Effective and Efficient Android Malware Detection and Category Classification Using the Enhanced KronoDroid Dataset
Security and Communication Networks (IF 1.968), Pub Date: 2024-4-8, DOI: 10.1155/2024/7382302
Mudassar Waheed, Sana Qadir

Android is the most widely used mobile operating system and is responsible for handling a wide variety of data, from simple messages to sensitive banking details. The explosive increase in malware targeting this platform has made it imperative to adopt machine learning approaches for effective malware detection and classification. Since its release in 2008, the Android platform has changed substantially, and there has also been a significant increase in the number, complexity, and evolution of malware that targets this platform. This rapid evolution quickly renders existing malware datasets out of date and has a degrading impact on machine learning-based detection models. Many studies have been carried out to explore the effectiveness of various machine learning models for Android malware detection. The majority of these studies use datasets that have been compiled using static or dynamic analysis of malware, but the use of hybrid analysis approaches has not been addressed completely. Likewise, the impact of malware evolution has not been fully investigated. Although some of the models have achieved exceptional results, their performance deteriorated for evolving malware and they were also not effective against antidynamic malware. In this paper, we address both of these limitations by creating an enhanced subset of the KronoDroid dataset and using it to develop a supervised machine learning model capable of detecting evolving and antidynamic malware. The original KronoDroid dataset contains malware samples from 2008 to 2020, making it effective for the detection of evolving malware and handling concept drift. Also, the dynamic features are collected by executing the malware on a real device, making it effective for handling antidynamic malware. We create an enhanced subset of this dataset by adding malware category labels with the help of multiple online repositories. Then, we train multiple supervised machine learning models and use the ExtraTree classifier to select the top 50 features. Our results show that the random forest (RF) model has the highest accuracy of 98.03% for malware detection and 87.56% for malware category classification (for 15 malware categories).

Updated: 2024-04-08