Skip to content
TriFlow: Triaging Android Applications using Speculative Information Flows
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
Flowcharts Flowcharts of training and scoring in TriFlow Mar 25, 2017
.gitignore Extracts total information flows from applications (latest version) Nov 21, 2018

TriFlow: Triaging Android Applications using Speculative Information Flows


Version (by release date): 2018-11-21


Name: Omid Mirzaei
Laboratory: Computer Security Lab (COSEC)
University: Universidad Carlos III de Madrid


TriFlow: Triaging Android Applications using Speculative Information Flows
O. Mirzaei, G. Suarez-Tangil, J. E. Tapiador, J. M. de Fuentes
ACM Asia Conference on Computer and Communications Security (ASIACCS), Abu Dhabi, UAE (April 2017)


• Best Previously Published Paper Award from 4th Spanish National Cybersecurity Research Conference
Donostia-San Sebastian, Spain (June 2018)

• 3rd Place Award from CSAW-Europe Best Applied Security Research Competition
As the third top applied security research work in Europe
Grenoble INP-ESISAR, Valence, France (November 2017)


Before using TriFlow, you only need to install python 2.7.11 on your system successfully. Moreover, you might need to install some python modules which are not commonly included in the regular installation of python and have been used in our scripts.


TriFlow comes with two main modules which are Train_TriFlow and Score_TriFlow. The former one is used to train the system and to produce probabilities and weights of information flows from the dataset (dataset is an arbitrary directory which consists of 4 main sub-folders, i.e. Benign_Apks, Malware_Apks, Benign_Flows, and Malware_Flows), while the latter is used to score new unseen applications. For more information, we would like to refer you to our publication in AsiaCCS’17, and, also, the flowcharts on this repository.

To train TriFlow, you need to transfer the required files to four sub-folders explained above, and, then, running the below command in terminal:

python –i ‘/Directory/of/Your/Dataset’ -o ‘/Your/Desired/Output/Directory’

Once the above command is terminated, you will have two tables namely “Prob_InfoFlows_Sorted.csv” and “Weights_InfoFlows_Sorted.csv” in your desired output directory. Moreover, you will have two additional tables, “Freq_InfoFlows_Malware.csv” and “Freq_InfoFlows_Benign.csv”, which contain the frequencies of information flows in malwares and benign applications.

To score new applications based on the trained model, you need to copy all your applications in an arbitrary directory, and, then, running the below command in terminal:

python -a ‘/Directory/of/Your/Applications’ -t ‘/Directory/of/ProbabilityAndWeight/Tables’ -o ‘/Your/Desired/Output/Directory'

Once the above command is terminated, you will have two files in your desired output directory. The first one is “Sorted_Scores.csv” and contains all the scores for new applications, while the second one is “Scores_Percent.txt” that provides you with a detailed explanation of scores and the contribution of flows in each score.

To normalize scores to your arbitrary ranges, you need to do the following three simple steps:
• Set the new_min and new_max variables in “” script with your required minimum and maximum ranges.
• Comment the line 92 in “” script.
• Un-comment the line 93 in “” script.


• Source and sink API methods are extracted from .dex file directly by parsing its header.
• Multidex Android applications are taken into account.
• Users/Analysts can normalize scores to their arbitrary ranges.
• The efficiencies of scripts have been improved.

Follow this link for more detailed information regarding Dalvik Executable format:


All rights reserved for the above authors and research center. Please, look at the "License.txt" file for more detailed information regarding the usage and distribution of these source codes.


This work was supported by the MINECO grant TIN2013-46469-R (SPINY: Security and Privacy in the Internet of You); by the CAM grant S2013/ICE-3095 (CIBERDINE: Cybersecurity, Data, and Risks), and by the MINECO grant TIN2016-79095-C2-2-R (SMOG-DEV - Security Mechanisms for Fog Computing: Advanced Security for Devices)

You can’t perform that action at this time.