitis after at least one month of follow-up. The overall sensitivity, specificity, accuracy, positive and negative predictive values for TC-WBC scan to diagnose acute appendicitis were 92, 78, 86, 82, and 90%, respectively. Conclusion: TC-WBC scan provides a rapid and highly accurate method for the diagnosis of acute appendicitis in patients with equivocal clinical examination. It proved useful in reducing the false-positive rate of laparotomy and shortens the time necessary for clinical observation.

Download Full-text

Predicting Fetal Chromosome Anomalies in the First Trimester Using Pregnancy Associated Plasma Protein-A: A Comparison of Statistical Methods

Methods of Information in Medicine ◽

10.1055/s-0038-1634910 ◽

1993 ◽

Vol 32 (02) ◽

pp. 175-179 ◽

Cited By ~ 7

Author(s):

B. Brambati ◽

T. Chard ◽

J. G. Grudzinskas ◽

M. C. M. Macintosh

Keyword(s):

Logistic Regression ◽

General Population ◽

Likelihood Ratio ◽

False Positive ◽

False Positive Rate ◽

Ratio Method ◽

Detection Rates ◽

Gaussian Distributions ◽

Positive Rate ◽

Likelihood Ratio Method

Abstract:The analysis of the clinical efficiency of a biochemical parameter in the prediction of chromosome anomalies is described, using a database of 475 cases including 30 abnormalities. A comparison was made of two different approaches to the statistical analysis: the use of Gaussian frequency distributions and likelihood ratios, and logistic regression. Both methods computed that for a 5% false-positive rate approximately 60% of anomalies are detected on the basis of maternal age and serum PAPP-A. The logistic regression analysis is appropriate where the outcome variable (chromosome anomaly) is binary and the detection rates refer to the original data only. The likelihood ratio method is used to predict the outcome in the general population. The latter method depends on the data or some transformation of the data fitting a known frequency distribution (Gaussian in this case). The precision of the predicted detection rates is limited by the small sample of abnormals (30 cases). Varying the means and standard deviations (to the limits of their 95% confidence intervals) of the fitted log Gaussian distributions resulted in a detection rate varying between 42% and 79% for a 5% false-positive rate. Thus, although the likelihood ratio method is potentially the better method in determining the usefulness of a test in the general population, larger numbers of abnormal cases are required to stabilise the means and standard deviations of the fitted log Gaussian distributions.

Download Full-text

Identification of and Correction for Publication Bias: Comment

10.31222/osf.io/dh87m ◽

2019 ◽

Author(s):

Amanda Kvarven ◽

Eirik Strømland ◽

Magnus Johannesson

Keyword(s):

Publication Bias ◽

False Positive ◽

Large Scale ◽

Meta Analysis ◽

False Positive Rate ◽

Effect Sizes ◽

Replication Studies ◽

Moderate Reduction ◽

Positive Rate ◽

Meta Analyses

Andrews & Kasy (2019) propose an approach for adjusting effect sizes in meta-analysis for publication bias. We use the Andrews-Kasy estimator to adjust the result of 15 meta-analyses and compare the adjusted results to 15 large-scale multiple labs replication studies estimating the same effects. The pre-registered replications provide precisely estimated effect sizes, which do not suffer from publication bias. The Andrews-Kasy approach leads to a moderate reduction of the inflated effect sizes in the meta-analyses. However, the approach still overestimates effect sizes by a factor of about two or more and has an estimated false positive rate of between 57% and 100%.

Download Full-text

Forms, Importance, and Ineffability of Factor Interactions to Define Personality Disorders: Comment on Lilienfeld et al. (2019)

10.31234/osf.io/v8t7q ◽

2019 ◽

Author(s):

Stephen D Benning ◽

Edward Smith

Keyword(s):

Personality Disorders ◽

False Positive Rate ◽

Empirical Work ◽

Design Studies ◽

Linear Threshold ◽

Positive Rate ◽

Saturation Effects ◽

Factor Interactions ◽

Main Effects ◽

Criterion Variables

The emergent interpersonal syndrome (EIS) approach conceptualizes personality disorders as the interaction among their constituent traits to predict important criterion variables. We detail the difficulties we have experienced finding such interactive predictors in our empirical work on psychopathy, even when using uncorrelated traits that maximize power. Rather than explaining a large absolute proportion of variance in interpersonal outcomes, EIS interactions might explain small amounts of variance relative to the main effects of each trait. Indeed, these interactions may necessitate samples of almost 1,000 observations for 80% power and a false positive rate of .05. EIS models must describe which specific traits’ interactions constitute a particular EIS, as effect sizes appear to diminish as higher-order trait interactions are analyzed. Considering whether EIS interactions are ordinal with non-crossing slopes, disordinal with crossing slopes, or entail non-linear threshold or saturation effects may help researchers design studies, sampling strategies, and analyses to model their expected effects efficiently.

Download Full-text