Fang Yu, Shin-Ying Huang, Li-ching Chiou, R. Tsaih
Title: Clustering iOS executable using self-organizing maps
Venue: The 2013 International Joint Conference on Neural Networks (IJCNN)
Publication date: 2013-08-01
DOI: https://doi.org/10.1109/IJCNN.2013.6706728
Citations: 6
Abstract
We pioneer the study of applying both SOMs and GHSOMs to cluster mobile apps based on their behaviors, showing that the SOM family works well for clustering samples with more than ten thousand attributes. The behaviors of apps are characterized by system method calls that are embedded in their executables but may not be perceived by users. In the data preprocessing stage, we propose a novel static binary analysis to resolve and count implicit system method calls of iOS executables. Since an app can make thousands of system method calls, a large number of attribute dimensions is needed to model its behavior faithfully. From 115 apps downloaded directly from the Apple App Store, the analysis shows that each app sample is represented with 18000+ kinds of methods as its attributes. Theoretically, such a sample representation with more than ten thousand attributes poses a challenge to traditional clustering mechanisms. However, our experimental results show that apps with similar behaviors (due to having been developed by the same company or providing similar services) can be clustered together via both SOMs and GHSOMs.