Zhenyu Cheng,Xunxun Chen,Yongzheng Zhang,Shuhao Li,Jian Xu

DOI: https://doi.org/10.1007/978-3-030-12981-1_23

2018-01-01

Abstract:Nowadays people save a lot of privacy information in mobile devices. These information can be theft by adversaries through suspicious apps installed in smartphones, and protecting users’ privacy has become a great challenge. So developing a method to identify if there are apps thieving users’ personal information in smartphones is important and necessary. Through the analysis of apps’ network traffic data, we observe that general apps generate regular network flows with the users’ normal operations. But information theft apps’ network flows have no relationship with users’ operations. In this paper we propose a model MUI-defender (Mobile Users’ Information defender), which is based on analyzing the relationship between users’ operation patterns and network flows with CNN (Convolutional Neural Network), can efficiently detect information theft. Because of Cu0026C (Command-and-Control) server invalidation [33] and system version incompatibility [25], etc., most of the collected information theft apps can’t run properly in reality. So we extract information theft code modules from some of these apps, and then recode and compile them into the ITM-capsule (Information Theft Modules capsule) for verification. Finally, we run the ITM-capsule and several normal apps to detect the network flows, which shows our detection model can achieve an accuracy higher than 94%. Therefore, MUI-defender is suitable for detecting the network flows of information theft.

Zhenyu Cheng,Xunxun Chen,Yongzheng Zhang,Shuhao Li,Jian Xu

DOI: https://doi.org/10.1109/trustcom/bigdatase.2019.00039

2019-01-01

Abstract:The emergence of information theft apps poses a serious threat to smartphone users. Most of information theft apps rely on network interfaces to steal users' privacy and use short message service (SMS) to implement command and control. In this paper, we propose an available and effective user-role identification model, MURITE-detector (Mobile User-Role in Information Theft Events detector), by using network flows and call detail records (CDRs) with convolutional neural network (CNN) algorithm. Firstly, we generate network flow vectors and CDR vectors from raw data sets, and then match them into node vectors. Subsequently, we use CNN to classify user-roles into: Sourcer, Transferer, Victim and Other. Because of command-and-control server invalidation and system version incompatibility, etc., most of the collected information theft apps can't run properly in reality. So we extract code modules from some of these apps, and then recode and compile them into ITM-capsule (Information Theft Modules capsule) to generate information theft network traffic. Finally, we obtain 37,384 information theft network flows, 61,635 benign network flows and 200,522 short message CDRs. We match these data through labels and construct two node vector sets A and B randomly. In addition, we also compare CNN with other machine learning algorithms, and the result shows that CNN performs better. In an evaluation of MURITE-detector, it gets an accuracy of 92.17%, a precision of 93.18% and a recall of 94.68%. Therefore, our model is suitable for identifying user-role in mobile network information theft events.

Long Chen,Chunhe Xia,Shengwei Lei,Tianbo Wang

DOI: https://doi.org/10.1109/access.2021.3049819

IF: 3.9

2021-01-01

IEEE Access

Abstract:In recent years, the application of smartphones, Android operating systems and mobile applications have become more prevalent worldwide. To study the traceability, propagation, and detection of the threats, we perform research on all aspects of the end-to-end environment. With machine learning based on the mobile malware detection algorithms that integrate the dynamic and static research of the identification algorithm, application software samples are collected to study sentences. Through knowledge labeling and knowledge construction, the association relationship of knowledge is extracted to realize the research of knowledge map construction. Flooding is closely correlated with the complexity of the Android mobile version of the kernel and malicious programs. A static dynamic analysis of the mobile malicious program is carried out, and the social network social diagram is constructed to model the propagation of the mobile malicious program. We extended the approach of deriving common malware behavior through graph clustering. On this basis, Android behavior analysis is performed through our virtual machine execution engine. We extend the family characteristics to the concept of DNA race genes. By studying SMS/MMS, Bluetooth, 5G base station networks, metropolitan area networks, social networks, homogeneous communities, telecommunication networks, and application market ecosystem propagation scenarios, we discovered the law of propagation. In addition, we studied the construction of the mobile Internet big data knowledge graph. Quantitative data for the main family chronology of mobile malware are obtained. We conducted detailed research and comprehensive analysis of Android application package (APK) details and behavior, relationship, resource-centric, and syntactic aspects. Furthermore, we summarized the architecture of mobile malware security analysis. We also discuss encryption of malware traffic discrimination. These precise modeling and quantified research re-ults constitute the architecture of mobile malware analysis.

computer science, information systems,telecommunications,engineering, electrical & electronic

Zhaoxuan Li,Ziming Zhao,Rui Zhang,Haoyang Lu,Wenhao Li,Fan Zhang,Siqi Lu,Rui Xue

DOI: https://doi.org/10.1016/j.comnet.2024.110563

IF: 5.493

2024-01-01

Computer Networks

Abstract:The continuous emergence of malware has threatened to the Android platform and user privacy. With the evolution of the Android system and malware, it is challenging to design a method that can accurately identify the categories of sophisticated malware, including known and unknown families, as well as their obfuscated variants, given that they may be newly emerging and lack available detection knowledge. Although some methods try to use anomaly detection and zero-shot technology to identify unseen applications, they are limited to binary classification or lack the robustness, stability, universality, and interpretability in multi-class identification. To this end, we first propose a generic meta-features mining algorithm, which can discover the potential relationships between samples belonging to the same category. Then we present metaNet, a novel method leveraging meta-features to identify sophisticated Android malware. Specifically, metaNet is mainly powered by four components: (i) mExtractor is a feature collector to obtain the static and dynamic features. (ii) mProcessor is taking unique meta-features of each category from extracted features. (iii) mLearner is a machine learning suite that leverages features and meta-features to design and train a classifier called HSU-Net. (iv) mEnforcer is a flexible deployer that identifies categories of malware families in the real world. We implement a prototype of metaNet with 15K lines of Python code and compare it with state-of-the-art (SOTA) methods. The results show that it can not only achieve superior performance in terms of known families (99.52% of accuracy) and unknown families (99.31% of accuracy trained with 80% known families) for binary classification, but also perform well in multi-class identification, i.e., 99.05% and 93.45% of accuracy for known and unknown families, respectively. Furthermore, we deploy and evaluate metaNet in the real world. It can identify applications over an acceptable time and memory overheads, i.e., average of 11.8s and 56MB per sample with a size of 8MB. Also, the few-shot detection and feature perturbation experiments reflect its robustness and stability benefiting from meta-features. Finally, we collect the traffic of 112 decentralized applications (DApps) belonging to 16 categories, such as finance and health, and evaluated metaNet in DApp identification. The results illustrate its applicability across various tasks. That is, it can accurately classify 94.6% and 81.36% of DApp flows in all-known and 80%-known DApp scenarios, respectively, outperforming the SOTA methods.

Anran Liu,Zhenxiang Chen,Shanshan Wang,Lizhi Peng,Chuan Zhao,Yuliang Shi

DOI: https://doi.org/10.1007/978-3-030-05063-4_10

2018-01-01

Abstract:Android platform has become the most popular smartphone system due to its openness and flexibility. Similarly, it has also become the target of numerous attackers because of these. Various types of malware are thus designed to attack Android devices. All these cases prompted amounts of researchers to start studying malware detection technologies and some of the groups applied network traffic analysis to their detection models. The majority of these models have considered the detection primarily on network traffic statistical features which can distinguish malicious network traffic from normal one. However, when faces a large amount of network traffic on the detection stage, especially some of the network flows are quite huge as a result of containing too many packets, feature extraction can be extremely time consuming. Therefore, we propose a malware detection approach based on TCP traffic, which can quickly and effectively detect malware behavior. We first employ the traffic collection platform to collect network traffic generated by various apps. After preprocessing (filtering and aggregating) the collected network traffic data, we get a large number of TCP flows. Next we extract early packets’ sizes as features from each TCP flow and then send it to detection model to get the detection result. In our method, the time it takes to extract features from 53108 network flows is reduced from 39321 s to 18041 s, which is a reduction of 54%. Meanwhile, our method achieves a detection rate of 97%.

Zhenyu Ni,Ming Yang,Zhen Ling,Jianan Wu,Junzhou Luo

DOI: https://doi.org/10.1109/CBD.2016.046

2016-01-01

Abstract:In recent years, with the growing popularity of smartphones, the number of Android malware shows explosive growth. As malicious apps may steal users' sensitive data and money from mobile and bank accounts, it's important to detect potential malicious behavior in real time. To achieve this goal, we propose a dynamic behavior inspection and analysis framework for malicious behavior detection in Android apps. A customized Android system is built to record apps' API (Application Programming Interface) calls, permission uses, and some other runtime features such as user operations. We also develop an automated testing platform to test massive samples so as to collect dynamic app behavior records. Then we exploit these records to extract apps' runtime features of both user interaction and app dynamic behavior for benign and malicious behavior classification. The experimental results show that the app behavior classification can reach an accuracy of 99.0%, identifying 71.8% instances of malware samples by running each app for only 18 minutes.

Hongbing Yan,Yan Xiong,Wenchao Huang,Jianmeng Huang,Zhaoyi Meng

DOI: https://doi.org/10.1109/BIGCOM.2018.00023

2018-01-01

Abstract:Android devices have increased rapidly in recent years. Because sensitive data of users can bring huge profits, there are so many malicious Android applications (apps) which aim at users' sensitive data in Android markets. Malicious apps may collect sensitive data of users, such as phone number, location, contact information, and send them to advertisers or attackers. To prevent malicious apps from stealing user information, a simple solution is not to grant corresponding permissions to apps. But if we don't give corresponding permissions, the apps may exit directly. This affect the normal use of apps. In order to solve the above problems, we design a system which uses machine-learning technology to detect malicious behaviours. Our system is based on the observation that apps in the same category usually use sensitive data in the same or similar way. The system implements automatic detection of malicious behaviours. The true positive rate of our system can be over 90% and the false positive rate can be below 8%.

Dahai Yao,Hailong Sun,Xudong Liu

DOI: https://doi.org/10.1145/2875913.2875941

2015-01-01

Abstract:Android is undoubtedly becoming the most popular smartphone platform. The popularity of Android, unfortunately, has also made the devices become the target of malware. Most of existing malicious mobile apps feature stealthy operations such as collecting user privacy, sending premium SMS messages and making unauthorized http connections with no legal notice to the affected user. However, transmission of sensitive data cannot indicate malicious behavior because some benign applications also need sensitive data to improve the user experience. Existing malware detection approaches focus on static or dynamic analysis without crowd user contributions. In this paper, we propose a novel technique which combining crowd contributions with machine learning to detect malicious mobile apps. We model privacy transmission as user-determined and undetermined with the help of real user decisions based on crowdsourcing. We apply static analysis to extract application basic information such as permissions and suspicious API calls. Then we use dynamic instrumentation technique to trace real API calls at runtime and collect the crowd user decisions to the prompted sensitive data transmission. Finally, we employ several different learning-based algorithms, such as SVM, Bayesian Network, Decision Tree and KNN to detect malicious apps. Experiments with 100 real application samples show that our system was capable of detecting malicious mobile apps: our system can detect 85% to 97% of the malware with low false positive rate.

Ming Yang,Shan Wang,Zhen Ling,Yaowen Liu,Zhenyu Ni

DOI: https://doi.org/10.1002/cpe.4172

2017-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryIn recent years, with the prevalence of smartphones, the number of Android malware shows explosive growth. As malicious apps may steal users' sensitive data and even money from mobile and bank accounts, it is important to detect potential malicious behaviors so as to block them. To achieve this goal, we propose a dynamic behavior inspection and analysis framework for malicious behavior detection. A customized Android system is built to record apps' API calls, permission uses, and some other runtime features. We also develop an automated app behavior inspection platform to install and inspect massive samples so as to collect apps' dynamic behavior records. Then these records are exploited to train a string subsequence kernel–based Support Vector Machine (SVM) model, which can be used to classify benign and malicious behaviors offline. To realize online detection, we further extract apps' runtime features including sensitive permission combination uses, sensitive behavior sequences, and user interactions for behavior classification. The classification results can reach an accuracy of 84.9% in offline phase and 99.0% in online phase. Besides, we verify our scheme for identifying malicious apps, and the results show that 71.8% instances of malware samples are identified by running each app for only 18 minutes.

Qingguo Zhou,Fang Feng,Zebang Shen,Rui Zhou,Meng-Yen Hsieh,Kuan-Ching Li

DOI: https://doi.org/10.1007/s11042-018-6498-z

IF: 2.577

2018-01-01

Multimedia Tools and Applications

Abstract:With the increasing number of malicious attacks, the way how to detect malicious Apps has drawn attention in mobile technology market. In this paper, we proposed a detection model to seek and track malware Apps actions in such devices. To characterize the behaviors of Apps, dynamic features of each App were constrained in 166-dimension and a novel machine learning classifier is employed to detect malware Apps, and alarm will be triggered if an Android-based App is detected as malicious. With such, we can avoid a detected malware spreading out in larger scale, affecting extensively our society. Detailed description of the detection model is provided, as well the core technologies of this novel machine learning classifier are presented. From experiments performed on a set of Android-based malware and benign Apps, we observe that the proposed classification algorithm achieves highest accuracy, true-positive rate, false-positive rate, precision, recall, f-measure in comparison to other methods as K-Nearest Neighbor (KNN), Naive Bayesian (NB), Support Vector Machine (SVM), Random Forest (RF), Logistic Regression (LR), Decision tree (DT), Linear Discriminant Analysis (LDA) and Back Propagation (BP). The proposed detection model is promising and can effectively be applied to Android malware detection, providing early detection and the prospect of warning users of threatens ahead.

Ruihai Ge,Yongzheng Zhang,Shuhao Li,GuoQiao Zhou

DOI: https://doi.org/10.1109/ijcnn55064.2022.9892476

2022-01-01

Abstract:The desperate increase of mobile malware has constituted a severe threat to user privacy, economic life, and cyberspace security. Existing anti-malware solutions have notice-able weaknesses due to the adoption of content analysisbased approaches. The main limitation of these approaches is that they rely on careful expert engineering and professional handcrafted input features. Some researchers have tried to solve this limitation by using deep learning models to automatically learn feature representations from raw traffic. In this paper, we explore a deep learning detection framework based on self-attention to discriminate between malicious and benign network traffic. As a major advantage with respect to the state-of-the-art methods, we point out that the attention mechanism can better learn the underlying features of malicious traffic in terms of flows and bytes. We design a dual-branch deep learning method that consists of a flow importance-discrimination branch and a byte importance-discrimination branch. The flow importance-discrimination branch calculates the attentions between flows to obtain the feature contributions of different flows, and the byte importance-discrimination branch builds the feature contributions of diverse bytes by considering the connections among all bytes of network payload. Both flow features and byte features are combined to enhance the representation ability of network traffic behaviors generated by mobile applications (apps). We evaluate proposed method using a publicly available dataset including 55,992 malicious traffic traces and 47,779 benign traffic traces. The experimental results demonstrate that our method is able to identify malicious apps with high accuracy, outperforming the baseline methods and the popular deep-learning models.

Meilin Liu,Songjie Wei,Pengfei Jiang

DOI: https://doi.org/10.1155/2021/9994588

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The popularity of smart phones has brought significant convenience to people’s lives, but also there are many security problems. In recent years, malicious applications are increasingly rampant, which threaten users and society as security challenges to network reliability and management. However, due to neglecting the sequential features between network flows, existing malicious application recognition methods based on network traffic analysis have low recognition accuracy. Based on the network traffic characteristics of Android applications, this paper firstly applies Long Short-Term Memory network-based variational Auto-Encoder to extract the sequential feature of the application running time. Then, we design the BP neural network for initial classification and connect the class vector output of the BP neural network with the original data. The output is fed into the cascade forest for further feature learning and classification. The integrated methods are easy to implement with data independency and efficiency. We conduct experiments to evaluate the proposed with Android malware dataset CICAndMal2017, with a 97.29% high accuracy, comparatively significant precision and recall rates when benchmarked against other methods.

Xin Jin,Yan Xiong,Wenchao Huang,Zhaoyi Meng

DOI: https://doi.org/10.1109/BIGCOM.2017.44

2017-01-01

Abstract:Android smartphones have been playing an important role in people's daily life. Unfortunately, the widespread of Android devices raises high security concerns. The sensitive information of users, such as contact list, SMS, location information, may be stolen by various malware. State-of-the-art approaches can detect most of the malware based on known rules or patterns but remain unprotected from novel privacy leaking behaviors. Our observation is that in same category most of applications contain same or similar sensitive data usage behaviors, so the abnormal data usage behaviors can be judged as malicious cases with high probability. Based on this observation, we propose and implement a system to identify malicious sensitive data usage behaviors and novel malware. We give a detailed analysis about abnormal data usage behavoirs, and our experiment results show our approach can identify 92.7% of all malicious data usage behaviors.

L. Chekina,D. Mimran,L. Rokach,Y. Elovici,B. Shapira

DOI: https://doi.org/10.48550/arXiv.1208.0564

2012-08-05

Abstract:In this paper a novel system for detecting meaningful deviations in a mobile application's network behavior is proposed. The main goal of the proposed system is to protect mobile device users and cellular infrastructure companies from malicious applications. The new system is capable of: (1) identifying malicious attacks or masquerading applications installed on a mobile device, and (2) identifying republishing of popular applications injected with a malicious code. The detection is performed based on the application's network traffic patterns only. For each application two types of models are learned. The first model, local, represents the personal traffic pattern for each user using an application and is learned on the device. The second model, collaborative, represents traffic patterns of numerous users using an application and is learned on the system server. Machine-learning methods are used for learning and detection purposes. This paper focuses on methods utilized for local (i.e., on mobile device) learning and detection of deviations from the normal application's behavior. These methods were implemented and evaluated on Android devices. The evaluation experiments demonstrate that: (1) various applications have specific network traffic patterns and certain application categories can be distinguishable by their network patterns, (2) different levels of deviations from normal behavior can be detected accurately, and (3) local learning is feasible and has a low performance overhead on mobile devices.

Cryptography and Security,Machine Learning

Fei Tong,Zheng Yan

DOI: https://doi.org/10.1016/j.jpdc.2016.10.012

IF: 4.542

2017-01-01

Journal of Parallel and Distributed Computing

Abstract:Android security incidents occurred frequently in recent years. This motivates us to study mobile app security, especially in Android open mobile operating system. In this paper, we propose a novel hybrid approach for mobile malware detection by adopting both dynamic analysis and static analysis. We collect execution data of sample malware and benign apps using a net_link technology to generate patterns of system calls related to file and network access. Furthermore, we build up a malicious pattern set and a normal pattern set by comparing the patterns of malware and benign apps with each other. For detecting an unknown app, we use a dynamic method to collect its system calling data. We then compare them with both the malicious and normal pattern sets offline in order to judge the unknown app. Based on the test on a set of mobile malware and benign apps, we found that our approach achieves better detection success rate than some methods using either static analysis or dynamic analysis. What is more, the proposed approach is generic, which can detect different types of malware effectively. Its detection accuracy can be further improved since the pattern sets can be automatically optimized through self-learning.

Linfeng Wei,Weiqi Luo,Jian Weng,Yanjun Zhong,Xiaoqian zhang,Zheng Yan

DOI: https://doi.org/10.1109/access.2017.2771470

IF: 3.9

2017-01-01

IEEE Access

Abstract:In this paper, we propose a machine learning-based approach to detect malicious mobile malware in Android applications. This paper is able to capture instantaneous attacks that cannot be effectively detected in the past work. Based on the proposed approach, we implemented a malicious app detection tool, named Androidetect. First, we analyze the relationship between system functions, sensitive permissions, and sensitive application programming interfaces. The combination of system functions has been used to describe the application behaviors and construct eigenvectors. Subsequently, based on the eigenvectors, we compare the methodologies of naive Bayesian, J48 decision tree, and application functions decision algorithm regarding effective detection of malicious Android applications. Androidetect is then applied to test sample programs and real-world applications. The experimental results prove that Androidetect can better detect malicious applications of Android by using a combination of system functions compared with the previous work.

Qingguo Zhou, Fang Feng, Zebang Shen, Rui Zhou, Meng-Yen Hsieh, Kuan-Ching Li

2019-02-01

Abstract:With the increasing number of malicious attacks, the way how to detect malicious Apps has drawn attention in mobile technology market. In this paper, we proposed a detection model to seek and track malware Apps actions in such devices. To characterize the behaviors of Apps, dynamic features of each App were constrained in 166-dimension and a novel machine learning classifier is employed to detect malware Apps, and alarm will be triggered if an Android-based App is detected as malicious. With such, we can avoid a detected malware spreading out in larger scale, affecting extensively our society. Detailed description of the detection model is provided, as well the core technologies of this novel machine learning classifier are presented. From experiments performed on a set of Android-based malware and benign Apps, we observe that the proposed classification algorithm achieves highest accuracy …

Songjie Wei,Gaoxiang Wu,Ziyang Zhou,Ling Yang

DOI: https://doi.org/10.1109/pic.2015.7489879

2015-01-01

Abstract:Signature-based static mobile malware detection is fragile when facing code obfuscation and transformation attacks. Behavior based malware detection mechanisms have been widely studied and experimented. So far only the application's running behaviors, such as API calls and resource consumption are used, which can also be easily concealed and obfuscated with various coding tricks. Most mobile malware need either cellular or network connection to conduct their malicious activities. We propose to monitor an application's network behavior and interaction to characterize application behaviors. An integrated testbed system has been designed and prototyped for such network behavior collection. Statistical features are derived from application network traffic, which are further fed to a machine-learning based classifier to build one general model for each typical category of mobile applications. Experiments show that applications in each category with identical functionality exhibit similar network behaviors, which makes it possible to use the derived category model of network behaviors to evaluate future unknown application for its trustworthiness.

Rong Chen,Yangyang Li,Weiwei Fang

DOI: https://doi.org/10.1007/978-3-030-24274-9_26

2019-01-01

Abstract:As numerous new techniques for Android malware attacks have growingly emerged and evolved, Android malware identification is extremely crucial to prevent mobile applications from being hacked. Machine learning techniques have shown extraordinary capabilities in various fields. A common problem with existing research of malware traffic identification based on machine learning approaches is the need to design a set of features that accurately reflect network traffic characteristics. Obtaining a high accuracy for identifying Android malware traffic is also a challenging problem. This paper analyses the Android malware traffic and extract 15 features which is a combination of time-related network flow feature and packets feature. We then use three supervised machine learning methods to identify Android malware traffic. Experimental results show that the feature set we proposed can accurately characterize the traffic and all three classifiers achieve high accuracy.

Sai Vishwanath Venkatesh,Prasanna D. Kumaran,Joish J Bosco,Pravin R. Kumaar,Vineeth Vijayaraghavan

DOI: https://doi.org/10.48550/arXiv.2102.06511

2021-02-12

Cryptography and Security

Abstract:Smartphones contain information that is more sensitive and personal than those found on computers and laptops. With an increase in the versatility of smartphone functionality, more data has become vulnerable and exposed to attackers. Successful mobile malware attacks could steal a user's location, photos, or even banking information. Due to a lack of post-attack strategies firms also risk going out of business due to data theft. Thus, there is a need besides just detecting malware intrusion in smartphones but to also identify the data that has been stolen to assess, aid in recovery and prevent future attacks. In this paper, we propose an accessible, non-intrusive machine learning solution to not only detect malware intrusion but also identify the type of data stolen for any app under supervision. We do this with Android usage data obtained by utilising publicly available data collection framework- SherLock. We test the performance of our architecture for multiple users on real-world data collected using the same framework. Our architecture exhibits less than 9% inaccuracy in detecting malware and can classify with 83% certainty on the type of data that is being stolen.