DroidLegacy: Android恶意软件的自动家族分类

PPREW'14 Pub Date : 2014-01-22 DOI:10.1145/2556464.2556467
Luke Deshotels, Vivek Notani, Arun Lakhotia
{"title":"DroidLegacy: Android恶意软件的自动家族分类","authors":"Luke Deshotels, Vivek Notani, Arun Lakhotia","doi":"10.1145/2556464.2556467","DOIUrl":null,"url":null,"abstract":"We present an automated method for extracting familial signatures for Android malware, i.e., signatures that identify malware produced by piggybacking potentially different benign applications with the same (or similar) malicious code. The APK classes that constitute malware code in a repackaged application are separated from the benign code and the Android API calls used by the malicious modules are extracted to create a signature. A piggybacked malicious app can be detected by first decomposing it into loosely coupled modules and then matching the Android API calls called by each of the modules against the signatures of the known malware families. Since the signatures are based on Android API calls, they are related to the core malware behavior, and thus are more resilient to obfuscations.\n In triage, AV companies need to automatically classify large number of samples so as to optimize assignment of human analysts. They need a system that gives low false negatives even if it is at the cost of higher false positives. Keeping this goal in mind, we fine tuned our system and used standard 10 fold cross validation over a dataset of 1,052 malicious APKs and 48 benign APKs to verify our algorithm. Results show that we have 94% accuracy, 97% precision, and 93% recall when separating benign from malware. We successfully classified our entire malware dataset into 11 families with 98% accuracy, 87% precision, and 94% recall.","PeriodicalId":326045,"journal":{"name":"PPREW'14","volume":"5 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-01-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"141","resultStr":"{\"title\":\"DroidLegacy: Automated Familial Classification of Android Malware\",\"authors\":\"Luke Deshotels, Vivek Notani, Arun Lakhotia\",\"doi\":\"10.1145/2556464.2556467\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"We present an automated method for extracting familial signatures for Android malware, i.e., signatures that identify malware produced by piggybacking potentially different benign applications with the same (or similar) malicious code. The APK classes that constitute malware code in a repackaged application are separated from the benign code and the Android API calls used by the malicious modules are extracted to create a signature. A piggybacked malicious app can be detected by first decomposing it into loosely coupled modules and then matching the Android API calls called by each of the modules against the signatures of the known malware families. Since the signatures are based on Android API calls, they are related to the core malware behavior, and thus are more resilient to obfuscations.\\n In triage, AV companies need to automatically classify large number of samples so as to optimize assignment of human analysts. They need a system that gives low false negatives even if it is at the cost of higher false positives. Keeping this goal in mind, we fine tuned our system and used standard 10 fold cross validation over a dataset of 1,052 malicious APKs and 48 benign APKs to verify our algorithm. Results show that we have 94% accuracy, 97% precision, and 93% recall when separating benign from malware. We successfully classified our entire malware dataset into 11 families with 98% accuracy, 87% precision, and 94% recall.\",\"PeriodicalId\":326045,\"journal\":{\"name\":\"PPREW'14\",\"volume\":\"5 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-01-22\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"141\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"PPREW'14\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1145/2556464.2556467\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"PPREW'14","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/2556464.2556467","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 141

摘要

我们提出了一种自动提取Android恶意软件家族签名的方法,即识别恶意软件的签名,这些恶意软件是由搭载具有相同(或类似)恶意代码的潜在不同良性应用程序产生的。在重新打包的应用程序中,构成恶意代码的APK类与良性代码分离,恶意模块使用的Android API调用被提取以创建签名。可以通过首先将其分解为松散耦合的模块,然后将每个模块调用的Android API调用与已知恶意软件家族的签名进行匹配来检测搭载的恶意应用程序。由于签名基于Android API调用,因此它们与核心恶意软件行为相关,因此对混淆更具弹性。在分诊中,AV公司需要对大量样本进行自动分类,以优化人工分析人员的分配。他们需要一个低假阴性的系统,即使这是以更高的假阳性为代价。牢记这一目标,我们对系统进行了微调,并对1,052个恶意apk和48个良性apk的数据集使用了标准的10倍交叉验证来验证我们的算法。结果表明,我们在区分良性和恶意软件时准确率为94%,精密度为97%,召回率为93%。我们成功地将整个恶意软件数据集分为11个家族,准确率为98%,准确率为87%,召回率为94%。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
DroidLegacy: Automated Familial Classification of Android Malware
We present an automated method for extracting familial signatures for Android malware, i.e., signatures that identify malware produced by piggybacking potentially different benign applications with the same (or similar) malicious code. The APK classes that constitute malware code in a repackaged application are separated from the benign code and the Android API calls used by the malicious modules are extracted to create a signature. A piggybacked malicious app can be detected by first decomposing it into loosely coupled modules and then matching the Android API calls called by each of the modules against the signatures of the known malware families. Since the signatures are based on Android API calls, they are related to the core malware behavior, and thus are more resilient to obfuscations. In triage, AV companies need to automatically classify large number of samples so as to optimize assignment of human analysts. They need a system that gives low false negatives even if it is at the cost of higher false positives. Keeping this goal in mind, we fine tuned our system and used standard 10 fold cross validation over a dataset of 1,052 malicious APKs and 48 benign APKs to verify our algorithm. Results show that we have 94% accuracy, 97% precision, and 93% recall when separating benign from malware. We successfully classified our entire malware dataset into 11 families with 98% accuracy, 87% precision, and 94% recall.
求助全文
通过发布文献求助,成功后即可免费获取论文全文。 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
Recovering C++ Objects From Binaries Using Inter-Procedural Data-Flow Analysis The GDSL toolkit: Generating Frontends for the Analysis of Machine Code TDVMP: Improved Virtual Machine-Based Software Protection with Time Diversity DroidLegacy: Automated Familial Classification of Android Malware Analyzing program dependencies for malware detection
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1