Identification of Android Malware Families with Model Checking

Pasquale Battista, Francesco Mercaldo, Vittoria Nardone, Antonella Santone, Corrado Aaron Visaggio

Abstract

Android malware is growing steadily in complexity. Current signature-based anti-malware mechanisms cannot detect zero-day attacks, and even trivial code transformations can evade them. Malware writers usually add functionality to existing malware or merge different pieces of malicious code; this is why Android malware is grouped into families, each of which shares a common malicious behaviour. In this paper we present a model checking based approach to detecting Android malware families by analysing and verifying the Java bytecode produced when the source code is compiled. A preliminary investigation has also been conducted to assess the validity of the proposed approach.
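To make the idea of behaviour-based family identification concrete, the following is an added illustration and not the authors' tool, model or formulas (which are not reproduced on this page). A hypothetical app is encoded as a labelled transition system whose edges carry the API invoked at that program point, and a family's behaviour is written as an ordered sequence of invocations that must occur along some run, checked with a mu-calculus-style least-fixpoint computation. The state names, API names, the family signature and the three sample models are all constructed for the example; a byte-pattern signature is included only to show why an obfuscated variant escapes it while the behavioural check still matches.

```python
"""Toy model checking of a behavioural family signature over an app's call
model.  Added illustration; all models and names below are constructed."""
from typing import Dict, List, Optional, Set, Tuple

Transition = Tuple[str, str, str]  # (state, action, next_state)

# Constructed sample models: each stands for the control-flow graph of one
# hypothetical app, edges labelled by the API invoked on that edge.
# "tau" marks an instruction irrelevant to the property being checked.
SMS_STEALER: List[Transition] = [
    ("s0", "onReceive", "s1"),
    ("s1", "getMessageBody", "s2"),
    ("s2", "tau", "s3"),
    ("s3", "openConnection", "s4"),
    ("s4", "tau", "s4"),
]
# Same behaviour after junk-code insertion: extra states and an unrelated call
# sit between the relevant invocations, which defeats a byte-pattern signature.
SMS_STEALER_OBFUSCATED: List[Transition] = [
    ("s0", "onReceive", "s1"),
    ("s1", "tau", "s1b"),
    ("s1b", "currentTimeMillis", "s1c"),
    ("s1c", "getMessageBody", "s2"),
    ("s2", "tau", "s3"),
    ("s3", "tau", "s3b"),
    ("s3b", "openConnection", "s4"),
]
# Benign: reads the SMS body but only displays it, never opens a connection.
SMS_READER_BENIGN: List[Transition] = [
    ("s0", "onReceive", "s1"),
    ("s1", "getMessageBody", "s2"),
    ("s2", "setText", "s3"),
]

# Hypothetical family behaviour: intercept an SMS, read it, exfiltrate it.
FAMILY_SIGNATURE = ["onReceive", "getMessageBody", "openConnection"]


def build_lts(transitions: List[Transition]) -> Dict[str, List[Tuple[str, str]]]:
    """Adjacency form of the labelled transition system: state -> [(action, next)]."""
    lts: Dict[str, List[Tuple[str, str]]] = {}
    for src, act, dst in transitions:
        lts.setdefault(src, []).append((act, dst))
        lts.setdefault(dst, [])
    return lts


def diamond(lts, action: Optional[str], phi: Set[str]) -> Set[str]:
    """<action>phi: states with an `action` edge into a phi-state (None = any action)."""
    return {s for s, succ in lts.items()
            for a, d in succ if (action is None or a == action) and d in phi}


def least_fixpoint(step) -> Set[str]:
    """Iterate a monotone set function from the empty set until it stabilises."""
    x: Set[str] = set()
    while True:
        nxt = step(x)
        if nxt == x:
            return x
        x = nxt


def eventually_action(lts, action: str, phi: Set[str]) -> Set[str]:
    """mu X. <action>phi \\/ <->X : some run eventually performs `action` into phi."""
    return least_fixpoint(lambda x: diamond(lts, action, phi) | diamond(lts, None, x))


def satisfies_sequence(lts, initial: str, actions: List[str]) -> bool:
    """Nest the formula from the last action outward and test the initial state."""
    phi: Set[str] = set(lts)  # the formula `true` holds in every state
    for action in reversed(actions):
        phi = eventually_action(lts, action, phi)
    return initial in phi


def classify(transitions: List[Transition], signature=FAMILY_SIGNATURE,
             initial: str = "s0") -> bool:
    """True when the app's model exhibits the family behaviour."""
    return satisfies_sequence(build_lts(transitions), initial, signature)


def byte_pattern_signature(transitions: List[Transition], signature=FAMILY_SIGNATURE) -> bool:
    """Naive signature check: the exact call sequence, nothing in between."""
    return [a for _, a, _ in transitions if a != "tau"] == signature


if __name__ == "__main__":
    for name, model in [("stealer", SMS_STEALER),
                        ("stealer (obfuscated)", SMS_STEALER_OBFUSCATED),
                        ("benign reader", SMS_READER_BENIGN)]:
        print(f"{name:22s} model check={classify(model)!s:5s} "
              f"byte signature={byte_pattern_signature(model)}")
```

The order of the signature matters: reading the message after opening the connection is a different behaviour, and the nested fixpoints reject it. Inserting junk instructions or unrelated calls between the relevant invocations changes the byte-level signature but leaves the reachability structure of the model intact, which is the property the abstract relies on.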

Paper Citation


in Harvard Style

Battista P., Mercaldo F., Nardone V., Santone A. and Visaggio C. (2016). Identification of Android Malware Families with Model Checking. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 542-547. DOI: 10.5220/0005809205420547