Structural information based malicious app similarity calculation and clustering

Abstract

Depending on expansion of supply of smartphone, development of mobile application is more active using various mobile platform. As a result of malicious applications, but also targeting the mobile it is rapidly increasing. In this paper, method of Android malware similarity and clustering. First, there is a need for a process for extracting the control flow graph in an Android application. By extract the control flow graph, we form structural information of methods in Android application called'4-tuple'. After we create the structural information extracted from the control flow graph it is necessary to compare the matching process. Matching process we propose has two steps, 'initial matching' and 'second matching'. Initial matching step is the process of matching the'4-tuple' information but not exactly same with each other only a single in Android application. Second matching step is process of matching in the same way as the initial matching target method that calling its method and method that is invoked. Finally, it measure the ratio of the total number of method in Android application and matched method after initial matching and second matching. Finally, it measure the ratio of the total number of method in Android application and matched method after initial matching and second matching. We proceeds clustering using the above process. Based on previous studies, we used the DBSCAN algorithm for clustering. It was 65.8% average using the structural information of the result of the clustering.