nach oben

Journal of Computer Virology and Hacking Techniques

Erschienen in:

26.10.2019 | Original Paper

Lightweight versus obfuscation-resilient malware detection in android applications

verfasst von: Ali Aghamohammadi, Fathiyeh Faghih

Erschienen in: Journal of Computer Virology and Hacking Techniques | Ausgabe 2/2020

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

By increasing growth of mobile applications, providing their security has become significant. Among mobile operating systems, Android is the most popular one, and hence, it has drawn more attention from malware programmers. One of the main challenges in designing a malware detection mechanism is handling obfuscation, where malware programmers try to change malware codes, such that they cannot be detected by malware detectors, while they keep their functionalities. In this paper, we propose an obfuscation-resilient method, called ORDroid, which can detect mutated and transformed malwares. We have used RNN and NLP neural networks for achieving this purpose. Our assumption is that the model is run on a server, before the application is published for end users. Users may get an application from different sources, and hence, it is necessary to design methods that can run on end users’ mobile phones. The challenge that should be considered when designing such methods is the limitation of computation and energy resources on a mobile phone. In the second part of this paper, we propose a lightweight malware detection method, called LightDroid. The main idea of this method is to select a minimal number of features from AndroidManifest file, along with a number of picture-based features from Dalvik executable file in a way that the accuracy of the resulting model is close to the state-of-the-art methods, while its complexity is as low as possible. We have fully implemented our proposed methods, as well as some of the state-of-the-art methods, including Drebin and RevealDroid. The results show that LightDroid is the most lightweight one, with 97.49% accuracy on the test data. Evaluation of ORDroid shows that, considering the overall accuracy of both test and transformed data, our model is the best comparing to the most related methods with the accuracy of 98.07% on the normal and 93.00% on the transformed data.

Vorheriger Artikel Hiding a fault enabled virus through code construction

Nächster Artikel Leveraging branch traces to understand kernel internals from within

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Share of global mobile website traffic. Accessed 9 Dec 2018. https://www.statista.com/statistics/277125/share-of-website-traffic-coming-from-mobile-devices

Smartphone OS Market Share. Accessed 9 Dec 2018. https://www.idc.com/promo/smartphone-market-share/os

McAfee Research & Reports. Accessed 9 Dec 2018. https://www.mcafee.com/enterprise/en-us/about/newsroom/research-reports.html

Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., Siemens, C.E.R.T.: Drebin: effective and explainable detection of android malware in your pocket. In: Ndss, vol. 14, pp. 23–26 (2014)

Nataraj, L., Karthikeyan, S, Jacob, G., Manjunath, B.S.: Malware images: visualization and automatic classification. In: Proceedings of the 8th International Symposium on Visualization for Cyber Security, p. 4. ACM (2011)

Ahmadi, M., Ulyanov, D., Semenov, S., Trofimov, M., Giacinto, G.: Novel feature extraction, selection and fusion for effective malware family classification. In: Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 183–194. ACM (2016)

Saracino, A., Sgandurra, D., Dini, G., Martinelli, F.: Madam: effective and efficient behavior-based android malware detection and prevention. IEEE Trans. Dependable Secure Comput. 15(1), 83–97 (2018)CrossRef

Enck, W., Gilbert, P., Han, S., Tendulkar, V., Chun, B.-G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. (TOCS) 32(2), 5 (2014)CrossRef

Zhang, Y., Yang, M., Xu, B., Yang, Z., Gu, G., Ning, P., Wang, X.S., Zang, B.: Vetting undesirable behaviors in android apps with permission use analysis. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, pp. 611–622. ACM (2013)

10.

How does Google Play Protect aim to improve Android security? Accessed 9 Dec 2018. https://searchsecurity.techtarget.com/answer/How-does-Google-Play-Protect-aim-to-improve-Android-security

11.

Fratantonio, Y., Bianchi, A., Robertson, W., Kirda, E., Kruegel, C., Vigna, G.: Triggerscope: towards detecting logic bombs in android applications. In: Security and Privacy (SP), 2016 IEEE Symposium on, pp. 377–396. IEEE (2016)

12.

Hidden App Malware Found on Google Play. Accessed 9 Dec 2018. https://www.symantec.com/blogs/threat-intelligence/hidden-app-malware-google-play

13.

Crooks infiltrate Google Play with malware in QR reading utilities. Accessed 9 Dec 2018. https://nakedsecurity.sophos.com/2018/03/23/crooks-infiltrate-google-play-with-malware-lurking-in-qr-reading-utilities

14.

A Whale of a Tale: HummingBad Returns. Accessed 9 Dec 2018. https://blog.checkpoint.com/2017/01/23/hummingbad-returns

15.

Garcia, J., Hammad, M., Malek, S.: Lightweight, obfuscation-resilient detection and family identification of android malware. ACM Trans. Softw. Eng. Methodol. 26(3), 11 (2018)CrossRef

16.

Aung, Z., Zaw, W.: Permission-based android malware detection. Int. J. Sci. Technol. Res. 2(3), 228–234 (2013)

17.

Aafer, Y., Du, W., Yin, H.: Droidapiminer: Mining api-level features for robust malware detection in android. In International Conference on Security and Privacy in Communication Systems, pp. 86–103. Springer, Cham (2013)

18.

Mikolov, T., Sutskever, I., Chen, K., Corrado, G.S., Dean, J.: Distributed representations of words and phrases and their compositionality. In: Advances in Neural Information Processing Systems, pp. 3111–3119 (2013)

19.

Rong, X.: word2vec parameter learning explained. arXiv preprint arXiv:1411.2738 (2014)

20.

ProGuard The open source optimizer and obfuscator for Java bytecode. Accessed 9 Dec 2018. https://www.guardsquare.com/proguard

21.

DexProtector-Cutting edge obfuscator for Android apps. Accessed 9 Dec 2018. https://dexprotector.com

22.

Rastogi, V., Chen, Y., Jiang, X., et al.: Catch me if you can: evaluating android anti-malware against transformation attacks. IEEE Trans. Inf. Forensics Secur. 9(1), 99–108 (2014)CrossRef

23.

Hidden miners on Google Play. Accessed 9 Dec 2018. https://usa.kaspersky.com/blog/google-play-hidden-miners/15101

24.

Gibert, D.: Convolutional neural networks for malware classification. PhD thesis, MS Thesis, Dept. of Computer Science, UPC (2016)

25.

Dalvik bytecode. Accessed 9 Dec 2018. https://source.android.com/devices/tech/dalvik/dalvik-bytecode

26.

Chung, J., Gulcehre, C., Cho, K.H., Bengio, Y.: Empirical evaluation of gated recurrent neural networks on sequence modeling. arXiv preprint arXiv:1412.3555 (2014)

27.

Dalvik executable format. Accessed 9 Dec 2018. https://source.android.com/devices/tech/dalvik/dex-format

28.

Fereidooni, H., Moonsamy, V., Conti, M., Batina, L.: Efficient classification of android malware in the wild using robust static features. Prot. Mobile Netw. Dev.: Chall. Solut. 1, 181–209 (2016)

29.

A deep dive into DEX file format. Accessed 9 Dec 2018. https://elinux.org/images/d/d9/A_deep_dive_into_dex_file_format-chiossi.pdf

30.

Krizhevsky, A., Sutskever, I., Hinton, G.E.: Imagenet classification with deep convolutional neural networks. In: Advances in Neural Information Processing Systems, pp. 1097–1105 (2012)

31.

Desnos, A. et al.: Androguard: reverse engineering, malware and goodware analysis of android applications. https://code.google.com/p/androguard, p. 153 (2013)

32.

RevealDroid Java repository. Accessed 9 Dec 2018. https://bitbucket.org/joshuaga/revealdroid

33.

Abadi, M., Barham, P., Chen, J., Chen, Z., Davis, A., Dean, J., Devin, M., Ghemawat, S., Irving, G., Isard, M., et al.: Tensorflow: a system for large-scale machine learning. OSDI 16, 265–283 (2016)

34.

Chollet, F. et al.: Keras: The python deep learning library. In: Astrophysics Source Code Library (2018)

35.

Jiang, X., Zhou, Y.: Dissecting android malware: characterization and evolution. In: 2012 IEEE Symposium on Security and Privacy, pp. 95–109. IEEE (2012)

36.

Wei, F., Li, Y., Roy, S., Ou, X., Zhou, W.: Deep ground truth analysis of current android malware. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 252–276. Springer, Berlin (2017)

37.

Koodous: an online analysis tools over a vast APKs repository. Accessed 9 Dec 2018. https://koodous.com

38.

Wang, R.: Flash in the pan? Virus Bull. (1998)

39.

Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Technical report, Wisconsin Univ-Madison Dept of Computer Sciences (2006)

40.

Narouei, M., Ahmadi, M., Giacinto, G., Takabi, H., Sami, A.: DLLMiner: structural mining for malware detection. Secur. Commun. Netw. 8(18), 3311–3322 (2015)CrossRef

41.

Hu, W., Tan, Y.: Generating adversarial malware examples for black-box attacks based on gan. arXiv preprint arXiv:1702.05983 (2017)

42.

Peiravian, N., Zhu, X.: Machine learning for android malware detection using permission and api calls. In: Tools with Artificial Intelligence (ICTAI), 2013 IEEE 25th International Conference on, pp. 300–305. IEEE (2013)

43.

Gennissen, J., Cavallaro, L., Moonsamy, V., Batina, L.: Gamut: sifting through images to detect android malware (2017)

44.

Vidas, T., Christin, N.: Evading android runtime analysis via sandbox detection. In: Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, pp. 447–458. ACM (2014)

45.

Erel. Android tutorial-code obfuscation. https://www.b4x.com/android/forum/threads/code-obfuscation.13773. [Online; accessed 18 July 2019]

46.

Canfora, G., Martinelli, F., Mercaldo, F., Nardone, V., Santone, A., Visaggio, C.A.: Leila: formal tool for identifying mobile malicious behaviour. IEEE Trans. Softw. Eng. (2018)

47.

Hammad, M.: Self-protection of Android systems from inter-component communication attacks. Ph.D. thesis, UC Irvine (2018)

48.

Polakis, I., Diamantaris, M., Petsas, T., Maggi, F., Ioannidis, S.: Powerslave: analyzing the energy consumption of mobile antivirus software. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 165–184. Springer, Berlin (2015)

Titel: Lightweight versus obfuscation-resilient malware detection in android applications
verfasst von: Ali Aghamohammadi
Fathiyeh Faghih
Publikationsdatum: 26.10.2019
Verlag: Springer Paris
Erschienen in: Journal of Computer Virology and Hacking Techniques / Ausgabe 2/2020
Elektronische ISSN: 2263-8733
DOI: https://doi.org/10.1007/s11416-019-00341-y

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 2/2020

Exploiting flaws in Windbg: how to escape or fool debuggers from existing flaws

Hiding a fault enabled virus through code construction

Leveraging branch traces to understand kernel internals from within

Deep learning for image-based mobile malware detection