DOI: 10.1145/2660267.2660359
Research article

Semantics-Aware Android Malware Classification Using Weighted Contextual API Dependency Graphs

Published: 03 November 2014

ABSTRACT

The drastic increase in Android malware has led to a strong interest in developing methods to automate the malware analysis process. Existing automated Android malware detection and classification methods fall into two general categories: 1) signature-based and 2) machine learning-based. Signature-based approaches can be easily evaded by bytecode-level transformation attacks. Prior learning-based works extract features from application syntax rather than program semantics, and are also subject to evasion. In this paper, we propose a novel semantics-based approach that classifies Android malware via dependency graphs. To counter transformation attacks, we extract a weighted contextual API dependency graph as program semantics to construct feature sets. To fight against malware variants and zero-day malware, we introduce graph similarity metrics to uncover homogeneous application behaviors while tolerating minor implementation differences. We implement a prototype system, DroidSIFT, in 23 thousand lines of Java code. We evaluate our system using 2200 malware samples and 13500 benign samples. Experiments show that our signature detection can correctly label 93% of malware instances; our anomaly detector is capable of detecting zero-day malware with a low false negative rate (2%) and an acceptable false positive rate (5.15%) for vetting purposes.


Published in

CCS '14: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security
November 2014
1592 pages
ISBN: 9781450329576
DOI: 10.1145/2660267

Copyright © 2014 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates

CCS '14 paper acceptance rate: 114 of 585 submissions (19%)
Overall acceptance rate: 1,261 of 6,999 submissions (18%)
