Challenges and Outlook in Machine Learning-based Malware Detection for Android

Just like in traditional desktop computing, one of the major security issues in mobile computing
lies in malicious software. Several recent studies have shown that Android, as today’s most
widespread Operating System, is the target of most of the new families of malware.
Manually analysing an Android application to determine whether it is malicious or not is a time-
consuming process. Furthermore, because of the complexity of analysing an application, this
task can only be conducted by highly-skilled—hence hard to come by—professionals.
Researchers naturally sought to transfer this process from humans to computers to lower the
cost of detecting malware. Machine-Learning techniques, looking at patterns amongst known
malware and inferring models of what discriminates malware from goodware, have long been
summoned to build malware detectors.
The vast quantity of data involved in malware detection, added to the fact that we do not know a
priori how to express in technical terms the difference between malware and goodware, indeed
makes the malware detection question a seemingly textbook example of a possible Machine-
Learning application.
Despite the vast amount of literature published on the topic of detecting malware with machine-
learning, malware detection is not a solved problem. In this Thesis, we investigate issues that
affect performance evaluation and that thus may render current machine learning-based mal-
ware detectors for Android hardly usable in practical settings, and we propose an approach to
overcome those issues. While the experiments presented in this thesis all rely on feature-sets
obtained through lightweight static analysis, several of our findings could apply equally to all
Machine Learning-based malware detection approaches.
In the first part of this thesis, background information on machine-learning and on malware
detection is provided, and the related work is described. A snapshot of the malware landscape
in Android application markets is then presented.
The second part discusses three pitfalls hindering the evaluation of malware detectors. We show
with extensive experiments how validation methodology, History-unaware dataset construction
and the choice of a ground truth can heavily interfere with the performance results of malware
detectors.
In a third part, we present an practical approach to detect Android Malware in real-world settings.
We then propose several research paths to get closer to our long term goal of building practical,
dependable and predictable Android Malware detectors.