On the Effect of k Values and Distance Metrics in KNN Algorithm for Android Malware Detection

Abstract

There is a remarkable increase in mobile device usage in recent years. The Android operating system is by far the most preferred open-source mobile operating system around the world. Besides, the Android operating system is preferred in many devices on the Internet of Things (IoT) devices are used in many areas of daily life. Smart cities, smart environment, health, home automation, agriculture, and livestock are some of the usage areas. Health is one of the most frequently used areas. Since the Android operating system is both the widely used operating system and open-source, the vast majority of malware released on the market is now designed for Android platforms. Therefore, devices using the Android operating system are under serious threat. In this study, a system that detects malware on Android operating systems based on machine learning is proposed. Besides, feature vectors are created with permissions that have an important place in the security of the Android operating system. Feature vectors created using the k-nearest neighbor algorithm (KNN), one of the machine learning techniques, are given as input to this algorithm, and a classification of malicious software and benign software is provided. In the KNN algorithm, the k value and the distance metric used to find the closest sample directly affect the classification performance. In addition, the study examining the parameters of the KNN algorithm in detail in permission-based studies is limited. For this reason, the performance of the malware detection system is presented comparatively using five different k values and five different distance metrics under different data sets. When the results are examined, it is observed that higher classification performances are obtained when values such as 1, 3 are given to k and metrics such as Euclidean and Minkowski are chosen instead of the Chebyshev distance metric.