Spotting the Malicious Moment: Characterizing Malware Behavior Using Dynamic Features

While mobile devices become more pervasive every day, attackers' interest in them has also been increasing, making effective malware detection tools of utmost importance for malware investigation and user protection. The most informative malware identification techniques are those able to identify where the malicious behavior is located in an application: in this way, malware can be better understood and effective tools for its detection can be written. However, due to the complexity of such a task, most current approaches just classify applications as malicious or benign, without giving any further insight. In this work, we propose a technique for the automatic analysis of mobile applications which allows its users to automatically identify the sub-sequences of execution traces where malicious activity happens, making further manual analysis and understanding of malware easier. Our technique is based on dynamic features concerning resource usage and system calls, which are jointly collected while the application is executed. An execution trace is then split into shorter chunks that are analyzed with machine learning techniques to detect local malicious behaviors. Results obtained on the analysis of 3,232 Android applications show that the collected features contain enough information to identify suspicious execution traces that should be further analysed and investigated.
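As an added illustration of the chunked-trace idea described above (not the paper's own code or feature set): a constructed trace of (timestamp, syscall, CPU %, memory KB) events is split into fixed-size chunks, each chunk becomes a feature vector of relative syscall frequencies plus mean resource usage, and a simple nearest-centroid model trained on constructed labelled chunks reports which chunk indices look malicious. The syscall subset, the chunk size and the labelled data are all assumptions made for this example.

```python
from collections import Counter

# Syscalls whose relative frequencies form the histogram part of a chunk's feature
# vector (an illustrative subset chosen for this example, not the paper's feature set).
SYSCALLS = ["read", "write", "open", "sendto", "recvfrom", "ioctl", "mmap"]

def chunk_trace(events, size):
    """Split an event list [(ts, syscall, cpu_pct, mem_kb), ...] into consecutive chunks."""
    return [events[i:i + size] for i in range(0, len(events), size)]

def chunk_features(chunk):
    """Relative syscall frequencies, then mean CPU and mean memory, scaled to roughly [0, 1]."""
    n = len(chunk)
    counts = Counter(e[1] for e in chunk)
    hist = [counts[s] / n for s in SYSCALLS]
    cpu = sum(e[2] for e in chunk) / n / 100.0
    mem = sum(e[3] for e in chunk) / n / 1e5
    return hist + [cpu, mem]

def centroid(vectors):
    return [sum(col) / len(vectors) for col in zip(*vectors)]

def dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5

def train_centroids(labelled_chunks):
    """Nearest-centroid model: one mean feature vector per label ('benign' / 'malicious')."""
    by_label = {}
    for chunk, label in labelled_chunks:
        by_label.setdefault(label, []).append(chunk_features(chunk))
    return {lbl: centroid(v) for lbl, v in by_label.items()}

def flag_chunks(events, size, centroids):
    """Indices of chunks whose feature vector lies closest to the 'malicious' centroid."""
    flagged = []
    for i, chunk in enumerate(chunk_trace(events, size)):
        f = chunk_features(chunk)
        if min(centroids, key=lambda l: dist(f, centroids[l])) == "malicious":
            flagged.append(i)
    return flagged

def synth(names, cpu, mem, n=20):
    """Construct n events cycling through `names` with fixed CPU/memory (constructed data only)."""
    return [(float(t), names[t % len(names)], cpu, mem) for t in range(n)]

# Constructed training chunks: quiet local I/O versus a network-heavy, high-CPU pattern.
BENIGN = synth(["read", "write", "ioctl", "mmap"], 5.0, 40000.0)
MALICIOUS = synth(["open", "read", "sendto", "sendto", "recvfrom"], 60.0, 90000.0)
CENTROIDS = train_centroids([(BENIGN, "benign"), (MALICIOUS, "malicious")])
# Constructed trace: 40 benign events, a 20-event suspicious burst, then 40 benign events.
TRACE = BENIGN * 2 + MALICIOUS + BENIGN * 2
```

Calling `flag_chunks(TRACE, 20, CENTROIDS)` localises the suspicious activity to the third chunk only, which is the kind of per-chunk verdict that narrows down what an analyst must inspect by hand.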
