DaDiDroid: An Obfuscation Resilient Tool for Detecting Android Malware via Weighted Directed Call Graph Modelling

Ikram, Muhammad; Beaume, Pierrick; Kâafar, Mohamed Ali

doi:10.48550/arxiv.1905.09136

Cited by 3 publications

(6 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, changing the order of API calls of the app may damage the malicious activity of the app. However, several evasion attacks manipulate the flow of the app and succeed in deceiving this kind of detection system, such as [51], [63], [58], [64], [65].…”

Section: A Android Malware Detection Systemsmentioning

confidence: 99%

See 1 more Smart Citation

MaMaDroid2.0 -- The Holes of Control Flow Graphs

Berger¹,

Hajaj²,

Mariconti³

et al. 2022

Preprint

View full text Add to dashboard Cite

Android malware is a continuously expanding threat to billions of mobile users around the globe. Detection systems are updated constantly to address these threats. However, a backlash takes the form of evasion attacks, in which an adversary changes malicious samples such that those samples will be misclassified as benign. This paper fully inspects a well-known Android malware detection system, MaMaDroid, which analyzes the control flow graph of the application. Changes to the portion of benign samples in the train set and models are considered to see their effect on the classifier. The changes in the ratio between benign and malicious samples have a clear effect on each one of the models, resulting in a decrease of more than 40% in their detection rate. Moreover, adopted ML models are implemented as well, including 5-NN, Decision Tree, and Adaboost. Exploration of the six models reveals a typical behavior in different cases, of tree-based models and distance-based models. Moreover, three novel attacks that manipulate the CFG and their detection rates are described for each one of the targeted models. The attacks decrease the detection rate of most of the models to 0%, with regards to different ratios of benign to malicious apps. As a result, a new version of MaMaDroid is engineered. This model fuses the CFG of the app and static analysis of features of the app. This improved model is proved to be robust against evasion attacks targeting both CFG-based models and static analysis models, achieving a detection rate of more than 90% against each one of the attacks.

show abstract

Section: A Android Malware Detection Systemsmentioning

confidence: 99%

“…Another example of concealment is packing an app inside a fellow app. DaDidroid [63] explored a similar approach as Demontis et al [35] using packing and obfuscation.…”

Section: B Problem-based Evasion Attacksmentioning

confidence: 99%

MaMaDroid2.0 -- The Holes of Control Flow Graphs

Berger¹,

Hajaj²,

Mariconti³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Furthermore, a change to the sequence of API calls of the app may damage the functionality of the malicious app, or its maliciousness. However, evasion attacks that manipulate the flow of the app such as as [30,62,86,99,128] succeed in deceiving this kind of detection systems.…”

Section: Android Malware Ml-based Detection Systemsmentioning

confidence: 99%

“…Another example of camouflage is packing an app inside another app. DaDidroid [62] used a similar approach as found in Demontis et al [32] by adding packing to the obfuscation methods. The authors wrapped the original Android malware inside another app.…”

Section: Evasion Attacks On Ml-based Detection Systemsmentioning

confidence: 99%

See 1 more Smart Citation

When the Guard failed the Droid: A case study of Android malware

Berger¹,

Hajaj²,

Dvir³

2020

Preprint

View full text Add to dashboard Cite

Android malware is a persistent threat to billions of users around the world. As a countermeasure, Android malware detection systems are occasionally implemented. However, these systems are often vulnerable to evasion attacks, in which an adversary manipulates malicious instances so that they are misidentified as benign. In this paper, we launch various innovative evasion attacks against several Android malware detection systems. The vulnerability inherent to all of these systems is that they are part of Androguard [34], a popular open source library used in Android malware detection systems. Some of the detection systems decrease to a 0% detection rate after the attack. Therefore, the use of open source libraries in malware detection systems calls for caution.In addition, we present a novel evaluation scheme for evasion attack generation that exploits the weak spots of known Android malware detection systems. In so doing, we evaluate the functionality and maliciousness of the manipulated instances created by our evasion attacks. We found variations in both the maliciousness and functionality tests of our manipulated apps. We show that non-functional apps, while considered malicious, do not threaten users and are thus useless from an attacker's point of view. We conclude that evasion attacks must be assessed for both functionality and maliciousness to evaluate their impact, a step which is far from commonplace today.

show abstract

Do You Think You Can Hold Me? The Real Challenge of Problem-Space Evasion Attacks

Berger¹,

Dvir²,

Hajaj³

et al. 2022

Preprint

View full text Add to dashboard Cite

Android malware is a spreading disease in the virtual world. Anti-virus and detection systems continuously undergo patches and updates to defend against these threats. Most of the latest approaches in malware detection use Machine Learning (ML). Against the robustifying effort of detection systems, raise the evasion attacks, where an adversary changes its targeted samples so that they are misclassified as benign. This paper considers two kinds of evasion attacks: feature-space and problem-space. Feature-space attacks consider an adversary who manipulates ML features to evade the correct classification while minimizing or constraining the total manipulations. Problem-space attacks refer to evasion attacks that change the actual sample. Specifically, this paper analyzes the gap between these two types in the Android malware domain. The gap between the two types of evasion attacks is examined via the retraining process of classifiers using each one of the evasion attack types. The experiments show that the gap between these two types of retrained classifiers is dramatic and may increase to 96%. Retrained classifiers of feature-space evasion attacks have been found to be either less effective or completely ineffective against problem-space evasion attacks. Additionally, exploration of different problem-space evasion attacks shows that retraining of one problem-space evasion attack may be effective against other problem-space evasion attacks.

show abstract

DaDiDroid: An Obfuscation Resilient Tool for Detecting Android Malware via Weighted Directed Call Graph Modelling

Cited by 3 publications

References 0 publications

MaMaDroid2.0 -- The Holes of Control Flow Graphs

MaMaDroid2.0 -- The Holes of Control Flow Graphs

When the Guard failed the Droid: A case study of Android malware

Do You Think You Can Hold Me? The Real Challenge of Problem-Space Evasion Attacks

Contact Info

Product

Resources

About