Unsupervised Anomaly-based Malware Detection using Hardware Features
Recent works have shown promise in using microarchitectural execution
patterns to detect malware programs. These detectors belong to a class of
detectors known as signature-based detectors as they catch malware by comparing
a program's execution pattern (signature) to execution patterns of known
malware programs. In this work, we propose a new class of detectors -
anomaly-based hardware malware detectors - that do not require signatures for
malware detection, and thus can catch a wider range of malware including
potentially novel ones. We use unsupervised machine learning to build profiles
of normal program execution based on data from performance counters, and use
these profiles to detect significant deviations in program behavior that occur
as a result of malware exploitation. We show that real-world exploitation of
popular programs such as IE and Adobe PDF Reader on a Windows/x86 platform can
be detected with nearly perfect certainty. We also examine the limits and
challenges in implementing this approach in face of a sophisticated adversary
attempting to evade anomaly-based detection. The proposed detector is
complementary to previously proposed signature-based detectors and can be used
together to improve security.
Comment: 1 page, Latex; added description for feature selection in Section 4,
results unchanged
Android Malware Family Classification Based on Resource Consumption over Time
The vast majority of today's mobile malware targets Android devices. This has
pushed the research effort in Android malware analysis in the last years. An
important task of malware analysis is the classification of malware samples
into known families. Static malware analysis is known to fall short against
techniques that change static characteristics of the malware (e.g. code
obfuscation), while dynamic analysis has proven effective against such
techniques. To the best of our knowledge, the most notable work on Android
malware family classification purely based on dynamic analysis is DroidScribe.
With respect to DroidScribe, our approach is easier to reproduce. Our
methodology only employs publicly available tools, does not require any
modification to the emulated environment or Android OS, and can collect data
from physical devices. The latter is a key factor, since modern mobile malware
can detect the emulated environment and hide their malicious behavior. Our
approach relies on resource consumption metrics available from the proc file
system. Features are extracted through detrended fluctuation analysis and
correlation. Finally, a SVM is employed to classify malware into families. We
provide an experimental evaluation on malware samples from the Drebin dataset,
where we obtain a classification accuracy of 82%, proving that our methodology
achieves an accuracy comparable to that of DroidScribe. Furthermore, we make
the software we developed publicly available, to ease the reproducibility of
our results.
Comment: Extended Version
Malware Defense in Mobile Network using Dynamic Analysis of Android Application
Today Android has the biggest market share compared to other operating systems for smartphones. As users are continuously increasing day by day, security is one of the main concerns for smartphone users. As the features and power of smartphones increase, so does their vulnerability to attacks by malware. But Android is the operating system which is more secure than any other operating system available for smartphones. The Android operating system has very few restrictions for developers, and this increases the security risk for end users. I am proposing an Android application which is able to perform dynamic analysis on Android programs. To perform this analysis I have to deploy the Android application; in this proposed system I am going to deploy the Android application on a cloud. This application executes automatically without any human interaction. It automatically detects malware by using a pattern matching algorithm. If malware gets detected, then the user is informed that the particular application is malicious and is restricted from installing the application.
DOI: 10.17762/ijritcc2321-8169.150315
A Methodology for Reliable Detection of Anomalous Behavior in Smartphones
Smartphones have become the most preferred computing device for both personal and
business use. Different applications in smartphones result in different power consumption
patterns. The fact that every application has been coded to perform different tasks leads
to the claim that every action onboard (whether software or hardware) will consequently
have a trace in the power consumption of the smartphone. When the same sequence of
steps is repeated on it, it is observed that the power consumption patterns hold some
degree of similarity. A device infected with malware can exhibit increased CPU usage,
lower speeds, strange behavior such as e-mails or messages being sent automatically and
without the user's knowledge; and programs or malware running intermittently or in cycles
in the background. This deviation from the expected behavior of the device is termed an
anomalous behavior and results in a reduction in the similarity of the power consumption.
The anomalous behavior could also be due to gradual degradation of the device or change in
the execution environment in addition to the presence of malware. The change in similarity
can be used to detect the presence of anomalous behavior on smartphones.
This thesis focuses on the detection of anomalous behavior from the power signatures
of the smartphone. We have conducted experiments to measure and analyze the power
consumption pattern of various smartphone apps. The test bench used for the experiments
has a Monsoon Power Meter, which supplies power to the smartphone, and an external
laptop collects the power samples from the meter. To emulate the presence of anomalous
behavior, we developed an app which runs in the background with varying activity windows.
Based on our experiments and analysis, we have developed two separate models for reliable
detection of anomalous behavior from power signatures of the smartphone. The first model
is based on Independent Component Analysis (ICA) and the second model is based on a
Similarity Matrix developed using an array of low pass filters. These models detect the
presence of anomalies by comparing the current power consumption pattern of the device
under test with that of its normal behavior
Detecting crypto-ransomware in IoT networks based on energy consumption footprint
An Internet of Things (IoT) architecture generally consists of a wide range of Internet-connected devices or things such as Android devices, and devices that have more computational capabilities (e.g., storage capacities) are likely to be targeted by ransomware authors.
In this paper, we present a machine learning based approach to detect ransomware attacks by monitoring power consumption of Android devices. Specifically, our proposed method monitors the energy consumption patterns of different processes to classify ransomware
from non-malicious applications. We then demonstrate that our proposed approach outperforms K-Nearest Neighbors, Neural Networks, Support Vector Machine and Random
Forest, in terms of accuracy rate, recall rate, precision rate and F-measure.
A First Look at the Crypto-Mining Malware Ecosystem: A Decade of Unrestricted Wealth
Illicit crypto-mining leverages resources stolen from victims to mine
cryptocurrencies on behalf of criminals. While recent works have analyzed one
side of this threat, i.e., web-browser cryptojacking, only commercial reports
have partially covered binary-based crypto-mining malware. In this paper, we
conduct the largest measurement of crypto-mining malware to date, analyzing
approximately 4.5 million malware samples (1.2 million malicious miners), over
a period of twelve years from 2007 to 2019. Our analysis pipeline applies both
static and dynamic analysis to extract information from the samples, such as
wallet identifiers and mining pools. Together with OSINT data, this information
is used to group samples into campaigns. We then analyze publicly-available
payments sent to the wallets from mining-pools as a reward for mining, and
estimate profits for the different campaigns. All this together is done in a
fully automated fashion, which enables us to leverage measurement-based
findings of illicit crypto-mining at scale. Our profit analysis reveals
campaigns with multi-million earnings, associating over 4.4% of Monero with
illicit mining. We analyze the infrastructure related with the different
campaigns, showing that a high proportion of this ecosystem is supported by
underground economies such as Pay-Per-Install services. We also uncover novel
techniques that allow criminals to run successful campaigns.
Comment: A shorter version of this paper appears in the Proceedings of 19th
ACM Internet Measurement Conference (IMC 2019). This is the full version
A Novel Approach to Trojan Horse Detection in Mobile Phones Messaging and Bluetooth Services
A method to detect Trojan horses in messaging and Bluetooth services in mobile phones by means of monitoring the events produced by the infections is presented in this paper. The structure of the detection approach is split into two modules: the first is the Monitoring module, which controls connection requests and sent/received files, and the second is the Graphical User module, which shows messages and, under suspicious situations, informs the user about possible malware. Prototypes have been implemented on different mobile operating systems to test the feasibility of the approach on real cellphone malware. Experimental results are shown to be promising, since this approach effectively detects various known malware.
Ministerio de Ciencia e Innovación TIN2009-14378-C02-0