IMPROVING MOBILE MALWARE DETECTORS USING CO-EVOLUTION TO CREATE AN ARTIFICIAL ARMS RACES

Abstract

On the Internet today, mobile malware is one of the most common attack methods. These attacks are usually established via malicious mobile apps. One technique used to combat this threat is the deployment of mobile malware detectors. In this thesis, I aim to explore the similarity between artificial evolution and the cycle of developmental adaptation between malware and cyber security developers. Mo- bile malware is often a derivative of past results, only modified slightly to avoid detection. In turn, this requires the security, malware detectors, to react and im- prove. The result is a cycle of modifications of malware and improvements of secu- rity. Using this cycle, I shape an artificial evolutionary arms race between mobile malware and malware detectors to consider how this structure will allow for the adaptation of detectors to evolving threats. To model this interaction, I present a co-evolution of two genetic algorithms in the roles of malware and malware detec- tor. The experimental evaluations on publicly available malicious / non-malicious mobile apps and their variants generated by the artificial arms race show that this approach improves the detector’s understanding of the problem. During the ex- periments, the detectors generated were simpler then when not using an artificial arms race, and required less data from each malware sample to detect the mali- cious behaviours. Given the variety of apps available, I also considered how this approach performs when trained with different sources of non-malicious apps. I considered apps from: F-Droid, an open source app repository for Android; and Google Play, the default installed app store on Android devices. Each source was used to train detectors with one set as a baseline and then testing performance with the other set. I found that the F-Droid trained detectors performed better than the Google Play trained detectors at differentiation between malware and non-malicious apps outside of the source they were trained on. In conclusion, al- though my evaluations were performed using Android malware, this approach is sufficiently generic that it could be extended to other forms of malware on other platforms.