Accurate Specification for Robust Detection of Malicious Behavior in Mobile Environments

Title:
Accurate Specification for Robust Detection of Malicious Behavior in Mobile Environments
Other Titles:
20th European Symposium on Research in Computer Security, Vienna, Austria, September 21–25, 2015, Proceedings, Part II
DOI:
10.1007/978-3-319-24177-7_18
Publication Date:
21 September 2015
Citation:
Sufatrio, Tong-Wei Chua, Darell J. J. Tan, Vrizlynn L. L. Thing, "Accurate Specification for Robust Detection of Malicious Behavior in Mobile Environments", in Günther Pernul, Peter Y. A. Ryan, Edgar Weippl (eds.), "Computer Security – ESORICS 2015", Proceedings of the 20th European Symposium on Research in Computer Security, Vienna, Austria, September 21–25, 2015, Part II, Lecture Notes in Computer Science Volume 9327, pp. 355–375, Springer, Heidelberg, 2015
Abstract:
The need to accurately specify and detect malicious behavior is widely known. This paper presents a novel and convenient way of accurately specifying malicious behavior in mobile environments by taking Android as a representative platform of analysis and implementation. Our specification takes a sequence-based approach in declaratively formulating a malicious action, whereby any two consecutive security-sensitive operations are connected by either a control or taint flow. It also captures the invocation context of an operation within an app's component type and lifecycle/callback method. Additionally, exclusion of operations that are invoked from UI-related callback methods can be specified to indicate an action's stealthy execution portions. We show how the specification is sufficiently expressive to describe malicious patterns that are commonly exhibited by mobile malware. To show the usefulness of the specification, and to demonstrate that it can derive stable and distinctive patterns of existing Android malware, we develop a static analyzer that can automatically check an app for numerous security-sensitive actions written using the specification. Given a target app's uncovered behavior, the analyzer associates it with a collection of known malware families. Experiments show that our obfuscation-resistant analyzer can associate malware samples with their correct family with an accuracy of 97.2%, while retaining the ability to differentiate benign apps from the profiled malware families with an accuracy of 97.6%. These results positively show how the specification can lend to robust mobile malware detection.
License type:
PublisherCopyrights
ISSN:
0302-9743
ISBN:
978-3-319-24176-0
Files uploaded:
esorics-2015-oar.pdf (PDF, 260.11 KB)