Computer Science and Engineering, Department of



Lichao Sun, Qiben Yan, and Witawas Srisa-an, "Significant Permission Identification for Android Malware Detection," Master Thesis at UNL, 2016


A THESIS Presented to the Faculty of The Graduate College at the University of Nebraska In Partial Fulfillment of Requirements For the Degree of Master of Science, Major: Computer Science, Under the Supervision of Professors Witawas Srisa-an and Qiben Yan. Lincoln, Nebraska: August, 2016

Copyright (c) 2016 Lichao Sun


A recent report indicates that a newly developed malicious app for Android is introduced every 11 seconds. To combat this alarming rate of malware creation, we need a scalable malware detection approach that is effective and efficient. In this thesis, we introduce SigPID, a malware detection system based on permission analysis to cope with the rapid increase in the number of Android malware. Instead of analyzing all 135 Android permissions, our approach applies 3-level pruning by mining the permission data to identify only significant permissions that can be effective in distinguishing benign and malicious apps. Based on the identified significant permissions, SigPID utilizes classification algorithms to classify different families of malware and benign apps. Our evaluation finds that only 25% of permissions (34 out of 135 permissions) are significant. We then compare the performance of our approach, using only 25% of all permissions, against a baseline approach that analyzes all permissions. The results indicate that when Support Vector Machine (SVM) is used as the classifier, we can achieve over 90% precision, recall, accuracy, and F-measure, which are about the same as those produced by the baseline approach. We also show that SigPID is effective when used with 67 other commonly used supervised learning approaches. We find that 55 out of 67 algorithms can achieve an F-measure of at least 85%, while the average running time can be reduced by 85.6% compared with the baseline approach. When we compare the detection effectiveness of SigPID to those of other approaches, SigPID can detect 96.54% of malware in the data set while other approaches detect 3.99% to 96.41%.

Advisers: Witawas Srisa-an, Qiben Yan