Android Malware Detection Using Data Mining Techniques on Process Control Block Information

Abstract

Because smartphones are increasingly becoming the mobile computing device of choice, we are experiencing an increase in the number and sophistication of mobile-computing-based malware attacks. A lot of these attacks target users' sensitive information, such as banking usernames, and passwords. A widespread type of malicious app encrypts user data locking their devices with passwords and asking money to decrypt it. Moreover, they can illegitimately collect browsing-related information or install other apps.

Available malware detection techniques can be categorized as dynamic or static based on the type of features used in the analysis. Using process behavior (as in dynamic analysis) to detect malware is generally more reliable than examining application files only (as in static analysis). Nonetheless, dynamic analysis is more time and computationally intensive. Hence, real-time malware detection is considered a challenging task. The limitations of mobile devices, such as storage, computing capacity, and battery life, make the task even more challenging.

In this research, we propose a dynamic malware detection approach that identifies malicious behavior using deep learning techniques on Process Control Block (PCB) information mined over the process execution time. Our mining approach is performed at the kernel level and synchronized with the process CPU utilization. It precisely tracks changes in PCB parameters over the execution time. It does not only represent the process behavior efficiently but also all threads created by that process.

We then use the PCB sequence information to train a deep learning model to identify malicious behavior. We validated our approach using 2600 benign and 2500 malware-infested recent Android applications. Our mining approach successfully captured more than 99\% of context switches for the vast majority of tested applications. Furthermore, our detection model was able to identify malicious behavior at various points of the process execution time using 12 PCBs only with an F1-score of 95.8\%. To the best of our knowledge, no available dynamic malware detection technique has achieved such minimal detection time. We also introduce a closed dynamic malware analysis framework for application testing running on multiple Android phones concurrently.