The International Arab Journal of Information Technology (IAJIT)


Mining Android Bytecodes through the Eyes of Gabor Filters for Detecting Malware

A basic characteristic of a Gabor filter is that it provides useful information about specific frequencies in a localized region. Such information can be used to locate snippets of code, i.e., localized code, in a program that has been transformed into an image, and so to find embedded malicious patterns. Building on this property, we propose a novel technique that uses a sliding Window over Gabor filters to mine the Dalvik Executable (DEX) bytecodes of an Android application (APK) for malicious patterns. We extract the structural and behavioral functionality and the localized information of an APK from Gabor-filtered images of the 2D grayscale image of the DEX bytecodes. A Window is slid over these features and assigned a weight based on its frequency of use. The Windows whose weights are greater than a given threshold are selected and used for training a classifier to detect malware APKs. Our technique does not require any disassembly or execution of the malware program and hence is much safer and more accurate. To further improve feature selection, we apply a greedy optimization algorithm to find the best-performing feature subset. The proposed technique, when tested using real malware and benign APKs, obtained a detection rate of 98.9% with 10-fold cross-validation.
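The first stages of the pipeline described in the abstract, as an added illustration that is not the authors' implementation: bytes laid out as a grayscale image, a small Gabor filter bank, and a sliding window scored over the filter responses. The filter parameters, window size, threshold and the use of mean response as the window score are assumptions, since the abstract does not specify the paper's weighting scheme; the input is a constructed byte buffer, not a real DEX file.

```python
import math

def bytes_to_image(data, width):
    """Lay raw bytes out row by row as a 2D grayscale image (one byte = one pixel)."""
    return [list(data[r:r + width]) for r in range(0, len(data) - width + 1, width)]

def gabor_kernel(size, wavelength, theta, sigma):
    """Real Gabor kernel: Gaussian envelope times a cosine carrier along theta."""
    half = size // 2
    k = [[math.exp(-(x * x + y * y) / (2 * sigma ** 2))
          * math.cos(2 * math.pi * (x * math.cos(theta) + y * math.sin(theta)) / wavelength)
          for x in range(-half, half + 1)] for y in range(-half, half + 1)]
    mean = sum(map(sum, k)) / size ** 2
    return [[v - mean for v in row] for row in k]  # zero mean: flat regions give 0

def filter_image(img, k):
    """Valid-mode 2D correlation; returns the magnitude of the response per pixel."""
    n = len(k)
    return [[abs(sum(k[a][b] * img[i + a][j + b] for a in range(n) for b in range(n)))
             for j in range(len(img[0]) - n + 1)] for i in range(len(img) - n + 1)]

def window_scores(resp, win, stride):
    """Slide a win x win window over a response map; score = mean response (assumed)."""
    return {(i, j): sum(resp[i + a][j + b] for a in range(win) for b in range(win)) / win ** 2
            for i in range(0, len(resp) - win + 1, stride)
            for j in range(0, len(resp[0]) - win + 1, stride)}

def select_windows(scores, threshold):
    """Keep windows whose score exceeds the threshold, strongest first."""
    return sorted((p for p, s in scores.items() if s > threshold), key=lambda p: -scores[p])

def make_sample():
    # Constructed sample, not real DEX data: 16x16 bytes of constant filler with an
    # 8x8 block of alternating 0x00/0xFF bytes embedded at rows 8-15, columns 8-15.
    buf = bytearray([0x70] * 256)
    for r in range(8, 16):
        for c in range(8, 16):
            buf[r * 16 + c] = 0xFF if c % 2 else 0x00
    return bytes(buf)

def score_sample():
    """Score the constructed sample with a two-orientation bank (illustrative parameters)."""
    image = bytes_to_image(make_sample(), 16)
    bank = {"0": gabor_kernel(5, 2.0, 0.0, 2.0), "90": gabor_kernel(5, 2.0, math.pi / 2, 2.0)}
    return {name: window_scores(filter_image(image, k), 4, 4) for name, k in bank.items()}

if __name__ == "__main__":
    print(select_windows(score_sample()["0"], 1500.0))
```

Window keys are top-left coordinates in the filter response map. The embedded block stands out only under the orientation whose carrier matches its byte pattern, which is the localization property the abstract relies on.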

Shahid Alam is currently working as an assistant professor in the department of Computer Engineering at Adana Alparslan Turkes Science and Technology University, Adana, Turkey. He received his PhD in Computer Science from University of Victoria, Canada in 2014. His research interests include software engineering, programming languages, computer security, and malware analysis and detection. He has published several journal and conference papers in these areas. Currently he is looking into applying compiler, binary analysis, and machine learning techniques to automate and optimize malware analysis and detection.

Alper Kamil Demir is an Assoc. Prof. at Computer Engineering Department of Adana Alparslan Turkes Science and Technology University since 2013. Between 2009 and 2013, he worked at Huawei Telecommunications Inc. as a Senior Software and Research Engineer. Between 2001 and 2009 he worked at Kocaeli University, Computer Engineering Department. He is interested in Security and Forensics, Computer Networks, Distributed Systems and Operating Systems in general. Currently, his research is focused on Internet of Things.