A temporal analysis and evaluation of fuzzy hashing algorithms for Android malware analysis

Impact factor 2.0; JCR Q3 (Computer Science, Information Systems); CAS Zone 4 (Medicine)
Murray Fleming, Oluwafemi Olukoya
DOI: 10.1016/j.fsidi.2024.301770
Journal: Forensic Science International-Digital Investigation
Published: 2024-05-13 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S2666281724000891
Citations: 0

Abstract

Fuzzy hashing has been utilised in digital forensics and malware analysis for malware detection, malware variant classification, file clustering, document similarity detection, embedded object detection and fragment detection. Previous research considered the efficacy of fuzzy hashing at a single point in time for malware classification and did not specifically address the problem of malware evolution. Android malware presents a significant cybersecurity threat, and since malware is constantly mutating, a temporal analysis of the effectiveness of fuzzy hashing techniques for Android malware detection and classification contributes to understanding the value of fuzzy hashes as malware evolves. Through experimental examination, this study sought to determine whether or not fuzzy hashes are always effective, how quickly malware is evolving, and how malware evolution affects fuzzy hashing. Comparisons are made between the performance of different fuzzy hashing algorithms and between hashes computed at the file and class levels. Experiments with known malware families and analysis of over 4500 APK files, including 100 benign samples collected from 2012 to 2022, were conducted using various fuzzy hashing algorithms, file-level and section-level similarity hashing, symbolic and raw opcode hashing, and optimisations for improving fuzzy hashing comparisons. The performance of the methods was evaluated using detection and false positive rates. The results show that fuzzy hashing algorithms remain a valuable technique that is robust to malware evolution, with 10-year detection rates of over 80%.

Source journal metrics: CiteScore 5.90; self-citation rate 15.00%; articles published 87; review time 76 days.