Pinpointing Mobile Malware Using Code Analysis

Omer Tripp, Marco Pistoia, Pietro Ferrara, J. Rubin
{"title":"Pinpointing Mobile Malware Using Code Analysis","authors":"Omer Tripp, Marco Pistoia, Pietro Ferrara, J. Rubin","doi":"10.1145/2897073.2897707","DOIUrl":null,"url":null,"abstract":"Mobile malware has recently become an acute problem. Existing solutions either base static reasoning on syntactic properties, such as exception handlers or configuration fields, or compute data-flow reachability over the program, which leads to scalability challenges. We explore a new and complementary category of features, which strikes a middleground between the above two categories. This new category focuses on security-relevant operations (communcation, lifecycle, etc) --- and in particular, their multiplicity and happens-before order --- as a means to distinguish between malicious and benign applications. Computing these features requires semantic, yet lightweight, modeling of the program's behavior. We have created a malware detection system for Android, MassDroid, that collects traces of security-relevant operations from the call graph via a scalable form of data-flow analysis. These are reduced to happens-before and multiplicity features, then fed into a supervised learning engine to obtain a malicious/benign classification. MassDroid also embodies a novel reporting interface, containing pointers into the code that serve as evidence supporting the determination. We have applied MassDroid to 35,000 Android apps from the wild. The results are highly encouraging with an F-score of 95% in standard testing, and >90% when applied to previously unseen malware signatures. MassDroid is also efficient, requiring about two minutes per app. MassDroid is publicly available as a cloud service for malware detection.","PeriodicalId":296509,"journal":{"name":"2016 IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-05-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2897073.2897707","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 2

Abstract

Mobile malware has recently become an acute problem. Existing solutions either base static reasoning on syntactic properties, such as exception handlers or configuration fields, or compute data-flow reachability over the program, which leads to scalability challenges. We explore a new and complementary category of features, which strikes a middleground between the above two categories. This new category focuses on security-relevant operations (communcation, lifecycle, etc) --- and in particular, their multiplicity and happens-before order --- as a means to distinguish between malicious and benign applications. Computing these features requires semantic, yet lightweight, modeling of the program's behavior. We have created a malware detection system for Android, MassDroid, that collects traces of security-relevant operations from the call graph via a scalable form of data-flow analysis. These are reduced to happens-before and multiplicity features, then fed into a supervised learning engine to obtain a malicious/benign classification. MassDroid also embodies a novel reporting interface, containing pointers into the code that serve as evidence supporting the determination. We have applied MassDroid to 35,000 Android apps from the wild. The results are highly encouraging with an F-score of 95% in standard testing, and >90% when applied to previously unseen malware signatures. MassDroid is also efficient, requiring about two minutes per app. MassDroid is publicly available as a cloud service for malware detection.
使用代码分析精确定位移动恶意软件
手机恶意软件最近已经成为一个严重的问题。现有的解决方案要么基于语法属性(如异常处理程序或配置字段)的静态推理,要么计算程序上的数据流可达性,这将导致可伸缩性方面的挑战。我们探索了一种新的、互补的特征类别,它介于上述两类之间。这个新类别侧重于与安全相关的操作(通信、生命周期等)——特别是它们的多样性和发生顺序——作为区分恶意和良性应用程序的一种手段。计算这些特性需要对程序的行为进行语义的、轻量级的建模。我们已经为Android创建了一个恶意软件检测系统,MassDroid,它通过可扩展的数据流分析形式从调用图中收集安全相关操作的痕迹。这些特征被简化为发生前和多重特征,然后输入监督学习引擎以获得恶意/良性分类。MassDroid还包含一个新颖的报告接口,其中包含指向代码的指针,作为支持判断的证据。我们已经将MassDroid应用于3.5万个Android应用。结果非常令人鼓舞,在标准测试中f得分为95%,并且在应用于以前未见过的恶意软件签名时>90%。MassDroid的效率也很高,每个应用大约需要两分钟。MassDroid作为恶意软件检测的云服务公开提供。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
自引率
0.00%
发文量
0
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信