{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,31]],"date-time":"2026-03-31T09:44:37Z","timestamp":1774950277415,"version":"3.50.1"},"reference-count":65,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2020,3,4]],"date-time":"2020-03-04T00:00:00Z","timestamp":1583280000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CCF-1936522"],"award-info":[{"award-number":["CCF-1936522"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Softw. Eng. Methodol."],"published-print":{"date-parts":[[2020,4,30]]},"abstract":"\n Machine learning\u2013based classification dominates current malware detection approaches for Android. However, due to the evolution of both the Android platform and its user apps, existing such techniques are widely limited by their reliance on new malware samples, which may not be timely available, and constant retraining, which is often very costly. As a result, new and emerging malware slips through, as seen from the continued surging of malware in the wild. Thus, a more practical detector needs not only to be accurate on particular datasets but, more critically, to be able to\n sustain<\/jats:italic>\n its capabilities over time without frequent retraining. In this article, we propose and study the sustainability problem for learning-based app classifiers. We define sustainability metrics and compare them among five state-of-the-art malware detectors for Android. We further developed\n DroidSpan<\/jats:italic>\n , a novel classification system based on a new behavioral profile for Android apps that captures sensitive access distribution from lightweight profiling. We evaluated the sustainability of\n DroidSpan<\/jats:italic>\n versus the five detectors as baselines on longitudinal datasets across the past eight years, which include 13,627 benign apps and 12,755 malware. Through our extensive experiments, we showed that\n DroidSpan<\/jats:italic>\n significantly outperformed all the baselines in substainability at reasonable costs, by 6%\u201332% for same-period detection and 21%\u201337% for over-time detection. The main\n takeaway<\/jats:italic>\n , which also explains the superiority of\n DroidSpan<\/jats:italic>\n , is that the use of features consistently differentiating malware from benign apps over time is essential for sustainable learning-based malware detection, and that these features can be learned from studies on app evolution.\n <\/jats:p>","DOI":"10.1145\/3371924","type":"journal-article","created":{"date-parts":[[2020,3,4]],"date-time":"2020-03-04T12:33:55Z","timestamp":1583325235000},"page":"1-28","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":114,"title":["Assessing and Improving Malware Detection Sustainability through App Evolution Studies"],"prefix":"10.1145","volume":"29","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-5224-9970","authenticated-orcid":false,"given":"Haipeng","family":"Cai","sequence":"first","affiliation":[{"name":"School of Electrical Engineering and Computer Science, Washington State University, Pullman, WA"}]}],"member":"320","published-online":{"date-parts":[[2020,3,4]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"Carly Page. 2015. Android malware accounts for 97% of all malicious mobile apps. Retrieved from: https:\/\/www.theinquirer.net\/inquirer\/news\/2414949\/android-accounts-for-97-percent-of-all-mobile-malware. Carly Page. 2015. Android malware accounts for 97% of all malicious mobile apps. Retrieved from: https:\/\/www.theinquirer.net\/inquirer\/news\/2414949\/android-accounts-for-97-percent-of-all-mobile-malware."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-04283-1_6"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-014-0226-7"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1145\/2901739.2903508"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2018.03.021"},{"key":"e_1_2_1_6_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26362-5_18"},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23247"},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/2666356.2594299"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2015.61"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/2046614.2046619"},{"key":"e_1_2_1_11_1","volume-title":"A preliminary study on the sustainability of Android malware detection. arXiv preprint arXiv:1807.08221","author":"Cai Haipeng","year":"2018"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/3183440.3195004"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1145\/3196398.3196433"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2018.2879302"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2017.36"},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2017.35"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2017.31"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897845.2897860"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1109\/ASE.2015.89"},{"key":"e_1_2_1_21_1","volume-title":"Ordinal Methods for Behavioral Data Analysis","author":"Cliff Norman"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1109\/SPW.2016.25"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1109\/TMC.2018.2889495"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.5555\/2028067.2028088"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMST.2014.2386139"},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/2635868.2635869"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-Companion.2019.00110"},{"key":"e_1_2_1_28_1","first-page":"1","article-title":"Behavior-based features model for malware detection","volume":"12","author":"Galal Hisham Shehata","year":"2015","journal-title":"J. Comput. Virol. Hack. Tech."},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3162625"},{"key":"e_1_2_1_30_1","unstructured":"Google. 2017. Android Monkey. Retrieved from http:\/\/developer.android.com\/tools\/help\/monkey.html. Google. 2017. Android Monkey. Retrieved from http:\/\/developer.android.com\/tools\/help\/monkey.html."},{"key":"e_1_2_1_31_1","doi-asserted-by":"publisher","DOI":"10.1145\/2568225.2568276"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/2307636.2307663"},{"key":"e_1_2_1_33_1","doi-asserted-by":"publisher","DOI":"10.1145\/3180155.3180228"},{"key":"e_1_2_1_34_1","unstructured":"VirusShare. 2016. VirusShare. Retrieved from https:\/\/www.virusshare.com\/. VirusShare. 2016. VirusShare. Retrieved from https:\/\/www.virusshare.com\/."},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2017.74"},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1145\/3197231.3197233"},{"key":"e_1_2_1_37_1","volume-title":"Proceedings of the 26th USENIX Security Symposium (USENIX Security\u201917)","author":"Jordaney Roberto","year":"2017"},{"key":"e_1_2_1_38_1","volume-title":"Proceedings of the USENIX Security Symposium. 351--366","author":"Kolbitsch Clemens","year":"2009"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC.2015.103"},{"key":"e_1_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.65"},{"key":"e_1_2_1_41_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2015.02.007"},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2017.23353"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1109\/TETCI.2017.2699220"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3194733.3194742"},{"key":"e_1_2_1_45_1","volume-title":"Mach. Learn. Res. 12","author":"Pedregosa Fabian","year":"2011"},{"key":"e_1_2_1_46_1","volume-title":"Proceedings of the USENIX Security Symposium.","author":"Pendlebury Feargus","year":"2019"},{"key":"e_1_2_1_47_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23039"},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2017.35"},{"key":"e_1_2_1_49_1","unstructured":"International Data Corporation (IDC) Research. 2016. Android dominating mobile market. Retrieved from http:\/\/www.idc.com\/promo\/smartphone-market-share\/. International Data Corporation (IDC) Research. 2016. Android dominating mobile market. Retrieved from http:\/\/www.idc.com\/promo\/smartphone-market-share\/."},{"key":"e_1_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2002.806121"},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2016.2536605"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1007\/s10844-010-0148-x"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/TMC.2018.2861405"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1145\/3029806.3029825"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1145\/3017427"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2015.23145"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1145\/2733306"},{"key":"e_1_2_1_58_1","doi-asserted-by":"publisher","DOI":"10.1145\/2897073.2897707"},{"key":"e_1_2_1_59_1","first-page":"25","article-title":"Justification of the three-sigma rule for unimodal distributions","volume":"21","author":"Vysochanskij D. F.","year":"1980","journal-title":"Theor. Prob. Math. Stat."},{"key":"e_1_2_1_60_1","volume-title":"Ye","author":"Walpole Ronald E.","year":"2011"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/2348543.2348563"},{"key":"e_1_2_1_62_1","doi-asserted-by":"publisher","DOI":"10.1109\/AsiaJCIS.2012.18"},{"key":"e_1_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2016.2523912"},{"key":"e_1_2_1_64_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-11203-9_10"},{"key":"e_1_2_1_65_1","doi-asserted-by":"publisher","DOI":"10.1145\/2660267.2660359"},{"key":"e_1_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2012.16"}],"container-title":["ACM Transactions on Software Engineering and Methodology"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3371924","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3371924","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3371924","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:44:19Z","timestamp":1750203859000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3371924"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,3,4]]},"references-count":65,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2020,4,30]]}},"alternative-id":["10.1145\/3371924"],"URL":"https:\/\/doi.org\/10.1145\/3371924","relation":{},"ISSN":["1049-331X","1557-7392"],"issn-type":[{"value":"1049-331X","type":"print"},{"value":"1557-7392","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,3,4]]},"assertion":[{"value":"2019-06-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-11-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2020-03-04","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}