experiences of of la landing machine le learning onto
play

Experiences of of La Landing Machine Le Learning onto - PowerPoint PPT Presentation

Aug 27, 2022 •126 likes •424 views

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

  1. Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu

  2. Mobile Malware Detection ⚫ Android App Markets “lend credib ibil ilit ity ” Mobile App Markets Mobile Users ⚫ Current Mobile App Review ✓ Fingerprint-based Antivirus Checking ✓ Expert-informed API inspection ✓ User-report-driven Manual Examination ✓ API-based Dynamic Analysis

  3. Mobile Malware Detection ⚫ Android App Markets “lend credib ibil ilit ity ” Mobile App Markets Mobile Users ⚫ ML-based Mobile App Review Techniques ⚫ Fingerprint-based Antivirus Checking ⚫ Static Code Inspection ⚫ Dynamic Behavior Analysis

  4. ML-based Detection at Market Scales Real-world Widely explored in No existing report of the past decade the effectiveness Challenges? ML-based Malware ML-based Solutions Detection at Market Scales

  5. Large-scale Dataset: API-centric, Dynamic • 500K apps submitted to Tencent Market • From March to December 2017 • Containing apps’ malice labels Monkey : UI Event Steam APK APK Commodity servers Trigger api to Trigger API to output log output log App Emulation Tencent Market https://sj.qq.com/ One-hot Feature Vector

  6. API Selection: Correlation ⚫ APIs’ correlations with the ⚫ Time consumption of malice of apps Tracking APIs ▪ Using SRC ( Spearman’s rank ▪ Tracking highly correlated APIs ▪ Fitting a tri-modal distribution correlation coefficient ) to evaluate APIs’ correlation with apps’ malice ▪ 260 APIs pose non-trivial correlation (| SRC | ≥ 0.2) 0.6 0.5 0.4 |SRC| 0.3 0.2 0.1 0 0 200 400 600 800 1000 Ranking of API

  7. API Selection: Correlation ⚫ APIs’ correlations with the ⚫ Time consumption of malice of apps tracking different API sets ▪ Fitting a tri-modal distribution ▪ Using SRC ( Spearman’s rank ▪ Indicating a complex relationship correlation coefficient ) to evaluate APIs’ correlation with apps’ malice ▪ 260 APIs pose non-trivial correlation (| SRC | ≥ 0.2) 0.6 0.5 0.4 |SRC| 0.3 0.2 0.1 0 0 200 400 600 800 1000 Ranking of API

  8. API Selection: Model & Accuracy ⚫ Machine Learning Model & Detection Accuracy Model Precision Recall Training Time Tracking top-490 correlated APIs achieves the highest Naive Bayes 60.4% 59.6% 3.6 min precision/recall LR 81.2% 70.3% 10.4 min SVM 87.9% 71.6% ∼ 27K min GBDT 88.4% 74.3% 364 min kNN 86.5% 83.7% ∼ 1.8K min CART 87.6% 84.3% 11.6 min ∼ 1.2K min ANN 90.8% 89.9% DNN 91.5% 90.9% ∼ 1.9K min Random Forest 91.6% 90.2% 29.1 min

  9. API Selection: Model & Accuracy ⚫ Machine Learning Model & Detection Accuracy Model Precision Recall Training Time Tracking top-490 correlated APIs achieves the highest Naive Bayes 60.4% 59.6% 3.6 min precision/recall LR 81.2% 70.3% 10.4 min SVM 87.9% 71.6% ∼ 27K min GBDT 88.4% 74.3% 364 min kNN 86.5% 83.7% ∼ 1.8K min CART 87.6% 84.3% 11.6 min ∼ 1.2K min ANN 90.8% 89.9% DNN 91.5% 90.9% ∼ 1.9K min Random Forest 91.6% 90.2% 29.1 min

  10. Key API Selection Strategy ⚫ Step 1. Selecting APIs with the highest correlation with malware (Set-C). ⚫ Step 2. Selecting APIs that relate to restrictive permissions (Set-P). ⚫ Step 3. Selecting APIs that perform sensitive operations (Set-S). ⚫ Step 4. Combining the above. Set-C Performance: 244 ⚫ Analysis time: 4.3 minutes 12 4 ⚫ Precision/Recall: 96.8% / 93.7% Set-P Set-S 100 66 ⚫ Training time: 14.4 seconds

  11. Key API Selection Strategy ⚫ Step 1. Selecting APIs with the highest correlation with malware (Set-C). ⚫ Step 2. Selecting APIs that relate to restrictive permissions (Set-P). ⚫ Step 3. Selecting APIs that perform sensitive operations (Set-S). ⚫ Step 4. Combining the above. Set-C Performance: 244 ⚫ Analysis time: 4.3 minutes 12 4 ⚫ Precision/Recall: 96.8% / 93.7% Set-P Set-S 100 66 ⚫ Training time: 14.4 seconds

  12. Further Enriching the Feature Space ⚫ Hidden features – API invocation hidden by certain techniques Hidden and internal APIs IPC through intents triggered by special techniques leveraging other apps/services to like Java reflection perform sensitive actions Checking Permissions Checking Used Intents Key APIs alone API + Permission + Intents ⚫ Precision: 96.8% ⚫ Precision: 98.6% ⚫ Recall: 93.7% ⚫ Recall: 96.7%

  13. Further Enriching the Feature Space ⚫ Hidden features – API invocation hidden by certain techniques Hidden and internal APIs IPC through intents triggered by special techniques leveraging other apps/services to like Java reflection perform sensitive actions Checking Permissions Checking Used Intents Key APIs alone API + Permission + Intents ⚫ Precision: 96.8% ⚫ Precision: 98.6% ⚫ Recall: 93.7% ⚫ Recall: 96.7%

  14. System: Emulation Optimization ⚫ Default Google Android Emulator: full-system emulation ⚫ Result: 30% of apps require ≥ 5-minute analysis time ⚫ Solution: lightweight emulation on powerful x86 server ⚫ Architect: native x86 Android + Dynamic Binary Translation

  15. System: Emulation Optimization ⚫ Configuration: 5x4-core x86 server with CPU pinning ⚫ Compatibility: ≤ 1% incompatible apps ⚫ Roll back to the Google Emulator for incompatible apps ⚫ Performance: saving around 70% of the detection time Able to analyze an app in around 1.3 minutes

  16. System: Real-world Deployment ⚫ Integration to Tencent Market ⚫ Integration to Tencent Market ⚫ System Evoluation ▪ Running since March 2018 ⚫ Monthly updating the key APIs ▪ Checking ~10K apps per day using a with apps and SDK APIs single commodity server ⚫ Dataset ▪ Over 98%/96% online precision/recall contains the original dataset and new apps submitted ⚫ Fluctuating between 425 and 432

  17. System: Real-world Deployment ⚫ Integration to Tencent Market ⚫ System Evolution ▪ Running since March 2018 ▪ Monthly updating the key APIs ▪ Checking ~10K apps per day using a with the original dataset and single commodity server newly submitted apps ▪ Over 98%/96% online precision/recall ▪ Fluctuating between 425 and 432

  18. System: Addressing FPs & FNs ⚫ False Positives ⚫ False Negative ▪ 2% FP apps as complained by ⚫ 4% False Negative (FN) apps developers reported by end users ▪ All using a few top-ranking APIs ⚫ Most (87%) of the FN apps barely ▪ Most are quickly vetted based use the 426 key APIs on previous versions ⚫ These apps have fairly simple functionalities without posing a great security threat to end users ⚫ a small number of false negative Manual Inspection: apps in fact has little effect on the acceptable workload regular operation of T-Market Active & complete Passive mitigation of FNs avoidance of FPs

  19. System: Addressing FPs & FNs ⚫ False Positives ⚫ False Negatives ▪ ▪ 4% FN apps reported by end users 2% FP apps as complained by ▪ Hard to avoid developers ▪ All using a few top-ranking APIs ▪ Most (87%) barely use key APIs ▪ ▪ They have fairly simple Most are quickly vetted based on previous versions functionalities, posing little threat Manual Inspection: Report-driven: acceptable workload mild impact on users Active & complete Passive mitigation of FNs avoidance of FPs

  20. Revealed Important Features ⚫ Attempting to acquire privacy-sensitive information of user devices ⚫ Tracking or intercepting system-level events ⚫ Enabling certain types of attacks such as overlay-based attacks Gini Importance 0 0.02 0.04 0.06 0.08 0.1 API: SmsManager_sendTextMessage Permission: SEND_SMS Intent: SMS_RECEIVED Intent: wifi.STATE_CHANGE Permission: RECEIVE_SMS Intent: DEVICE_ADMIN_ENABLED Intent: buluetooth.STATE_CHANGED Permission: RECEIVE_MMS Intent: ACTION_BATTERY_OKAY API: TelephonyManager_getLine1Number Permission: RECEIVE_WAP_PUSH API: WifiInfo_getMacAddress Permission: READ_SMS API: View_setBackgroundColor Permission: ACCESS_NETWORK_STATE Permission: SYSTEM_ALERT_WINDOW API: SQLiteDatabase_insertWithOnConflict Permission: RECEIVE_BOOT_COMPLETED API: HttpURLConnection_connect API: ActivityManager_getRunningTasks

  21. Experiences of APIC HECKER Feature Engineering Feature Selection Adversary’s Principled, perspective data-driven Benign Malicious Analysis Speed Model Evolution Efficient app Monthly emulation on update with powerful x86 novel apps & servers Developer Engagement SDK APIs Active & complete avoidance of FPs vs. Passive mitigation of FNs

  22. Conclusion & Dataset ⚫ We conduct a large-scale study to understand and overcome real-world challenges of developing ML- based malware detection solutions at market scales. ⚫ We showcase several key design decisions we make towards implementing, deploying, and operating a production market-scale mobile malware detection system – APIC HECKER . ⚫ Our system has been operational at Tencent Market since March 2018, vetting around 10K apps per day on a single commodity server. Dataset & tool release: https://apichecker.github.io/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Evaluating Machine Learned User Experiences Asela Gunawardana Intelligent User Experiences

Evaluating Machine Learned User Experiences Asela Gunawardana Intelligent User Experiences

Evaluating Machine Learned User Experiences Asela Gunawardana Intelligent User Experiences Microsoft Research The typical machine learning problem ,

560 views • 45 slides
Experiences with Charm++ and NAMD on Knights Landing Supercomputers 15 th Annual Workshop on

Experiences with Charm++ and NAMD on Knights Landing Supercomputers 15 th Annual Workshop on

Experiences with Charm++ and NAMD on Knights Landing Supercomputers 15 th Annual Workshop on Charm++ and its Applica7ons James Phillips Beckman InsCtute, University of Illinois hIp://www.ks.uiuc.edu/Research/namd/ NAMD Mission Statement:

578 views • 33 slides
LANDING ACCOUNT PROCEDURES. LANDING ACCOUNT The Landing Account is a report of all the cargo that

LANDING ACCOUNT PROCEDURES. LANDING ACCOUNT The Landing Account is a report of all the cargo that

LANDING ACCOUNT PROCEDURES. LANDING ACCOUNT The Landing Account is a report of all the cargo that was actually discharge from a vessel/aircraft. All Agents/Cargo Reporters are required under section 74(1) of the Customs Act to submit a landing

176 views • 14 slides
An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning http://www.cs.iastate.edu/~cs573x/bbsilab.html Machine Learning Software Preparing Data Building Classifiers Interpreting Results Machine Learning Software

496 views • 26 slides
Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by which computers can be trained through observation, rather than being explicitly programmed. Basically, a program is given input and adjusts its

556 views • 17 slides
GLOBEVILLE LANDING OUTFALL Globeville Landing Park Globeville Landing Park Part of the DPR

GLOBEVILLE LANDING OUTFALL Globeville Landing Park Globeville Landing Park Part of the DPR

Globeville Landing Park GLOBEVILLE LANDING OUTFALL Globeville Landing Park Globeville Landing Park Part of the DPR system of open space along the South Platte River Gateway into the National Western Center Community park for

207 views • 8 slides
Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning 10-601 Tom M. Mitchell Machine Learning Department Carnegie Mellon University January 12, 2015 Today: Readings: What is machine learning? The Discipline of ML Decision tree learning Mitchell, Chapter 3

872 views • 29 slides
Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

GCT634/AI613: Musical Applications of Machine Learning (Fall 2020) Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning Pipeline in Classification Tasks A set of hand-designed audio features are selected

398 views • 26 slides
CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine

CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine

1/22/19 CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine Learning? A Simple Task: Recognize Obama How do you program a computer to Recognize faces? Recommend movies? Decide which web

581 views • 5 slides
Machine Learning Machine Learning: algorithms that use experience to improve their

Machine Learning Machine Learning: algorithms that use experience to improve their

Machine Learning Machine Learning: algorithms that use experience to improve their performance We use machine learning in situations where it is very challenging (or impossible) to define the rules by hand: e.g. face detection

1.04k views • 28 slides
Valid and Reliable Assessment of Uncommon Learning Experiences Kim Carter

Valid and Reliable Assessment of Uncommon Learning Experiences Kim Carter

Valid and Reliable Assessment of Uncommon Learning Experiences Kim Carter kcarter@qedfoundation.org Extended Learning Opportunities Small learning environments Hands-on learning Real world, relevant learning experiences Extended

370 views • 12 slides
Introduction to Machine Learning COMPSCI 371D Machine Learning COMPSCI 371D Machine

Introduction to Machine Learning COMPSCI 371D Machine Learning COMPSCI 371D Machine

Introduction to Machine Learning COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning Introduction to Machine Learning 1 / 12 Outline 1 Nearest Neighbor Prediction 2 Complexity Considerations 3 The Voronoi Diagram 4 Overfitting

564 views • 12 slides
Apollo 11: Lunar Landing INST 154 Apollo at 50 Lunar Landing Apollo 11 Landing Site Selection

Apollo 11: Lunar Landing INST 154 Apollo at 50 Lunar Landing Apollo 11 Landing Site Selection

Apollo 11: Lunar Landing INST 154 Apollo at 50 Lunar Landing Apollo 11 Landing Site Selection Criteria Smoothness : The sites should have relatively few craters Slope: The general slope of the landing area must be less than 2 degrees

279 views • 16 slides
1 Why Study Machine Learning? Why Study Machine Learning? Cognitive Science The Time is Ripe

1 Why Study Machine Learning? Why Study Machine Learning? Cognitive Science The Time is Ripe

What is Learning? Herbert Simon: Learning is any process by which a system improves performance from CS 391L: Machine Learning experience. Introduction What is the task? Classification Problem solving / planning /

603 views • 6 slides
MACHINE LEARNING, STATISTICAL LEARNING AND PARALLEL COMPUTING INTRODUCTION VS MACHINE LEARNING

MACHINE LEARNING, STATISTICAL LEARNING AND PARALLEL COMPUTING INTRODUCTION VS MACHINE LEARNING

JACOPO DI IORIO, MATTEO FONTANA, DANIELE OCCHIUTO, CLAUDIA VOLPETTI MACHINE LEARNING, STATISTICAL LEARNING AND PARALLEL COMPUTING INTRODUCTION VS MACHINE LEARNING STATISTICAL LEARNING Separate evolutions, but with shared methodologies MERGE

565 views • 55 slides
Image Blob Detection: A Machine Learning Approach Andrew Colello Undergraduate Thesis 2016

Image Blob Detection: A Machine Learning Approach Andrew Colello Undergraduate Thesis 2016

Image Blob Detection: A Machine Learning Approach Andrew Colello Undergraduate Thesis 2016 Union College Department of Computer Science Faculty Advisor: Valerie Barr Background: Golf Ball Problem Photo of landing location Finding bright

429 views • 17 slides
and Evaluation CMSC 678 UMBC Central Question: How Well Are We Doing? Precision, Recall,

and Evaluation CMSC 678 UMBC Central Question: How Well Are We Doing? Precision, Recall,

Experimental Setup, Multi-class vs. Multi-label classification, and Evaluation CMSC 678 UMBC Central Question: How Well Are We Doing? Precision, Recall, F1 Accuracy Log-loss Classification ROC-AUC

982 views • 74 slides
Optimizing unit test execution in large software programs using dependency analysis Taesoo Kim,

Optimizing unit test execution in large software programs using dependency analysis Taesoo Kim,

Optimizing unit test execution in large software programs using dependency analysis Taesoo Kim, Ramesh Chandra and Nickolai Zeldovich MIT CSAIL Running unit tests takes too long Its our policy to make sure all tests pass at all times .

967 views • 51 slides
Intrus ntrusion ion Det Detection, ection, Fi Fire rewalls, alls, an and d Intr ntrusion

Intrus ntrusion ion Det Detection, ection, Fi Fire rewalls, alls, an and d Intr ntrusion

Intrus ntrusion ion Det Detection, ection, Fi Fire rewalls, alls, an and d Intr ntrusion usion Pr Prevention ention Professor Patrick McDaniel ECE 590 03 (Guest lecture) Intrusion Detection Systems Authorized eavesdropper

607 views • 23 slides
CSI5180. MachineLearningfor BioinformaticsApplications Fundamentals of Machine Learning tasks

CSI5180. MachineLearningfor BioinformaticsApplications Fundamentals of Machine Learning tasks

CSI5180. MachineLearningfor BioinformaticsApplications Fundamentals of Machine Learning tasks and performance metrics by Marcel Turcotte Version November 6, 2019 Preamble Preamble 2/47 Preamble Fundamentals of Machine Learning tasks

823 views • 65 slides
MA162: Finite mathematics . Jack Schmidt University of Kentucky December 3, 2012 Schedule:

MA162: Finite mathematics . Jack Schmidt University of Kentucky December 3, 2012 Schedule:

. MA162: Finite mathematics . Jack Schmidt University of Kentucky December 3, 2012 Schedule: Exam 4 is Thursday, December 13th, 6pm to 8pm in: CB110 (Sec 001, 002), CB114 (Sec 003, 004), FB200 (Sec 005, 006) HW 7C is due Friday, December

334 views • 9 slides
Bayesian Updating: Discrete Priors: 18.05 Spring 2014 http://xkcd.com/1236/ January 1, 2017

Bayesian Updating: Discrete Priors: 18.05 Spring 2014 http://xkcd.com/1236/ January 1, 2017

Bayesian Updating: Discrete Priors: 18.05 Spring 2014 http://xkcd.com/1236/ January 1, 2017 1 / 22 Learning from experience Which treatment would you choose? 1. Treatment 1: cured 100% of patients in a trial. 2. Treatment 2: cured 95% of

535 views • 22 slides
Introduction to Machine Learning Evaluation: Measures for Binary Classification: ROC

Introduction to Machine Learning Evaluation: Measures for Binary Classification: ROC

Introduction to Machine Learning Evaluation: Measures for Binary Classification: ROC visualization compstat-lmu.github.io/lecture_i2ml LABELS: ROC SPACE Plot True Positive Rate and False Positive Rate: 1.00 True Class y C2 +

596 views • 17 slides
Concept Drift Albert Bifet March 2012 COMP423A/COMP523A Data Stream Mining Outline 1.

Concept Drift Albert Bifet March 2012 COMP423A/COMP523A Data Stream Mining Outline 1.

Concept Drift Albert Bifet March 2012 COMP423A/COMP523A Data Stream Mining Outline 1. Introduction 2. Stream Algorithmics 3. Concept drift 4. Evaluation 5. Classification 6. Ensemble Methods 7. Regression 8. Clustering 9. Frequent

633 views • 26 slides

More recommend