DOI: 10.1145/3015135.3015140

Active Android malware analysis: an approach based on stochastic games

Published: 05 December 2016

Abstract

Active Malware Analysis focuses on learning the behaviors and the intentions of a malicious piece of software by interacting with it in a safe environment. The process can be formalized as a stochastic game involving two agents, a malware sample and an analyzer, that interact with opposite objectives: the malware sample tries to hide its behavior, while the analyzer aims at gaining as much information on the malware sample as possible.
Our goal is to design a software agent that interacts with malware, extracts information on its behavior, and learns a policy from that interaction. The resulting malware policies can then be compared with standard clustering approaches. In more detail, we propose a novel method to build malware models that can be used as input to the stochastic game formulation. We empirically evaluate our method on real Android malware, showing that our approach can group malware belonging to the same families and identify possible sub-groups within such families.
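The two-agent game the abstract describes, reduced to a runnable toy so the moving parts are visible. This is an added illustration, not code from the paper or its authors, and it does not reproduce their malware models or learning method: the trigger and behaviour alphabets, the four constructed samples (two families of two variants, each returning only noop until a specific trigger arms it), the analyzer's entropy reward with optimistic initial scores and epsilon exploration, and the plain k-medoids step are all assumptions chosen for the example.

```python
"""Toy active-analysis game. Added illustration for this page, not code from the
paper: the alphabets, malware models, analyzer policy and clustering are all constructed."""
import math
import random
from collections import Counter, defaultdict

TRIGGERS = ("BOOT_COMPLETED", "SMS_RECEIVED", "NETWORK_UP", "USER_PRESENT")  # analyzer actions
BEHAVIOURS = ("noop", "send_sms", "exfil_contacts", "fetch_payload")  # observable outcomes

class MalwareModel:
    """Stochastic malware agent: P(behaviour | trigger) once armed. It hides:
    every trigger yields 'noop' until `arm_on` has been observed."""
    def __init__(self, name, arm_on, armed_profile):
        self.name, self.arm_on, self.armed_profile = name, arm_on, armed_profile
        self.armed = False

    def respond(self, trigger, rng):
        self.armed = self.armed or trigger == self.arm_on
        if not self.armed:
            return "noop"
        r, acc = rng.random(), 0.0
        for behaviour, p in self.armed_profile.get(trigger, {"noop": 1.0}).items():
            acc += p  # inverse-CDF sampling over the listed behaviours
            if r < acc:
                return behaviour
        return "noop"  # only reached if the probabilities sum below 1

def entropy(counts):
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values() if c)

class Analyzer:
    """Analyzer agent. A trigger's reward is the entropy of the behaviours seen
    after it (a stand-in for information gain); triggers probed fewer than `m`
    times score as maximally informative, and an epsilon-random probe keeps a
    quiet-looking trigger from being abandoned for good."""
    def __init__(self, m=3, eps=0.2):
        self.m, self.eps = m, eps
        self.obs = defaultdict(Counter)  # trigger -> Counter(behaviour)

    def value(self, trigger):
        counts = self.obs[trigger]
        if sum(counts.values()) < self.m:
            return math.log2(len(BEHAVIOURS))  # optimism under uncertainty
        return entropy(counts)

    def choose(self, rng):
        if rng.random() < self.eps:
            return rng.choice(TRIGGERS)
        best = max(self.value(t) for t in TRIGGERS)
        return rng.choice([t for t in TRIGGERS if self.value(t) == best])

    def profile(self):
        """Learned P(behaviour | trigger), flattened to one feature vector."""
        return [self.obs[t][b] / (sum(self.obs[t].values()) or 1)
                for t in TRIGGERS for b in BEHAVIOURS]

def play(model, steps=300, seed=0):
    """One analysis session: the analyzer probes, the sample responds."""
    rng, analyzer = random.Random(seed), Analyzer()
    model.armed = False
    for _ in range(steps):
        trigger = analyzer.choose(rng)
        analyzer.obs[trigger][model.respond(trigger, rng)] += 1
    return analyzer.profile()

def k_medoids(vectors, k, iters=20):
    """Plain k-medoids (Euclidean) with farthest-first seeding; returns index sets."""
    medoids = [0]
    while len(medoids) < k:
        medoids.append(max(range(len(vectors)), key=lambda i: min(
            math.dist(vectors[i], vectors[m]) for m in medoids)))
    for _ in range(iters):
        clusters = [[] for _ in medoids]
        for i, v in enumerate(vectors):
            clusters[min(range(k), key=lambda j: math.dist(v, vectors[medoids[j]]))].append(i)
        new = [min(c, key=lambda i: sum(math.dist(vectors[i], vectors[o]) for o in c))
               if c else medoids[j] for j, c in enumerate(clusters)]
        if new == medoids:
            break
        medoids = new
    return [set(c) for c in clusters]

# Constructed corpus: two "families" with two variants each.
SAMPLES = [
    MalwareModel("A1", "BOOT_COMPLETED", {"SMS_RECEIVED": {"send_sms": 0.8, "noop": 0.2},
                                          "NETWORK_UP": {"fetch_payload": 0.3, "noop": 0.7}}),
    MalwareModel("A2", "BOOT_COMPLETED", {"SMS_RECEIVED": {"send_sms": 0.7, "noop": 0.3},
                                          "NETWORK_UP": {"fetch_payload": 0.4, "noop": 0.6}}),
    MalwareModel("B1", "USER_PRESENT", {"NETWORK_UP": {"exfil_contacts": 0.9, "noop": 0.1},
                                        "USER_PRESENT": {"exfil_contacts": 0.5, "noop": 0.5}}),
    MalwareModel("B2", "USER_PRESENT", {"NETWORK_UP": {"exfil_contacts": 0.8, "noop": 0.2},
                                        "USER_PRESENT": {"exfil_contacts": 0.4, "noop": 0.6}}),
]

def cluster_samples(samples=SAMPLES, k=2):
    """Analyze every sample, then group the learned profiles."""
    profiles = [play(s, seed=i) for i, s in enumerate(samples)]
    return [{samples[i].name for i in c} for c in k_medoids(profiles, k)]
```

Calling cluster_samples() recovers {A1, A2} and {B1, B2} from the learned profiles alone; the family labels are never shown to the clustering step. The part worth attention is the hiding dynamic: until the arming trigger has been sent, every probe returns noop, so an analyzer that drops a trigger after a few quiet observations never sees the armed behaviour at all, which is why the policy keeps an optimistic score for under-probed triggers and a small random probe rate. Real samples also hide from the environment itself (emulator and instrumentation checks), which this toy does not model.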

Published In

SSPREW '16: Proceedings of the 6th Workshop on Software Security, Protection, and Reverse Engineering
December 2016
85 pages
ISBN: 9781450348416
DOI: 10.1145/3015135

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. Android systems
  2. active analysis
  3. malware analysis
  4. malware model generation

Qualifiers

  • Research-article

Conference

SSPREW '16

Acceptance Rates

Overall Acceptance Rate 6 of 13 submissions, 46%

Cited By

  • (2024) ANDROIDGYNY: Reviewing Clustering Techniques for Android Malware Family Classification. Digital Threats: Research and Practice 5(1), 1-35. DOI: 10.1145/3587471. Online publication date: 21 Mar 2024.
  • (2020) SECUR-AMA. Engineering Applications of Artificial Intelligence 87(C). DOI: 10.1016/j.engappai.2019.103303. Online publication date: 1 Jan 2020.
  • (2019) Agent Behavioral Analysis Based on Absorbing Markov Chains. Proceedings of the 18th International Conference on Autonomous Agents and MultiAgent Systems, 647-655. DOI: 10.5555/3306127.3331752. Online publication date: 8 May 2019.
  • (2018) Detection of Intelligent Agent Behaviors Using Markov Chains. Proceedings of the 17th International Conference on Autonomous Agents and MultiAgent Systems, 2064-2066. DOI: 10.5555/3237383.3238073. Online publication date: 9 Jul 2018.
  • (2017) A Monte Carlo tree search approach to active malware analysis. Proceedings of the 26th International Joint Conference on Artificial Intelligence, 3831-3837. DOI: 10.5555/3172077.3172424. Online publication date: 19 Aug 2017.
