malware datasets
play

Malware Datasets Aleieldin Salem and Alexander Pretschner Technische - PowerPoint PPT Presentation

Oct 26, 2022 •243 likes •590 views

Poking the Bear: Lessons Learned from Probing Three Android Malware Datasets Aleieldin Salem and Alexander Pretschner Technische Universitt Mnchen Garching bei Mnchen {salem, pretschn @in.tum.de} Montpellier, 04.09.2018 Abstract

  1. Poking the Bear: Lessons Learned from Probing Three Android Malware Datasets Aleieldin Salem and Alexander Pretschner Technische Universität München Garching bei München {salem, pretschn @in.tum.de} Montpellier, 04.09.2018

  2. Abstract • Stumbled upon some inconsistencies while experimenting with different Android malware datasets • Investigate the source of discrepancies • A series of experiments performed on three Android malware datasets • Some (interesting) findings 2 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  3. Background • Working on a solution based on “Active Learning” • Evaluating on Malgenome vs. Piggybacking • Datasets of Repackaged/Piggybacked Malware • Malgenome = great results! • Piggybacking = mediocre results? • Trying on AMD and Drebin • Works like a charm! • What the .. ? 3 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  4. Research Questions 4 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  5. Dissection Experiments • Infer some information about the malicious instances found in: • Malgenome (Zhou et al. 2012) • Piggybacking (Li et al. 2017) • AMD (Wei et al. 2017) • VirusTotal detection rates, involved marketplaces, malware types, etc. • Backed up by information in Euphony (Hurier et al. 2017) 5 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  6. Dissection Experiments • Backed up by information in Euphony (Hurier et al. 2017) around 50 More information: https://androidmalwareinsights.github.io 7 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  7. Dissection Experiments • Backed up by information in Euphony (Hurier et al. 2017) around 50 More information: https://androidmalwareinsights.github.io 8 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  8. Dissection Experiments • Backed up by information in Euphony (Hurier et al. 2017) More information: https://androidmalwareinsights.github.io 9 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  9. Dissection Experiments (cont'd) • What about repackaging? • What is in fact the definition of repackaging? • E.g. must the app be decompiled/disassembled? • Wei et al. [authors of AMD] claim it has been declining • How to quickly infer whether an app is repackaged? • Simple technique using compiler fingerprinting (with APKiD 1 ) 1 https://rednaga.io/2016/07/31/detecting_pirated_and_malicious_android_apps_with_apkid/ 10 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  10. Dissection Experiments (cont'd) • Simple technique using compiler fingerprinting (with APKiD 1 ) • Legitimate developer = access to source code = using IDE • Compile app using Android SDK’s dx and dexmerge compilers • If app compiled using other compilers (e.g., dexlib ) = repackaged = no access to source code != legitimate developer? • Different compilers leave unique marks on the compiled code 1 https://rednaga.io/2016/07/31/detecting_pirated_and_malicious_android_apps_with_apkid/ 11 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  11. Dissection Experiments (cont'd) • What about repackaging? • What is in fact the definition of repackaging? 12 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  12. Dissection Experiments (cont'd) • What about repackaging? • What is in fact the definition of repackaging? lazy developers? wrong labeling? 13 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  13. Dissection Experiments (cont'd) • What about repackaging? • What is in fact the definition of repackaging? 86% repackaged?! declining? 14 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  14. Detection Experiments • How do conventional detection techniques fare against different datasets? • Conventional: • Machine learning classifiers • Trained with static/dynamic features • Validated using K-fold CV 15 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  15. Detection Experiments • How do conventional detection techniques fare against different datasets? • Ensemble classifier • KNN, with K = {10, 25, 50, 100, 250, 500} • Random Forests with estimators = {10, 25, 50, 75, 100} • Support Vector machine with linear kernel • 10-Fold CV • Trained with static/dynamic features • Static: Extracted from APK using androguard • Dynamic: Running apps within VM + recording issued API calls 16 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  16. Detection Experiments • How do conventional detection techniques fare against different datasets? 17 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  17. Detection Experiments • How do conventional detection techniques fare against different datasets? • But why? • Piggybacking = original, benign apps + repackaged, malicious versions • Majority = Adware • ~70% of misclassified apps = Adware 18 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  18. Detection Experiments (cont'd) • What is the lifespan of malware datasets? • Can we use an old/new dataset to detect newer/older datasets? • Train voting classifier using dataset A, and test using dataset B 19 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  19. Detection Experiments (cont'd) • What is the lifespan of malware datasets? • Can we use an old/new dataset to detect newer/older datasets? • Train voting classifier using dataset A, and test using dataset B 20 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  20. Adversarial Experiments • How can an adversary make use of this? • Consider a marketplace using a ML classifier as its “bouncer” • The classifier is trained using malicious + benign apps • If I [adversary] figure out one (or more) of the benign apps • Repackage benign apps + upload to marketplace • Classifier will be confused!! 21 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  21. Adversarial Experiments (cont'd) • How can an adversary make use of this? • If I [adversary] figure out one (or more) of the benign apps • Many people presume apps on Google Play to be benign • Use Google Play apps as benchmark/reference for benign behaviors • Adversary make the same assumption! 22 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  22. Adversarial Experiments (cont'd) • Piggybacking dataset = benign apps + repackaged versions • Train voting classifier with dataset A, and test with dataset B • Observe the effect of adding “Original” segment of Piggybacking on classification accuracy 23 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  23. Adversarial Experiments • Observe the effect of adding “Original” segment of Piggybacking on classification accuracy 24 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  24. Adversarial Experiments • Observe the effect of adding “Original” segment of Piggybacking on classification accuracy 25 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  25. Conclusion • Trojans appear to be most popular malware type • Adware is the go-to model for repackaging • Repackaging is losing popularity • Malicious apps continue to bypass Google Play’s safeguards 27 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  26. Conclusion (cont'd) • AMD is 5-6 years younger than Malgenome • Yet, apps from Malgenome are still out there! • Malware authors prefer re-using/building on older malware • Five years to use a dataset for training? 28 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  27. Conclusion (cont'd) • Already answered that in the detection experiments. • Adware most challenging to detect = Ambiguous nature • Binary-labeling problem? What are the alternatives? 29 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  28. Conclusion (cont'd) • In what we called as “adversarial setting” • Effectively circumvent app vetting safeguards (especially ML-based ones) • Repackaging benign apps used during training 30 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  29. Thank You Any questions? 31

  30. How it all began • Working on a solution based on “Active Learning” 32 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  31. How it all began • Working on a solution based on “Active Learning” 33 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  32. How it all began • Working on a solution based on “Active Learning” 34 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  33. How it all began • Working on a solution based on “Active Learning” 35 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

  34. How it all began • Working on a solution based on “Active Learning” 36 Alei Salem (TUM) | A-Mobile 2018 | Montpellier, France

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Examples The ETH-80 Dataset (Bastian Leibe and Bernt Schiele) The Caltech 101 average image

1 Examples The ETH-80 Dataset (Bastian Leibe and Bernt Schiele) The Caltech 101 average image

Outline Datasets and Dataset Creation Importance of datasets Existing datasets Issues with current datasets New ways of acquiring large and diverse datasets Visual Recognition and Search LabelMe: a database and web-based tool

461 views • 5 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
The 4 th Competition on Syntax-Guided Synthesis Rajeev Alur, Dana Fisman, Rishabh Singh and

The 4 th Competition on Syntax-Guided Synthesis Rajeev Alur, Dana Fisman, Rishabh Singh and

The 4 th Competition on Syntax-Guided Synthesis Rajeev Alur, Dana Fisman, Rishabh Singh and Armando Solar-Lezama SyGuS Idea and Definition in a Nutshell New Trends in Synthesis Syntactic restrictions Specification S R on the High Level

562 views • 25 slides
Why Im NOT Why Im NOT Why Im NOT a Jew... Or Am I? Why Im NOT a Jew... Or Am

Why Im NOT Why Im NOT Why Im NOT a Jew... Or Am I? Why Im NOT a Jew... Or Am

Why Im NOT Why Im NOT Why Im NOT a Jew... Or Am I? Why Im NOT a Jew... Or Am I? The importance of definitions What is a Jew? A citizen of Israel? What is a Jew? A citizen A cultural of Israel? Jew? What

415 views • 28 slides
Compassion Fatigue, Burnout, and The Strengths-Based Workplace Robert O. Phillips, D.BH Indian

Compassion Fatigue, Burnout, and The Strengths-Based Workplace Robert O. Phillips, D.BH Indian

Compassion Fatigue, Burnout, and The Strengths-Based Workplace Robert O. Phillips, D.BH Indian Health Services Leadership Conference June 25-26, 2015 Denver, Colorado Why this workshop? Objectives for this Presentation At the conclusion of

577 views • 24 slides
Welcome to P5 Networking Session 21 Jan 2017 CHIJ Our Lady of the Nativity Outline Student

Welcome to P5 Networking Session 21 Jan 2017 CHIJ Our Lady of the Nativity Outline Student

Welcome to P5 Networking Session 21 Jan 2017 CHIJ Our Lady of the Nativity Outline Student Development @ OLN Developing the OLN Graduate Holistic Development for Pri 5 Cognitive Development Assessment Matters Home-School

1.22k views • 84 slides
Writing and Identifying Statements and Exclamations Teaching Input Types of Sentences There are

Writing and Identifying Statements and Exclamations Teaching Input Types of Sentences There are

Writing and Identifying Statements and Exclamations Teaching Input Types of Sentences There are four basic types of sentence in the English language. They are Commands Questions Let me drive your car. How much does it cost?

300 views • 18 slides
Measuring model performance or error Introduction to Machine Learning Is our model any good?

Measuring model performance or error Introduction to Machine Learning Is our model any good?

INTRODUCTION TO MACHINE LEARNING Measuring model performance or error Introduction to Machine Learning Is our model any good? Context of task Accuracy Computation time Interpretability 3 types of tasks

1.31k views • 77 slides
Around the World Unit 8 Lesson 11 What will we be learning this class? A look into a new

Around the World Unit 8 Lesson 11 What will we be learning this class? A look into a new

Around the World Unit 8 Lesson 11 What will we be learning this class? A look into a new country A review of punctuation Today we will be looking into another country. Can you guess which country it is? Here are some hints: This

479 views • 24 slides
cse 311: foundations of computing Spring 2015 Lecture 10: Functions, Modular arithmetic

cse 311: foundations of computing Spring 2015 Lecture 10: Functions, Modular arithmetic

cse 311: foundations of computing Spring 2015 Lecture 10: Functions, Modular arithmetic functions A funct unctio ion from to . Every element of is assigned to exactly one element of . We write

399 views • 19 slides

More recommend