“Mirror, Mirror on the Wall, Who is the Fairest One of All?” - Machine Learning versus Model Checking: A Comparison between Two Static Techniques for Malware Family Identification

Vittoria Nardone, Corrado Aaron Visaggio

Abstract

Malware targeting Android platforms is growing in number and complexity. Huge volumes of new variants emerge every month, which creates the need to recognize specific variants promptly when they are encountered. Several approaches have been developed for malware detection, and the research community has recently been developing approaches able to detect malware variants. Among these, two approaches have demonstrated high performance in detecting malware and assigning it to the family it belongs to: one based on machine learning and one on formal methods. In this paper we compare the results achieved by the two methods in terms of Precision, Recall and Accuracy, and we highlight the points of strength and weakness of both methods.


Paper Citation


in Harvard Style

Nardone V. and Visaggio C. (2017). “Mirror, Mirror on the Wall, Who is the Fairest One of All?” - Machine Learning versus Model Checking: A Comparison between Two Static Techniques for Malware Family Identification. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017) ISBN 978-989-758-209-7, pages 663-672. DOI: 10.5220/0006287506630672


in Bibtex Style

@conference{forse17,
author={Vittoria Nardone and Corrado Aaron Visaggio},
title={“Mirror, Mirror on the Wall, Who is the Fairest One of All?” - Machine Learning versus Model Checking: A Comparison between Two Static Techniques for Malware Family Identification},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)},
year={2017},
pages={663-672},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006287506630672},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ForSE, (ICISSP 2017)
TI - “Mirror, Mirror on the Wall, Who is the Fairest One of All?” - Machine Learning versus Model Checking: A Comparison between Two Static Techniques for Malware Family Identification
SN - 978-989-758-209-7
AU - Nardone V.
AU - Visaggio C.
PY - 2017
SP - 663
EP - 672
DO - 10.5220/0006287506630672