Ensemble Framework Combining Family Information for Android Malware Detection

Each malware application belongs to a specific malware family, and each family has unique characteristics. However, existing Android malware detection schemes do not pay attention to the use of malware family information. If the family information is exploited well, it could improve the accuracy of malware detection. In this paper, we propose a general Ensemble framework combining Family Information for Android Malware Detector, called EFIMDetector. First, eight categories of features are extracted from Android application packages. Then, we define the malware family with a large sample size as a prosperous family and construct a classifier for each prosperous family as a conspicuousness evaluator for the family characteristics. These conspicuousness evaluators are combined with a general classifier (which can be a base or ensemble classifier in itself), called the final classifier, to form a two-layer ensemble framework. For the samples of prosperous families with conspicuous family characteristics, the conspicuousness evaluators directly provide detection results. For other samples (including the samples of prosperous families with nonconspicuous family characteristics and the samples of nonprosperous families), the final classifier is responsible for detection. Seven common base classifiers and three common ensemble classifiers are used to detect malware in the experiment. The results show that the proposed ensemble framework can effectively improve the detection accuracy of these classifiers.