Presentation at CISIS 2013 International conference of the paper: Anomaly Detection using String Analysis for Android Malware Detection
Anomaly Detection using String Analysis for Android Malware Detection
Borja Sanz, Igor Santos, Xabier Ugarte-Pedrero, Carlos Laorden, Javier Nieves, Pablo G. Bringas
In the past 10 years mobile phones have evolved. In fact, now they are called smartphones.
108 million iPhones sold
Android devices activated since I started this presentation: 1955 ... 1972 ... 2006 ... 2023
1.5 million every day
It is a revolution
Emails, Pictures, Videos, IM, Web history, Documents, Geoposition, Movements, Microphone, Camera, Call history, Wallet
Let me ask you...
Would you lend me your smartphone? (no doubts)
Have you ever lost a cellphone? (feeling?)
We carry sensitive information in our pockets.
What about security? Is there malware in Android?
Malware in Android
Malware is one of the most important issues in Android
But I only download apks from the market…
New detection methods are necessary
Anomaly detection method for Android malware detection
1 Dataset creation
Benign software (goodware) and malicious software (malware)
Malware dataset: AV evaluation (evaluation of samples based on the detected AV), threshold definition, removal of duplicate samples: 1,938 samples reduced to 333 samples
Goodware dataset: game, 333 samples
2 Feature selection
Strings
const-string v6, "TEST CONSTANT"
const-string v6, "THE VARIABLE"

Each string becomes one binary feature of the sample vector:
                THE VARIABLE   TEST CONSTANT   ...
S1 = (               0        ,       1        ,  1  )
S2 = (               1        ,       0        ,  0  )

[Figure: vector space with terms t1, t2, t3 as axes and documents D1, D2, D3, D5, D6, D7, D9 plotted as points]
3 Anomaly Detection
Anomaly detection: compute the distance d between a sample and the goodware set, then decide: d < threshold (normal) or d > threshold (anomaly)?
Distance measures: Manhattan distance, Euclidean distance, Cosine distance
Selection rules: minimum distance, maximum distance, mean distance
Configurations evaluated: {minimum, maximum, mean distance} x {Manhattan, Euclidean, Cosine distance} x 10 different thresholds
5-fold cross-validation
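The pipeline above (const-string extraction, binary vectors, distance to the goodware set, selection rule, threshold) as an added example; this is not the authors' code. The smali fragments and the suspect app are constructed, and building the vocabulary from the goodware strings plus the sample's own strings is an assumption.

```python
import math
import re
# Constructed smali fragments (not real apps): const-string literals per goodware app.
GOODWARE = {
    "good1": 'const-string v0, "Main"\nconst-string v1, "Settings"\nconst-string v2, "Play"',
    "good2": 'const-string v0, "Main"\nconst-string v1, "Score"\nconst-string v2, "Play"',
    "good3": 'const-string v0, "Settings"\nconst-string v1, "Score"\nconst-string v2, "Play"',
}
# Constructed suspect app: shares one string with goodware, adds two never seen there.
SUSPECT = ('const-string v0, "Main"\nconst-string v1, "http://c2.invalid/upload"\n'
           'const-string v2, "sendTextMessage"')
# Matches Dalvik const-string / const-string/jumbo instructions and captures the literal.
CONST_STRING = re.compile(r'const-string(?:/jumbo)? [vp]\d+, "((?:[^"\\]|\\.)*)"')

def extract_strings(smali):
    """Feature extraction step: the set of string literals in a disassembled app."""
    return set(CONST_STRING.findall(smali))

def vectorise(strings, vocabulary):
    """Binary occurrence vector over the vocabulary, like S1 = (0, 1, 1) on the slide."""
    return [1 if term in strings else 0 for term in vocabulary]

def manhattan(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))
def euclidean(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = math.sqrt(sum(x * x for x in a)), math.sqrt(sum(y * y for y in b))
    return 1.0 if na == 0 or nb == 0 else 1.0 - dot / (na * nb)

DISTANCES = {"manhattan": manhattan, "euclidean": euclidean, "cosine": cosine}
# Selection rules collapse the per-goodware-sample distances into one score.
RULES = {"min": min, "max": max, "mean": lambda ds: sum(ds) / len(ds)}

def anomaly_score(sample_smali, goodware, distance="manhattan", rule="mean"):
    """Distance from one app to the benign reference set only (no malware needed).
    Assumption: the vocabulary is the union of strings in goodware and the sample."""
    good_sets = [extract_strings(s) for s in goodware.values()]
    sample_set = extract_strings(sample_smali)
    vocabulary = sorted(set().union(sample_set, *good_sets))
    sample_vec = vectorise(sample_set, vocabulary)
    dists = [DISTANCES[distance](sample_vec, vectorise(g, vocabulary)) for g in good_sets]
    return RULES[rule](dists)

def is_anomalous(score, threshold):
    """Classification step: flag the app when its score exceeds the threshold."""
    return score > threshold
```

With the constructed data the suspect app sits at Manhattan distance 4, 4 and 6 from the three goodware apps, while a goodware app scores 0 under the minimum rule, which is the separation the threshold sweep exploits.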
4 Results
TPR, FPR and Accuracy for Manhattan, Euclidean and Cosine distance
Area Under the Curve for Manhattan, Euclidean and Cosine distance: 0.88
Only benign samples are considered to measure distances
Future work
Other feature sets
Other distances and selection rules
Dynamic analysis
We still have a long way to go