Martin Solac

Reputation: 856

Detecting Android Malware using Support Vector Machines (SVM)

I'm trying to develop an application capable of detecting malicious applications for the Android platform using Support Vector Machines (SVM). I can get a lot of system information from the "logcat" and "strace" tools, but I don't know how to manage to detect real malicious applications. Does anyone know how to establish/record normal behavior use of the device using those tools? I mean, get information from the device and set a behaviour pattern.

Best regards

Upvotes: 1

Views: 1486

Answers (4)

teh tarik 101

Reputation: 121

For the Windows API, people usually take a look at the sequence to determine their sets of actions. You can find papers/research done on that for the Android platform too.

Upvotes: 0

teh tarik 101

Reputation: 121

What if you use sets of malicious calls in Android first rather than profiling the normal ones?

Also, take note: if you're using unsupervised classification, it does not know what kind of data it classifies.

Upvotes: 0

Select0r

Reputation: 12658

I wonder if this is possible ...

How do you want to rate whether a behavior is normal for an application? Do you plan a "learning phase" where everything a certain app does is recorded (if that's possible without root access in the first place!) and then saved as the "profile" of "normal behavior" of that app?
Say you record whatever behavior an application has, e.g. a tool to organize icons on the homescreen. Now say this application also offers the function to call one of your favorite contacts directly; it will need the permission to access your contacts and to make phone calls. If this feature is hardly used, you would probably not record it during your "learning" period of this app and rate the app as malicious once it tries to make a phone call.
And what if an app shows malicious behavior during the "learning phase" where you can't detect it because you haven't determined the "normal behavior" yet?

Sounds like the "normal behavior" has to be saved somewhere to rate an app before you install it and it starts acting weird or performs unwanted actions. But then again: what is unwanted for one user may be perfectly normal for another one ...

I'm interested in whatever fancy solutions people come up with, but I guess this will be a hard one ...

Upvotes: 0
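An added example, not part of any answer above: one way to turn `strace` text output into the call-sequence features discussed in this thread, build a "normal behavior" profile from a learning phase, and measure how far a later trace departs from it. The traces, package name, and all function names are constructed for illustration, and the line format assumed is strace's default output with a leading pid.

```python
import re
from collections import Counter

# Syscall name at the start of a strace line, after an optional pid prefix.
# Signal lines ("--- SIG... ---") and "<... x resumed>" lines do not match.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?([a-z_][a-z0-9_]*)\(")

# Constructed strace output for a hypothetical icon-organizer app.
BASELINE = """\
1234 openat(AT_FDCWD, "/data/data/com.example.icons/files/layout", O_RDONLY) = 5
1234 read(5,  <unfinished ...>
1234 <... read resumed> "grid=4x5", 4096) = 8
1234 close(5) = 0
1234 --- SIGCHLD {si_signo=SIGCHLD} ---
"""
# Constructed: same app, plus a rarely used feature never seen while learning.
RARE_FEATURE = """\
1234 openat(AT_FDCWD, "/data/data/com.example.icons/files/layout", O_RDONLY) = 5
1234 read(5, "grid=4x5", 4096) = 8
1234 close(5) = 0
1234 ioctl(7, BINDER_WRITE_READ, 0x7ffd0000) = 0
1234 write(8, "ok", 2) = 2
"""

def syscalls(trace):
    """Ordered syscall names found in strace text output."""
    found = (SYSCALL_RE.match(line.strip()) for line in trace.splitlines())
    return [m.group(1) for m in found if m]

def ngrams(trace, n=2):
    """Counts of n consecutive syscalls (the sequence features)."""
    seq = syscalls(trace)
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))

def build_profile(traces, n=2):
    """Learning phase: every n-gram seen in any baseline trace."""
    return set().union(*(ngrams(t, n) for t in traces))

def vectorize(trace, vocabulary, n=2):
    """Fixed-length relative-frequency vector, the input form an SVM takes."""
    counts = ngrams(trace, n)
    total = sum(counts.values()) or 1
    return [counts[g] / total for g in vocabulary]

def novelty(trace, profile, n=2):
    """Fraction of n-gram occurrences in the trace missing from the profile."""
    counts = ngrams(trace, n)
    total = sum(counts.values())
    return sum(c for g, c in counts.items() if g not in profile) / total if total else 0.0
```

With `build_profile([BASELINE])` as the learned profile, half of the bigrams in `RARE_FEATURE` are unseen even though the trace is benign, which is the false-positive case raised in the last answer. The vectors from `vectorize` are what a one-class or two-class SVM would be trained on.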
