Dynamic Malware Detection and Phylogeny Analysis using Process Mining


  • Date:05 May 2020
  • Pages:25



Transcription:

Mario Luca Bernardi et al., Dynamic Malware Detection and Phylogeny Analysis using Process Mining

of new strategies to dissect malware samples and the discovery of software vulnerabilities (e.g., the vulnerabilities present in an application may also reside in the applications derived from it) [25, 31].

In this paper, starting from the assumption that any malicious behavior is implemented by specific sequences of system calls, we propose an approach for malware detection and malware phylogeny analysis that adopts process mining techniques for the analysis of the system call traces generated by an application. Process Mining (PM) is a process management technique for the analysis of business processes based on event logs [44]. In our approach we use PM to analyze the system call traces of a mobile application, assuming that similarities and derivations between system calls can be discovered and modeled in system call traces similarly to what applies for business process activities in business process logs. According to this, in our approach we use PM to derive a characterization of the behavior of a trusted or malware mobile application from a set of system call traces gathered from it in response to a set of operating system events. Such characterization is expressed as a set of declarative constraints between system calls using the Declare process modeling language [36] and is named System Calls Execution Fingerprint (SEF). The extracted SEF models can be used to characterize and discriminate malware and to trace the malware phylogeny.

Even if the proposed approach can be applied to all the existing mobile platforms, in this work the focus is on the Android platform as, according to recent survey [4], it is the favorite target for mobile threats. This is not surprising considering that in 2014 Android holds more than 80% of the total market share in smartphones and tablets [5] and that the sales of smartphones worldwide totaled 349 million units in the first quarter of 2016 [3]. Moreover, current solutions to protect Android users are still inadequate. For example, several antimalware adopt a signature-based malware detection approach, requiring antimalware vendors to be aware of new malware code in order to identify their signatures in the form of fixed strings and regular expressions and to send out updates regularly. Furthermore, there are new techniques that evade signature-based detection approaches by including various types of source code transformation and simple forms of polymorphic attacks [37]. Malware detection in Android is also affected by another problem: differently from antimalware software on desktop operating systems, Android does not permit to monitor file system operations. An Android application, indeed, can only access its own disk space: as such, an Android antimalware cannot access and verify the malicious code eventually downloaded and run at run time by another application installed in the device. This problem has been mitigated, but not solved, by Google with the introduction of Bouncer [34]. When a new application is submitted to the Google Play Store, Bouncer executes it in a sandbox for a fixed time window before making it available to users on the official store. Consequently, Bouncer can detect malware actions that happen in this time interval but cannot detect the other malware actions that happen after this observation period. However, since signature-based detection techniques are evaded by attackers with new malware which are increasingly aggressive, new techniques that go beyond to detect malware software in Android devices are required.

With respect to existing approaches to malware detection and phylogeny model extraction, our approach introduces the following novelties:

  • the SEF model extracted to characterize a malware behavior is obtained using a declarative constraint-based language that allows to exploit a much wider range of properties and relationships between system calls in system call traces;
  • the same model can be effectively used as a malware fingerprint for both malware detection and phylogeny analysis.

Finally, the approach is particularly suitable to be used as an automatic verification step in the approval process performed by application stores to ensure the security of the published applications.

This paper is an extension of our earlier work presented in [11] and [31]. With respect to these works this paper presents:

  • an integrated approach for both phylogeny analysis and malware detection;
  • a wider experimentation involving a larger set of applications belonging to an increased number of malware families;
  • a robustness analysis aimed at assessing the impact of behavioral preserving code transformations on the detection capability of our approach.

The rest of the paper is organized as follows. Section 2 describes the background of our study. Section 3 presents the proposed approach. Section 4 evaluates the effectiveness of the approach by testing it on a dataset of 9 malware families and 1200 between trusted and malware applications. Section 5 evaluates the robustness of the approach with regard to a set of well-known code transformation techniques. Section 6 and 7 discuss threats to validity and related work, respectively. Finally, Section 8 provides some conclusive remarks for our work.

2 Background

2.1 Mobile Malware Families

Malicious programs are frequently related to previous program versions through evolutionary relationships. The knowledge of these relationships can be useful for both constructing a phylogeny model and supporting malware detection through the analysis of new malware basing on the similarities with the known ones [28]. In particular, malware applications can be grouped into families. Each family defines a set of behaviors and properties that, to a certain extent, are common to all its members. Starting from the analysis of security announcements, threat reports, articles in researchers' blogs and data published by existing mobile antimalware companies, in [53] a list of 49 Android malware families with their characteristics is reported. The main properties for the top 10 malware families (basing on the number of known samples) are reported in Table 4. For each malware family the table shows: (i) the name of the family (first column); (ii) a brief description of the malware family (second column); (iii) the installation type (third column), which refers to the way the malicious payload is installed ('r' for repackaging, 's' for standalone and 'u' for update attack); and (iv) the activation mechanism (fourth column), i.e., the system events that activate the malicious behaviour.

Table 2 shows a list of the most relevant system events that an application can receive during its lifecycle and that, according to several studies [27, 53], are known to trigger a malware payload most frequently. Looking at the table, the first row represents the BOOT event, the most used within existing Android malware. This is not surprising since this event will be triggered and sent to all the applications installed in an Android device as the system finishes its booting process, a perfect time for a malware to kick off its background services. By listening to this event, a malware can start itself without any intervention or interaction of the user with the system.

Other events frequently used by malware writers are the ACTION ANSWER and NEW OUTGOING CALL events (second row in Table 2): these events will be sent in broadcast to the whole system (and all the running applications) when a call is received or started.

Starting from existing malware, new variants are released by malware writers to get as much mileage as possible from the original code and to create new undetectable malware. Therefore, malware variants are new strains and slightly modified versions of a malware belonging to the same malware family. These malware variants include increasingly sophisticated techniques for obfuscating malicious behavior in order to elude detection strategies employed by current antimalware products [53]. In particular, polymorphism and metamorphism are obfuscating techniques rapidly spreading among malware targeting mobile applications [39].

For instance, the first version of DroidKungFu malware was detected in June 2011. Successively, security researchers detected the second version, DroidKungFu2, and the third version, DroidKungFu3, in July and August 2011, respectively. Finally, the fourth version, DroidKungFu4, was detected in October 2011. Similarly to the previous generations of DroidKungFu, the latest version is able to install a backdoor that gives hackers full control of the mobile device. Therefore, while previous versions of DroidKungFu retrieved instructions from a remote command and control server and stored the URL for the server in plain text, DroidKungFu3 and DroidKungFu4 encrypt the URL, making it harder to identify and block them. Moreover, starting from this version the vulnerable code is encrypted, making more difficult to identify the malware [53]. Finally, starting from DroidKungFu3, after installing the embedded payload it is masked as an official Google update, thus increasing its diffusion and reducing users' diffidence.

2.2 Declare

In this work the ProM tool and the Declare language are used, respectively, to mine and represent the SEF model describing the behavior of a malware family. The model is extracted from a set of system call traces produced by mobile applications in response to system events listed in Table 2.

ProM 6.1 [45] is a tool supporting a wide variety of process mining techniques. Declare is a declarative constraint language proposed by Pesic and van der Aalst and largely diffused in the Process Mining domain [36]. While procedural approaches explicitly specify the interactions between process events, Declare represents a process as a set of rules constraining all the events to be executed in a given order and implicitly describing all the possible workflows. In other words, while in procedural approaches all the activities that are not explicitly specified are forbidden (the produced models are closed), in declarative models all the workflows that do not violate the constraints are allowed (the produced models are open): for this reason, declarative approaches are suitable to represent complex processes with high flexibility [10]. Finally, another advantage of using Declare is that it represents a process modeling language more understandable for end users and provided with an executable and verifiable formal semantics.

Declare constraints can be seen as concrete instantiations of templates. A template is an abstract entity that defines parametrized classes of properties through an usable and simple graphical representation connected to a formal semantics based on the adoption of Linear Temporal Logic (LTL) formulas.

LTL formulas can be traduced in non-deterministic Finite State Automatons (FSA) that represent all the traces satisfying the constraint. The temporal operators used to describe the semantics of the Declare templates are reported in Table 3. In the table LTL formulas are indicated by and is used to indicate that has to hold in the next position in a trace means that is always in the subsequent positions in a trace indicates that has to hold eventually in

Table 1: The top 10 malware families.

| Family | Description | IT | AE |
|---|---|---|---|
| DroidKungFu 1-4 | It installs a backdoor that allows attackers to access the smartphone when they want and use it as they please | r | BOOT, BATT, SYS |
| Opfake | It demands payment for the application content through premium text mes | r | MAIN |
| GinMaster | It contains a malicious service with the ability to root devices to escalate privileges, steal confidential information and install applications | r | BOOT |
| AnserverBot | It repackages into the host app with two hidden apps | r, u | BOOT, NET |
| BaseBridge | It sends information to a remote server running one or more malicious services in background | r, u | BOOT, SMS, NET, BATT |
| Kmin | It is similar to BaseBridge but does not kill antimalware processes | s | BOOT |
| Pjapps | It is a Trojan horse that has been embedded on third party applications and opens a back door on the compromised device | r | BOOT, SMS, BATT |
| Geinimi | It has the potential to receive commands from a remote server that allows the owner of that server to control the phone | r | MAIN |
| Adrd | It is close to Geinimi but with less server side commands | r | BOOT, CALL |
| DroidDream | It gains root access to device to access unique identification information | r | MAIN |

Table 2: System events used to activate the malicious payload.

| # | Event | Description |
|---|---|---|
| 1 | BOOT COMPLETED | Able to catch the boot completed |
| 2 | ACTION ANSWER, NEW OUTGOING CALL | Incoming and outgoing call |
| 3 | ACTION POWER CONNECTED | Battery status in charging |
| 4 | ACTION POWER DISCONNECTED | Battery status discharging |
| 5 | BATTERY OKAY | Battery full charged |
| 6 | BATTERY LOW | Battery status at 50% |
| 7 | BATTERY EMPTY | Battery status at 0% |
| 8 | SMS RECEIVED | Reception of SMS |
| 9 | AIRPLANE MODE | The user has switched the phone into or out of Airplane Mode |
| 10 | BATTERY CHANGED | Battery status changed |
| 11 | CONFIGURATION CHANGED | The current device configuration (orientation, locale, etc.) has changed |
| 12 | DATA SMS RECEIVED | A new data-based SMS message has been received by the device |
| 13 | DATE CHANGED | Receives data changed events |
| 14 | DEVICE STORAGE LOW | Free storage on device is less than 10% of total space |
| 15 | DEVICE STORAGE OK | Free storage on device is adequate |
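The Declare idea from Section 2.2, as an added example that is not code from the paper or from ProM: three standard Declare templates are checked over system call traces, the constraints that hold on every trace of a family are kept as a fingerprint, and a new trace is tested against it. The traces, the function names and the simple "holds in every trace" mining rule are assumptions made for illustration.

```python
from itertools import permutations

def existence(trace, a, _b=""):
    """existence(a): a occurs at least once (LTL: F a)."""
    return a in trace

def response(trace, a, b):
    """response(a, b): every a is eventually followed by b (LTL: G(a -> F b))."""
    pending = False
    for call in trace:
        if call == a:
            pending = True
        elif call == b:
            pending = False
    return not pending

def precedence(trace, a, b):
    """precedence(a, b): b occurs only if some a occurred before it."""
    seen_a = False
    for call in trace:
        if call == a:
            seen_a = True
        elif call == b and not seen_a:
            return False
    return True

TEMPLATES = {"existence": existence, "response": response, "precedence": precedence}

def mine_fingerprint(traces):
    """Keep the constraints that hold in every trace, over calls common to all traces."""
    common = sorted(set.intersection(*(set(t) for t in traces)))
    model = {("existence", a, "") for a in common}
    for a, b in permutations(common, 2):
        for name in ("response", "precedence"):
            if all(TEMPLATES[name](t, a, b) for t in traces):
                model.add((name, a, b))
    return model

def violations(trace, model):
    """Constraints of the model that the trace breaks; an empty list means it conforms."""
    return sorted(c for c in model if not TEMPLATES[c[0]](trace, c[1], c[2]))

# Constructed system call traces (illustrative, not taken from the paper's dataset).
FAMILY = [
    ["open", "read", "socket", "connect", "sendto", "close"],
    ["open", "read", "read", "socket", "connect", "sendto", "sendto", "close"],
]
VARIANT = ["open", "getpid", "read", "socket", "ioctl", "connect", "sendto", "close"]
OTHER = ["open", "read", "close", "open", "write", "close"]

if __name__ == "__main__":
    model = mine_fingerprint(FAMILY)
    print(len(model), "constraints mined")
    print("variant violations:", violations(VARIANT, model))
    print("other violations:", len(violations(OTHER, model)))
```

Because the model is open, `VARIANT` conforms even though it interleaves calls the family traces never made, while `OTHER` breaks existence, response and precedence constraints.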
