Obfuscation-resilient Android Malware Analysis Based on Contrastive Learning
Due to its open-source nature, the Android operating system has been the main
target of attackers. Malware authors routinely apply code obfuscation to
their apps to hide malicious activity. Features extracted from these
obfuscated samples through program analysis contain many useless and
disguised features, which leads to many false negatives. To address the issue,
in this paper, we demonstrate that obfuscation-resilient malware analysis can
be achieved through contrastive learning. We take the Android malware
classification as an example to demonstrate our analysis. The key insight
behind our analysis is that contrastive learning can be used to reduce the
difference introduced by obfuscation while amplifying the difference between
malware and benign apps (or other types of malware).
Based on the proposed analysis, we design a system that can achieve robust
and interpretable classification of Android malware. To achieve robust
classification, we perform contrastive learning on malware samples to learn an
encoder that can automatically extract robust features from malware samples. To
achieve interpretable classification, we transform the function call graph of a
sample into an image by centrality analysis. Then the corresponding heatmaps
are obtained by visualization techniques. These heatmaps can help users
understand why the malware is classified as this family. We implement IFDroid
and perform extensive evaluations on two widely used datasets. Experimental
results show that IFDroid is superior to state-of-the-art Android malware
familial classification systems. Moreover, IFDroid is capable of maintaining
a 98.2% true positive rate when classifying 8,112 obfuscated malware samples.
Android Malware Family Classification Based on Resource Consumption over Time
The vast majority of today's mobile malware targets Android devices. This has
pushed the research effort in Android malware analysis in the last years. An
important task of malware analysis is the classification of malware samples
into known families. Static malware analysis is known to fall short against
techniques that change static characteristics of the malware (e.g. code
obfuscation), while dynamic analysis has proven effective against such
techniques. To the best of our knowledge, the most notable work on Android
malware family classification purely based on dynamic analysis is DroidScribe.
With respect to DroidScribe, our approach is easier to reproduce. Our
methodology only employs publicly available tools, does not require any
modification to the emulated environment or Android OS, and can collect data
from physical devices. The latter is a key factor, since modern mobile malware
can detect the emulated environment and hide their malicious behavior. Our
approach relies on resource consumption metrics available from the proc file
system. Features are extracted through detrended fluctuation analysis and
correlation. Finally, an SVM is employed to classify malware into families. We
provide an experimental evaluation on malware samples from the Drebin dataset,
where we obtain a classification accuracy of 82%, proving that our methodology
achieves an accuracy comparable to that of DroidScribe. Furthermore, we make
the software we developed publicly available, to ease the reproducibility of
our results.
Comment: Extended Version
Analysis of Feature Categories for Malware Visualization
It is important to know which features are more effective for certain visualization types. Furthermore, selecting an appropriate visualization tool plays a key role in descriptive, diagnostic, predictive and prescriptive analytics. Moreover, analyzing the activities of malicious scripts or code depends on the extracted features. In this paper, the authors focus on reviewing and classifying the most common extracted features that have been used for malware visualization, based on specified categories. This study examines the feature categories and their usefulness for effective malware visualization. Additionally, it focuses on the common extracted features that have been used in the malware visualization domain. The literature review revealed that the features can be categorized into four main categories, namely static, dynamic, hybrid, and application metadata. The contribution of this paper is a feature selection that illustrates which features are effective with which visualization tools for malware visualization.
Host-based detection and analysis of Android malware: implication for privilege exploitation
The rapid expansion of mobile operating systems has created a proportional growth in malware infections targeting Android, the most widely used mobile OS. Factors such as Android's open-source platform and low cost attract malware writers to this mobile OS. Although there are many anti-virus programs for malware detection, designed with varying degrees of signature coverage, many do not give an analysis of what the malware does. Some anti-virus engines clear repackaged malicious applications during installation without detecting them. This paper collected 28 Android malware families with a total of 163 samples. A general analysis of the entire sample dataset was created, giving credence to the individual family samples and the year each was discovered. A general detection and classification of the Android malware corpus was performed using the K-means clustering algorithm. Detection rules were written with five major functions for automatic scanning, signature enablement, quarantine and reporting of scan results. The LMD was able to scan a file of 2048 MB and report accurately whether the file is benign or malicious. The K-means clustering algorithm was set to 5 training iterations and was able to accurately classify the malware corpus into benign and malicious files. The obtained results show that some Android families exploit potential privileges on mobile devices. Information leakage from the victim's device without consent and payload deposits are among the results obtained. The results call for proactive rather than reactive measures in tackling malware infection on Android-based mobile devices.
Lightweight Classification of IoT Malware Based on Image Recognition
The Internet of Things (IoT) is an extension of the traditional Internet,
which allows a very large number of smart devices, such as home appliances,
network cameras, sensors and controllers to connect to one another to share
information and improve user experiences. Current IoT devices are typically
micro-computers for domain-specific computations rather than traditional
function-specific embedded devices. Therefore, many existing attacks, targeted
at traditional computers connected to the Internet, may also be directed at IoT
devices. For example, DDoS attacks have become very common in IoT environments,
as these environments currently lack basic security monitoring and protection
mechanisms, as shown by the recent Mirai and Brickerbot IoT botnets. In this
paper, we propose a novel lightweight approach for detecting DDoS malware in
IoT environments. We first extract one-channel gray-scale images converted
from binaries, and then utilize a lightweight convolutional neural network for
classifying IoT malware families. The experimental results show that the
proposed system can achieve 94.0% accuracy for the classification of goodware
and DDoS malware, and 81.8% accuracy for the classification of goodware and two
main malware families.
From Malware Samples to Fractal Images: A New Paradigm for Classification. (Version 2.0, Previous version paper name: Have you ever seen malware?)
To date, a large number of research papers have been written on the
classification of malware, its identification, classification into different
families and the distinction between malware and goodware. These works have
been based on captured malware samples and have attempted to analyse malware
and goodware using various techniques, including techniques from the field of
artificial intelligence. For example, neural networks have played a significant
role in these classification methods. Some of this work also deals with
analysing malware using its visualisation. These works usually convert malware
samples capturing the structure of malware into image structures, which are
then the object of image processing. In this paper, we propose a very
unconventional and novel approach to malware visualisation based on dynamic
behaviour analysis, with the idea that the images, which are visually very
interesting, are then used to classify malware concerning goodware. Our
approach opens an extensive topic for future discussion and provides many new
directions for research in malware analysis and classification, as discussed in
conclusion. The results of the presented experiments are based on a database of
6 589 997 goodware, 827 853 potentially unwanted applications and 4 174 203
malware samples provided by ESET and selected experimental data (images,
generating polynomial formulas and software generating images) are available on
GitHub for interested readers. Thus, this paper is not a comprehensive compact
study that reports the results obtained from comparative experiments but rather
attempts to show a new direction in the field of visualisation with possible
applications in malware analysis.
Comment: This paper is under review; the section describing conversion from
malware structure to fractal figure is temporarily erased here to protect our
idea. It will be replaced by a full version when accepted.
Andro-Simnet: Android Malware Family Classification Using Social Network Analysis
While the rapid adoption of mobile devices makes our daily lives more
convenient, the threat posed by malware has also increased. There is much
research on detecting malware to protect mobile devices, but most of it adopts
only signature-based detection, which can be easily bypassed by polymorphic
and metamorphic malware. To detect malware and its variants, it is
essential to adopt behavior-based detection for efficient malware
classification. This paper presents a system that classifies malware by using
common behavioral characteristics along with malware families. We measure the
similarity between malware families with carefully chosen features that
commonly appear within the same family. With the proposed similarity measure, we can
classify malware by malware's attack behavior pattern and tactical
characteristics. Also, we apply a community detection algorithm to increase the
modularity within each malware family network aggregation. To maintain high
classification accuracy, we propose a process to derive the optimal weights of
the selected features in the proposed similarity measure. During this process,
we find out which features are significant for representing the similarity
between malware samples. Finally, we provide an intuitive graph visualization
of malware samples which is helpful to understand the distribution and likeness
of the malware networks. In the experiment, the proposed system achieved 97%
accuracy for malware classification and 95% accuracy for prediction by K-fold
cross-validation using the real malware dataset.
Comment: 13 pages, 11 figures, dataset link:
http://ocslab.hksecurity.net/Datasets/andro-simnet , demo video:
https://youtu.be/JmfS-ZtCbg4 , In Proceedings of the 16th Annual Conference
on Privacy, Security and Trust (PST), 201