»How we trained the dragon^H classified APKs via ANNs«
2018-10-18, 10:50–11:10, Europe

Using machine learning techniques, with a special focus on deep learning, to classify Android APKs as malicious or benign leads to surprisingly accurate detection rates, far surpassing standard AV engines.

Antivirus (AV) has for a long time relied on the "analyse the sample -> extract a feature -> create a signature -> rinse & repeat" cycle. While this cycle is still the main workhorse of the AV industry, there is no lack of new approaches to AV. The DREBIN paper [1] was one notable example of using machine learning (SVMs) in AV, in the specific context of Android APKs.

The authors worked with students from the data science class of the University of Economics of Vienna to re-implement the DREBIN paper and, ultimately, to improve on it. One of the improvements is to use a neural network (deep learning) instead of a support vector machine (SVM).

The presentation will cover our journey of improving Android AV detection rates and the remarkably high true positive and low false positive rates we achieved via machine learning. Admittedly, Android is a convenient test bed (feature extraction is easy, malware does not obfuscate well enough, etc.), but it also serves as a nice playground for these techniques.
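To make the pipeline sketched above concrete, here is an added, self-contained example; it is not the talk's code and not the DREBIN implementation. DREBIN-style feature strings (permissions, intents, API calls, hardware features, embedded network addresses, each prefixed with its category) from a handful of constructed apps are embedded as sparse binary vectors, a linear classifier is trained on them, and the result is scored by true positive and false positive rate, the two numbers the abstract highlights. A plain perceptron stands in for DREBIN's linear SVM so that only the Python standard library is needed, and no neural network is included. Every app, feature string and the IP address below is constructed for the example; the held-out set deliberately contains a feature never seen in training and a legitimate messaging app that shares its SMS features with the malware samples.

```python
"""DREBIN-style pipeline sketch: feature strings -> sparse binary vector ->
linear classifier -> true/false positive rate.  Added illustration, not the
talk's or DREBIN's code; a perceptron stands in for DREBIN's linear SVM and
every app below is constructed for the example."""
from typing import Dict, List, Sequence, Set, Tuple

Sample = Tuple[Set[str], int]  # (feature strings, label); 1 = malicious

# Each string carries its DREBIN-style category as a prefix so that, e.g., a
# permission and an API call with the same name stay distinct features.
TRAIN: List[Sample] = [
    ({"permission::android.permission.INTERNET", "intent::android.intent.action.MAIN",
      "permission::android.permission.ACCESS_NETWORK_STATE",
      "api_call::android/content/SharedPreferences"}, 0),
    ({"permission::android.permission.INTERNET", "intent::android.intent.action.MAIN",
      "api_call::java/net/HttpURLConnection", "hardware::android.hardware.camera"}, 0),
    ({"intent::android.intent.action.MAIN", "permission::android.permission.VIBRATE",
      "api_call::android/content/SharedPreferences"}, 0),
    ({"permission::android.permission.INTERNET", "permission::android.permission.SEND_SMS",
      "permission::android.permission.RECEIVE_SMS", "url::198.51.100.7",
      "intent::android.intent.action.BOOT_COMPLETED",
      "api_call::android/telephony/SmsManager;->sendTextMessage"}, 1),
    ({"permission::android.permission.SEND_SMS", "permission::android.permission.READ_SMS",
      "intent::android.intent.action.MAIN", "api_call::java/lang/Runtime;->exec",
      "api_call::android/telephony/SmsManager;->sendTextMessage"}, 1),
    ({"permission::android.permission.INTERNET", "permission::android.permission.READ_SMS",
      "api_call::java/lang/Runtime;->exec", "api_call::dalvik/system/DexClassLoader",
      "intent::android.intent.action.MAIN"}, 1),
]
TEST: List[Sample] = [
    # BLUETOOTH never occurs in TRAIN, so the embedding must drop it.
    ({"permission::android.permission.INTERNET", "intent::android.intent.action.MAIN",
      "api_call::java/net/HttpURLConnection", "permission::android.permission.VIBRATE",
      "permission::android.permission.BLUETOOTH"}, 0),
    ({"permission::android.permission.ACCESS_NETWORK_STATE", "hardware::android.hardware.camera",
      "intent::android.intent.action.MAIN", "api_call::android/content/SharedPreferences"}, 0),
    # A legitimate messaging app shares the SMS features with the malware above.
    ({"permission::android.permission.SEND_SMS", "permission::android.permission.READ_SMS",
      "permission::android.permission.INTERNET", "intent::android.intent.action.MAIN",
      "api_call::android/telephony/SmsManager;->sendTextMessage"}, 0),
    ({"permission::android.permission.SEND_SMS", "intent::android.intent.action.BOOT_COMPLETED",
      "api_call::android/telephony/SmsManager;->sendTextMessage", "url::198.51.100.7"}, 1),
    ({"permission::android.permission.READ_SMS", "permission::android.permission.INTERNET",
      "api_call::java/lang/Runtime;->exec", "api_call::dalvik/system/DexClassLoader"}, 1),
]

def build_vocabulary(samples: Sequence[Sample]) -> Dict[str, int]:
    """Assign a vector index to every feature string seen in training."""
    return {f: i for i, f in enumerate(sorted({f for feats, _ in samples for f in feats}))}

def embed(feats: Set[str], vocab: Dict[str, int]) -> Set[int]:
    """Sparse binary embedding: indices of the features present.  Strings
    absent from the training vocabulary have no index and are ignored."""
    return {vocab[f] for f in feats if f in vocab}

def predict(w: List[int], b: int, x: Set[int]) -> int:
    """Linear decision: 1 (malicious) when the weighted sum plus bias is positive."""
    return 1 if sum(w[i] for i in x) + b > 0 else 0

def train_perceptron(samples: Sequence[Sample], vocab: Dict[str, int],
                     max_epochs: int = 50) -> Tuple[List[int], int]:
    """Online perceptron; on separable data it stops after a mistake-free epoch.
    Integer weights keep the run exactly reproducible."""
    w, b = [0] * len(vocab), 0
    for _ in range(max_epochs):
        mistakes = 0
        for feats, y in samples:
            x = embed(feats, vocab)
            step = y - predict(w, b, x)  # +1: missed malware, -1: flagged benign
            if step:
                mistakes += 1
                for i in x:
                    w[i] += step
                b += step
        if not mistakes:
            break
    return w, b

def evaluate(w: List[int], b: int, vocab: Dict[str, int],
             samples: Sequence[Sample]) -> Tuple[float, float]:
    """Return (true positive rate, false positive rate) over `samples`."""
    tp = fp = 0
    for feats, y in samples:
        if predict(w, b, embed(feats, vocab)) == 1:
            tp, fp = tp + y, fp + (1 - y)
    positives = sum(y for _, y in samples)
    return tp / positives, fp / (len(samples) - positives)

def indicators(w: List[int], vocab: Dict[str, int]) -> List[str]:
    """Features the trained model weights as evidence of maliciousness."""
    return sorted(f for f, i in vocab.items() if w[i] > 0)

def run() -> Tuple[float, float, List[str]]:
    """Train on TRAIN, score TEST; returns (TPR, FPR, malicious indicators)."""
    vocab = build_vocabulary(TRAIN)
    w, b = train_perceptron(TRAIN, vocab)
    tpr, fpr = evaluate(w, b, vocab, TEST)
    return tpr, fpr, indicators(w, vocab)

if __name__ == "__main__":
    tpr, fpr, ind = run()
    print(f"TPR={tpr:.2f} FPR={fpr:.2f}\nindicators: {ind}")
```

On this data the model catches both held-out malware samples (TPR 1.0) but also flags the legitimate SMS app (FPR 1/3), because SEND_SMS, READ_SMS and SmsManager.sendTextMessage are exactly the features it learned as malicious indicators; the unseen BLUETOOTH permission is silently dropped by the embedding. That is the trade-off the abstract's "high true positive and low false positive rates" refers to: the features that make Android an easy test bed are also shared by benign apps, so the classifier, not the feature extraction, has to draw the line.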

We would like to inspire the audience to play around with machine learning techniques on their own data sets. The results can be quite astonishing (or utterly frustrating). Specifically, we would like to point the audience to what could be achieved by applying our techniques in the context of MISP.

Yes, machine learning is a buzzword. But sometimes it actually does produce nice results.

[1] D. Arp, M. Spreitzenbarth, M. Hübner, H. Gascon, K. Rieck: "DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket", NDSS 2014.