Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013
Transcript of Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013
![Page 1: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/1.jpg)
Anomaly Detection using String Analysis for
Android Malware Detection
Borja Sanz, Igor Santos, Xabier Ugarte-Pedrero, Carlos Laorden, Javier Nieves, Pablo G. Bringas
![Page 2: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/2.jpg)
In the past 10 years mobile phones have evolved
![Page 3: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/3.jpg)
In fact, now they are called
smartphones
![Page 4: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/4.jpg)
108 million iPhones sold
![Page 5: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/5.jpg)
1955 Android devices activated since I started this presentation
![Page 6: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/6.jpg)
1972 Android devices activated since I started this presentation
![Page 7: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/7.jpg)
2006 Android devices activated since I started this presentation
![Page 8: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/8.jpg)
2023 Android devices activated since I started this presentation
![Page 9: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/9.jpg)
1.5 million every day
![Page 10: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/10.jpg)
![Page 11: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/11.jpg)
It is a revolution
![Page 12: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/12.jpg)
Emails, Pictures, Videos, IM, Web history, Documents, Geoposition, Movements, Microphone, Camera, Call history, Wallet
![Page 13: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/13.jpg)
Let me ask you…
![Page 14: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/14.jpg)
Would you lend me your smartphone? (no doubts)
Have you ever lost a cellphone? (feeling?)
![Page 15: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/15.jpg)
We carry sensitive information in our pockets
![Page 16: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/16.jpg)
What about security? Is there malware in Android?
![Page 17: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/17.jpg)
Malware in Android
![Page 18: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/18.jpg)
Malware is one of the most important issues in Android
![Page 19: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/19.jpg)
But I only download apks from the market…
![Page 20: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/20.jpg)
![Page 21: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/21.jpg)
New detection methods are necessary
![Page 22: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/22.jpg)
Anomaly detection method for Android malware detection
![Page 23: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/23.jpg)
1 Dataset creation
![Page 24: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/24.jpg)
Benign software (goodware)
Malicious software (malware)
![Page 25: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/25.jpg)
![Page 26: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/26.jpg)
Malware dataset
- AV evaluation: evaluation of samples based on the detecting AVs
- Threshold definition
- Remove duplicate samples
- 1,938 samples reduced to 333 samples
![Page 27: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/27.jpg)
Goodware dataset
- Category: game
- 333 samples
![Page 28: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/28.jpg)
2 Feature selection
![Page 29: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/29.jpg)
Strings
```smali
const-string v6, "TEST CONSTANT"
const-string v6, "THE VARIABLE"
```
![Page 30: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/30.jpg)
| Sample | THE VARIABLE | TEST CONSTANT | |
|---|---|---|---|
| S1 | 0 | 1 | 1 |
| S2 | 1 | 0 | 0 |
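The feature-selection step above turns each APK's `const-string` constants into a binary presence vector over the vocabulary of all strings seen in the dataset. The following Python is an added example (not code from the authors) of that step over two constructed smali fragments; the sample names `S1`/`S2`, the string values and the `vectorize` helper are assumptions for illustration.

```python
import re
from typing import Dict, List, Set

# Constructed sample input: two tiny fragments of Dalvik disassembly in smali syntax,
# standing in for the disassembled classes.dex of two apps.
SMALI_S1 = '''
.method public run()V
    const-string v6, "TEST CONSTANT"
    const-string v0, "http://example.invalid/ping"
    return-void
.end method
'''
SMALI_S2 = '''
.method public run()V
    const-string v6, "THE VARIABLE"
    const-string/jumbo v1, "THE VARIABLE"
    return-void
.end method
'''

# One const-string (or const-string/jumbo) instruction per line: register, then a
# double-quoted literal that may contain backslash escapes such as \" or \n.
CONST_STRING_RE = re.compile(
    r'^\s*const-string(?:/jumbo)?\s+[vp]\d+,\s*"((?:[^"\\]|\\.)*)"', re.M)


def extract_strings(smali: str) -> Set[str]:
    """Return the set of distinct string constants loaded by const-string instructions."""
    return set(CONST_STRING_RE.findall(smali))


def build_vocabulary(strings_by_sample: Dict[str, Set[str]]) -> List[str]:
    """Union of all strings over the dataset, sorted so every vector shares one column order."""
    vocab: Set[str] = set()
    for strings in strings_by_sample.values():
        vocab |= strings
    return sorted(vocab)


def to_binary_vector(strings: Set[str], vocabulary: List[str]) -> List[int]:
    """Binary weighting: 1 if the app contains the term, 0 otherwise (no term frequency)."""
    return [1 if term in strings else 0 for term in vocabulary]


def vectorize(smali_by_sample: Dict[str, str]) -> Dict[str, object]:
    """Map sample name -> smali text into a shared vocabulary and one vector per sample."""
    strings_by_sample = {name: extract_strings(text) for name, text in smali_by_sample.items()}
    vocabulary = build_vocabulary(strings_by_sample)
    vectors = {name: to_binary_vector(s, vocabulary) for name, s in strings_by_sample.items()}
    return {"vocabulary": vocabulary, "vectors": vectors}


if __name__ == "__main__":
    result = vectorize({"S1": SMALI_S1, "S2": SMALI_S2})
    print(result["vocabulary"])
    for name, vec in result["vectors"].items():
        print(name, vec)
```

Note that repeated occurrences of the same constant (as in `S2`) collapse to a single 1, matching the binary representation in the table; the `/jumbo` variant is included because smali emits it for string-table indices above 65535, and skipping it would silently drop strings from large apps.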
![Page 31: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/31.jpg)
(Figure: documents D1, D2, D3, D5, D6, D7 and D9 plotted in the vector space whose axes are the terms t1, t2 and t3)
![Page 32: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/32.jpg)
3 Anomaly Detection
![Page 33: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/33.jpg)
(Figure: anomaly detection; the distance d from an unknown sample to the reference set is compared against a threshold: d < threshold? or d > threshold?)
![Page 34: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/34.jpg)
Manhattan distance
Euclidean distance
Cosine distance
![Page 35: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/35.jpg)
(Figure: anomaly detection; distances d from the sample to the reference samples)
![Page 36: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/36.jpg)
Minimum distance
Maximum distance
Mean distance
![Page 37: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/37.jpg)
Minimum distance
Maximum distance
Mean distance
Manhattan distance
Euclidean distance
Cosine distance
![Page 38: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/38.jpg)
10 different thresholds
![Page 39: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/39.jpg)
(Figure: anomaly detection; the distance d is compared against the threshold: d > threshold?)
![Page 40: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/40.jpg)
(Figure: min, max)
![Page 41: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/41.jpg)
Minimum distance
Maximum distance
Mean distance
Manhattan distance
Euclidean distance
10 thresholds
![Page 42: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/42.jpg)
5-fold cross-validation
![Page 43: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/43.jpg)
4 Results
![Page 44: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/44.jpg)
TPR, FPR, Accuracy
Manhattan Euclidean Cosine
![Page 45: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/45.jpg)
Area Under the Curve
Manhattan Euclidean Cosine
0.88
![Page 46: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/46.jpg)
Only consider benign samples to measure distances
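The detection stage described across the previous slides combines a distance measure (Manhattan, Euclidean or cosine), a selection rule that collapses the distances to all benign reference samples into one score (minimum, maximum or mean), and a threshold above which the sample is flagged, evaluated by TPR, FPR, accuracy and the area under the ROC curve. The following Python is an added example (not the authors' code) that implements that pipeline end to end over constructed six-term binary vectors; the reference and test vectors, their labels, the `threshold_grid` helper and the rank-based AUC computation are assumptions for illustration, and the 5-fold cross-validation is not reproduced.

```python
import math
from typing import Callable, Dict, List, Sequence

Vector = Sequence[int]


# --- distance measures between two binary string-presence vectors ---
def manhattan(a: Vector, b: Vector) -> float:
    return float(sum(abs(x - y) for x, y in zip(a, b)))


def euclidean(a: Vector, b: Vector) -> float:
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def cosine(a: Vector, b: Vector) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:
        # Edge case: an app with no string constants has no direction, so treat it as
        # maximally distant instead of dividing by zero.
        return 1.0
    return max(0.0, 1.0 - dot / (na * nb))  # clamp away float noise below 0


DISTANCES: Dict[str, Callable[[Vector, Vector], float]] = {
    "manhattan": manhattan, "euclidean": euclidean, "cosine": cosine}

# --- selection rules: collapse the distances to all reference samples into one score ---
SELECTION_RULES: Dict[str, Callable[[List[float]], float]] = {
    "min": min, "max": max, "mean": lambda ds: sum(ds) / len(ds)}


def anomaly_score(sample: Vector, benign_reference: List[Vector],
                  distance: str = "manhattan", rule: str = "min") -> float:
    """Only benign samples are used as the reference set; malware is never needed to train."""
    ds = [DISTANCES[distance](sample, b) for b in benign_reference]
    return SELECTION_RULES[rule](ds)


def evaluate(scores: List[float], labels: List[int], threshold: float) -> Dict[str, float]:
    """A sample is flagged as malware when score > threshold; label 1 = malware, 0 = benign."""
    tp = fp = tn = fn = 0
    for s, y in zip(scores, labels):
        flagged = s > threshold
        if y == 1:
            tp += 1 if flagged else 0
            fn += 0 if flagged else 1
        else:
            fp += 1 if flagged else 0
            tn += 0 if flagged else 1
    pos, neg = tp + fn, fp + tn
    return {"threshold": threshold,
            "tpr": tp / pos if pos else 0.0,
            "fpr": fp / neg if neg else 0.0,
            "accuracy": (tp + tn) / len(scores)}


def threshold_grid(scores: List[float], n: int = 10) -> List[float]:
    """n evenly spaced thresholds between the minimum and maximum observed score."""
    lo, hi = min(scores), max(scores)
    return [lo + (hi - lo) * i / (n - 1) for i in range(n)]


def auc(scores: List[float], labels: List[int]) -> float:
    """Area under the ROC curve as P(malware score > benign score), ties counting one half."""
    pos = [s for s, y in zip(scores, labels) if y == 1]
    neg = [s for s, y in zip(scores, labels) if y == 0]
    wins = sum(1.0 if p > q else 0.5 if p == q else 0.0 for p in pos for q in neg)
    return wins / (len(pos) * len(neg))


# Constructed data: each column is one string from the vocabulary of the feature step.
BENIGN_REFERENCE: List[Vector] = [[1, 1, 1, 0, 0, 0], [1, 1, 0, 0, 0, 0], [1, 0, 1, 0, 0, 0]]
TEST_VECTORS: List[Vector] = [[1, 1, 1, 0, 0, 0], [0, 1, 1, 0, 0, 0], [0, 0, 0, 1, 0, 0],
                              [0, 0, 0, 1, 1, 1], [1, 0, 0, 1, 1, 0]]
TEST_LABELS: List[int] = [0, 0, 0, 1, 1]  # the third benign app shares no strings with the reference


def run_experiment(distance: str = "manhattan", rule: str = "min") -> Dict[str, object]:
    scores = [anomaly_score(v, BENIGN_REFERENCE, distance, rule) for v in TEST_VECTORS]
    return {"scores": scores, "auc": auc(scores, TEST_LABELS),
            "sweep": [evaluate(scores, TEST_LABELS, t) for t in threshold_grid(scores)]}


if __name__ == "__main__":
    for d in DISTANCES:
        for r in SELECTION_RULES:
            res = run_experiment(d, r)
            print(d, r, "AUC=%.3f" % res["auc"], [round(s, 2) for s in res["scores"]])
```

With the Manhattan distance and the minimum rule the scores are 0, 1, 3, 5 and 3: a threshold of 2 catches both malware samples but also flags the unusual benign app (TPR 1.0, FPR 1/3, accuracy 0.8), which is exactly the trade-off the 10-threshold sweep and the AUC make visible.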
![Page 47: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/47.jpg)
Future work
![Page 48: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/48.jpg)
Other feature sets
![Page 49: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/49.jpg)
Other distances and selection rules
![Page 50: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/50.jpg)
Dynamic analysis
![Page 51: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/51.jpg)
We still have a long way to go
![Page 52: Anomaly Detection using String Analysis for Android Malware Detection - CISIS 2013](https://reader033.fdocuments.in/reader033/viewer/2022051818/5497a334b47959744d8b52f9/html5/thumbnails/52.jpg)
References (image credits)
1. Androides: http://fondosbonitos.com/file/663/2560x1440/crop/androides.jpg
2. Nexus phone: http://p.playserver1.com/ProductImages/5/5/7/3/1/4/5/2/25413755_700x700min_1.jpg
3. Apple Hacker: http://techbeat.com/wp-content/uploads/2012/09/Apple-Hacker-Heads-to-Twitter.jpg
4. Botnet costume: http://jon.oberheide.org/blog/wp-content/uploads/2007/01/costume2.jpg
5. Zombie bird: http://payload66.cargocollective.com/1/1/49299/3633335/an2.jpg
6. Toy Story command rescue: http://img.rakuten.com/PIC/4498966/0/1/500/4498966.jpg
7. Back to the future car: http://www.wallpaperfo.com/Abstract/High_definition/cars_high_definition_back_to_the_future_delorean_dmc12_1920x1080_wallpaper_518/download_2560x1440
8. Long way: http://hakimiyetimilliye.org/wp-content/uploads/2013/02/%D8%B7%D8%B1%D9%8A%D9%82-1.jpg