A fuzzy-based process mining approach for dynamic malware detection

Mobile systems have become essential for communication and productivity, but they are also becoming the target of continuous malware attacks. New malware is often obtained as a variant of existing malicious code. This work describes an approach for dynamic malware detection based on the combination of Process Mining (PM) and Fuzzy Logic (FL) techniques. The former is used to characterize the behavior of an application by identifying recurring execution patterns, expressed as a set of declarative constraints between the system calls. Fuzzy logic is used to classify the analyzed malware applications and to verify their relations with the existing malware variants. The combination of the two techniques makes it possible to obtain a fingerprint of an application that is used to verify its maliciousness/trustworthiness, to establish whether it belongs to a known malware family, and to identify the differences between the detected malware behavior and the other variants of the same malware family. The approach is applied to a dataset of 3000 trusted and malicious applications across twelve malware families and has shown a very good discrimination ability that can be exploited for malware detection and family identification.
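To make the combination concrete, the following added example (not the paper's code, and not its actual constraint templates or fuzzy classifier) mines two Declare-style constraint templates, Response and Precedence, over system-call traces of a hypothetical family, uses the constraints that hold across all traces as the family fingerprint, and scores a new trace with a fuzzy degree of membership plus the list of constraints it violates. All syscall traces are constructed for illustration.

```python
# Added example (not the paper's code): mine Declare-style constraints between system
# calls from a family's traces, use them as a fingerprint, and fuzzily score new traces.
from itertools import permutations

def response(trace, a, b):
    """Response(a, b): every a is eventually followed by a b (vacuous if a is absent)."""
    last_a = max((i for i, ev in enumerate(trace) if ev == a), default=None)
    return last_a is None or b in trace[last_a + 1:]

def precedence(trace, a, b):
    """Precedence(a, b): b occurs only after some a has occurred (vacuous if b is absent)."""
    return b not in trace or (a in trace and trace.index(a) < trace.index(b))

# template -> (checker, position of the activating event in the (a, b) pair)
TEMPLATES = {"response": (response, 0), "precedence": (precedence, 1)}

def discover(traces, min_support=1.0):
    """Constraints non-vacuously satisfied by at least min_support of the traces."""
    alphabet = sorted({ev for t in traces for ev in t})
    fingerprint = set()
    for name, (check, act) in TEMPLATES.items():
        for a, b in permutations(alphabet, 2):
            hits = sum((a, b)[act] in t and check(t, a, b) for t in traces)
            if hits / len(traces) >= min_support:
                fingerprint.add((name, a, b))
    return fingerprint

def violations(trace, fingerprint):
    """Fingerprint constraints the trace breaks: how it differs from the family."""
    return sorted(c for c in fingerprint if not TEMPLATES[c[0]][0](trace, *c[1:]))

def membership(trace, fingerprint):
    """Fuzzy degree in [0, 1]: fraction of fingerprint constraints the trace satisfies."""
    return (len(fingerprint) - len(violations(trace, fingerprint))) / len(fingerprint) if fingerprint else 0.0

# Constructed system-call traces (illustrative, not real captures).
FAMILY = [
    ["open", "read", "write", "rename", "socket", "sendto"],
    ["open", "read", "read", "write", "rename", "socket", "sendto", "close"],
    ["open", "socket", "read", "write", "rename", "sendto"],
]
TRUSTED = ["open", "read", "close"]
VARIANT = ["open", "read", "write", "rename", "close"]  # same file activity, no network

if __name__ == "__main__":
    fp = discover(FAMILY)
    for t in (FAMILY[0], VARIANT, TRUSTED):
        print(round(membership(t, fp), 3), violations(t, fp))
```

Note that constraints whose activating call is absent are vacuously satisfied, which is why the trusted trace still scores well above zero; a real classifier would weight or filter such constraints rather than count them equally.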
