Published in: Empirical Software Engineering 3/2018

30.08.2017

A multi-view context-aware approach to Android malware detection and malicious code localization


Abstract

Many existing Machine Learning (ML) based Android malware detection approaches use a variety of features such as security-sensitive APIs, system calls, control-flow structures and information flows in conjunction with ML classifiers to achieve accurate detection. Each of these feature sets provides a unique semantic perspective (or view) of apps’ behaviors with inherent strengths and limitations. That is, some views are well suited to detecting certain attacks but may not be suitable for characterizing several other attacks. Most of the existing malware detection approaches use only one (or a selected few) of the aforementioned feature sets, which prevents them from detecting a vast majority of attacks. Addressing this limitation, we propose MKLDroid, a unified framework that systematically integrates multiple views of apps for performing comprehensive malware detection and malicious code localization. The rationale is that, while a malware app can disguise itself in some views, disguising itself in every view while maintaining malicious intent will be much harder. MKLDroid uses a graph kernel to capture structural and contextual information from apps’ dependency graphs and identify malicious code patterns in each view. Subsequently, it employs Multiple Kernel Learning (MKL) to find a weighted combination of the views which yields the best detection accuracy. Besides multi-view learning, MKLDroid’s unique and salient trait is its ability to locate fine-grained malicious code portions in dependency graphs (e.g., methods/classes). Malicious code localization serves several important applications such as supporting human analysts studying malware behaviors, engineering malware signatures, and other counter-measures. Through our large-scale experiments on several datasets (incl. wild apps), we demonstrate that MKLDroid consistently outperforms three state-of-the-art techniques in terms of accuracy while maintaining comparable efficiency. In our malicious code localization experiments on a dataset of repackaged malware, MKLDroid was able to identify all the malicious classes with 94% average recall. Our work opens up two new avenues in malware research: (i) it enables the research community to elegantly look at Android malware behaviors from multiple perspectives simultaneously, and (ii) it enables precise and scalable malicious code localization.
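The multi-view rationale in the abstract, as an added example that is not code from the paper or from MKLDroid: an app whose permission view matches a benign app is still scored as malware once per-view graph kernels are combined with learned weights. Assumptions: a plain Weisfeiler-Lehman subtree kernel stands in for the paper's graph kernel, kernel-target alignment stands in for the MKL solver, and the view names (`api`, `perm`) and all graphs are constructed toy data.

```python
from collections import Counter
from math import sqrt

def chain(*labels):
    """Constructed toy dependency graph: node i carries labels[i] and points to node i+1."""
    return {i: (lab, [i + 1] if i + 1 < len(labels) else []) for i, lab in enumerate(labels)}

def wl_features(graph, iterations=1):
    """Count node labels before and after each Weisfeiler-Lehman relabeling round."""
    labels = {n: lab for n, (lab, _) in graph.items()}
    feats = Counter(labels.values())
    for _ in range(iterations):
        # New label = own label + sorted labels of the successors (the node's context).
        labels = {n: labels[n] + "(" + ",".join(sorted(labels[m] for m in succ)) + ")"
                  for n, (_, succ) in graph.items()}
        feats.update(labels.values())
    return feats

def kernel(g1, g2):
    """Cosine-normalised WL subtree kernel between two non-empty graphs."""
    f1, f2 = wl_features(g1), wl_features(g2)
    dot = sum(c * f2[k] for k, c in f1.items())
    return dot / sqrt(sum(c * c for c in f1.values()) * sum(c * c for c in f2.values()))

VIEWS = ("api", "perm")  # assumed view names for this example
# Constructed training apps: +1 = malware, -1 = benign.
TRAIN = [
    ({"api": chain("onCreate", "getDeviceId", "openConnection"),
      "perm": chain("READ_PHONE_STATE", "INTERNET")}, +1),
    ({"api": chain("onReceive", "getDeviceId", "openConnection"),
      "perm": chain("READ_PHONE_STATE", "SEND_SMS")}, +1),
    ({"api": chain("onClick", "openConnection"), "perm": chain("INTERNET")}, -1),
    ({"api": chain("onClick", "setText"), "perm": chain("NONE")}, -1),
]
# Constructed test app: its permission view equals a benign app's, its API view does not.
DISGUISED = {"api": chain("onClick", "getDeviceId", "openConnection"),
             "perm": chain("INTERNET")}

def view_weights(train):
    """Weight each view by kernel-target alignment <K, yy^T> / (|K| |yy^T|), clipped at 0."""
    align = {}
    for v in VIEWS:
        k = [[kernel(a[v], b[v]) for b, _ in train] for a, _ in train]
        num = sum(k[i][j] * yi * yj for i, (_, yi) in enumerate(train)
                  for j, (_, yj) in enumerate(train))
        norm_k = sqrt(sum(x * x for row in k for x in row))
        align[v] = max(0.0, num / (norm_k * len(train)))  # |yy^T|_F = N for +/-1 labels
    total = sum(align.values()) or 1.0
    return {v: a / total for v, a in align.items()}

def view_score(app, train, v):
    """Mean similarity to malware minus mean similarity to benign apps in one view."""
    mal = [kernel(app[v], a[v]) for a, y in train if y > 0]
    ben = [kernel(app[v], a[v]) for a, y in train if y < 0]
    return sum(mal) / len(mal) - sum(ben) / len(ben)

def combined_score(app, train):
    """Score under the weighted sum of the per-view kernels; > 0 means malware."""
    w = view_weights(train)
    return sum(w[v] * view_score(app, train, v) for v in VIEWS)

if __name__ == "__main__":
    for v in VIEWS:
        print(v, round(view_score(DISGUISED, TRAIN, v), 3))
    print("weights", view_weights(TRAIN))
    print("combined", round(combined_score(DISGUISED, TRAIN), 3))
```

Because the score is linear in the kernel, the weighted sum of per-view scores equals the score under the combined kernel, so the permission view alone votes benign while the combination does not.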

Footnotes
1
The detailed procedure for constructing the ADG is provided later in Section 3.2.
 
2
Two existing works, PScout (Au et al. 2012) and SUSI (Rasthofer et al. 2014), list commonly known security-sensitive Android APIs. We use these two lists to identify sensitive APIs.
 
3
This follows from the observation that in most malware the malicious code portion is closely knit, i.e., spanning only a few methods. We also attempted two other variants of CADG. We reduce the path in CICFG to edges in CADG (i) only if the calling and called nodes belong to the same package and (ii) only if the calling and called nodes belong to the same class. Both these variants contained a much larger number of edges and also failed to capture the attacks as effectively as the CADG defined above (experimentally verified).
 
4
PScout (Au et al. 2012) provides a mapping from Android APIs and URIs to permissions required to access them. Furthermore, we infer the usage of intents, reflection and native code through relevant APIs and consider them as using special permissions. We use these mappings to build CPDGs.
 
5
To identify information sources and sinks accessed in CICFG nodes, we leverage SUSI (Rasthofer et al. 2014) and MUDFLOW (Avdiienko et al. 2015). Together, these works map Android APIs and URIs to 15 source and 18 sink categories.
 
6
To determine the categories of Dalvik instructions to be used as CICFGins node labels, we refer to Adagio (Gascon et al. 2013). The authors manually analyzed and categorized all the instructions into 15 distinct categories (such as move, invoke, etc.).
 
7
Pouik et al. (2012) leveraged a grammar proposed by Cesare and Xiang (2010) to represent CFG textual signatures in their work on establishing similarity between Android apps.
 
8
The reason why such an issue arises only in the case of CICFGins and CICFGsigns is understandable. That is, in the case of CADG, CPDG and CSSDG, the number of unique node labels is limited by the APIs, permissions, information source and sink categories available. Consequently, only a limited number of contextual neighborhood labels emerge from the relabeling process, thereby limiting the size of the vocabulary. However, in the case of CICFGins and CICFGsigns, the number of unique node labels (i.e., the number of unique instruction sequences and CFG signatures, respectively) across the whole dataset is extremely large, leading to a mammoth vocabulary Σ.
 
9
From (9), it could be noted that the prediction made in this fashion will be equivalent to one made with a linear SVM learnt as an optimization on \(\overrightarrow{\mathsf{\textbf{W}}}\) as follows: \(\min_{\overrightarrow{\mathsf{\textbf{W}}}} ||\overrightarrow{\mathsf{\textbf{W}}}||^2 + \sum_{i=1}^N \max(0, 1 - y^{(i)} f(\overrightarrow{\mathsf{\textbf{X}}}^{(i)}))\).
 
11
Recently, Li et al. (2017a) provided a dataset of repackaged apps of the form (app1, app2), where app1 is the original (benign) app and app2 is the repackaged version of app1. However, they do not ascertain whether or not the new code injected in app2 is malicious. In fact, exploring this dataset, we observe that a majority of the repackaged apps were adware or other types of PHAs. Hence, we refrain from using this dataset, which lacks precise ground truth labels on malicious methods and classes, in our experiments.
 
12
More than 80% of samples in this dataset are piggybacked malware, thus making this dataset amenable to our qualitative analysis (Li et al. 2017a).
 
13
Remember, we intend to avoid computing expensive data-flows in the app and believe other views (computed at much lower expense) would complement and mitigate the absence of data-flow related features.
 
14
Though Adagio could, in principle, identify malicious methods from CGs, the implementation provided at Adagio (2017) does not include this.
 
15
MD5: 1944d8ee5bdda3a1bd06555fdb10d3267ab0cc4511d1e40611baf3ce1b81e5e8
 
16
In this context, leaks through the internet are considered akin to writing into a file and hence we see a FILE sink instead of a NETWORK sink.
 
17
MD5: 7bbd566f2f3abb78b3ffcc23ba4ad84e06a00f758d245c660c61b21814a850a5
 
18
As discussed in Arp et al. (2014), Avdiienko et al. (2015), Garcia et al. (2015), Yang et al. (2014) and Kimberly et al. (2017), performing precise data-flow and dynamic analysis to extract features is computationally heavy.
 
References
Aafer Y et al (2013) DroidAPIMiner: Mining API-level features for robust malware detection in android. In: International conference on security and privacy in communication systems. Springer International Publishing
Allix K et al (2014) Machine learning-based malware detection for android applications: history matters! University of Luxembourg SnT, Luxembourg
Allix K et al (2016a) Empirical assessment of machine learning-based malware detectors for Android. Empirical Softw Eng 21(1):183–211
Allix K et al (2016b) Androzoo: Collecting millions of android apps for the research community. In: Proceedings of the 13th international conference on mining software repositories. ACM
Arp D et al (2014) Drebin: Effective and explainable detection of android malware in your pocket. In: Proceedings of the annual symposium on network and distributed system security (NDSS)
Arzt S et al (2014) Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. ACM SIGPLAN Not 49(6):259–269
Au KWY et al (2012) Pscout: analyzing the android permission specification. In: Proceedings of the 2012 ACM conference on computer and communications security. ACM
Avdiienko V et al (2015) Mining apps for abnormal usage of sensitive data. In: 2015 IEEE/ACM 37th IEEE international conference on software engineering (ICSE), vol 1. IEEE
Biggio B et al (2014) Poisoning behavioral malware clustering. In: Proceedings of the 2014 workshop on artificial intelligent and security workshop. ACM
Borgwardt KM, Kriegel H-P (2005) Shortest-path kernels on graphs. In: Fifth IEEE international conference on data mining (ICDM’05). IEEE
Burges CJC (1998) A tutorial on support vector machines for pattern recognition. Data Min Knowl Discov 2(2):121–167
Burguera I et al (2011) Crowdroid: behavior-based malware detection system for android. In: Proceedings of the 1st ACM workshop on security and privacy in smartphones and mobile devices. ACM
Cesare S, Xiang Y (2010) Classification of malware using structured control flow. In: Proceedings of the eighth Australasian symposium on parallel and distributed computing, vol 107. Australian Computer Society, Inc., pp 61–70
Chakradeo S et al (2013) Mast: triage for market-scale mobile malware analysis. In: Proceedings of the sixth ACM conference on security and privacy in wireless and mobile networks. ACM
Chen K et al (2015) Finding unknown malice in 10 seconds: Mass vetting for new threats at the google-play scale. In: 24th USENIX security symposium (USENIX Security 15)
Dash SK et al (2016) DroidScribe: Classifying android malware based on runtime behavior. Mob Secur Technol (MoST 2016) 7148:1–12
Deo A et al (2016) Prescience: Probabilistic guidance on the retraining conundrum for malware detection. In: Proceedings of the 2016 ACM workshop on artificial intelligence and security. ACM
Elish KO et al (2015) Profiling user-trigger dependence for Android malware detection. Comput Secur 49:255–273
Enrico M et al (2016) MAMADROID: Detecting android malware by building markov chains of behavioral models. arXiv:1612.04433
Fredrikson M et al (2010) Synthesizing near-optimal malware specifications from suspicious behaviors. In: 2010 IEEE symposium on security and privacy (SP). IEEE
Forman G (2003) An extensive empirical study of feature selection metrics for text classification. J Mach Learn Res 3:1289–1305
Garcia J et al (2015) Obfuscation-resilient, efficient, and accurate detection and family identification of android malware. Department of Computer Science, George Mason University, Technical Report, USA
Gärtner T et al (2003) On graph kernels: hardness results and efficient alternatives. Learning theory and kernel machines. Springer, Berlin Heidelberg, pp 129–143
Gönen M, Alpaydın E (2011) Multiple kernel learning algorithms. J Mach Learn Res 12:2211–2268
Gorla A et al (2014) Checking app behavior against app descriptions. In: Proceedings of the 36th international conference on software engineering. ACM
Gordon MI et al (2015) Information flow analysis of android applications in droidSafe. NDSS
Gascon H et al (2013) Structural detection of android malware using embedded call graphs. In: Proceedings of the 2013 ACM workshop on artificial intelligence and security. ACM
Guyon I, Elisseeff A (2003) An introduction to variable and feature selection. J Mach Learn Res 3:1157–1182
Hassen M, Chan PK (2017) Scalable Function Call Graph-based Malware Classification
Hido S, Kashima H (2009) A linear-time graph kernel. In: Ninth IEEE international conference on data mining 2009. ICDM’09. IEEE
Kantchelian A et al (2013) Approaches to adversarial drift. In: Proceedings of the 2013 ACM workshop on artificial intelligence and security. ACM
Kimberly T et al (2017) The evolution of android malware and android analysis techniques. ACM Comput Surv (CSUR) 49(4):76
Kriege NM et al (2017) A unifying view of explicit and implicit feature maps for structured data: systematic studies of graph kernels. arXiv:1703.00676
Li L et al (2015) Iccta: Detecting inter-component privacy leaks in android apps. In: Proceedings of the 37th international conference on software engineering, vol 1. IEEE Press
Li L et al (2017a) Understanding android app piggybacking: a systematic study of malicious code grafting. In: IEEE transactions on information forensics and security
Li L et al (2017b) Automatically locating malicious packages in piggybacked android apps. In: Proceedings of the international workshop on mobile software engineering and systems. ACM
Ma J et al (2009) Identifying suspicious URLs: an application of large-scale online learning. In: Proceedings of the 26th annual international conference on machine learning. ACM
Meng G et al (2016) Mystique: evolving android malware for auditing anti-malware tools. In: Proceedings of the 11th ACM on Asia conference on computer and communications security. ACM
Mu Z et al (2014) Semantics-aware Android malware classification using weighted contextual API dependency graphs. In: Proceedings of the 2014 ACM SIGSAC conference on computer and communications security. ACM
Narayanan A et al (2016a) Subgraph2vec: learning distributed representations of rooted sub-graphs from large graphs. In: Workshop on mining and learning with graphs
Narayanan A et al (2016b) Contextual weisfeiler-lehman graph kernel for malware detection. In: The 2016 international joint conference on neural networks (IJCNN). IEEE
Narayanan A et al (2016c) Adaptive and scalable android malware detection through online learning. In: The 2016 international joint conference on neural networks (IJCNN). IEEE
Octeau D et al (2015) Composite constant propagation: application to android inter-component communication analysis. In: Proceedings of the 37th international conference on software engineering, vol 1. IEEE Press
Peiravian N, Zhu X (2013) Machine learning for android malware detection using permission and api calls. In: 2013 IEEE 25th international conference on tools with artificial intelligence. IEEE
Rasthofer S, Arzt S, Bodden E (2014) A machine-learning approach for classifying and categorizing android sources and sinks. NDSS
Ribeiro MT et al (2016) Why Should I Trust You?: Explaining the predictions of any classifier. In: Proceedings of SIGKDD
Roy S et al (2015) Experimental study with real-world data for android app security analysis using machine learning. In: Proceedings of the 31st Annual Computer Security Applications Conference. ACM
Searles R et al (2017) Parallelization of machine learning applied to call graphs of binaries for malware detection. In: Proceedings of the 25th Euromicro International Conference on Parallel, Distributed and Network-Based Processing, PDP 2017, Russia
Sahs J, Khan L (2012) A machine learning approach to android malware detection. In: 2012 European Intelligence and Security Informatics Conference (EISIC). IEEE
Singh A et al (2012) Tracking concept drift in malware families. In: Proceedings of the 5th ACM Workshop on Security and Artificial Intelligence. ACM
Saracino A et al (2016) Madam: Effective and efficient behavior-based android malware detection and prevention. In: IEEE Transactions on Dependable and Secure Computing
Shervashidze N et al (2009) Efficient graphlet kernels for large graph comparison. AISTATS 5:488–495
Suarez-Tangil G et al (2016) DroidSieve: Fast and Accurate Classification of Obfuscated Android Malware
Sun Z, Ampornpunt N, Varma M, Vishwanathan S (2010) Multiple kernel learning and the SMO algorithm. In: Advances in Neural Information Processing Systems, pp 2361–2369
Tian K et al (2016) Analysis of code heterogeneity for high-precision classification of repackaged malware. In: 2016 IEEE Security and Privacy Workshops (SPW). IEEE
Yanardag P, Vishwanathan S (2015) Deep graph kernels. In: Proceedings of SIGKDD
Xu L et al (2016) HADM: Hybrid analysis for detection of malware. SAI Intelligent Systems Conference (IntelliSys), UK
Yang C et al (2014) Droidminer: Automated mining and characterization of fine-grained malicious behaviors in android applications. In: Computer Security-ESORICS 2014. Springer International Publishing, pp 163–182
Yang W et al (2015) Appcontext: Differentiating malicious and benign mobile app behaviors using context. In: Proceedings of the International Conference on Software Engineering (ICSE)
Zhou Y, Jiang X (2012) Dissecting android malware: Characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy (SP). IEEE
Metadata
Title
A multi-view context-aware approach to Android malware detection and malicious code localization
Publication date
30.08.2017
Published in
Empirical Software Engineering / Issue 3/2018
Print ISSN: 1382-3256
Electronic ISSN: 1573-7616
DOI
https://doi.org/10.1007/s10664-017-9539-8
