8 research outputs found

    Detection of Android Malware based on Sequence Alignment of Permissions

    Permissions control access to critical resources on Android. Any weakness in how they are granted can be of great interest to attackers, while studying associations between requested permissions can reveal patterns that help defend against attacks. In this regard, this paper proposes an approach based on sequence alignment of requested permissions to identify similarities between applications. Permission patterns for malicious and normal samples are determined and used to compute a similarity score; the nature of an application is then decided against a judiciously computed threshold. Experiments were conducted on a dataset of 534 malicious samples (300 training and 234 testing) and 534 normal samples (300 training and 234 testing). Our approach recognised testing samples (either malware or normal) with an accuracy of 79%, an average precision of 76% and an average recall of 75%. This research shows that sequence alignment can improve malware detection research.

    An Architecture for Misconfiguration Patching of Web Services: A Case Study of Apache Server

    Services are usually left in their default configuration and are therefore subject to vulnerabilities because security is not enforced. Web services are so popular that they are targets of intrusion attacks exploiting vulnerabilities discovered by attackers. This work proposes an architecture for patching Web service misconfigurations related to known vulnerabilities. The approach underlying this architecture first retrieves and structures the anti-vulnerability measures published by the official service vendors. Second, it evaluates the risk level of the current configuration state using the Common Vulnerability Scoring System (CVSS). The proposed approach has been applied to the Apache server for four vulnerabilities: version discovery, XSS, SQL injection and denial of service. Experimental results in a vulnerable environment show that the proposed approach considerably reduces vulnerabilities compared to similar solutions.

    A Malware Detection System for Android

    Android security is built upon a permission-based mechanism, which restricts the access of third-party Android applications to critical resources on an Android device. The user must accept the set of permissions that an application requires before the installation proceeds. This is meant to inform the user about the risks of installing and using an application, but it has two problems. The first is that users are not sufficiently aware of existing threats and trust either the application store or the popularity of the application, accepting the installation without analysing the intentions of the developer. The second is that Android does not display the specific resource needed by the application and the corresponding permissions during installation. It rather presents categories representing sets of resources, each with a description, and these categories implicitly include the permissions necessary to access some resources. The user, probably confused by the management of permissions, grants more authorisations than necessary, which makes malicious applications harder to detect and constitutes the basis for many attacks. The thesis defines a system for detecting Android malware based only on requested permissions. It focuses on 222 permissions, including some exclusively for third-party applications. It is a static analysis technique that combines two reliable strategies. The first relies on a discriminating metric based on the frequency of permissions and the proportion of requests by malicious applications within the whole sample. The second relies on the security risks related to granting permissions. A comparison has shown that the four protection levels of permissions defined by Google are coarse-grained and hide the real meaning of permissions, whereas the first strategy is fine-grained and more precise in terms of permission semantics. We collected a dataset of 6783 malicious and 1993 normal applications, which have been tested and validated. Profiles for each sample have been generated according to both strategies and used as input for training and learning. Seven classifiers have been applied to the models to obtain performance results, and we select the good ones to define our classifier, which provides outstanding performance in detection and prediction. A dataset associating permissions with weights, reusable in other research, has been released from our work. Evaluations indicate that our model is one of the best tools using only requested permissions as a feature. It is able to detect around 99.20% of the 1260 malware cases released by the Genome project, which represent the behaviour of present-day malware. This work provides a scheme for weighting permissions that is applicable to a dataset of unknown samples while keeping good classification performance. The model detects Android malware with a True Positive Rate of around 97% and predicts Android malware with a True Positive Rate of around 95%, meaning that it is capable of discriminating almost all cases of malware in detection and prediction. The Area Under Curve (AUC) metric is between 97% and 99%, which confirms the outstanding quality of the detection system. We additionally propose a system that can be embedded into an Android hand-held device for real-time detection. A comparison with three renowned antiviruses reveals that our framework clearly outperforms two of them.

    CIAA-RepDroid: A Fine-Grained and Probabilistic Reputation Scheme for Android Apps Based on Sentiment Analysis of Reviews

    To keep its business reliable, Google is concerned with ensuring the quality of apps on its store, and one crucial aspect of quality is security. Security is pursued through Google Play Protect and anti-malware solutions; however, these are not fully effective, since they rely on application features and application execution threads. Google also provides elements that enable consumers to evaluate applications collectively, by sharing their experiences in reviews or expressing their satisfaction through a rating. The rating is more informal and hides the details behind it, whereas a review is textually expressive but requires further processing to understand the opinion it carries. The literature lacks approaches that mine reviews through sentiment analysis to extract information useful for improving the security of the applications provided. This work goes in that direction and investigates, in a fine-grained way, confidentiality, integrity, availability, and authentication (CIAA). Assuming that reviews are genuine and not fake, the proposed approach determines review polarities based on CIAA-related keywords. We rely on the popular Naive Bayes classifier to classify reviews into positive, negative, and neutral sentiment, and then provide an aggregation model that fuses the different polarities to obtain global and CIAA reputations for an application. Quantitative experiments have been conducted on 13 applications, including e-banking, live messaging and anti-malware apps, with a total of 1050 security-related reviews and 7,835,322 functionality-related reviews. Results show that 23% of the applications (3 apps) have a reputation greater than 0.5, with an accent on integrity, authentication, and availability, while the remaining 77% have a polarity under 0.5. This indicates that developers should invest substantial effort in security while writing code, and that more effort is needed to improve confidentiality reputation in particular. Results also show that applications with a good functionality-related reputation generally have a bad security-related reputation. Even though the number of security reviews is low, this does not mean that security is not a consumer preoccupation; rather, developers spend much more time testing whether applications work without errors, even when they contain possible security vulnerabilities. A quantitative comparison against well-known rating systems reveals the effectiveness and robustness of CIAA-RepDroid in rating the security reputation of apps. CIAA-RepDroid can be combined with existing rating solutions to recommend to developers the exact CIAA aspects to improve in their source code.

    A Reliable Weighting Scheme for the Aggregation of Crowd Intelligence to Detect Fake News

    Social networks play an important role in today's society and in our relationships with others. They give Internet users the opportunity to play an active role, e.g., by relaying information via a blog post, a comment, or even a vote, and the possibility to share any content at any time. However, some malicious Internet users take advantage of this freedom to share fake news in order to manipulate or mislead an audience, invade the privacy of others, or harm certain institutions. Fake news seeks to resemble traditional media to establish its credibility with the public, and its apparent seriousness pushes the public to share it; as a result, fake news can spread quickly and cause enormous difficulties for users and institutions. Several authors have proposed systems to detect fake news in social networks using crowd signals gathered through crowdsourcing. Unfortunately, these authors do not combine the expertise of the crowd with the expertise of a third party when making decisions. Crowds are useful for indicating whether or not a story should be fact-checked. This work proposes a new method for the binary aggregation of crowd opinions with the knowledge of a third-party expert. The aggregator is based on majority voting on the crowd side and weighted averaging on the third-party side. An experiment was conducted on 25 posts and 50 voters. A quantitative comparison with the majority vote model reveals that our aggregation model provides slightly better results, owing to the weights assigned to accredited users. A qualitative comparison against existing aggregation models shows that the proposed approach meets the requirements and properties expected of a crowdsourcing system and a voting system.

    A smart contract logic to reduce hoax propagation across social media

    One of the main concerns of cybersecurity is the detection of hoaxes across social media. Hoaxers propagate such messages to mislead users and to promote violence. Several approaches exist in the literature to address this issue, but they are mainly limited to detecting hoax activity by characterising the nature of a message and determining its provenance. Until a hoax is detected, however, it continues to propagate across social media nodes. This work aims at reducing the dissemination of hoaxes across groups of users. Relying on the social graph structure, this research develops a mechanism based on smart contract logic to prevent a group from consuming a fake post. To achieve this objective, we use a smart contract that exploits a trust index computed from message characteristics and group features such as graph density, group status, group degree and group acceptability. Based on the value of the trust index, the message is forwarded or blocked. Experiments on groups with different characteristics revealed that the proposed smart contract is even able to reactively block a fake post of the same nature as the group type. Results indicate that the proportion of targeted groups can be reduced even when their interests match the subject of the message. This research is an important step towards countering hoaxes, with the novelty of exploiting a smart contract approach to contain their propagation.