Detecting Mobile Malware with Apache Spark with David Pryce

1 like•377 views

The document summarizes David Pryce's presentation on detecting mobile malware with Apache Spark. It discusses how mobile malware is a growing problem, the features extracted from mobile apps to train a machine learning model, and how Apache Spark was used to build a scalable production-ready model that classifies apps in real-time. It also briefly discusses Wandera's data science team and their focus on solving real-world mobile security problems.

Data & Analytics

David Pryce PhD, Wandera
Detecting Mobile Malware
with Apache Spark
#SAISDev9

#SAISDev9
Summary
• The problem: Mobile-first malware detection
• The data and features
• The Machine Learning (ML) model
• Why Apache Spark?
• Making it production ready
• Data Science @ Wandera
!2

#SAISDev9
The power of enterprise mobility
!3
Devices are prone to
security threats
Concerns around
appropriate usage
Data usage costs are
opaque and spiraling
Potentially exposing
sensitive data
Seamless internal
communication
Added flexibility to
working hours
Access to more apps and
productivity tools
E-mail and other services
available anywhere

#SAISDev9
Happy hunting ground for attackers
!4
“Mobile threats can no longer be ignored”
- AUGUST 2017 - GARTNER MARKET GUIDE TO MOBILE THREAT DEFENSE
100%
Mobile malware
growth in 2016
435%
High severity threats
(CVSS) growth in 2016
80%
of organizations
experienced mobile
phishing attack
38%
of hackers bypass
endpoint defense using
social engineering

#SAISDev9
Secure Mobile Gateway
!5
ON-DEVICE
DETECTION
IN-NETWORK
PROTECTION

#SAISDev9
The Rise of Mobile Malware
!6
Credit: GData 2017

Our objectives: Identify and Classify
!7
SMS
MALWARE TYPES
Ransomware Spyware Banker Trojan
Rooting Adware

#SAISDev9
Why is this a novel problem?
• Mobile malware is on the rise
• Signature based detection is no longer scalable or effective
• We needed a solution that could
• work across both known and unknown threats;
• effectively protect our customers; and
• enable threat research to quickly identify new outbreaks
• First solution = signatures and lists
• Our solution = machine learning!
!8

#SAISDev9
The data …
!9
Good and bad apps
• Source 1: official app stores
• Source 2: seen in our devices
• Source 3: seen by our gateway
3rd-party threat intelligence
External input verified for labels
(supervised learning)
Currently storing: ~2 million labelled apps
+

#SAISDev9
… the features …
!10
Baidu 2016

#SAISDev9
… how we extract them
!11
Direct metadata extraction
• Total unique fields for all apps ~ 500,000
• A typical app ~ 10+ fields
• SPARSE VECTOR
Solution:
• Hashing function (vector to indices)
• Allows for fast retrieval
• With big enough map (2^20) to avoid clashes
• DENSE VECTOR

#SAISDev9
… and how the Machine Learns
!12
• Selected model = Logistic Regression
◦ Models tried = (LogReg, SVM, Decision Tree)
• K-fold cross validation to select best parameters
• Accuracy: 0.96

#SAISDev9
Why Apache Spark?
!13
Model
persistence
PMML paradigm already
integrated
Truly big
data
Millions of data points,
millions of fields
Ease of use
Fast, easy and iterative.
From EDA to app in
days. Scala and python
API.
Deployment
and Scale
From local to cluster is
easy!

#SAISDev9 !14
Wandera 2018
Production Ready?

#SAISDev9
P.M.M.L
• Predictive Model Markup Language
• Industry standard
• Pro: Language agnostic, REST API, good algo
coverage
• Con: large file size
!15

#SAISDev9
Production Ready?
!16
• Saving to PMML (ML vs MLlib / DF vs RDD)
• DataFrame API - doesn’t have PMML functionality (yet)
• Hacked PMML to get probabilities for predictions
• Size of model ~ 20Mb (compressed)
• Overall time to train: less than 2 hours on a big enough cluster
F

#SAISDev9
Live Scoring
!17
Extracts features &
scores app
User installs new app
1
2
If score > 0.9
INVESTIGATE / NOTIFY
3

#SAISDev9
Data Science @ Wandera
!18
• Cross-disciplinary team of scientists, analysts & developers
• Focus on solving real-world problems in a real-time, distributed network
• Global team with presence in USA, London, UK and Czech Republic
= Innovative Research + Scalable Architecture + Efficient Feature Delivery

#SAISDev9
Appendix 1: model testing results
!20
Wandera 2018

More Related Content

Similar to Detecting Mobile Malware with Apache Spark with David Pryce (20)

PDF

Detecting Mobile Malware with Apache Spark with David PryceDatabricks

PDF

Accelerate Big Data Application Development with CascadingCascading

PDF

Scaling up with Cisco Big Data: Data + Science = Data ScienceeRic Choo

PPTX

Evolving Beyond the Data Lake: A Story of Wind and RainMapR Technologies

PDF

Spark and MapR Streams: A Motivating ExampleIan Downard

PDF

Smack Stack and Beyond—Building Fast Data Pipelines with Jorg SchadSpark Summit

PPTX

20160000 Cloud Discovery Event - Cloud Access Security BrokersRobin Vermeirsch

PPTX

MapR Product Update - Spring 2017MapR Technologies

PPTX

MapR and Machine Learning PrimerMathieu Dumoulin

PDF

RightScale Roadtrip - Accelerate To CloudRightScale

PPTX

Cassandra Summit 2014: Apache Cassandra at Telefonica CBSDataStax Academy

PDF

Inawisdom Overview - construction.pdfPhilipBasford

PDF

Introduction to the source{d} Stack source{d}

PPTX

Get Started with Cloudera’s Cyber SolutionCloudera, Inc.

PDF

Accelerate to CloudRightScale

PDF

Big Data LDN 2017: How to leverage the cloud for Business SolutionsMatt Stubbs

PDF

Applying Machine learning to IOT: End to End Distributed Distributed Pipeline...Carol McDonald

PPTX

July NY Enterprise Technology MeetupShay Hassidim

PPTX

Get started with Cloudera's cyber solutionCloudera, Inc.

PDF

Fast Cars, Big Data How Streaming can help Formula 1Carol McDonald

Detecting Mobile Malware with Apache Spark with David PryceDatabricks

Accelerate Big Data Application Development with CascadingCascading

Scaling up with Cisco Big Data: Data + Science = Data ScienceeRic Choo

Evolving Beyond the Data Lake: A Story of Wind and RainMapR Technologies

Spark and MapR Streams: A Motivating ExampleIan Downard

Smack Stack and Beyond—Building Fast Data Pipelines with Jorg SchadSpark Summit

20160000 Cloud Discovery Event - Cloud Access Security BrokersRobin Vermeirsch

MapR Product Update - Spring 2017MapR Technologies

MapR and Machine Learning PrimerMathieu Dumoulin

RightScale Roadtrip - Accelerate To CloudRightScale

Cassandra Summit 2014: Apache Cassandra at Telefonica CBSDataStax Academy

Inawisdom Overview - construction.pdfPhilipBasford

Introduction to the source{d} Stack source{d}

Get Started with Cloudera’s Cyber SolutionCloudera, Inc.

Accelerate to CloudRightScale

Big Data LDN 2017: How to leverage the cloud for Business SolutionsMatt Stubbs

Applying Machine learning to IOT: End to End Distributed Distributed Pipeline...Carol McDonald

July NY Enterprise Technology MeetupShay Hassidim

Get started with Cloudera's cyber solutionCloudera, Inc.

Fast Cars, Big Data How Streaming can help Formula 1Carol McDonald

More from Databricks (20)

PPTX

DW Migration Webinar-March 2022.pptxDatabricks

PPTX

Data Lakehouse Symposium | Day 1 | Part 1Databricks

PPT

Data Lakehouse Symposium | Day 1 | Part 2Databricks

PPTX

Data Lakehouse Symposium | Day 2Databricks

PPTX

Data Lakehouse Symposium | Day 4Databricks

PDF

5 Critical Steps to Clean Your Data Swamp When Migrating Off of HadoopDatabricks

PDF

Democratizing Data Quality Through a Centralized PlatformDatabricks

PDF

Learn to Use Databricks for Data ScienceDatabricks

PDF

Why APM Is Not the Same As ML MonitoringDatabricks

PDF

The Function, the Context, and the Data—Enabling ML Ops at Stitch FixDatabricks

PDF

Stage Level Scheduling Improving Big Data and AI IntegrationDatabricks

PDF

Simplify Data Conversion from Spark to TensorFlow and PyTorchDatabricks

PDF

Scaling your Data Pipelines with Apache Spark on KubernetesDatabricks

PDF

Scaling and Unifying SciKit Learn and Apache Spark PipelinesDatabricks

PDF

Sawtooth Windows for Feature AggregationsDatabricks

PDF

Redis + Apache Spark = Swiss Army Knife Meets Kitchen SinkDatabricks

PDF

Re-imagine Data Monitoring with whylogs and SparkDatabricks

PDF

Raven: End-to-end Optimization of ML Prediction QueriesDatabricks

PDF

Processing Large Datasets for ADAS Applications using Apache SparkDatabricks

PDF

Massive Data Processing in Adobe Using Delta LakeDatabricks

DW Migration Webinar-March 2022.pptxDatabricks

Data Lakehouse Symposium | Day 1 | Part 1Databricks

Data Lakehouse Symposium | Day 1 | Part 2Databricks

Data Lakehouse Symposium | Day 2Databricks

Data Lakehouse Symposium | Day 4Databricks

5 Critical Steps to Clean Your Data Swamp When Migrating Off of HadoopDatabricks

Democratizing Data Quality Through a Centralized PlatformDatabricks

Learn to Use Databricks for Data ScienceDatabricks

Why APM Is Not the Same As ML MonitoringDatabricks

The Function, the Context, and the Data—Enabling ML Ops at Stitch FixDatabricks

Stage Level Scheduling Improving Big Data and AI IntegrationDatabricks

Simplify Data Conversion from Spark to TensorFlow and PyTorchDatabricks

Scaling your Data Pipelines with Apache Spark on KubernetesDatabricks

Scaling and Unifying SciKit Learn and Apache Spark PipelinesDatabricks

Sawtooth Windows for Feature AggregationsDatabricks

Redis + Apache Spark = Swiss Army Knife Meets Kitchen SinkDatabricks

Re-imagine Data Monitoring with whylogs and SparkDatabricks

Raven: End-to-end Optimization of ML Prediction QueriesDatabricks

Processing Large Datasets for ADAS Applications using Apache SparkDatabricks

Massive Data Processing in Adobe Using Delta LakeDatabricks

Recently uploaded (20)

PPTX

White Blue Simple Modern Enhancing Sales Strategy Presentation_20250724_21093...RamNeymarjr

PPT

introdution to python with a very little difficultyHUZAIFABINABDULLAH

PPTX

Solution+Architecture+Review+-+Sample.pptxmanuvratsingh1

PDF

SUMMER INTERNSHIP REPORT[1] (AutoRecovered) (6) (1).pdfpandeydiksha814

PDF

Key_Statistical_Techniques_in_Analytics_by_CA_Suvidha_Chaplot.pdfCA Suvidha Chaplot

PPTX

short term project on AI Driven Data AnalyticsJMJCollegeComputerde

PDF

apidays Munich 2025 - The Double Life of the API Product Manager, Emmanuel Pa...apidays

PPTX

World-population.pptx fire bunberbpeopleumutunsalnsl4402

PDF

Blitz Campinas - Dia 24 de maio - Piettro.pdffabigreek

PPTX

Introduction-to-Python-Programming-Language (1).pptxdhyeysapariya

PDF

McKinsey - Global Energy Perspective 2023_11.pdfniyudha

PPTX

Data-Users-in-Database-Management-Systems (1).pptxdharmik832021

PPTX

Fluvial_Civilizations_Presentation (1).pptxalisslovemendoza7

PPTX

Insurance-Analytics-Branch-Dashboard (1).pptxtrivenisapate02

PDF

Top Civil Engineer Canada Services111111nengineeringfirms

PDF

D9110.pdfdsfvsdfvsdfvsdfvfvfsvfsvffsdfvsdfvsdminhn6673

PPTX

lecture 13 mind test academy it skills.pptxggesjmrasoolpark

PDF

apidays Munich 2025 - Developer Portals, API Catalogs, and Marketplaces, Miri...apidays

PPTX

The whitetiger novel review for collegeassignment.pptxDhruvPatel754154

PDF

apidays Munich 2025 - The Physics of Requirement Sciences Through Application...apidays

White Blue Simple Modern Enhancing Sales Strategy Presentation_20250724_21093...RamNeymarjr

introdution to python with a very little difficultyHUZAIFABINABDULLAH

Solution+Architecture+Review+-+Sample.pptxmanuvratsingh1

SUMMER INTERNSHIP REPORT[1] (AutoRecovered) (6) (1).pdfpandeydiksha814

Key_Statistical_Techniques_in_Analytics_by_CA_Suvidha_Chaplot.pdfCA Suvidha Chaplot

short term project on AI Driven Data AnalyticsJMJCollegeComputerde

apidays Munich 2025 - The Double Life of the API Product Manager, Emmanuel Pa...apidays

World-population.pptx fire bunberbpeopleumutunsalnsl4402

Blitz Campinas - Dia 24 de maio - Piettro.pdffabigreek

Introduction-to-Python-Programming-Language (1).pptxdhyeysapariya

McKinsey - Global Energy Perspective 2023_11.pdfniyudha

Data-Users-in-Database-Management-Systems (1).pptxdharmik832021

Fluvial_Civilizations_Presentation (1).pptxalisslovemendoza7

Insurance-Analytics-Branch-Dashboard (1).pptxtrivenisapate02

Top Civil Engineer Canada Services111111nengineeringfirms

D9110.pdfdsfvsdfvsdfvsdfvfvfsvfsvffsdfvsdfvsdminhn6673

lecture 13 mind test academy it skills.pptxggesjmrasoolpark

apidays Munich 2025 - Developer Portals, API Catalogs, and Marketplaces, Miri...apidays

The whitetiger novel review for collegeassignment.pptxDhruvPatel754154

apidays Munich 2025 - The Physics of Requirement Sciences Through Application...apidays

Detecting Mobile Malware with Apache Spark with David Pryce

1. David Pryce PhD, Wandera Detecting Mobile Malware with Apache Spark #SAISDev9

2. #SAISDev9 Summary • The problem: Mobile-first malware detection • The data and features • The Machine Learning (ML) model • Why Apache Spark? • Making it production ready • Data Science @ Wandera !2

3. #SAISDev9 The power of enterprise mobility !3 Devices are prone to security threats Concerns around appropriate usage Data usage costs are opaque and spiraling Potentially exposing sensitive data Seamless internal communication Added flexibility to working hours Access to more apps and productivity tools E-mail and other services available anywhere

4. #SAISDev9 Happy hunting ground for attackers !4 “Mobile threats can no longer be ignored” - AUGUST 2017 - GARTNER MARKET GUIDE TO MOBILE THREAT DEFENSE 100% Mobile malware growth in 2016 435% High severity threats (CVSS) growth in 2016 80% of organizations experienced mobile phishing attack 38% of hackers bypass endpoint defense using social engineering

5. #SAISDev9 Secure Mobile Gateway !5 ON-DEVICE DETECTION IN-NETWORK PROTECTION

6. #SAISDev9 The Rise of Mobile Malware !6 Credit: GData 2017

7. Our objectives: Identify and Classify !7 SMS MALWARE TYPES Ransomware Spyware Banker Trojan Rooting Adware

8. #SAISDev9 Why is this a novel problem? • Mobile malware is on the rise • Signature based detection is no longer scalable or effective • We needed a solution that could • work across both known and unknown threats; • effectively protect our customers; and • enable threat research to quickly identify new outbreaks • First solution = signatures and lists • Our solution = machine learning! !8

9. #SAISDev9 The data … !9 Good and bad apps • Source 1: official app stores • Source 2: seen in our devices • Source 3: seen by our gateway 3rd-party threat intelligence External input verified for labels (supervised learning) Currently storing: ~2 million labelled apps +

10. #SAISDev9 … the features … !10 Baidu 2016

11. #SAISDev9 … how we extract them !11 Direct metadata extraction • Total unique fields for all apps ~ 500,000 • A typical app ~ 10+ fields • SPARSE VECTOR Solution: • Hashing function (vector to indices) • Allows for fast retrieval • With big enough map (2^20) to avoid clashes • DENSE VECTOR

12. #SAISDev9 … and how the Machine Learns !12 • Selected model = Logistic Regression ◦ Models tried = (LogReg, SVM, Decision Tree) • K-fold cross validation to select best parameters • Accuracy: 0.96  

13. #SAISDev9 Why Apache Spark? !13 Model persistence PMML paradigm already integrated Truly big data Millions of data points, millions of fields Ease of use Fast, easy and iterative. From EDA to app in days. Scala and python API. Deployment and Scale From local to cluster is easy!

14. #SAISDev9 !14 Wandera 2018 Production Ready?

15. #SAISDev9 P.M.M.L • Predictive Model Markup Language • Industry standard • Pro: Language agnostic, REST API, good algo coverage • Con: large file size !15

16. #SAISDev9 Production Ready? !16 • Saving to PMML (ML vs MLlib / DF vs RDD) • DataFrame API - doesn’t have PMML functionality (yet) • Hacked PMML to get probabilities for predictions • Size of model ~ 20Mb (compressed) • Overall time to train: less than 2 hours on a big enough cluster F

17. #SAISDev9 Live Scoring !17 Extracts features & scores app User installs new app 1 2 If score > 0.9 INVESTIGATE / NOTIFY 3

18. #SAISDev9 Data Science @ Wandera !18 • Cross-disciplinary team of scientists, analysts & developers • Focus on solving real-world problems in a real-time, distributed network • Global team with presence in USA, London, UK and Czech Republic = Innovative Research + Scalable Architecture + Efficient Feature Delivery

19. #SAISDev9 Thanks for listening !19

20. #SAISDev9 Appendix 1: model testing results !20 Wandera 2018