malware collusions
play

Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and - PowerPoint PPT Presentation

Nov 11, 2023 •9 likes •139 views

On the Need of Precise Inter-App ICC Classification for Detecting Android Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of Computer Science Virginia Tech May 21, 2015 Problem and Motivation Malware

  1. On the Need of Precise Inter-App ICC Classification for Detecting Android Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of Computer Science Virginia Tech May 21, 2015

  2. Problem and Motivation Malware Threat to Mobile OS [CIO Insight, 2012] • Threats • Abuse of system resources • Leak of sensitive data 2

  3. Malware Evolution: App Collusion • Collusion refers to the scenario where two or more apps interact with each other to perform malicious tasks – Directly: Android Intent-based inter-component communication (ICC) – Indirectly: shared files,…etc. • Existing solutions assume the attack model of a single malicious app, and thus cannot detect collusion An example of permissions and operations being split between colluding apps 3

  4. Existing Solutions & Limitations Solution Analysis Collusion Limitation Type Classification Policies XManDroid - Dynamic Permissions - High false alerts [NDSS’12] - Pair of apps Combinations - Scalability - Circumvented by long chain of collusion CHEX - Static No - Vulnerability analysis only [CCS’12] - Single app - Can not track data via ICC ComDroid - Static No - Vulnerability analysis only [MobiSys’11] - Can ’t track path from public component - Single app to critical operation -> false alerts Epicc - Static No - Same as ComDroid [USENIX13] - Single app Amandroid - Static No - No analysis/info on how to connect ICC [CCS’14] - Single app among apps 4

  5. Our Goal To characterize ICC and to experimentally demonstrate the difficulties and technical challenges associated with app collusion detection 5

  6. Static Characterization of ICC • We developed a static analysis tool ( ICC Map) to model the Intent-based ICC of Android apps • ICC Map captures all types of communication (internal and external) of an app – <ICCName k , sourceComponent k , targetComponent k , typeOfCommunication k >, Partial ICC map for “abc.ssd.TrafficInfoCheck” app 6

  7. Experimental Evaluation • We statically construct ICC Maps of 2,644 benign apps collected from Google Play • The objectives of the study: 1. How often do benign apps perform inter-app communications with other apps? 2. How effective is the existing collusion detection solution (namely XManDroid) in terms of false positive rate? 7

  8. Experimental Evidence 9 8 7 # of App Pairs 6 5 4 3 2 1 0 Policy # 8 Policy # 9 Policy # 10 Policy # 11 Existing collusion detection solution (XManDroid) triggers a large number of false alerts in benign app pairs (11 out of 20 benign app pairs are misclassified as collusion) Subset of XManDroid’s policy 8

  9. Collusion Detection: Challenges Challenges & Problems: • Many benign apps interacts with other apps • Analysis scalability with minimum complexity • Existing solution produces large number of false alerts Solution for detecting malware collusion needs: • To be able to characterize the context associated with communication channels with fine granularity • To define security policies to classify benign ICC flows from colluding ones with low false alerts • To be scalable to a large number of apps (e.g., tens of thousands of apps) 9

  10. Improving Collusion Detection with Deep Cross- App Data-flow Analysis • ICC involving non-sensitive data or request should NOT be alerted, despite of the sensitive permission combination (ACCESS_FINE_LOCATION and INTERNET) • We argue that there is a need for a more practical solution based on in-depth static flow analysis that captures the context associated with the ICC 10

  11. Improving Collusion Detection with Deep Cross- App Data-flow Analysis Deep static data-flow analysis in both source and destination apps (requires new program analysis algorithms and data structures) 11

  12. Conclusions & Future Work • This work demonstrates experimentally the challenges to detect malware collusion • Future work – We plan to utilize our ICC Map for app collusion detection and define more fine-grained security policies to reduce false alerts • App collusion analysis has many useful applications: – Enable app store to perform massive screening of the apps to detect possible collusion – Enable the user to check apps before installing to detect possible collusion with the pre-installed apps 12

  13. Thank You… Questions? 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Convergence of Coloring Games with Collusions Augustin Chaintreau 1 Guillaume Ducoffe 2 Dorian

Convergence of Coloring Games with Collusions Augustin Chaintreau 1 Guillaume Ducoffe 2 Dorian

Universidad Adolfo Ib` a nez 1/21 Convergence of Coloring Games with Collusions Augustin Chaintreau 1 Guillaume Ducoffe 2 Dorian Mazauric 3 1Columbia University in the City of New York 2Univ. Nice Sophia Antipolis, CNRS, I3S, UMR 7271, 06900

774 views • 44 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

567 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND &amp; CONTROL QUESTIONS &amp; ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie

AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie

AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie Joint Work w/ David Yang, Sihan Li (Illinois) Xusheng Xiao, Benjamin Andow, Rahul Pandita, William Enck (NCSU) Mobile App Markets Google Play

567 views • 46 slides
ShieldFS: The Last Word in Ransomware Resilient Filesystems Andrea Continella , Alessandro

ShieldFS: The Last Word in Ransomware Resilient Filesystems Andrea Continella , Alessandro

ShieldFS: The Last Word in Ransomware Resilient Filesystems Andrea Continella , Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, Federico Maggi * US patent pending 2016-17 the &quot;years of

976 views • 81 slides
Hyperplasia &amp; Cancer Risk Hyperplasia &amp; Cancer Risk Jim Lacey, Ph.D. City of Hope

Hyperplasia &amp; Cancer Risk Hyperplasia &amp; Cancer Risk Jim Lacey, Ph.D. City of Hope

Hyperplasia &amp; Cancer Risk Hyperplasia &amp; Cancer Risk Jim Lacey, Ph.D. City of Hope Duarte, CA NCI-Designated Comprehensive Cancer Center When EH is Diagnosed When EH is Diagnosed What is the risk of concurrent cancer?

572 views • 36 slides
Disclosures I have nothing to disclose APPLICATION OF IMMUNOHISTOCHEMISTRY TO CHALLENGING

Disclosures I have nothing to disclose APPLICATION OF IMMUNOHISTOCHEMISTRY TO CHALLENGING

5/25/2017 Disclosures I have nothing to disclose APPLICATION OF IMMUNOHISTOCHEMISTRY TO CHALLENGING UROLOGIC PATHOLOGY CASES bradley.stohr@ucsf.edu Bradley Stohr, MD, PhD Assistant Professor, UCSF Pathology Outline Bladder The

894 views • 30 slides
Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu

Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu

Automatically Evading Classifiers A Case Study on PDF Malware Classifiers Weilin Xu David Evans Yanjun Qi University of Virginia Machine Learning is Solving Our Problems Fake Fake Spam IDS

1.07k views • 34 slides
Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements

Outline Usability and security CSci 5271 Introduction to Computer Security Announcements intermission Day 25: Usability and security Stephen McCamant Usable security example areas University of Minnesota, Computer Science &amp; Engineering

419 views • 4 slides
Evaluating the Long-term Effects of Parameters on the Characteristics of the Tranco Top Sites

Evaluating the Long-term Effects of Parameters on the Characteristics of the Tranco Top Sites

Evaluating the Long-term Effects of Parameters on the Characteristics of the Tranco Top Sites Ranking Victor Le Pochat , Tom Van Goethem, Wouter Joosen CSET 2019, 12 August 2019 Security researchers rely on top websites rankings We perform a

704 views • 27 slides
Joint Liver Lesion Segmentation and Classification via Transfer Learning Michal Heker and Hayit

Joint Liver Lesion Segmentation and Classification via Transfer Learning Michal Heker and Hayit

Joint Liver Lesion Segmentation and Classification via Transfer Learning Michal Heker and Hayit Greenspan Department of Biomedical Engineering, Tel-Aviv University, Israel July 2020 Contact : michalheker@gmail.com Medical Image Processing Lab

99 views • 6 slides

More recommend