CR, LG | Jun 23, 2016

Adaptive and Scalable Android Malware Detection through Online Learning

arXiv:1606.07150v2 | 71 citations
Originality: Incremental advance
AI Analysis

This work addresses the challenge of evolving malware in Android security, offering a scalable and adaptive solution, though it is an incremental advance in that it applies online learning to a known bottleneck.

The paper tackled the problem of malware population drift in Android malware detection by proposing DroidOL, an online learning framework that achieved 84.29% accuracy on over 87,000 apps, outperforming state-of-the-art batch learning methods by more than 20%.

It is well known that malware constantly evolves so as to evade detection, and this causes the entire malware population to be non-stationary. Contrary to this fact, prior works on machine learning based Android malware detection have assumed that the distribution of the observed malware characteristics (i.e., features) does not change over time. In this work, we address the problem of malware population drift and propose a novel online machine learning based framework, named DroidOL, to handle it and effectively detect malware. In order to perform accurate detection, security-sensitive behaviors are captured from apps in the form of inter-procedural control-flow sub-graph features using a state-of-the-art graph kernel. In order to perform scalable detection and to adapt to the drift and evolution in malware population, an online passive-aggressive classifier is used. In a large-scale comparative analysis with more than 87,000 apps, DroidOL achieves 84.29% accuracy, outperforming two state-of-the-art malware techniques by more than 20% in their typical batch learning setting and more than 3% when they are continuously re-trained. Our experimental findings strongly indicate that online learning based approaches are highly suitable for real-world malware detection.
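The sketch below is an added illustration, not DroidOL's code or anything taken from the paper. It shows why an online passive-aggressive classifier keeps up with population drift while a model trained once does not. It assumes the PA-I update variant, and it uses constructed integer ids as stand-ins for the sub-graph features; the stream, the drift point and all function names are hypothetical.

```python
import random

def score(w, x):
    return sum(w.get(f, 0.0) for f in x)

def predict(w, x):
    return 1 if score(w, x) > 0 else -1          # +1 = malware, -1 = benign

def pa_update(w, x, y, C=1.0):
    """PA-I step: move w just enough to give (x, y) a margin of 1, capped by C."""
    loss = max(0.0, 1.0 - y * score(w, x))
    if loss > 0.0:
        tau = min(C, loss / len(x))              # ||x||^2 == len(x) for binary features
        for f in x:
            w[f] = w.get(f, 0.0) + tau * y

def make_stream(n=600, drift_at=300, seed=7):
    """Constructed sample: benign apps use ids 0-9; malware uses ids 10-19
    before the drift point and ids 20-29 after it."""
    rng = random.Random(seed)
    stream = []
    for i in range(n):
        y = rng.choice((1, -1))
        if y == -1:
            pool = range(0, 10)
        elif i < drift_at:
            pool = range(10, 20)
        else:
            pool = range(20, 30)
        stream.append((frozenset(rng.sample(pool, 3)), y))
    return stream

def evaluate(stream, train_n=200):
    """Train both models on the first train_n apps, then freeze one and keep
    updating the other (test-then-train). Returns (frozen_acc, online_acc)."""
    frozen, online = {}, {}
    for x, y in stream[:train_n]:
        pa_update(frozen, x, y)
        pa_update(online, x, y)
    hits_frozen = hits_online = 0
    for x, y in stream[train_n:]:
        hits_frozen += predict(frozen, x) == y
        hits_online += predict(online, x) == y   # predict first ...
        pa_update(online, x, y)                  # ... then learn from the true label
    n = len(stream) - train_n
    return hits_frozen / n, hits_online / n

if __name__ == "__main__":
    print("frozen=%.3f online=%.3f" % evaluate(make_stream()))
```

The frozen model misses every post-drift malware sample because it has no weight for the new feature ids, while the online model recovers after a handful of labelled samples.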
