Xu, Lifan. (University of Delaware), “Android malware classification using parallelized machine learning methods”

Xu, Lifan. (University of Delaware), “Android malware classification using parallelized machine learning methods” (2016) Advisor: Cavazos, John

Android is the most popular mobile operating system with a market share of over 80%. Due to its popularity and also its open source nature, Android is now the platform most targeted by malware, creating an urgent need for effective defense mechanisms to protect Android-enabled devices.

In this dissertation, the authors present a novel characterization and machine learning method for Android malware classification. The authors first present a method of dynamically analyzing and classifying Android applications as either malicious or benign based on their execution behaviors. The authors invent novel graph-based methods of characterizing an application's execution behavior that are inspired by traditional vector-based characterization methods. The authors show evidence that their graph-based techniques are superior to vector-based techniques for the problem of classifying malicious and benign applications.

The authors also augment their dynamic analysis characterization method with a static analysis method, which the authors call HADM, Hybrid Analysis for Detection of Malware. The authors first extract static and dynamic information and convert this information into vector-based representations. It has been shown that combining advanced features derived by deep learning with the original features provides significant gains. Therefore, the authors feed each of the original dynamic and static feature vector sets to a Deep Neural Network (DNN), which outputs a new set of features. These features are then concatenated with the original features to construct DNN vector sets. Different kernels are then applied to the DNN vector sets. The authors also convert the dynamic information into graph-based representations and apply graph kernels to the graph sets. Learning results from the various vector and graph feature sets are combined using hierarchical Multiple Kernel Learning (MKL) to build a final hybrid classifier.
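The idea of combining a vector kernel with a graph kernel can be sketched as follows; this is an added illustration, not code from the dissertation. It assumes constructed toy data, an RBF kernel on static vectors, an edge-overlap graph kernel on system-call graphs, and kernel-target alignment weights standing in for hierarchical MKL; the DNN feature step is omitted.

```python
import math

# Constructed toy data: (static feature vector, dynamic call-graph edges, label).
# Label +1 = malicious, -1 = benign; feature meanings are hypothetical.
TRAIN = [
    ([3.0, 1.0], {("open", "read"), ("read", "sendto"), ("sendto", "close")}, 1),
    ([4.0, 1.0], {("open", "read"), ("read", "sendto"), ("fork", "execve")}, 1),
    ([1.0, 0.0], {("open", "read"), ("read", "close")}, -1),
    ([0.0, 1.0], {("open", "write"), ("write", "close")}, -1),
]

def rbf_kernel(a, b, gamma=0.5):
    """Vector kernel applied to the static feature vectors."""
    return math.exp(-gamma * sum((x - y) ** 2 for x, y in zip(a, b)))

def edge_kernel(g, h):
    """Simple graph kernel: number of shared edges, cosine-normalised."""
    if not g or not h:
        return 0.0
    return len(g & h) / math.sqrt(len(g) * len(h))

def gram(kernel, items):
    return [[kernel(a, b) for b in items] for a in items]

def alignment(K, y):
    """Kernel-target alignment <K, yy^T>_F / (||K||_F * ||yy^T||_F), y in {-1,+1}."""
    n = len(y)
    num = sum(K[i][j] * y[i] * y[j] for i in range(n) for j in range(n))
    norm = math.sqrt(sum(v * v for row in K for v in row))
    return num / (norm * n)

def mkl_weights(train):
    """Weight each kernel by how well its Gram matrix agrees with the labels."""
    vecs, graphs, y = zip(*train)
    a = [max(alignment(gram(rbf_kernel, vecs), y), 0.0),
         max(alignment(gram(edge_kernel, graphs), y), 0.0)]
    total = sum(a)
    return [v / total for v in a] if total else [0.5, 0.5]

def classify(sample, train, weights):
    """Sign of mean combined-kernel similarity to malicious minus benign apps."""
    vec, graph = sample
    sims = {1: [], -1: []}
    for tv, tg, label in train:
        k = weights[0] * rbf_kernel(vec, tv) + weights[1] * edge_kernel(graph, tg)
        sims[label].append(k)
    margin = sum(sims[1]) / len(sims[1]) - sum(sims[-1]) / len(sims[-1])
    return 1 if margin > 0 else -1
```
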

Graph-based characterization methods and their associated machine learning algorithms tend to yield better accuracy for the problem of malware detection. However, the graph-based machine learning techniques the authors use, i.e., graph kernels, are computationally expensive. Therefore, the authors also study the parallelization of graph kernels in this dissertation. The authors first present a fast sequential implementation of the graph kernel. Then, the authors explore two different parallelization schemes on the CPU and four different implementations on the GPU. After analyzing the advantages of each, the authors present a hybrid parallel scheme, which dynamically chooses the best parallel implementation to use based on characteristics of the problem.

In the last chapter of this dissertation, the authors explore parallelizing deep learning on a novel architecture design, which may be prevalent in the future. Parallelization of deep learning methods has been studied on traditional CPU and GPU clusters. However, the emergence of Processing In Memory (PIM) with die-stacking technology presents an opportunity to speed up deep learning computation and reduce energy consumption by providing low-cost high-bandwidth memory accesses. PIM uses 3D die stacking to move computations closer to memory and therefore reduce data movement overheads. In this dissertation, the authors study the parallelization of deep learning methods on a system with multiple PIM devices. The authors select three representative deep learning neural network layers: the convolutional, pooling, and fully connected layers, and parallelize them using different schemes targeted to PIM devices.

