Android Malware Fingerprinting Using Dynamic Analysis

Abstract

AbstractIn this chapter, we elaborate a data driven framework for detecting Android malware using automatically engineered features derived from dynamic analyses. The state-of-the-art solutions, such as Chen et al., (Stormdroid: A streaminglized machine learning-based system for detecting android malware, in Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2016, Xi’an, May 30–June 3, 2016 (2016), pp. 377–388), Kharraz et al. (UNVEIL: A large-scale, automated approach to detecting ransomware, in 25th USENIX Security Symposium, USENIX Security 16, Austin, August 10–12, 2016 (2016), pp. 757–772) and Sgandurra et al. (CoRR abs/1609.03020, 2016), rely on manual feature engineering in malware detection. For example, StormDroid (Chen, et al., (Stormdroid: A streaminglized machine learning-based system for detecting android malware, in Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2016, Xi’an, May 30–June 3, 2016 (2016), pp. 377–388)) uses Sendsms and Recvnet dynamic features, which are chosen based on statistical analysis, for Android malware detection. As another example, the authors in Kolbitsch et al. (Effective and efficient malware detection at the end host, in USENIX Security Symposium (2009), pp. 351–366) used specific features to build behavioral graphs for Win32 malware detection. The security features may change based on the execution environment despite the target platform. For instance, the authors in Chen et al. (Stormdroid: A streaminglized machine learning-based system for detecting android malware, in Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2016, Xi’an, May 30–June 3, 2016 (2016), pp. 377–388) and in Alzaylaee et al. (CoRR abs/1607.08166, 2016) used different security features due to the difference between the execution environments. In the context of a security application, we are looking for a portable framework for malware detection based on the behavioral reports across a variety of platforms, architectures, and execution environments. The security analyst would be able to rely on this plug-and-play framework with a minimum effort in terms of feature engineerning. We plug the behavioral analysis reports for the training. Afterward, we employ the produced classification model on new reports without an explicit security feature engineering as in Chen et al. (Stormdroid: A streaminglized machine learning-based system for detecting android malware, in Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, AsiaCCS 2016, Xi’an, May 30–June 3, 2016 (2016), pp. 377–388), Kolbitsch et al. (Effective and efficient malware detection at the end host, in USENIX Security Symposium (2009), pp. 351–366) and Chen et al. (POSTER: semi-supervised classification for dynamic android malware detection, in Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, October 30–November 03, 2017 (2017), pp. 2479–2481). This previous process works virtually on any behavioral reports.