appcontext differentiating malicious
play

AppContext: Differentiating Malicious and Benign Mobile App Behavior - PowerPoint PPT Presentation

Aug 15, 2023 •99 likes •567 views

AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie Joint Work w/ David Yang, Sihan Li (Illinois) Xusheng Xiao, Benjamin Andow, Rahul Pandita, William Enck (NCSU) Mobile App Markets Google Play

  1. AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie Joint Work w/ David Yang, Sihan Li (Illinois) Xusheng Xiao, Benjamin Andow, Rahul Pandita, William Enck (NCSU)

  2. Mobile App Markets Google Play Microsoft Windows Phone Apple App Store

  3. App Store beyond Mobile Apps!

  4. App Store within Mobile App!

  5. What If Formal Specs Are Written?! permission list , etc. informal: app description , etc. APP DEVELOPERS App App Security Functional Requirements Requirements App Code 5 User User Security Functional Requirements Requirements APP USERS

  6. Informal App Functional Requirements: App Description App App Code Permissions 6

  7. App Security Requirements: Permission List 7

  8. What If Formal Specs Are Written?! informal: app description , etc. permission list , etc. APP DEVELOPERS App App Security Functional Requirements Requirements App Code 8 User User Security Functional Requirements Requirements APP USERS

  9. Example Andriod App: Angry Birds 9

  10. What If Formal Specs Are Written?! informal: app description , etc. permission list , etc. APP DEVELOPERS App App Security Functional Requirements Requirements App Code 10 User User Security Functional Requirements Requirements APP USERS In reality, few of these requirements are (formally) specified!!  Hope?!: Bring human into the loop: user perception + judgment

  11. Our Yin-Yang View on Mobile App Security o Reason about user-perceived info, e.g., WHYPER ( ) o Push app security behavior across the User-Perceived boundary, e.g., AppContext (  ) Information o Check consistency across the boundary (  ) o Reduce user judgment effort ( ) App Security Behavior App UIs, App App Description categories, [functional] App metadata, User forums, … App App Code Permissions 11 [security]

  12. Assuring Market Security/Privacy o Apple ( Market’s Responsibility) o Apple performs manual inspection o Google ( User’s Responsibility) o Users approve permissions for security/privacy o Bouncer (static/dynamic malware analysis) o Windows Phone (Hybrid) o Permissions / manual inspection 12

  13. Program Analysis + Natural Language Processing o Previous approaches look at permissions  code (runtime behaviors) o What does the users expect? o GPS Tracker: record and send location o Phone-Call Recorder: record audio during phone call App Description App App 13 Code Permissions

  14. Vision “Bridging the gap between user expectation  app behaviors” o User expectations o user perception + user judgment o Focus on permission  app descriptions o permissions (protecting user understandable resources) should be discussed Permission App Description Sentence Linkage 14

  15. WHYPER Overview • Enhance user experience while installing apps • Enforce functionality disclosure on developers • Complement program analysis to ensure justifications DEVELOPERS Application Market WHYPER USERS 15 Pandita et al. WHYPER: Towards Automating Risk Assessment of Mobile Applications. USENIX Security 2013 http://web.engr.illinois.edu/~taoxie/publications/usenixsec13-whyper.pdf

  16. Example Sentence in App Desc. • E.g., “ Also you can share the yoga exercise to your friends via Email and SMS. ” – Implication of using the contact permission – Permission sentences 16 Keyword-based search on application descriptions

  17. Problems with Ctrl + F • Confounding effects: – Certain keywords such as “ contact ” have a confounding meaning – E.g., “... displays user contacts , ...” vs “... contact me at abc@xyz.com ”. • Semantic inference: – Sentences often describe a sensitive operation without actually referring to keywords – E.g., “ share yoga exercises with your friends via Email and SMS” 17

  18. Natural Language Processing • Natural Language Processing (NLP) techniques help computers understand NL artifacts • In general, NLP is still difficult • NLP on domain specific sentences with specific styles is feasible – Text2Policy: extraction of security policies from use cases [FSE 12] – APIInfer: inferring contracts from API docs [ICSE 12] – WHYPER: domain knowledge from API docs [USENIX Security 13]

  19. Overview of WHYPER NLP Parser WHYPER Intermediate APP Description Preprocessor Representation Generator FOL Representation APP Permission Semantic Graphs Semantic Engine Semantic Graph API Docs Generator Annotated Description Domain Knowledge 19

  20. Evaluation • Subjects – Permissions: • READ_CONTACTS • READ_CALENDAR • RECORD_AUDIO – 581 application descriptions – 9,953 sentences • Evaluation setup – Manual annotation of the sentences – WHYPER for identifying permission sentences – Comparison to keyword-based searching 20

  21. Evaluation Results • Precision and recall of WHYPER – Average precision (82.8%) and recall (81.5%) Permission Keywords READ_CONTACTS contact, data, number, name, email READ_CALENDAR calendar, event, date, month, day, year RECORD_AUDIO record, audio, voice, capture, microphone • Comparison to keyword-based searching – Improving precision (41.6%) and recall (-1.2%) 21

  22. Result Analysis (False Positives) • Incorrect parsing • “ MyLink Advanced provides full synchronization of all Microsoft Outlook emails (inbox, sent, outbox and drafts), contacts, calendar, tasks and notes with all Android phones via USB ” • Synonym analysis • Ex non-permission sentence: “You can now turn recordings into ringtones .” • functionality that allows users to create ringtones from previously recorded sounds but NOT requiring permission to record audio • false positive due to using synonym: (turn, start ) 22

  23. Result Analysis (False Negatives) • Incorrect parsing • Incorrect identification of sentence boundaries and limitations of underlying NLP infrastructure • Limitations of Semantic Graphs • Ex. permission sentence: “ blow into the mic to extinguish the flame like a real candle” • false negative due to failing to associate “ blow into ” with “record” • Automatic mining from user comments and forums 23

  24. Our Yin-Yang View on Mobile App Security o Reason about user-perceived info, e.g., WHYPER ( ) o Push app security behavior across the User-Perceived boundary, e.g., AppContext (  ) Information o Check consistency across the boundary (  ) o Reduce user judgment effort ( ) App Security Behavior App UIs, App App Description categories, [functional] App metadata, User forums, … App App Code Permissions 24 [security]

  25. Related Work • AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction . Jianjun Huang, Xiangyu Zhang, Lin Tan, Peng Wang, and Bin Liang. ICSE 2014. • Checking App Behavior Against App Descriptions . Alessandra Gorla and Ilaria Tavecchia and Florian Gross and Andreas Zeller. ICSE 2014.

  26. AsDroid: Detecting Stealthy Behaviors in Android Applications [ICSE’14 Huang et al.] “One -Click Register & Login ” 26

  27. CHABADA: Checking App Behavior Against App Descriptions [ICSE’14 Gorla et al.] ICSE 2012 27

  28. Our Yin-Yang View on Mobile App Security o Reason about user-perceived info, e.g., WHYPER ( ) o Push app security behavior across the User-Perceived boundary, e.g., AppContext (  ) Information o Check consistency across the boundary (  ) o Reduce user judgment effort ( ) App Security Behavior App UIs, App App Description categories, [functional] App metadata, User forums, … App App Code Permissions 28 [security]

  29. How to Define Malicious Behavior? – What makes a behavior (app) malicious? – Existing techniques • Permissions • API Method Calls • Information Flows

  30. How to Define Malicious Behavior?: Examples – Sending a text msg to a premium number to charge money Being legitimate payment method for unlocking game features in Andriod. (Same Permission, Same API) – Taking all of your contacts and sends them to some server Being done by WhatsApp upon initialization (acquired by Facebook for $19 billion in Feb 14) (Same Permission, Same API, Same Information flow) – Tracking your current position Being done by TapSnake (a clone of the Snake game, also a spyware to track a phone’s location) (Same Permission, Same API, Same Information flow)

  31. Motivation Fundamental difference between malware & benign apps: different design principles • Benign apps • Meet requirements from users (as delivering utility) • Malware • Meet requirements from users (as covering up) • Trigger executing malicious behaviors frequently to seek max benefits (as delivering “ utility” ) • Evade detection to prolong lifetime (as covering up)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International

ITS335 Malicious Software Malicious Software Propagation Payload Malicious Software Countermeasures Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 25 October

673 views • 30 slides
DIFFERENTIATING OURSELVES BY ADOPTING SUSTAINABLE BUSINESS PRACTICES THAT ARE ENVIRONMENTALLY

DIFFERENTIATING OURSELVES BY ADOPTING SUSTAINABLE BUSINESS PRACTICES THAT ARE ENVIRONMENTALLY

GROWTHPOINT PROPERTIES LIMITED DIFFERENTIATING OURSELVES BY ADOPTING SUSTAINABLE BUSINESS PRACTICES THAT ARE ENVIRONMENTALLY FRIENDLY AND SOCIALLY RESPONSIBLE THE FIRST MOVER ADVANTAGE NORBERT SASSE 18 OCTOBER 2013 AGENDA Introduction to

552 views • 37 slides
Differentiating the Flipped Classroom Eric M. Carbaugh, PhD -

Differentiating the Flipped Classroom Eric M. Carbaugh, PhD -

@flipdiff #flipdiff Differentiating the Flipped Classroom Eric M. Carbaugh, PhD - carbauem@jmu.edu Kristina J. Doubet, PhD - doubetkj@jmu.edu Department of Middle, Secondary,

787 views • 53 slides
DIFFERENTIATING ACTIVITIES TO SUPPORT AND CHALLENGE LEARNERS Please sign up or log in to

DIFFERENTIATING ACTIVITIES TO SUPPORT AND CHALLENGE LEARNERS Please sign up or log in to

USING DIGITAL TOOLS: DIFFERENTIATING ACTIVITIES TO SUPPORT AND CHALLENGE LEARNERS Please sign up or log in to https://quizlet.com to participate fully in this session. Supporting and challenging learners My groups are a mix of different

404 views • 19 slides
Differentiating proofs for programs Marie Kerjean Inria Bretagne Marie Kerjean (Inria Bretagne)

Differentiating proofs for programs Marie Kerjean Inria Bretagne Marie Kerjean (Inria Bretagne)

SYCO 3 Differentiating proofs for programs Marie Kerjean Inria Bretagne Marie Kerjean (Inria Bretagne) Differentiating proofs for programs 1 / 29 1 Linear Logic 2 Smooth classical models 3 LPDEs 4 Higher-Order Marie Kerjean (Inria Bretagne)

775 views • 46 slides
Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci

OWASP T urkey - Uygulama Gvenlii Gn Introduction to Malicious Web Sites Ktcl Web Sitelerine Bir lk Bak Ali Ikinci Siber Gvenlik Dernei ali@ikinci.info 9 June 2012 Turkey About Me Working on Malicious Web Sites

505 views • 31 slides
Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer Vienna University of Technology Alessandro Di Federico Politecnico di Milano Federico Maggi Politecnico di Milano Paolo Milani Comparetti Vienna

566 views • 27 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 29 March 2007 SYN Cookies (contd) SYN Cookies (contd) SYN cookies are particular choices of initial TCP sequence numbers

868 views • 62 slides
Unifying Math Ontologies: A Tale of Two Standards Differentiating between analysis and algebra

Unifying Math Ontologies: A Tale of Two Standards Differentiating between analysis and algebra

Unifying Math Ontologies: A Tale of Two Standards Differentiating between analysis and algebra James Davenport & Michael Kohlhase University of Bath (visiting Waterloo) & Jacobs Universit at Bremen 12 July 2009 Thanks to referees,

920 views • 60 slides
Organizational Factors Differentiating VHA PTSD Outpatient Teams with High and Low Delivery of

Organizational Factors Differentiating VHA PTSD Outpatient Teams with High and Low Delivery of

Organizational Factors Differentiating VHA PTSD Outpatient Teams with High and Low Delivery of Evidence Based Psychotherapy 9 th Annual Conference on the Science of Dissemination and Implementation in Health December 15, 2016 Craig S. Rosen, PhD

350 views • 24 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain TPMPC 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

925 views • 69 slides
Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai

Two Round Information-Theoretic MPC with Malicious Security Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain EUROCRYPT 2019 Adversarial Model Adversarial Model Malicious Adversary Adversarial Model Malicious Adversary

1.11k views • 57 slides
Differentiating Psychologically Healthful and Non-healthful Doubting Divine Love A. Salvador

Differentiating Psychologically Healthful and Non-healthful Doubting Divine Love A. Salvador

Duda (Doubt) and Psychological Wellbeing: Differentiating Psychologically Healthful and Non-healthful Doubting Divine Love A. Salvador Department of Psychology University of the Philippines Diliman PAP Conference 2016 Email.

373 views • 19 slides
Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First

Loo ooking g into Ma o Malicious I Insider ers JPCERT/CC Koichiro Sparky Komiyama First Conference, Vienna Agenda Background Previous work Information leakage by malicious insider Our Research How to prevent 2 Insider

335 views • 30 slides
ShieldFS: The Last Word in Ransomware Resilient Filesystems Andrea Continella , Alessandro

ShieldFS: The Last Word in Ransomware Resilient Filesystems Andrea Continella , Alessandro

ShieldFS: The Last Word in Ransomware Resilient Filesystems Andrea Continella , Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, Federico Maggi * US patent pending 2016-17 the "years of

976 views • 81 slides
Hyperplasia & Cancer Risk Hyperplasia & Cancer Risk Jim Lacey, Ph.D. City of Hope

Hyperplasia & Cancer Risk Hyperplasia & Cancer Risk Jim Lacey, Ph.D. City of Hope

Hyperplasia & Cancer Risk Hyperplasia & Cancer Risk Jim Lacey, Ph.D. City of Hope Duarte, CA NCI-Designated Comprehensive Cancer Center When EH is Diagnosed When EH is Diagnosed What is the risk of concurrent cancer?

572 views • 36 slides
Disclosures I have nothing to disclose APPLICATION OF IMMUNOHISTOCHEMISTRY TO CHALLENGING

Disclosures I have nothing to disclose APPLICATION OF IMMUNOHISTOCHEMISTRY TO CHALLENGING

5/25/2017 Disclosures I have nothing to disclose APPLICATION OF IMMUNOHISTOCHEMISTRY TO CHALLENGING UROLOGIC PATHOLOGY CASES bradley.stohr@ucsf.edu Bradley Stohr, MD, PhD Assistant Professor, UCSF Pathology Outline Bladder The

894 views • 30 slides
Ontology-based Diagnostic Decision Support for Radiology Charles E. Kahn, Jr., MD, MS Medical

Ontology-based Diagnostic Decision Support for Radiology Charles E. Kahn, Jr., MD, MS Medical

MIE 2014 Ontology-based Diagnostic Decision Support for Radiology Charles E. Kahn, Jr., MD, MS Medical College of Wisconsin Milwaukee, Wisconsin, USA Goals Apply an ontology of disorders and associated imaging findings for differential

347 views • 23 slides
Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

On the Need of Precise Inter-App ICC Classification for Detecting Android Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of Computer Science Virginia Tech May 21, 2015 Problem and Motivation Malware

139 views • 13 slides
Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu

Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu

Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu David Evans Yanjun Qi University of Virginia Machine Learning is Solving Our Problems Fake Fake Spam IDS

1.07k views • 34 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science & Engineering

419 views • 4 slides
Evaluating the Long-term Effects of Parameters on the Characteristics of the Tranco Top Sites

Evaluating the Long-term Effects of Parameters on the Characteristics of the Tranco Top Sites

Evaluating the Long-term Effects of Parameters on the Characteristics of the Tranco Top Sites Ranking Victor Le Pochat , Tom Van Goethem, Wouter Joosen CSET 2019, 12 August 2019 Security researchers rely on top websites rankings We perform a

704 views • 27 slides

More recommend