Analysis of Code Heterogeneity for High-Precision Classification of Repackaged Malware

2016 IEEE Security and Privacy Workshops (SPW) Pub Date : 2016-05-22 DOI:10.1109/SPW.2016.33

K. Tian, D. Yao, B. Ryder, Gang Tan

{"title":"Analysis of Code Heterogeneity for High-Precision Classification of Repackaged Malware","authors":"K. Tian, D. Yao, B. Ryder, Gang Tan","doi":"10.1109/SPW.2016.33","DOIUrl":null,"url":null,"abstract":"During repackaging, malware writers statically inject malcode and modify the control flow to ensure its execution. Repackaged malware is difficult to detect by existing classification techniques, partly because of their behavioral similarities to benign apps. By exploring the app's internal different behaviors, we propose a new Android repackaged malware detection technique based on code heterogeneity analysis. Our solution strategically partitions the code structure of an app into multiple dependence-based regions (subsets of the code). Each region is independently classified on its behavioral features. We point out the security challenges and design choices for partitioning code structures at the class and method level graphs, and present a solution based on multiple dependence relations. We have performed experimental evaluation with over 7,542 Android apps. For repackaged malware, our partition-based detection reduces false negatives (i.e., missed detection) by 30-fold, when compared to the non-partition-based approach. Overall, our approach achieves a false negative rate of 0.35% and a false positive rate of 2.97%.","PeriodicalId":341207,"journal":{"name":"2016 IEEE Security and Privacy Workshops (SPW)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2016-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"43","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2016 IEEE Security and Privacy Workshops (SPW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SPW.2016.33","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 43

Abstract

During repackaging, malware writers statically inject malcode and modify the control flow to ensure its execution. Repackaged malware is difficult to detect by existing classification techniques, partly because of their behavioral similarities to benign apps. By exploring the app's internal different behaviors, we propose a new Android repackaged malware detection technique based on code heterogeneity analysis. Our solution strategically partitions the code structure of an app into multiple dependence-based regions (subsets of the code). Each region is independently classified on its behavioral features. We point out the security challenges and design choices for partitioning code structures at the class and method level graphs, and present a solution based on multiple dependence relations. We have performed experimental evaluation with over 7,542 Android apps. For repackaged malware, our partition-based detection reduces false negatives (i.e., missed detection) by 30-fold, when compared to the non-partition-based approach. Overall, our approach achieves a false negative rate of 0.35% and a false positive rate of 2.97%.

查看原文本刊更多论文

重包装恶意软件高精度分类的代码异构性分析

在重新打包过程中，恶意软件编写者静态地注入恶意代码并修改控制流以确保其执行。重新打包的恶意软件很难被现有的分类技术检测到，部分原因是它们的行为与良性应用程序相似。通过对应用内部不同行为的探究，提出了一种基于代码异质性分析的Android重包装恶意软件检测新技术。我们的解决方案战略性地将应用程序的代码结构划分为多个基于依赖的区域(代码子集)。每个区域根据其行为特征独立分类。指出了在类和方法级图上划分代码结构的安全挑战和设计选择，并提出了一种基于多重依赖关系的解决方案。我们对超过7542个Android应用程序进行了实验评估。对于重新打包的恶意软件，与非基于分区的方法相比，我们基于分区的检测减少了30倍的误报(即错过的检测)。总体而言，我们的方法实现了0.35%的假阴性率和2.97%的假阳性率。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2016 IEEE Security and Privacy Workshops (SPW)

自引率

0.00%

发文量