Talos: no more ransomware victims with formal methods

Ransomware is a very effective form of malware that has recently spread to an impressive number of workstations and smartphones. This malware blocks access to the infected machine or to the files stored on it. The attackers restore the machine and the files only after the payment of a certain amount of money, usually demanded in bitcoins. Commercial solutions are still ineffective at recognizing the latest ransomware variants, and the problem has been poorly investigated in the literature. In this paper we discuss a methodology based on formal methods for detecting ransomware on Android devices. We have implemented our method in a tool named Talos. We evaluate the method, and the obtained results show that Talos is very effective in recognizing ransomware (accuracy of 0.99), even when the ransomware is obfuscated (accuracy still remains at 0.99).
