Abstract
Several host intrusion detection systems (HIDSs) based on system call analysis have been proposed in the past to detect intrusions and malware using relevant datasets. Machine learning (ML) techniques have been applied to those datasets to improve the performance of HIDSs. However, limited attention has been given to their real-world deployment. To address this issue, we propose a framework for processing the system calls of benign and malware Android apps that is capable of early malware detection. We extracted and analyzed system call traces for benign and malware apps, and processed these traces with N-gram and TF-IDF models. Six ML algorithms - Decision Trees, Random Forest, K-Nearest Neighbors, Naive Bayes, Support Vector Machines, and Multi-layer Perceptron - were trained for the malware detection system. The experimental results demonstrate that our Android malware detection system (AMDS), using traces of 3000 system calls, is capable of early detection with an average accuracy of 99.34%. We also implemented an Android app based on a client-server architecture for the proposed AMDS to demonstrate its deployment for real-time malware detection.
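The processing chain the abstract describes (truncate each trace, build N-grams, weight them with TF-IDF, classify), as an added example that is not the authors' code. Only the 3000-call limit comes from the abstract; the n-gram size of 3, the smoothed IDF formula, the 1-nearest-neighbour classifier and the sample traces are assumptions constructed here.

```python
import math
from collections import Counter

TRACE_LIMIT = 3000  # trace length the abstract reports for early detection
N = 3               # assumed n-gram size; the abstract does not give one

def ngram_counts(trace, n=N, limit=TRACE_LIMIT):
    """Count n-grams over only the first `limit` system calls of a trace."""
    head = trace[:limit]
    return Counter(tuple(head[i:i + n]) for i in range(len(head) - n + 1))

def fit_idf(count_list):
    """Smoothed IDF per n-gram: ln((1 + docs) / (1 + df)) + 1 (assumed variant)."""
    df = Counter(g for counts in count_list for g in counts)
    docs = len(count_list)
    return {g: math.log((1 + docs) / (1 + d)) + 1.0 for g, d in df.items()}

def tfidf(counts, idf):
    """L2-normalised TF-IDF vector; n-grams unseen in training are dropped."""
    vec = {g: c * idf[g] for g, c in counts.items() if g in idf}
    norm = math.sqrt(sum(v * v for v in vec.values()))
    return {g: v / norm for g, v in vec.items()} if norm else {}

class NearestNeighbour:
    """1-NN on cosine similarity, standing in for the paper's K-Nearest Neighbors."""
    def fit(self, traces, labels):
        counts = [ngram_counts(t) for t in traces]
        self.idf = fit_idf(counts)
        self.rows = [(tfidf(c, self.idf), y) for c, y in zip(counts, labels)]
        return self

    def predict(self, trace):
        vec = tfidf(ngram_counts(trace), self.idf)
        sim = lambda row: sum(v * row[0].get(g, 0.0) for g, v in vec.items())
        return max(self.rows, key=sim)[1]

# Constructed sample traces (not from the paper's dataset).
BENIGN_1 = ["openat", "read", "close", "mmap", "futex", "epoll_wait", "read", "write"] * 5
BENIGN_2 = ["openat", "fstat", "read", "close", "futex", "epoll_wait", "write"] * 5
MALWARE_1 = ["socket", "connect", "sendto", "openat", "read", "sendto", "unlink"] * 5
MALWARE_2 = ["fork", "execve", "socket", "connect", "sendto", "recvfrom", "chmod"] * 5

MODEL = NearestNeighbour().fit([BENIGN_1, BENIGN_2, MALWARE_1, MALWARE_2],
                               ["benign", "benign", "malware", "malware"])

if __name__ == "__main__":
    probe = ["socket", "connect", "sendto", "recvfrom", "openat", "read", "sendto"] * 4
    print(MODEL.predict(probe))
```

Because `ngram_counts` discards everything after the first `TRACE_LIMIT` calls, a verdict needs only the start of a trace, which is the sense in which the detection is early.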
Cite
Zhang, X., Mathur, A., Zhao, L., Rahmat, S., Niyaz, Q., Javaid, A., & Yang, X. (2022). An Early Detection of Android Malware Using System Calls based Machine Learning Model. In ACM International Conference Proceeding Series. Association for Computing Machinery. https://doi.org/10.1145/3538969.3544413