IMPROVING MOBILE MALWARE DETECTORS USING CO-EVOLUTION TO CREATE AN ARTIFICIAL ARMS RACES
Abstract
On the Internet today, mobile malware is one of the most common attack methods.
These attacks are usually established via malicious mobile apps. One technique
used to combat this threat is the deployment of mobile malware detectors. In this
thesis, I aim to explore the similarity between artificial evolution and the cycle of
developmental adaptation between malware and cyber security developers. Mobile
malware is often a derivative of past results, only modified slightly to avoid
detection. In turn, this requires the security side, the malware detectors, to react
and improve. The result is a cycle of modifications to malware and improvements to
security. Using this cycle, I shape an artificial evolutionary arms race between
mobile malware and malware detectors to consider how this structure allows
detectors to adapt to evolving threats. To model this interaction, I present a
co-evolution of two genetic algorithms in the roles of malware and malware
detector. The experimental evaluations on publicly available malicious and
non-malicious mobile apps, and on their variants generated by the artificial arms
race, show that this approach improves the detector's understanding of the problem.
During the experiments, the detectors generated were simpler than those produced
without an artificial arms race, and required less data from each malware sample
to detect the malicious behaviours. Given the variety of apps available, I also
considered how this approach performs when trained with different sources of
non-malicious apps. I considered apps from two sources: F-Droid, an open source app
repository for Android; and Google Play, the app store installed by default on
Android devices. Each source was used to train detectors, with one set serving as a
baseline and performance then tested against the other set. I found that the
F-Droid trained detectors performed better than the Google Play trained detectors
at differentiating between malware and non-malicious apps from outside the source
they were trained on. In conclusion, although my evaluations were performed using
Android malware, this approach is sufficiently generic that it could be extended to
other forms of malware on other platforms.