173 research outputs found

    MADAM: Effective and Efficient Behavior-based Android Malware Detection and Prevention

    Android users are constantly threatened by an increasing number of malicious applications (apps), generically called malware. Malware constitutes a serious threat to user privacy, money, device and file integrity. In this paper we note that, by studying their actions, we can classify malware into a small number of behavioral classes, each of which performs a limited set of misbehaviors that characterize them. These misbehaviors can be defined by monitoring features belonging to different Android levels. In this paper we present MADAM, a novel host-based malware detection system for Android devices which simultaneously analyzes and correlates features at four levels: kernel, application, user and package, to detect and stop malicious behaviors. MADAM has been designed to take into account those behaviors characteristic of almost every real malware which can be found in the wild. MADAM detects and effectively blocks more than 96% of malicious apps, which come from three large datasets with about 2,800 apps, by exploiting the cooperation of two parallel classifiers and a behavioral signature-based detector. Extensive experiments, which also include the analysis of a testbed of 9,804 genuine apps, have been conducted to show the low false alarm rate, the negligible performance overhead and limited battery consumption.

    A Framework for Probabilistic Contract Compliance

    We propose PICARD (ProbabIlistic Contract on AndRoiD), a framework to detect repackaged applications for Android smartphones based upon probabilistic contract matching. A contract describes the sequences of actions that an application is allowed to perform at run-time, i.e. its legal behavior. In PICARD, contracts are generated from the set of traces that represent the usage profile of the application. Both the contract and the application's run-time behavior are represented through clustered probabilistic automata. At run-time, a monitoring system verifies the compliance of the application trace with the contract. This approach is useful in detecting repackaged applications, whose behavior is strongly similar to the original application but differs only in small paths in the traces. In this paper, we discuss the framework of PICARD for describing and generating contracts through probabilistic automata and introduce the notion of ActionNode, a cluster of related system calls. Then, we present a first set of results using a prototype implementation of PICARD for Android smartphones to prove the efficacy of the framework in detecting two classes of applications, repackaged and trojanized ones.

    Digital Waste Sorting: A Goal-Based, Self-Learning Approach to Label Spam Email Campaigns

    Fast analysis of correlated spam emails may be vital in the effort of finding and prosecuting spammers performing cybercrimes such as phishing and online frauds. This paper presents a self-learning framework to automatically divide and classify large amounts of spam emails in correlated labeled groups. Building on large datasets daily collected through honeypots, the emails are firstly divided into homogeneous groups of similar messages (campaigns), which can be related to a specific spammer. Each campaign is then associated to a class which specifies the goal of the spammer, i.e. phishing, advertisement, etc. The proposed framework exploits a categorical clustering algorithm to group similar emails, and a classifier to subsequently label each email group. The main advantage of the proposed framework is that it can be used on large spam emails datasets, for which no prior knowledge is provided. The approach has been tested on more than 3200 real and recent spam emails, divided in more than 60 campaigns, reporting a classification accuracy of 97% on the classified data. © Springer International Publishing Switzerland 2015. S. Foresti (Ed.): STM 2015, LNCS 9331, pp. 3–19, 2015. DOI: 10.1007/978-3-319-24858-5

    A Multi-Criteria-Based Evaluation of Android Applications

    Android users can face the risk of downloading and installing bad applications on their devices. In fact, many applications may either hide malware, or their expected behavior does not fully follow the user's expectation. This happens because, at install-time, even if the user is warned with the potential security threat of the application, she often skips this alert message. On Android this is due to the complexity of the permission system, which may be tricky to fully understand. We propose a multi-criteria evaluation of Android applications, to help the user to easily understand the trustworthiness degree of an application, both from a security and a functional side. We validate our approach by testing it on more than 180 real applications found either on official and unofficial markets.

    Risk analysis of Android applications: A user-centric solution

    Android applications (apps) pose many risks to their users, e.g., by including code that may threaten user privacy or system integrity. Most of the current security countermeasures for detecting dangerous apps show some weaknesses, mainly related to users' understanding and acceptance. Hence, users would benefit from an effective but simple technique that indicates whether an app is safe or risky to be installed. In this paper, we present MAETROID (Multi-criteria App Evaluator of TRust for AndrOID), a framework to evaluate the trustworthiness of Android apps, i.e., the amount of risk they pose to users, e.g., in terms of confidentiality and integrity. MAETROID performs a multi-criteria analysis of an app at deploy-time and returns a single easy-to-understand evaluation of the app's risk level (i.e., Trusted, Medium Risk, and High Risk), aimed at driving the user decision on whether or not installing a new app. The criteria include the set of requested permissions and a set of metadata retrieved from the marketplace, denoting the app quality and popularity. We have tested MAETROID on a set of 11,000 apps both coming from Google Play and from a database of known malicious apps. The results show a good accuracy in both identifying the malicious apps and in terms of false positive rate.

    A Borehole Muon Telescope for Underground Muography

    Radiographic imaging with muons by absorption, also called Muon Radiography or Muography, is a methodology based on the characteristic of the matter to be crossed by high energy muons. This physical property allows muons to pass through the material with a measurable degree of absorption depending on the density of the material. Muon Radiography applies to several different situations and is particularly suitable for investigating subsoil of civil or archaeological interest. This kind of applications needs the muon detector to be installed below the target region. A novel borehole cylindrical detector has been built and tested for use in harsh conditions and for limited space installations. It is based on the past expertise with scintillator detectors and is composed of two types of scintillating elements, bar-shaped and arc-shaped. Due to its size, it can be easily installed in drilled holes of 25 cm in diameter or more, typically economical to make. Here, we describe the idea, commissioning, and some preliminary results.

    Muon Radiography Investigations in Boreholes with a Newly Designed Cylindrical Detector

    Muons are constantly produced in cosmic-rays and reach the Earth surface with a flux of about 160 particles per second per square meter. The abundance of muons with respect to other cosmic particles and their capability to cross dense materials with low absorption rate allow them to be exploited for large scale geological or human-made object imaging. Muon radiography is based on similar principles as X-ray radiography, measuring the surviving rate of muons escaping the target and relating it to the mass distribution inside the object. In the course of decades, after the first application in 1955, the methodology has been applied in several different fields. Muography allows us to measure the internal density distribution of the investigated object, or to simply highlight the presence of void regions by observing any excess of muons. Most of these applications require the detector to be installed below the rock being probed. In case that possible installation sites are not easily accessible by people, common instrumentation cannot be installed. A novel borehole cylindrical detector for muon radiography has been recently developed to deal with these conditions. It has been realized with a cylindrical geometry to fit typical borehole dimensions. Its design maximizes the geometrical acceptance, minimizing the dead spaces by the use of arc-shaped scintillators. The details of the construction and preliminary results of the first usage are described in this paper.

    Muography applied to nuclear waste storage sites

    Legacy storage sites for nuclear waste can pose a serious environmental problem. In fact, since certain sites date from the middle of the last century when safety protocols had not been properly established and strict bookkeeping was not enforced, a situation has evolved where the content of storage silos is basically known only with a large uncertainty both on quantity and quality. At the same time maintenance work on old storage structures is becoming ever more urgent and yet this work requires exactly that information which is now lacking on the type of waste that was stored inside. Because of the difficulty in accessing the storage silos and the near impossibility of making visual inspections inside, techniques have to be developed which can determine the presence or absence of heavy elements (i.e. uranium) within the structures. Muography is a very promising technique which could allow the survey of previously inaccessible structures. We have begun an evaluation performing feasibility studies using simulations based on real case scenarios. This paper will outline the storage site scenarios and then present some of the results obtained from the Monte Carlo simulations.

    Participatory Patterns in an International Air Quality Monitoring Initiative

    The issue of sustainability is at the top of the political and societal agenda, being considered of extreme importance and urgency. Human individual action impacts the environment both locally (e.g., local air/water quality, noise disturbance) and globally (e.g., climate change, resource use). Urban environments represent a crucial example, with an increasing realization that the most effective way of producing a change is involving the citizens themselves in monitoring campaigns (a citizen science bottom-up approach). This is possible by developing novel technologies and IT infrastructures enabling large citizen participation. Here, in the wider framework of one of the first such projects, we show results from an international competition where citizens were involved in mobile air pollution monitoring using low cost sensing devices, combined with a web-based game to monitor perceived levels of pollution. Measures of shift in perceptions over the course of the campaign are provided, together with insights into participatory patterns emerging from this study. Interesting effects related to inertia and to direct involvement in measurement activities rather than indirect information exposure are also highlighted, indicating that direct involvement can enhance learning and environmental awareness. In the future, this could result in better adoption of policies towards decreasing pollution. Comment: 17 pages, 6 figures, 1 supplementary fil