CHABADA: Checking App Behavior Against App Descriptions

SLIDE 1

CHABADA: Checking App Behavior Against App Descriptions

Alessandra Gorla Saarland University, Germany

joint work with Konstantin Kuznetsov, Ilaria Tavecchia, Florian Gross and Andreas Zeller

SLIDE 6

London Restaurants

Looking for a restaurant, a bar, a pub or just to have fun in London? Search no more! This application has all the information you need:

  • You can search for every type of food you want: french, british, chinese, indian etc.
  • You can use it if you are in a car, on a bicycle or walking
  • You can view all objectives on the map
  • You can search objectives
  • You can view objectives near you
  • You can view directions (visual route, distance and duration)
  • You can use it with Street View
  • You can use it with Navigation

Keywords: london, restaurants, bars, pubs, food, breakfast, lunch, dinner, meal, eat, supper, street view, navigation

SLIDE 7

London Restaurants

  • Also sends out account info
  • Also sends out mobile phone number
  • Also sends out your device ID

SLIDE 8

What is malicious?

London Restaurants

  • Also sends out account info
  • Also sends out mobile phone number
  • Also sends out your device ID

SLIDE 10

What is malicious?

WhatsApp messenger

  • Also sends out account info
  • Also sends out mobile phone number
  • Also sends out your device ID

London Restaurants

  • Also sends out account info
  • Also sends out mobile phone number
  • Also sends out your device ID

SLIDE 11

What is normal?

London Restaurants

  • “London Restaurants” is a “travel” app
  • For “travel” apps, sending account info is abnormal
  • For “messaging” apps, this is far more likely

SLIDE 13

CHABADA

  • 1. App collection
  • 2. Topics: "Weather", "Map"…; "Travel", "Map"…; "Theme"
  • 3. Clusters: Weather + Travel; Themes
  • 4. APIs: Access-Location, Internet, Access-Location, Internet, Send-SMS
  • 5. Outliers

SLIDE 17

Apps collection

Total Android apps: 32,136

Winter 2013, Summer 2013

SLIDE 18

Stemming

looking for a restaurant, a bar, a pub or just to have fun in london? search no more! this application has all the information you need:

  • you can search for every type of food you want: french, british, chinese, indian etc.
  • you can use it if you are in a car, on a bicycle or walking
  • you can view all objectives on the map
  • you can search objectives
  • you can view objectives near you
  • you can view directions (visual route, distance and duration)
  • you can use it with street view
  • you can use it with navigation

keywords: london, restaurants, bars, pubs, food, breakfast, lunch, dinner, meal, eat, supper, street view, navigation

SLIDE 19

looking for a restaurant, a bar, a pub or just to have fun in london? search no more! this application has all the information you need:

  • you can search for everi type of food you want: french, british, chinese, indian etc.

Stemming

SLIDE 23

Topic Analysis

LDA

Topics:

  • T1: [map, navigation, street, tour, …]
  • T2: [weight, body, exercise, run, …]

Topic probabilities per app:

  • T1: 80%, T2: 20%
  • T2: 90%, T1: 10%
  • T1: 70%, T2: 30%
  • T2: 80%, T1: 20%

SLIDE 24

Topics

Table 1: Topics mined from Android Apps

Id | Assigned Name | Most Representative Words (stemmed)
 | “personalize” | galaxi, nexu, device, screen, effect, instal, customis
1 | “game and cheat sheets” | game, video, page, cheat, link, tip, trick
2 | “money” | slot, machine, money, poker, currenc, market, trade, stock, casino coin, finance
3 | “tv” | tv, channel, countri, live, watch, germani, nation, bbc, newspap
4 | “music” | music, song, radio, play, player, listen
5 | “holidays and religion” | christmas, halloween, santa, year, holiday, islam, god
6 | “navigation and travel” | map, inform, track, gps, navig, travel
7 | “language” | language, word, english, learn, german, translat
8 | “share” | email, ad, support, facebook, share, twitter, rate, suggest
9 | “weather and stars” | weather, forecast, locate, temperatur, map, city, light
10 | “files and video” | file, download, video, media, support, manage, share, view, search

SLIDE 25

Id | Assigned Name | Most Representative Words (stemmed)
12 | “cars” | car, race, speed, drive, vehicl, bike, track
13 | “design and art” | life, peopl, natur, form, feel, learn, art, design, uniqu, effect, modern
14 | “food and recipes” | recip, cake, chicken, cook, food
15 | “personalize” | theme, launcher, download, install, icon, menu
16 | “health” | weight, bodi, exercise, diet, workout, medic
17 | “travel” | citi, guid, map, travel, flag, countri, attract
18 | “kids and bodies” | kid, anim, color, girl, babi, pictur, fun, draw, design, learn
19 | “ringtones and sound” | sound, rington, alarm, notif, music
20 | “game” | game, plai, graphic, fun, jump, level, ball, 3d, score
21 | “search and browse” | search, icon, delet, bookmark, link, homepag, shortcut, browser
22 | “battle games” | story, game, monster, zombi, war, battle
23 | “settings and utils” | screen, set, widget, phone, batteri
24 | “sports” | team, football, leagu, player, sport, basketbal
25 | “wallpapers” | wallpap, live, home, screen, background, menu
26 | “connection” | device, connect, network, wifi, blootooth, internet, remot, server
27 | “policies and ads” | live, ad, home, applovin, notif, data, polici, privacy, share, airpush, advertis
28 | “popular media” | seri, video, film, album, movi, music, award, star, fan, show, gangnam, top, bieber
29 | “puzzle and card games” | game, plai, level, puzzl, player, score, challeng, card

SLIDE 26

London Restaurant Topics

look restaur bar pub just fun london search applic inform need can search everi type food want french british chines indian etc car bicycl walk can can us view object map visual rout search can can search object view distanc can object view near direct durat can can us us street view navig food keyword london restaur bar pub view breakfast lunch dinner meal eat supper street navig

SLIDE 27

London Restaurant Topics

  • “navigation and travel” (59.8%)
  • “food and recipes” (19.9%)
  • “travel” (14.0%)

SLIDE 32

Clustering

Topic probabilities per app:

  • T1: 80%, T2: 20%
  • T2: 90%, T1: 10%
  • T1: 70%, T2: 30%
  • T2: 80%, T1: 20%

K-means

After K-means:

  • T1: 80%, T2: 20%
  • T1: 70%, T2: 30%
  • T2: 90%, T1: 10%
  • T2: 80%, T1: 20%

SLIDE 33

Clusters

Id | Assigned Name | Size | Most Important Topics
1 | “sharing” | 1,453 | share (53%), settings and utils, navigation and travel
2 | “puzzle and card games” | 953 | puzzle and card games (78%), share, game
3 | “memory puzzles” | 1,069 | puzzle and card games (40%), game (12%), share
4 | “music” | 714 | music (58%), share, settings and utils
5 | “music videos” | 773 | popular media (44%), holidays and religion (20%), share
6 | “religious wallpapers” | 367 | holidays and religion (56%), design and art, wallpapers
7 | “language” | 602 | language (67%), share, settings and utils
8 | “cheat sheets” | 785 | game and cheat sheets (76%), share, popular media
9 | “utils” | 1,300 | settings and utils (62%), share, connection
10 | “sports game” | 1,306 | game (63%), battle games, puzzle and card games
11 | “battle games” | 953 | battle games (60%), game

SLIDE 34

Id | Assigned Name | Size | Most Important Topics
… | … | … | … and travel
19 | “sports” | 580 | sports (62%), share, popular media
20 | “files and videos” | 679 | files and videos (63%), share, settings and utils
21 | “search and browse” | 363 | search and browse (64%), game, puzzle and card games
22 | “advertisements” | 380 | policies and ads (97%)
23 | “design and art” | 978 | design and art (48%), share, game
24 | “car games” | 449 | cars (51%), game, puzzle and card games
25 | “tv live” | 500 | tv (57%), share, navigation and travel
26 | “adult photo” | 828 | photo and social (59%), share, settings and utils
27 | “adult wallpapers” | 543 | wallpapers (51%), share, kids and bodies
28 | “ad wallpapers” | 180 | policies and ads (46%), wallpapers, settings and utils
29 | “ringtones and sound” | 662 | ringtones and sound (68%), share, settings and utils
30 | “theme wallpapers” | 593 | wallpapers (90%), holidays and religion, share
31 | “personalize” | 402 | personalize (86%), share, settings and utils
32 | “settings and wallpapers” | 251 | settings and utils (37%), wallpapers (37%), personalize

SLIDE 37

API Analysis

SLIDE 43

“Travel” cluster

[Figure panels: Description; Permissions of APIs used]

SLIDE 44

“Personalize” cluster

[Figure panels: Description; Permissions of APIs used]

SLIDE 45

London Restaurants

SLIDE 46

London Restaurants

  • android.net.ConnectivityManager.getActiveNetworkInfo()
  • android.webkit.WebView()
  • java.net.HttpURLConnection.connect()
  • android.app.NotificationManager.notify()
  • java.net.URL.openConnection()
  • android.telephony.TelephonyManager.getDeviceId()
  • org.apache.http.impl.client.DefaultHttpClient()
  • org.apache.http.impl.client.DefaultHttpClient.execute()
  • android.location.LocationManager.getBestProvider()
  • android.telephony.TelephonyManager.getLine1Number()
  • android.net.wifi.WifiManager.isWifiEnabled()
  • android.accounts.AccountManager.getAccountsByType()
  • android.net.wifi.WifiManager.getConnectionInfo()
  • android.location.LocationManager.getLastKnownLocation()
  • android.location.LocationManager.isProviderEnabled()
  • android.location.LocationManager.requestLocationUpdates()
  • android.net.NetworkInfo.isConnectedOrConnecting()
  • android.net.ConnectivityManager.getAllNetworkInfo()

SLIDE 49

Anomaly detection

SLIDE 51

Anomaly detection

  • In each cluster, identified anomalies through one-class support vector machine (OC-SVM)
  • Features of each app: a vector of (sensitive APIs, binary value)

SLIDE 58

London Restaurants

  • android.net.ConnectivityManager.getActiveNetworkInfo()
  • android.webkit.WebView()
  • java.net.HttpURLConnection.connect()
  • android.app.NotificationManager.notify()
  • java.net.URL.openConnection()
  • android.telephony.TelephonyManager.getDeviceId()
  • org.apache.http.impl.client.DefaultHttpClient()
  • org.apache.http.impl.client.DefaultHttpClient.execute()
  • android.location.LocationManager.getBestProvider()
  • android.telephony.TelephonyManager.getLine1Number()
  • android.net.wifi.WifiManager.isWifiEnabled()
  • android.accounts.AccountManager.getAccountsByType()
  • android.net.wifi.WifiManager.getConnectionInfo()
  • android.location.LocationManager.getLastKnownLocation()
  • android.location.LocationManager.isProviderEnabled()
  • android.location.LocationManager.requestLocationUpdates()
  • android.net.NetworkInfo.isConnectedOrConnecting()
  • android.net.ConnectivityManager.getAllNetworkInfo()

→ Identified as Anomaly

SLIDE 63

Evaluation: Anomalies

Can CHABADA effectively identify anomalous(*) Android apps?

(*) i.e., mismatches between description and behavior

  • 160 apps
  • 26% covert behavior

SLIDE 68

What makes an anomaly?

  • applovin
  • airpush
  • dubious behaviour
  • uncommon behaviour
  • benign outliers

SLIDE 71

Evaluation: Malware

Can our technique be used to identify malicious Android applications?

173

SLIDE 72

Classification with Clusters (our approach)

 | Predicted as Malicious | Predicted as Benign
Malicious Apps | 56% | 44%
Benign Apps | 16% | 84%

SLIDE 73

Correct Classification: With Clusters (our approach)

[Bar chart: Malicious Apps, Benign Apps; axis 0% to 100%; values shown: 84%, 56%]

SLIDE 74

Correct Classification: Without Clusters

[Bar chart: Malicious Apps, Benign Apps; axis 0% to 100%; values shown: 85%, 24%]

SLIDE 76

Correct Classification: Given Categories from Google Play Store

[Bar chart: Malicious Apps, Benign Apps; axis 0% to 100%; values shown: 84%, 47%]

SLIDE 78

Better anomaly detection

K-nearest neighbours OC-SVM

SLIDE 79

Better anomaly detection - API weight

[Scatter plots for cluster 29; axes: Dimension 1, Dimension 2; panels: No weight; Weight with TF-IDF]
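An added example (not from the slides and not the CHABADA authors' code) of per-cluster outlier detection over binary sensitive-API vectors. It uses a k-nearest-neighbour distance score with IDF weights in place of the OC-SVM; the cluster contents, the app names and the `factor` cutoff are constructed assumptions.

```python
import math
from statistics import median

# Constructed sample: sensitive APIs per app in one description cluster.
# App names and API sets are illustrative, not CHABADA's data set.
LOC = "android.location.LocationManager.getLastKnownLocation()"
NET = "java.net.URL.openConnection()"
WIFI = "android.net.wifi.WifiManager.getConnectionInfo()"
DEVID = "android.telephony.TelephonyManager.getDeviceId()"
PHONE = "android.telephony.TelephonyManager.getLine1Number()"
ACCTS = "android.accounts.AccountManager.getAccountsByType()"
TRAVEL_CLUSTER = {
    "city_guide": {LOC, NET},
    "metro_map": {LOC, NET, WIFI},
    "hotel_finder": {LOC, NET},
    "trip_planner": {NET, WIFI},
    "hiking_routes": {LOC, NET, WIFI},
    "london_restaurants": {LOC, NET, WIFI, DEVID, PHONE, ACCTS},
}


def idf_weights(cluster):
    """Weight each API by its rarity inside the cluster (IDF).
    An API used by every app in the cluster gets weight 0."""
    n = len(cluster)
    apis = set().union(*cluster.values())
    return {a: math.log(n / sum(a in used for used in cluster.values()))
            for a in apis}


def knn_scores(cluster, k=2, weighted=True):
    """Outlier score = mean distance to the k nearest apps in the cluster."""
    w = idf_weights(cluster) if weighted else None

    def dist(a, b):
        # Binary vectors differ exactly on the symmetric difference a ^ b.
        return math.sqrt(sum((w[api] if w else 1.0) ** 2 for api in a ^ b))

    scores = {}
    for name, apis in cluster.items():
        nearest = sorted(dist(apis, other)
                         for o, other in cluster.items() if o != name)[:k]
        scores[name] = sum(nearest) / len(nearest) if nearest else 0.0
    return scores


def outliers(cluster, k=2, factor=3.0, weighted=True):
    """Apps whose score exceeds `factor` times the cluster's median score."""
    scores = knn_scores(cluster, k, weighted)
    cutoff = factor * median(scores.values())
    return sorted(n for n, s in scores.items() if s > cutoff)


def separation(cluster, name, weighted):
    """How far `name` stands out: its score divided by the median score."""
    scores = knn_scores(cluster, weighted=weighted)
    return scores[name] / median(scores.values())


def rare_apis(cluster, name, top=3):
    """The APIs of `name` that are rarest in its cluster (the likely cause)."""
    w = idf_weights(cluster)
    return sorted(cluster[name], key=lambda a: (-w[a], a))[:top]


if __name__ == "__main__":
    print(outliers(TRAVEL_CLUSTER))
    print(rare_apis(TRAVEL_CLUSTER, "london_restaurants"))
```

With IDF weights, APIs that every app in the cluster calls contribute nothing to the distance, so the outlier's score relative to the cluster median grows compared with the unweighted run.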

SLIDE 80

Better anomaly detection: Previous results

[Bar chart: Malicious Apps, Benign Apps; axis 0% to 100%; values shown: 84%, 56%]

SLIDE 81

Better anomaly detection: Current results

[Bar chart: Malicious Apps, Benign Apps; axis 0% to 100%; values shown: 81%, 81%]

SLIDE 87

CHABADA: Checking App Behavior Against App Descriptions

Alessandra Gorla Saarland University, Germany

joint work with Konstantin Kuznetsov, Ilaria Tavecchia, Florian Gross and Andreas Zeller

www.st.cs.uni-saarland.de/chabada