Abstract
Current smartphones are based upon the concept of apps, lightweight applications distributed through on-line marketplaces such as Google Play (for Android devices). Unfortunately, this market-centric model suffers from several major security and trust issues, since anyone can easily create a malicious app and deploy it through the market, which could potentially lead to a massive malware spread.
In this paper, we propose a framework to classify Android malware based upon the concept of common patterns of actions executed by malicious applications. The basic idea is to extract, from known malware, a subset of frequent subgraphs of system calls that are executed by most of the malware. This set of subgraphs constitutes a database of known malicious features. Then, when a new application is downloaded from a market, it is first run in a sandbox to monitor its behavior. This results in an execution trace that may contain some of the subgraphs previously found in malware. The resulting vector of matched subgraphs is given to a classifier, which decides whether the application is likely to be malware or not. Preliminary tests executed both on known good apps and on malware confirm the effectiveness and quality of our proposal.
The research leading to these results has received funding from the EU Seventh Framework Programme (FP7/2007-2013) under grant n. 256980 (NESSoS), n. 257930 (Aniketos), from PRIN Security Horizons funded by MIUR with D.D. 23.10.2012 n. 719, and EIT ICT Labs activity 13077.
Notes
1. Found at http://contagiominidump.blogspot.it/.
© 2014 Springer-Verlag Berlin Heidelberg
Martinelli, F., Saracino, A., Sgandurra, D. (2014). Classifying Android Malware through Subgraph Mining. In: Garcia-Alfaro, J., Lioudakis, G., Cuppens-Boulahia, N., Foley, S., Fitzgerald, W. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2013. Lecture Notes in Computer Science, vol 8247. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-54568-9_17
DOI: https://doi.org/10.1007/978-3-642-54568-9_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-54567-2
Online ISBN: 978-3-642-54568-9
eBook Packages: Computer Science (R0)