F. Mercaldo, Giovanni Ciaramella, A. Santone, Fabio Martinelli
{"title":"基于动态分析和可解释深度学习的模糊移动恶意软件检测","authors":"F. Mercaldo, Giovanni Ciaramella, A. Santone, Fabio Martinelli","doi":"10.1145/3600160.3605037","DOIUrl":null,"url":null,"abstract":"With the growth of the mobile market, malicious applications represent a risk to the security of the users. To mitigate this aspect, researchers proposed different techniques to spot and identify unsafe software placed on the market. On the other hand, malicious writers started to develop ever more sophisticated strategies to hide malicious payloads, in particular through the adoption of obfuscation techniques. The latter consists of hiding the behavior and purpose of malware from antimalware. In this paper, we propose and design a method aimed to detect obfuscated malware. The proposed method builds images directly from system call traces obtained from legitimate, malicious, and obfuscated Android applications. In addition, to show that dynamic analysis and deep learning can build resilient models we propose two experiments using a convolutional neural network. In the first experiment, we train and test the model using a dataset composed of malware, while in the second we train the model using the malware dataset but the model is evaluated using a dataset composed of obfuscated malware. Finally, we analyze the malware and obfuscated detection models from the point of view of explainability using two different class activation mapping algorithms, to understand whether the model predictions can be considered resilient.","PeriodicalId":107145,"journal":{"name":"Proceedings of the 18th International Conference on Availability, Reliability and Security","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"2023-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"Obfuscated Mobile Malware Detection by Means of Dynamic Analysis and Explainable Deep Learning\",\"authors\":\"F. Mercaldo, Giovanni Ciaramella, A. Santone, Fabio Martinelli\",\"doi\":\"10.1145/3600160.3605037\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"With the growth of the mobile market, malicious applications represent a risk to the security of the users. To mitigate this aspect, researchers proposed different techniques to spot and identify unsafe software placed on the market. On the other hand, malicious writers started to develop ever more sophisticated strategies to hide malicious payloads, in particular through the adoption of obfuscation techniques. The latter consists of hiding the behavior and purpose of malware from antimalware. In this paper, we propose and design a method aimed to detect obfuscated malware. The proposed method builds images directly from system call traces obtained from legitimate, malicious, and obfuscated Android applications. In addition, to show that dynamic analysis and deep learning can build resilient models we propose two experiments using a convolutional neural network. In the first experiment, we train and test the model using a dataset composed of malware, while in the second we train the model using the malware dataset but the model is evaluated using a dataset composed of obfuscated malware. Finally, we analyze the malware and obfuscated detection models from the point of view of explainability using two different class activation mapping algorithms, to understand whether the model predictions can be considered resilient.\",\"PeriodicalId\":107145,\"journal\":{\"name\":\"Proceedings of the 18th International Conference on Availability, Reliability and Security\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2023-08-29\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Proceedings of the 18th International Conference on Availability, Reliability and Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/3600160.3605037\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 18th International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3600160.3605037","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Obfuscated Mobile Malware Detection by Means of Dynamic Analysis and Explainable Deep Learning
With the growth of the mobile market, malicious applications represent a risk to the security of the users. To mitigate this aspect, researchers proposed different techniques to spot and identify unsafe software placed on the market. On the other hand, malicious writers started to develop ever more sophisticated strategies to hide malicious payloads, in particular through the adoption of obfuscation techniques. The latter consists of hiding the behavior and purpose of malware from antimalware. In this paper, we propose and design a method aimed to detect obfuscated malware. The proposed method builds images directly from system call traces obtained from legitimate, malicious, and obfuscated Android applications. In addition, to show that dynamic analysis and deep learning can build resilient models we propose two experiments using a convolutional neural network. In the first experiment, we train and test the model using a dataset composed of malware, while in the second we train the model using the malware dataset but the model is evaluated using a dataset composed of obfuscated malware. Finally, we analyze the malware and obfuscated detection models from the point of view of explainability using two different class activation mapping algorithms, to understand whether the model predictions can be considered resilient.