Towards the Usage of Invariant-Based App Behavioral Fingerprinting for the Detection of Obfuscated Versions of Known Malware

Zigrid Shehu, Claudio Ciccotelli, Daniele Ucci, Leonardo Aniello, R. Baldoni
Published in: 2016 10th International Conference on Next Generation Mobile Applications, Security and Technologies (NGMAST)
Publication date: 2016-08-01
DOI: 10.1109/NGMAST.2016.16 (https://doi.org/10.1109/NGMAST.2016.16)
Citations: 6

Abstract

App fingerprints can be used to verify whether two apps are the same, and are useful tools for malware detection because they make it possible to recognize obfuscated versions of known malware. Fingerprinting an app on the basis of static features is known to fail against obfuscation, because obfuscation succeeds in hiding the static characteristics that reveal the malicious nature of an app. In this paper we propose a novel way to compute app fingerprints, which is based on behavioral features. The aim is to capture the semantics of the app, so that obfuscation becomes ineffective. The technique we introduce exploits invariants found among pairs of metrics collected during app execution, and produces a fingerprint consisting of the list of the correlation values of these pairs. We present an experimental evaluation carried out on a real Android device; the results support the methodology we propose and show that it can be a viable research direction to investigate further.
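An added illustration of the idea in the abstract (a fingerprint made of the correlation values of invariant metric pairs); it is not the authors' code. Pearson correlation, the stability tolerance `tol`, the `distance` function, and the metric names and traces are all assumptions constructed for this example, since the abstract specifies none of them.

```python
from itertools import combinations
from math import sqrt

def pearson(xs, ys):
    """Pearson correlation of two equal-length sample series (0.0 if either is constant)."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return cov / sqrt(vx * vy) if vx and vy else 0.0

def fingerprint(runs, tol=0.1):
    """runs: executions of one app, each {metric: samples}.
    Keep a metric pair only if its correlation is stable across runs
    (spread <= tol, an assumed invariance criterion); store the mean correlation."""
    fp = {}
    for a, b in combinations(sorted(runs[0]), 2):
        rs = [pearson(run[a], run[b]) for run in runs]
        if max(rs) - min(rs) <= tol:
            fp[(a, b)] = sum(rs) / len(rs)
    return fp

def distance(fp1, fp2):
    """Assumed metric in [0, 1]: mean |r1 - r2| / 2 over all pairs; a pair
    that is invariant in only one fingerprint counts as maximally different."""
    pairs = set(fp1) | set(fp2)
    if not pairs:
        return 1.0
    diffs = [abs(fp1[p] - fp2[p]) if p in fp1 and p in fp2 else 2.0 for p in pairs]
    return sum(diffs) / (2 * len(pairs))

# Constructed traces (not measurements from the paper): two runs per app.
KNOWN = [
    {"cpu": [10, 20, 30, 40, 50], "net": [1, 2, 3, 4, 5],
     "mem": [50, 40, 30, 20, 10], "disk": [1, 2, 3, 4, 5]},
    {"cpu": [12, 18, 33, 41, 48], "net": [1.1, 2.0, 3.2, 4.1, 4.9],
     "mem": [49, 42, 29, 21, 12], "disk": [5, 3, 4, 1, 2]},
]
# Assumption: obfuscation adds overhead (scale + offset) but keeps the behaviour.
OBFUSCATED = [{m: [1.3 * v + 5 for v in s] for m, s in run.items()} for run in KNOWN]
OTHER = [
    {"cpu": [10, 20, 30, 40, 50], "net": [5, 4, 3, 2, 1], "mem": [10, 20, 30, 40, 50]},
    {"cpu": [11, 19, 31, 42, 49], "net": [4.8, 4.1, 3.0, 1.9, 1.2], "mem": [12, 21, 29, 41, 52]},
]

if __name__ == "__main__":
    known = fingerprint(KNOWN)
    print(sorted(known))  # disk pairs are unstable across runs, so they are dropped
    print(distance(known, fingerprint(OBFUSCATED)), distance(known, fingerprint(OTHER)))
```

Because Pearson correlation is unchanged by positive scaling and offsets, the constructed obfuscated traces yield the same fingerprint as the known sample, while the unrelated app's fingerprint is far from it.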