Using Loops For Malware Classification Resilient to Feature-unaware Perturbations

Machiry, Aravind; Redini, Nilo; Gustafson, Eric; Fratantonio, Yanick; Choe, Yung Ryn; Kruegel, Christopher; Vigna, Giovanni

doi:10.1145/3274694.3274731

Cited by 18 publications

(10 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In order to maintain high effectiveness on detecting Android malware, researchers [18,22,25,29,31,36,38,41,42,54,[57][58][59][60][61] conduct program analysis to extract different types of app semantics. For example, MaMaDroid [42] first performs static analysis to obtain the graph representation of an app, then all the sequences are obtained from the graph and are abstracted into the corresponding packages to model the app's invocation behaviors.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

HomDroid: detecting Android covert malware by social-network homophily analysis

Zou

Yang³

et al. 2021

Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

Android has become the most popular mobile operating system. Correspondingly, an increasing number of Android malware has been developed and spread to steal users' private information. There exists one type of malware whose benign behaviors are developed to camouflage malicious behaviors. The malicious component occupies a small part of the entire code of the application (app for short), and the malicious part is strongly coupled with the benign part. In this case, the malware may cause false negatives when malware detectors extract features from the entire apps to conduct classification because the malicious features of these apps may be hidden among benign features. Moreover, some previous work aims to divide the entire app into several parts to discover the malicious part. However, the premise of these methods to commence app partition is that the connections between the normal part and the malicious part are weak (e.g., repackaged malware).In this paper, we call this type of malware as Android covert malware and generate the first dataset of covert malware. To detect covert malware samples, we first conduct static analysis to extract the function call graphs. Through the deep analysis on call graphs, we observe that although the correlations between the normal part and the malicious part in these graphs are high, the degree of these correlations has a unique range of distribution. Based on the

show abstract

Section: Related Workmentioning

confidence: 99%

“…In general, existing mobile malware detection approaches can be classified into two categories, namely syntax-based approaches [17,20,46,51,55,62] and semantics-based systems [18,22,31,41,42,[58][59][60]. As for syntax-based methods, they ignore the program semantics of apps to achieve high efficient Android malware detection.…”

Section: Introductionmentioning

confidence: 99%

HomDroid: detecting Android covert malware by social-network homophily analysis

Zou

Yang³

et al. 2021

Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis

View full text Add to dashboard Cite

show abstract

“…Further, even organic workers tend to use their devices in a manner that distinguishes them from regular users. Related efforts also include extensive work to detect malware Android apps, e.g., [29,41,54,60,61,[69][70][71]95]. Notably, Yang et al [91] differentiate malware from benign apps based on the contexts that trigger security-sensitive behaviors.…”

Section: Related Workmentioning

confidence: 99%

RacketStore: Measurements of ASO Deception in Google Play via Mobile and App Usage

Hernandez,

Recabarren,

Carbunar

et al. 2021

Preprint

View full text Add to dashboard Cite

Online app search optimization (ASO) platforms that provide bulk installs and fake reviews for paying app developers in order to fraudulently boost their search rank in app stores, were shown to employ diverse and complex strategies that successfully evade state-of-theart detection methods. In this paper we introduce RacketStore, a platform to collect data from Android devices of participating ASO providers and regular users, on their interactions with apps which they install from the Google Play Store. We present measurements from a study of 943 installs of RacketStore on 803 unique devices controlled by ASO providers and regular users, that consists of 58,362,249 data snapshots collected from these devices, the 12,341 apps installed on them and their 110,511,637 Google Play reviews. We reveal significant differences between ASO providers and regular users in terms of the number and types of user accounts registered on their devices, the number of apps they review, and the intervals between the installation times of apps and their review times. We leverage these insights to introduce features that model the usage of apps and devices, and show that they can train supervised learning algorithms to detect paid app installs and fake reviews with an F1-measure of 99.72% (AUC above 0.99), and detect devices controlled by ASO providers with an F1-measure of 95.29% (AUC = 0.95). We discuss the costs associated with evading detection by our classifiers and also the potential for app stores to use our approach to detect ASO work with privacy. CCS CONCEPTS• Security and privacy → Social network security and privacy; Social aspects of security and privacy;

show abstract

“…DeepRefiner [46] employs LSTM units to analyse Android bytecode, however there may be a complexity issue in that approach with the model containing at least 18 million parameters. [25] uses semantic labels for classification determined from API methods specifically invoked within loops from an app's code. This is tested against control flow graph obfuscation and reflection.…”

Section: Obfuscation Resiliencementioning

confidence: 99%

“…Similarly, authors in [25] use expert-derived loop features and a conventional Random Forest (RF) classifier. Furthermore, they conduct an obfuscation test across their whole dataset by using reflection on all their malicious and benign apps.…”

Section: State-of-the-art Comparisonmentioning

confidence: 99%

DANdroid

Millar

McLaughlin

Rincón

et al. 2020

Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy

View full text Add to dashboard Cite

We present DANdroid, a novel Android malware detection model using a deep learning Discriminative Adversarial Network (DAN) that classifies both obfuscated and unobfuscated apps as either malicious or benign. Our method, which we empirically demonstrate is robust against a selection of four prevalent and real-world obfuscation techniques, makes three contributions. Firstly, an innovative application of discriminative adversarial learning results in malware feature representations with a strong degree of resilience to the four obfuscation techniques. Secondly, the use of three feature sets; raw opcodes, permissions and API calls, that are combined in a multi-view deep learning architecture to increase this obfuscation resilience. Thirdly, we demonstrate the potential of our model to generalize over rare and future obfuscation methods not seen in training. With an overall dataset of 68,880 obfuscated and unobfuscated malicious and benign samples, our multi-view DAN model achieves an average F-score of 0.973 that compares favourably with the state-of-the-art, despite being exposed to the selected obfuscation methods applied both individually and in combination. CCS CONCEPTS • Security and privacy → Malware and its mitigation; • Computing methodologies → Adversarial learning; Multi-task learning; Neural networks;

show abstract

Using Loops For Malware Classification Resilient to Feature-unaware Perturbations

Cited by 18 publications

References 30 publications

HomDroid: detecting Android covert malware by social-network homophily analysis

HomDroid: detecting Android covert malware by social-network homophily analysis

RacketStore: Measurements of ASO Deception in Google Play via Mobile and App Usage

DANdroid

Contact Info

Product

Resources

About