Catherine Boileau, F. Gagnon, Jérémie Poisson, Simon Frenette, M. Mejri
Title: A Comparative Study of Android Malware Behavior in Different Contexts
Authors: Catherine Boileau, F. Gagnon, Jérémie Poisson, Simon Frenette, M. Mejri
DOI: 10.5220/0005997300470054 (https://doi.org/10.5220/0005997300470054)
Venue: International Conference on Data Communication Networking
Publication date: 2016-07-26
Publication type: Journal Article
Citation count: 1
Source platform: Semantic Scholar
A Comparative Study of Android Malware Behavior in Different Contexts
One of the numerous ways of addressing the Android malware threat is to run malicious applications in a sandbox environment while monitoring metrics. However, dynamic malware analysis is usually concerned with a one-time execution of an application, and information about behaviour in different environments is lacking in the literature. We fill this gap with a fuzzing-like approach to the problem: by running the same malware multiple times in different environments, we gain insight into the malware's behaviour and its peculiarities. To implement this approach, we leverage a client-server sandbox to run experiments based on a common suite of actions. Scenarios are executed multiple times on a malware sample, each time with a different parameter, and results are compared to determine variation in observed behaviour. In our current experiment, variation was introduced by different levels of simulation, allowing us to compare metrics such as failure rate, data leakages, sending of SMS, and the number of HTTP and DNS requests. We find that the behaviour differs for data leakages, which require no simulation to leak information, while all results for the other metrics were higher when simulation was used in experiments. We expect that a fuzzing approach with other parameters will further our understanding of malware behaviour, particularly for malware bound to such parameters.