TriDroid: a triage and classification framework for fast detection of mobile threats in android markets

dc.contributor.author: Amira, Abdelouahab
dc.contributor.author: Derhab, Abdelouahid
dc.contributor.author: Karbab, ElMouatez Billah
dc.contributor.author: Nouali, Omar
dc.contributor.author: Aslam Khan, Farrukh
dc.date.accessioned: 2023-10-07T19:13:14Z
dc.date.available: 2023-10-07T19:13:14Z
dc.date.issued: 2021
dc.description.abstract: The Android platform is highly targeted by malware developers, who aim to infect the maximum number of mobile devices by uploading their malicious applications to different app markets. In order to keep a healthy Android ecosystem, app markets check the maliciousness of newly submitted apps. These markets need to (a) correctly detect malicious apps, and (b) speed up the detection process for the most likely dangerous applications among an overwhelming flow of submitted apps, in order to quickly mitigate their potential damage. To address these challenges, we propose TriDroid, a market-scale triage and classification system for Android apps. TriDroid prioritizes app analysis according to risk likelihood. To this end, we categorize the submitted apps as botnet, general malware, or benign. TriDroid starts by performing a (1) Triage process, which applies a fast, coarse-grained and less accurate analysis to a continuous stream of submitted apps to identify their corresponding queue in a three-class priority queuing system. Then, (2) the Classification process extracts fine-grained static features from the apps in the priority queue and applies three-class machine learning classifiers to confirm, with high accuracy, the classification decisions of the triage process. In addition to the priority queuing model, we also propose a multi-server queuing model in which the classification of each app category is run on a different server. Experiments on a dataset with more than 24K malicious and 3K benign applications show that the priority model offers a trade-off between waiting time and processing overhead, as it requires only one server compared to the multi-server model. It also successfully prioritizes the analysis of malicious apps, which yields a short waiting time for dangerous applications compared to the FIFO policy.
dc.identifier.doi: https://doi.org/10.1007/s12652-020-02243-0
dc.identifier.issn: 1868-5137
dc.identifier.uri: https://dl.cerist.dz/handle/CERIST/987
dc.publisher: Springer-Verlag
dc.relation.ispartofseries: Journal of Ambient Intelligence and Humanized Computing; Vol. 12
dc.relation.pages: 1731–1755
dc.structure: Calcul pervasif et mobile (Pervasive and Mobile Computing group)
dc.subject: Android security
dc.subject: App triage
dc.subject: Malware detection
dc.subject: Data mining
dc.subject: Machine learning
dc.title: TriDroid: a triage and classification framework for fast detection of mobile threats in android markets
dc.type: Article