
dr_droid's Introduction

A Static Android Malware Analyzing Tool with Graph Analysis and Machine Learning

Description

The tool builds a dependence graph of an app and partitions it into regions based on graph connectivity. Each region is classified independently with machine learning algorithms. This exposes more code-structure information than conventional whole-program-based machine learning, in which features from the whole app are pooled into a single vector.
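The following is an added illustration of the region idea and is not dr_droid's own code. It constructs a small class-level invocation list by hand (a repackaged host app plus a disconnected payload), partitions it into connected components with a pure-Python stand-in for the NetworkX component call, extracts a per-region feature vector, and scores each region. The per-class "sensitive call" counts and the scoring rule are placeholders for the Androguard-derived features and the trained classifier; the point it demonstrates is that a small malicious region is averaged away under whole-program scoring but stands out under per-region scoring.

```python
"""Region-based vs. whole-program classification of a class-level call graph.

Added example, not dr_droid's own code. INVOKES and SENSITIVE_CALLS are
constructed sample data; regions() is a pure-Python stand-in for NetworkX's
connected-component routine; score() is a placeholder for a trained model.
"""
from collections import defaultdict, deque

# Constructed class-level invocations: (caller class, callee class).
# Two disconnected regions: the host app's UI code and a small injected payload.
INVOKES = [
    ("com/host/MainActivity", "com/host/ListFragment"),
    ("com/host/ListFragment", "com/host/net/HttpClient"),
    ("com/host/net/HttpClient", "com/host/util/Cache"),
    ("com/host/MainActivity", "com/host/util/Cache"),
    ("com/host/MainActivity", "com/host/SettingsActivity"),
    ("com/host/SettingsActivity", "com/host/util/Prefs"),
    ("com/payload/BootReceiver", "com/payload/Uploader"),
    ("com/payload/Uploader", "com/payload/Collector"),
]

# Constructed per-class feature: number of sensitive-API call sites in the class
# body (in a real run these would come from the decoded bytecode).
SENSITIVE_CALLS = {
    "com/host/MainActivity": 0,
    "com/host/ListFragment": 0,
    "com/host/net/HttpClient": 1,
    "com/host/util/Cache": 0,
    "com/host/SettingsActivity": 0,
    "com/host/util/Prefs": 0,
    "com/payload/BootReceiver": 1,
    "com/payload/Uploader": 4,
    "com/payload/Collector": 3,
}


def build_graph(invokes):
    """Undirected adjacency over classes; edge direction does not affect region cuts."""
    adj = defaultdict(set)
    for caller, callee in invokes:
        adj[caller].add(callee)
        adj[callee].add(caller)
    return adj


def regions(adj):
    """Partition classes into connected components (the tool's 'regions') by BFS."""
    seen, out = set(), []
    for start in sorted(adj):
        if start in seen:
            continue
        comp, queue = [], deque([start])
        seen.add(start)
        while queue:
            node = queue.popleft()
            comp.append(node)
            for nxt in adj[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        out.append(sorted(comp))
    return out


def features(classes, sensitive):
    """Feature vector for a set of classes: size and density of sensitive calls."""
    total = sum(sensitive.get(c, 0) for c in classes)
    return {"classes": len(classes), "sensitive_calls": total,
            "sensitive_per_class": total / len(classes)}


def score(feat):
    """Placeholder classifier: malicious score in [0, 1] from sensitive-call density."""
    return min(1.0, feat["sensitive_per_class"] / 3.0)


def verdict(malicious_score, threshold=0.5):
    """1 = malicious, 0 = benign, mirroring the tool's -p output."""
    return 1 if malicious_score > threshold else 0


def classify_whole_program(invokes, sensitive):
    """Conventional approach: one feature vector over every class in the app."""
    all_classes = {c for pair in invokes for c in pair}
    return score(features(all_classes, sensitive))


def classify_by_region(invokes, sensitive):
    """Score each region independently; the app is as suspicious as its worst region."""
    scored = [(score(features(r, sensitive)), r) for r in regions(build_graph(invokes))]
    return max(scored, key=lambda pair: pair[0])


if __name__ == "__main__":
    whole = classify_whole_program(INVOKES, SENSITIVE_CALLS)
    best_score, best_region = classify_by_region(INVOKES, SENSITIVE_CALLS)
    print("whole-program score %.3f -> %d" % (whole, verdict(whole)))
    print("worst region %s score %.3f -> %d" % (best_region, best_score, verdict(best_score)))
```

With the constructed data the whole-program density is 9 sensitive calls over 9 classes (score 0.333, verdict benign), while the three-class payload region scores 0.889 on its own (verdict malicious), which is the dilution effect that region-level classification is meant to avoid.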

How to run

python main.py -h
usage: main.py [-h] [-w] [+w] [-a] [-f] [-m] [-p PREDICT]

running analysis...

optional arguments:
  -h, --help            show this help message and exit
  -w                    Turn whole-program-analysis off, use regions for
                        classification
  +w                    Turn whole-program-analysis on, ignore code structure
  -a, --apkinfo         get Application information
  -f, --feainfo         get Feature information
  -m, --mlparameters    show how we choose a machine learning algorithm based
                        on ROC and precision-recall curves.
  -p PREDICT, --predict PREDICT
                        predict a tested apk: 1-malicious 0-benign [0-1]:
                        malicious score

Example command lines:

use region analysis:

python main.py -w -a -f -p apks/Geinimi--2e998614b17adbafeb55b5fb9820f63aec5ce8b4.apk

use whole program analysis:

python main.py +w -a -f -p apks/Geinimi--2e998614b17adbafeb55b5fb9820f63aec5ce8b4.apk

get ML parameters:

 python main.py -m

Extra functions (TODO):

Statistics of the apk files (TODO: implement more features):

python Dir_With_APKs

Dependencies:

Sklearn, NetworkX, Androguard, Androwarn, MatplotLib

Python 2.7.6 (default, Jun 22 2015, 17:58:13) 
[GCC 4.8.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pkg_resources
>>> pkg_resources.get_distribution("networkx").version
'1.9.1'
>>> import sklearn
>>> sklearn.__version__
'0.14.1'
>>> import numpy
>>> numpy.__version__
'1.8.2'

Disclaimer

A research prototype for Android malware detection with code-heterogeneity features.

version 0.0.1

If you find this tool useful, please cite the paper: K. Tian, D. D. Yao, B. G. Ryder, G. Tan and G. Peng, "Detection of Repackaged Android Malware with Code-Heterogeneity Features," IEEE Transactions on Dependable and Secure Computing, 2017.

dr_droid's People

Contributors

lzto, peeratham, ririhedou


dr_droid's Issues

questions about the tool

I am a newbie in Android malware detection. I saw that many ML-based tools are implemented on top of the Smali IR, and I am also looking into Soot for a more comprehensive analysis.

I have some questions on this tool.

  1. How accurate is the constructed call graph? (I saw that Android apps are event driven and contain many asynchronous callbacks.)

  2. Did you realize data-flow analysis in your tool?

Classification on the Ads library?

Hi,
I am a little confused about the region-based classification. Does a region mean a third-party library or something else? If not, is this tool capable of identifying third-party libraries (e.g., ads libraries)?
Thanks

networkx compatibility issue

Hi,

I have this problem on running the code:

/usr/local/lib/python2.7/dist-packages/numpy/core/fromnumeric.py:2699: VisibleDeprecationWarning: rank is deprecated; use the ndim attribute or function instead. To find the rank of a matrix see numpy.linalg.matrix_rank.
VisibleDeprecationWarning)
Namespace(apkinfo=True, feainfo=True, mlparameters=False, predict='apks/Geinimi--2e998614b17adbafeb55b5fb9820f63aec5ce8b4.apk', w=False)
Traceback (most recent call last):
  File "main.py", line 59, in <module>
    runApkInfo(input_file)
  File "/home/fuxinwei/temp/dr_droid/AppInfo.py", line 26, in runApkInfo
    new_app = newStart(input_file)
  File "/home/fuxinwei/temp/dr_droid/NewApp.py", line 102, in __init__
    self.Tab_CallInOut()
  File "/home/fuxinwei/temp/dr_droid/NewApp.py", line 144, in Tab_CallInOut
    self._Callinout = YY_CallInOut(M,C,self.classlist)
  File "/home/fuxinwei/temp/dr_droid/Callinout.py", line 22, in __init__
    self.process_class_graph(classInvokelist, KE_classlist)
  File "/home/fuxinwei/temp/dr_droid/Callinout.py", line 115, in process_class_graph
    self.fcgnx_class_level = nx.DiGraph(nx.from_pydot(dgraph_class))
AttributeError: 'module' object has no attribute 'from_pydot'

Could you help me look into the problem?

detecting stealthy apps

I tested the tool with some pretty new apps, but the accuracy is not as good as I expected.
I saw that the dataset you use is rather old. Do you have some thoughts on the detection of stealthy malicious apps? By stealthy apps, I mean apps that may use some strategies to hide their malicious behaviors.
