Dynamic malware detection and phylogeny analysis using process mining

In recent years, mobile phones have become essential communication and productivity tools, used daily to access business services and exchange sensitive data. Consequently, they have also become one of the biggest targets of malware attacks. New malware is created every day, most of it generated as variants of existing malware by reusing its malicious code. This paper proposes an approach for malware detection and phylogeny study based on dynamic analysis using process mining. The approach exploits process mining techniques to identify relationships and recurring execution patterns in the system call traces gathered from a mobile application in order to characterize its behavior. The recovered characterization is expressed as a set of declarative constraints between system calls and represents a kind of run-time fingerprint of the application. Comparing the fingerprint so defined for a given application with those of known malware is used to verify: (1) whether the application is malware or trusted, (2) in the case of malware, which family it belongs to, and (3) how it differs from other known variants of the same malware family. An empirical study conducted on a dataset of 1200 trusted and malicious applications across ten malware families has shown that the approach exhibits a very good discrimination ability that can be exploited for malware detection and for studying malware evolution. Moreover, the study has also shown that the approach is robust to the code obfuscation techniques increasingly used by present-day malware.
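The following is an added toy illustration of the pipeline the abstract describes, not the authors' code: Declare-style constraints (existence, response, precedence) are mined from system-call traces, the surviving constraint set is used as the run-time fingerprint, and fingerprints are compared by Jaccard similarity to decide trusted versus family, and to list what a new variant dropped or gained. The traces, call names, family label and the 0.5 threshold are constructed assumptions.

```python
# Added toy example of the approach described above (not the authors' code):
# mine Declare-style constraints from system-call traces, use the constraint
# set as a run-time fingerprint, and compare fingerprints to classify.
from itertools import permutations

def mine_constraints(traces):
    """Constraints (existence, response, precedence) that hold in every trace."""
    common = None
    for trace in traces:
        found = {("existence", call) for call in set(trace)}
        for a, b in permutations(set(trace), 2):
            # response(a, b): every occurrence of a is eventually followed by b
            if all(b in trace[i + 1:] for i, c in enumerate(trace) if c == a):
                found.add(("response", a, b))
            # precedence(a, b): every occurrence of b is preceded by an a
            if all(a in trace[:i] for i, c in enumerate(trace) if c == b):
                found.add(("precedence", a, b))
        common = found if common is None else common & found
    return common or set()

def similarity(fp1, fp2):
    """Jaccard similarity of two fingerprints (constraint sets)."""
    return len(fp1 & fp2) / len(fp1 | fp2) if fp1 or fp2 else 1.0

def classify(fingerprint, family_fps, threshold=0.5):
    """Closest known family, or 'trusted' when no family is similar enough."""
    best_family, best_score = "trusted", 0.0
    for family, fp in family_fps.items():
        score = similarity(fingerprint, fp)
        if score > best_score:
            best_family, best_score = family, score
    return (best_family if best_score >= threshold else "trusted"), best_score

def variant_diff(known_fp, new_fp):
    """Constraints a new sample dropped and gained relative to a known family."""
    return known_fp - new_fp, new_fp - known_fp

# Constructed traces; the call names and the family label are illustrative only.
FAMILY_A_TRACES = [
    ["open", "read", "socket", "connect", "write", "close"],
    ["open", "read", "socket", "connect", "write", "write", "close"],
]
TRUSTED_TRACES = [["open", "read", "close"], ["open", "read", "read", "close"]]
UNKNOWN_VARIANT = [["open", "read", "socket", "connect", "sendto", "close"]]

if __name__ == "__main__":
    fp_a = mine_constraints(FAMILY_A_TRACES)
    fp_v = mine_constraints(UNKNOWN_VARIANT)
    print(classify(fp_v, {"familyA": fp_a}))
    print(variant_diff(fp_a, fp_v))
```

On these traces the unknown sample shares 25 of 47 constraints with family A, so it is assigned to that family, while the trusted traces stay below the threshold; the diff isolates the write/sendto substitution as the variant's change.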
