A constraint-driven approach for dynamic malware detection

The growth in the use of mobile phones to communicate and to access sensitive resources drives research into new approaches for protecting smartphones from attacks carried out through malicious software. Moreover, the continuous emergence of new and sophisticated malware makes current protection solutions for mobile phones inadequate shortly after they are deployed. In this paper a new approach for run-time malware detection is proposed. It consists of analyzing system call traces gathered from malware and from trusted applications to identify a set of relationships and recurring execution patterns that characterize their respective behavior. The characterization of malware behavior is expressed in terms of declarative constraints between system calls and can be used to identify similarities across malware families, to detect malware variants within the same family, and to build trees of malware families based on their similarities. The effectiveness and efficiency of the approach have been assessed on a dataset of more than 1500 trusted and malicious applications spanning six malware families. The results show that the proposed approach exhibits a very good discriminating ability, exploitable both for malware detection and for the study of malware evolution.
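As an added illustration of the approach sketched above (example code, not the paper's own implementation), the block below mines Declare-style constraints from constructed system call traces, compares the constraint sets of two application groups by Jaccard similarity, and assigns a new trace to the profile it satisfies best. The three templates used (existence, response, precedence) and the trace contents are assumptions; the paper's constraint language and dataset may differ.

```python
from itertools import product

# Constructed sample system call traces (not from the paper); each trace is the
# ordered list of system calls observed during one run of an application.
TRUSTED_TRACES = [
    ["open", "read", "close"],
    ["open", "read", "read", "close"],
]
MALICIOUS_TRACES = [
    ["open", "read", "socket", "connect", "sendto", "close"],
    ["open", "socket", "connect", "sendto", "sendto", "close"],
]

def satisfies(trace, constraint):
    """Check one Declare-style constraint against a single trace.
    Templates assumed here: existence(a), response(a, b), precedence(a, b)."""
    kind, *args = constraint
    if kind == "existence":                      # a occurs at least once
        return args[0] in trace
    a, b = args
    if kind == "response":                       # every a is later followed by b
        return all(b in trace[i + 1:] for i, c in enumerate(trace) if c == a)
    return all(a in trace[:i] for i, c in enumerate(trace) if c == b)  # precedence

def mine_constraints(traces, min_support=1.0):
    """Return the candidate constraints satisfied by at least min_support of the traces."""
    calls = sorted({c for t in traces for c in t})
    candidates = [("existence", a) for a in calls]
    candidates += [(k, a, b) for a, b in product(calls, repeat=2) if a != b
                   for k in ("response", "precedence")]
    return {c for c in candidates
            if sum(satisfies(t, c) for t in traces) / len(traces) >= min_support}

def jaccard(cs1, cs2):
    """Similarity between two constraint sets (e.g. two malware families)."""
    return len(cs1 & cs2) / len(cs1 | cs2)

def classify(trace, profiles):
    """Assign a trace to the profile whose constraints it satisfies most often."""
    scores = {name: sum(satisfies(trace, c) for c in cs) / len(cs)
              for name, cs in profiles.items()}
    return max(scores, key=scores.get)

PROFILES = {"trusted": mine_constraints(TRUSTED_TRACES),
            "malicious": mine_constraints(MALICIOUS_TRACES)}

if __name__ == "__main__":
    print(len(PROFILES["trusted"]), len(PROFILES["malicious"]))
    print(round(jaccard(PROFILES["trusted"], PROFILES["malicious"]), 3))
    print(classify(["open", "socket", "connect", "sendto", "close"], PROFILES))
```

Note that response and precedence constraints are vacuously satisfied by a trace in which the triggering call never occurs, so a satisfaction score should be read alongside the existence constraints rather than on its own.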
