Stimulation and Detection of Android Repackaged Malware with Active Learning

Repackaging is a technique that has been increasingly adopted by authors of Android malware. The main problem facing the research community working on devising techniques to detect this breed of malware is the lack of ground truth that pinpoints the malicious segments grafted within benign apps. Without this crucial knowledge, it is difficult to train reliable classifiers able to effectively classify novel, out-of-sample repackaged malware. To circumvent this problem, we argue that reliable classifiers can be trained to detect repackaged malware, if they are allowed to request new, more accurate representations of an app's behavior. This learning technique is referred to as active learning. In this paper, we propose the usage of active learning to train classifiers able to cope with the ambiguous nature of repackaged malware. We implemented an architecture, Aion, that connects the processes of stimulating and detecting repackaged malware using a feedback loop depicting active learning. Our evaluation of a sample implementation of Aion using two malware datasets (Malgenome and Piggybacking) shows that active learning can outperform conventional detection techniques and, hence, has great potential to detect Android repackaged malware.