4.6 Article

SDAC: A Slow-Aging Solution for Android Malware Detection Using Semantic Distance Based API Clustering

Publisher

IEEE COMPUTER SOC
DOI: 10.1109/TDSC.2020.3005088

Keywords

Malware; Testing; Training; Aging; Feature extraction; Computational modeling; Semantics; Android malware detection; mobile security

SDAC is a novel slow-aging solution proposed to address the model aging problem in Android malware detection, achieving significantly higher accuracy and slower aging speed compared to state-of-the-art solutions. By evaluating the contributions of new APIs and evolving based on existing API contributions, SDAC effectively adapts to changes in Android specifications without the need for retraining on new labeled datasets.
A novel slow-aging solution named SDAC is proposed to address the model aging problem in Android malware detection, which arises from a failure to adapt to changes in Android specifications during malware detection. Unlike existing solutions, which periodically retrain their detection models, SDAC evolves effectively by evaluating new APIs' contributions to malware detection according to existing APIs' contributions. In SDAC, the contributions of APIs are evaluated by their contexts in the API call sequences extracted from Android apps. A neural network is applied to the sequences to map APIs to vectors, and the differences between API vectors are regarded as the semantic distances. SDAC then clusters all APIs based on their semantic distances to create a feature set in the training phase, and extends the feature set to include all new APIs in the detection phase. Without being trained on any new set of real-labelled apps, SDAC can adapt to the changes in Android specifications by simply identifying new APIs appearing in the detection phase. In extensive experiments with datasets dated from 2011 to 2016, SDAC achieves a significantly higher accuracy and a significantly slower aging speed compared with MaMaDroid, a state-of-the-art Android malware detection solution which maintains resilience to API changes.
