Soteria: Detecting Adversarial Examples in Control Flow Graph-based Malware Classifiers

Alasmary, Hisham; Abusnaina, Ahmed; Jang, Rhongho; Abuhamad, Mohammed; Anwar, Afsah; Nyang, DaeHun; Mohaisen, Aziz

doi:10.1109/icdcs47774.2020.00089

Cited by 29 publications

(13 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Soteria [ 10 ] is a static analyzer using the model-checking technique (MCT), that extracts a state model from the code of an IoT application to verify if an application or multi-app system respects security, safety, and functional properties. Another version is Soteria2 [ 42 ], a static analyzer using the convolutional neural network (CNN). It is a random walk-based traversal method for feature extraction that employs both density-based and level-based CFG labels to achieve consistent representation.…”

Section: Related Work and Research Goalsmentioning

confidence: 99%

HSAS-MD Analyzer: A Hybrid Security Analysis System Using Model-Checking Technique and Deep Learning for Malware Detection in IoT Apps

Hamza

Halim

Sobh

et al. 2022

Sensors

View full text Add to dashboard Cite

Established Internet of Things (IoT) platforms suffer from their inability to determine whether an IoT app is secure or not. A security analysis system (SAS) is a protective shield against any attack that breaks down data privacy and security. Its main task focuses on detecting malware and verifying app behavior. There are many SASs implemented in various IoT applications. Most of them build on utilizing static or dynamic analysis separately. However, the hybrid analysis is the best for obtaining accurate results. The SAS provides an effective outcome according to many criteria related to the analysis process, such as analysis type, characteristics, sensitivity, and analysis techniques. This paper proposes a new hybrid (static and dynamic) SAS based on the model-checking technique and deep learning, called an HSAS-MD analyzer, which focuses on the holistic analysis perspective of IoT apps. It aims to analyze the data of IoT apps by (1) converting the source code of the target applications to the format of a model checker that can deal with it; (2) detecting any abnormal behavior in the IoT application; (3) extracting the main static features from it to be tested and classified using a deep-learning CNN algorithm; (4) verifying app behavior by using the model-checking technique. HSAS-MD gives the best results in detecting malware from malicious smart Things applications compared to other SASs. The experimental results of HSAS-MD show that it provides 95%, 94%, 91%, and 93% for accuracy, precision, recall, and F-measure, respectively. It also gives the best results compared with other analyzers from various criteria.

show abstract

Section: Related Work and Research Goalsmentioning

confidence: 99%

HSAS-MD Analyzer: A Hybrid Security Analysis System Using Model-Checking Technique and Deep Learning for Malware Detection in IoT Apps

Hamza

Halim

Sobh

et al. 2022

Sensors

View full text Add to dashboard Cite

show abstract

“…Despite the work in CV and NLP, there is a growing number of research ib the adversarial attack in cyber security domains, including malware detection [32][33][34], intrusion detection [35,36], etc. Such facts suggest that the vulnerability of neural network models widely exists.…”

Section: Related Workmentioning

confidence: 99%

CRank: Reusable Word Importance Ranking for Text Adversarial Attack

Chen

Liu

2021

Applied Sciences

View full text Add to dashboard Cite

Deep learning models have been widely used in natural language processing tasks, yet researchers have recently proposed several methods to fool the state-of-the-art neural network models. Among these methods, word importance ranking is an essential part that generates text adversarial examples, but suffers from low efficiency for practical attacks. To address this issue, we aim to improve the efficiency of word importance ranking, making steps towards realistic text adversarial attacks. In this paper, we propose CRank, a black box method utilized by our innovated masking and ranking strategy. CRank improves efficiency by 75% at the ’cost’ of only a 1% drop of the success rate when compared to the classic method. Moreover, we explore a new greedy search strategy and Unicode perturbation methods.

show abstract

“…This manipulation enables benign applications to inject their block of bytes into malicious binary. According to [25], some code-level malware applies perturbation and then modifies the original code structure. When malware attack the CFG of an Android-based device, it causes structural modification of the code's feature space.…”

Section: Api Callsmentioning

confidence: 99%

Modeling Correlation between Android Permissions Based on Threat and Protection Level Using Exploratory Factor Plane Analysis

Ashawa

Morris

2021

JCP

View full text Add to dashboard Cite

The evolution of mobile technology has increased correspondingly with the number of attacks on mobile devices. Malware attack on mobile devices is one of the top security challenges the mobile community faces daily. While malware classification and detection tools are being developed to fight malware infection, hackers keep deploying different infection strategies, including permissions usage. Among mobile platforms, Android is the most targeted by malware because of its open OS and popularity. Permissions is one of the major security techniques used by Android and other mobile platforms to control device resources and enhance access control. In this study, we used the t-Distribution stochastic neighbor embedding (t-SNE) and Self-Organizing Map techniques to produce a visualization method using exploratory factor plane analysis to visualize permissions correlation in Android applications. Two categories of datasets were used for this study: the benign and malicious datasets. Dataset was obtained from Contagio, VirusShare, VirusTotal, and Androzoo repositories. A total of 12,267 malicious and 10,837 benign applications with different categories were used. We demonstrate that our method can identify the correlation between permissions and classify Android applications based on their protection and threat level. Our results show that every permission has a threat level. This signifies those permissions with the same protection level have the same threat level.

show abstract

Soteria: Detecting Adversarial Examples in Control Flow Graph-based Malware Classifiers

Cited by 29 publications

References 20 publications

HSAS-MD Analyzer: A Hybrid Security Analysis System Using Model-Checking Technique and Deep Learning for Malware Detection in IoT Apps

HSAS-MD Analyzer: A Hybrid Security Analysis System Using Model-Checking Technique and Deep Learning for Malware Detection in IoT Apps

CRank: Reusable Word Importance Ranking for Text Adversarial Attack

Modeling Correlation between Android Permissions Based on Threat and Protection Level Using Exploratory Factor Plane Analysis

Contact Info

Product

Resources

About