Back-propagation neural network on Markov chains from system call sequences: a new approach for detecting Android malware with system call sequences

Back-propagation neural network on Markov chains from system call sequences: a new approach for detecting Android malware with system call sequences

For access to this article, please select a purchase option:

Buy article PDF
(plus tax if applicable)
Buy Knowledge Pack
10 articles for $120.00
(plus taxes if applicable)

IET members benefit from discounts to all IET publications and free access to E&T Magazine. If you are an IET member, log in to your account and the discounts will automatically be applied.

Learn more about IET membership 

Recommend Title Publication to library

You must fill out fields marked with: *

Librarian details
Your details
Why are you recommending this title?
Select reason:
IET Information Security — Recommend this title to your library

Thank you

Your recommendation has been sent to your librarian.

Android has become the most prevalent mobile system, but in the meanwhile malware on this platform is widespread. System call sequences are studied to detect malware. However, malware detection with these approaches relies on common system-call-subsequences. It is not so efficient because it is difficult to decide the appropriate length of the common subsequences. To address this issue, the authors propose a new approach, back-propagation neural network on Markov chains from system call sequences (BMSCS). It treats one system call sequence as a homogeneous stationary Markov chain and applies back-propagation neural network (BPNN) to detect malware by comparing transition probabilities in the chain. Since transition probabilities from one system call to another in malware are significantly different from those in benign applications, BMSCS can efficiently detect malware by capturing the anomaly in state transitions with the help of BPNN. The authors evaluate the performance of BMSCS by experiments with real application samples. The experiment results show that the F-score of BMSCS achieves up to 0.982773, which is higher than the other methods in the literature.


    1. 1)
      • 1. Yerima, S.Y., Sezer, S., McWilliams, G.: ‘Analysis of Bayesian classification-based approaches for Android malware detection’, IET Inf. Sec., 2014, 8, (1), pp. 2536.
    2. 2)
      • 2. Liu, J., Pan, W., Hu, J., et al: ‘Research of secure ecosystem based on Android platform’. Proc. of Int. Conf. on IET Cyberspace Technology (CCT 2013), Beijing, China, November 2013, pp. 376380.
    3. 3)
      • 3. Zhao, X., Fang, J., Wang, X.: ‘An Android malware detection based on permissions’. Proc. of Int. Conf. on Information and Communications Technologies (ICT 2014), Nanjing, China, May 2014, pp. 15.
    4. 4)
      • 4. Xiao, X., Xiao, X., Jiang, Y., et al: ‘Detecting mobile malware with TMSVM’. Proc. of 10th Int. Conf. on Security and Privacy in Communication Networks (SecureComm 2014), Beijing, China, September 2014.
    5. 5)
      • 5. Juniper Networks Mobile Threat Center: ‘Third annual mobile threats report: March 2012 through March 2013’. Available at
    6. 6)
      • 6. Enck, W., Ongtang, M., McDaniel, P.: ‘On lightweight mobile phone application certification’. Proc. of 16th ACM Int. Conf. on Computer and Communications Security, New York, USA, November 2009, pp. 235245.
    7. 7)
      • 7. Fuchs, A.P., Chaudhuri, A., Foster, J.S.: ‘SCanDroid: automated security certification of Android applications’. Proc. of 31st IEEE Int. Conf. on Security and Privacy (S&P 2009), California, USA, 2009.
    8. 8)
      • 8. Peiravian, N., Zhu, X.: ‘Machine learning for android malware detection using permission and API calls’. Proc. of 25th IEEE Int. Conf. on Tools with Artificial Intelligence, Herndon, USA, November 2013, pp. 300305.
    9. 9)
      • 9. Arp, D., Spreitzenbarth, M., Hubner, M., et al: ‘Drebin: effective and explainable detection of android malware in your pocket’. Proc. of Int. Conf. on Network and Distributed System Security Symp. (NDSS 2014), San Diego, California, USA, February 2014.
    10. 10)
      • 10. Moser, A., Kruegel, C., Kirda, E.: ‘Limits of static analysis for malware detection’. Proc. of 23th Annual Computer Security Applications Conf. (ACSAC), Florida, USA, December 2007, pp. 421430.
    11. 11)
      • 11. Blasing, T., Batyuk, L., Schmidt, A.D., et al: ‘An android application sandbox system for suspicious software detection’. Proc. of 5th IEEE Int. Conf. on Malicious and Unwanted Software, Lorraine, France, October 2010, pp. 5562.
    12. 12)
      • 12. Burguera, I., Zurutuza, U., Nadjm-Tehrani, S.: ‘Crowdroid: behavior-based malware detection system for android’. Proc. of 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, New York, USA, 2011, pp. 1526.
    13. 13)
      • 13. Isohara, T., Takemori, K., Kubota, A.: ‘Kernel-based behavior analysis for android malware detection’. Proc. of 7th Int. Conf. on Computational Intelligence and Security, Hainan, China, December 2011, pp. 10111015.
    14. 14)
      • 14. Lin, Y.D., Lai, Y.C., Chen, C.H., et al: ‘Identifying android malicious repackaged applications by thread-grained system call sequences’, Comput. Secur., 2013, 39, pp. 340350.
    15. 15)
      • 15. Enck, W., Gilbert, P., Chun, B.G., et al: ‘TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones’, Commun. ACM, 2014, 57, (3), pp. 99106.
    16. 16)
      • 16. Shabtai, A., Kanonov, U., Elovici, Y., et al: ‘Andromaly: a behavioral malware detection framework for android devices’, J. Intell. Inf. Syst., 2012, 38, (1), pp. 161190.
    17. 17)
      • 17. Shabtai, A., Tenenboim-Chekina, L., Mimran, D., et al: ‘Mobile malware detection through analysis of deviations in application network behavior’, Comput. Secur., 2014, 43, pp. 118.
    18. 18)
      • 18. Rozenberg, B., Gudes, E., Elovici, Y., et al: ‘A method for detecting unknown malicious executables’. Proc. of 10th IEEE Int. Conf. on Trust, Security and Privacy in Computing and Communications (TustCom 2011), Shanghai, China, November 2011, pp. 190196.
    19. 19)
      • 19. Gupta, V., Dharmaraja, S.: ‘Semi-Markov modeling of dependability of VoIP network in the presence of resource degradation and security attacks’, Reliab. Eng. Syst. Saf., 2011, 96, (12), pp. 16271636.
    20. 20)
      • 20. Kuang, G.C., Wang, X.F., Yin, L.R.: ‘A fuzzy forecast method for network security situation based on Markov’. Proc. of IEEE Int. Conf. on Computer Science and Information Processing (CSIP), Shanxi, China, August 2012, pp. 785789.
    21. 21)
      • 21. Rahman, M.: ‘DroidMLN: a Markov logic network approach to detect android malware’. Proc. of 12th Int. Conf. on Machine Learning and Applications (ICMLA'13), Florida, USA, December 2013, pp. 166169.
    22. 22)
      • 22. Xiao, X., Tian, X., Zhai, Q., et al: ‘A variable-length model for masquerade detection’, J. Syst. Softw., 2012, 85, (11), pp. 24702478.
    23. 23)
      • 23. Zhou, Y., Jiang, X.: ‘Dissecting android malware: characterization and evolution’. Proc. of IEEE Int. Conf. on Symp. Security and Privacy, San Francisco, USA, May 2012, pp. 95109.
    24. 24)
      • 24. Sheldon, M.R.: ‘Stochastic processes’ (John Wiley & Sons, Inc., 1996, 2nd edn.).
    25. 25)
      • 25. Ronald, W.W.: ‘Stochastic modeling and the theory of queues’ (Prentice-Hall, London, 1989).
    26. 26)
      • 26. Lennartsson, J., Baxevani, A., Chen, D.: ‘Modelling precipitation in Sweden using multiple step Markov chains and a composite model’, J. Hydrol., 2008, 363, (1), pp. 4259.
    27. 27)
      • 27. Haykin, S.S.: ‘Neural networks and learning machines’ (Pearson Education, New Jersey, 2006, 3rd edn.).
    28. 28)
      • 28. Basheer, I.A., Hajmeer, M.: ‘Artificial neural networks: fundamentals, computing, design, and application’, J. Microbiol. Methods, 2000, 43, (1), pp. 331.
    29. 29)
      • 29. Hecht-Nielsen, R.: ‘Theory of the backpropagation neural network’. Proc. of IEEE Int. Joint Conf. on Neural Networks (IJCNN), Washington, DC, USA, June 1989, pp. 593605.
    30. 30)
      • 30. Zheng, M., Sun, M., Lui, J.: ‘Droid analytics: a signature based analytic system to collect, extract, analyze and associate android malware’. Proc. of 12th IEEE Int. Conf. on Trust, Security and Privacy in Computing and Communications (TrustCom 2013), Melbourne, Australia, July 2013, pp. 163171.
    31. 31)
      • 31. Zhou, W., Zhou, Y., Jiang, X., et al: ‘Detecting repackaged smartphone applications in third-party android marketplaces’. Proc. of 2nd ACM Conf. on Data and Application Security and Privacy, New York, USA, 2012, pp. 317326.
    32. 32)
      • 32. Aafer, Y., Du, W., Yin, H.: ‘DroidAPIMiner: mining API-level features for robust malware detection in android’. Proc. of 9th Int. Conf. on Security and Privacy in Communication Networks (SecureComm2013), Sydney, Australia, September 2013, pp. 86103.
    33. 33)
      • 33. Wei, T.E., Mao, C.H., Jeng, A.B., et al: ‘Android malware detection via a latent network behavior analysis’. Proc. of 11th IEEE Int. Conf. on Trust, Security and Privacy in Computing and Communications (TrustCom 2012), Liverpool, UK, June 2012, pp. 12511258.

Related content

This is a required field
Please enter a valid email address