Android ransomware detection
Download as PPTX, PDF1 like210 views
This document presents a method for detecting Android ransomware using reduced opcode sequences and image similarity. It extracts opcode sequences of length 2 from APK files, constructs images representing the frequency of opcode pairs, selects features using LDA, classifies samples with a second LDA, and evaluates on ransomware families including Locker and Koler. Experimental results found 97% accuracy on a dataset containing ransomware and benign samples obtained from VirusTotal. The method aims to address problems in prior work using less features and detecting encrypted text ransomware.
![27
ICCKE 2017
References
[1] N. Andronio, S. Zanero, F. Maggi, “Heldroid: Dissecting and Detecting Mobile Ransomware”, In Research in Attacks, Intrusions, and Defenses, vol. 9404 of
Lecture Notes in Computer Science, pp. 382-404, Springer, 2015.
[2]S. Song, B. Kim, S. lee, “The Effective Ransomware Prevention Technique Using Process Monitoring on Android Platform”, Journal of Mobile Information
System, vol. 2016, p. 9, 2016.
[3]J. Sahs, L. Khan, “A Machine Learning Approach to Android Malware Detection”, Intelligence and Securoty Informatics, pp. 141-147, 2012
[4]Y. Yerima, S. Sezer, G. McWilliams, I. Muttik, “A new android malware detection approach using bayesian classification“, In Advanced Information Networking
and Applications (AINA), 2013 IEEE 27th International Conference, pp. 121-128, IEEE.
[5]Q. Jerome, K. Allix, R. State, T. Engel, “Using opcode-sequences to detect malicious Android Applications”, Proc. Of IEEE International Conference on
Communications (ICC 2014), p.2301-2306, 2014
[6]Z. Xiaoyan, F. Juan, W. Xiujuan, “An Android Malware Detection based on permissions”, 2014 International Conference on Information and Comminicatons
Technologies (ICT 2014), pp. 2.63-2.063, 2014.
[7]B. Kang, S. Y. Yerima, K. McIaughlin, S. Sezer, ”N-opcode Analysis for Android Malware Classification and Categorization”, 2016 International Conference on
Cyber Security And Protection of Digital Services (Cyber Security), 2016.
[8]J. Zhang, Z. Qin, H. Yin, L. Ou, S. Xiao, Y. Hu, ”Malware Variant Detection Using Opcode Image Recognition with Small Training Sets”, 2016 25th International
Conference on Computer Communication and Networks (ICCCN), 2016.
[9]L. Nataraj, S. Karthikeyan, G. Jacob, B. S. Manjunath, ”Malware image: Visualization and Automatic Classification”, Proceedings of the 8th International
Symposium on Visualization for Cyber Security, p.1-7, 2011.
[10]K.Han,B.Kang,E.G.Im,”Malwareimage:VisualizationandAutomatic Classification”, The Scientific World Journal, vol. 2014.
[11]Androguard.https://www.github.com/androguard/androguard
[12]AndroTotal, http://www.andrototal.org
[13]VirusTotal, https://www.virustotal.com
[14]R.Lipovsky,L.Stefanko,G.Branisa,”TrendsInAndroidRansomware”, welivesecurity, 2017
[15]T. Yang, Y. Yang, K. Qian, D. Lo, Y. Qian, L. Tao, “Automated Detection and Analysis for Android Ransomware”, 17th International Conference on Heigh
Performance Computing and Communication (HPCC).](https://image.slidesharecdn.com/androidransomwaredetection1-171205075413/85/Android-ransomware-detection-27-320.jpg)
Android ransomware detection
- 1. Alireza Karimi alireza.karimi.67@gmail.com Android Ransomware Detection Using Reduces Opcode Sequence And Image Similarity Mohammad Hosein Moattar moattat@mshdiau.ac.ir ICCKE 2017
- 2. 2 ICCKE 2017 •Overview •Ransomware on Android •Background •Our Approach •Experimenta l
- 3. 3 ICCKE 2017 Ransomware is a type of malware that block access to user data unless pay the Ransom
- 4. 4 ICCKE 2017 There are two type of ransomware
- 5. 5 ICCKE 2017 • COUNTERY : 150 • COMPUTER : 300,000 • PAYMENT : 33,319$(AS OF 14 MAY 2017)
- 7. 7 ICCKE 2017 Android Defender First Spotted in 2013 First actual Ransomware targeting Android
- 8. 8 ICCKE 2017 SimpLocker First Spotted in 2014 First file encrypting for android Use AES Jpeg,Jpg,Mp3,Doc,MKV,….
- 9. 9 ICCKE 2017 N. Andronio, S. Zanero, F.Maggi, “Heldroid:Dissectiong and Detecting Mobile Ransomware”-2015 1. Lock 2. Encryption 3. Treating Text
- 10. 10 ICCKE 2017 m, S. Lee, “The effective Ransomware Prevention technique Using Process Monitoring on Android
- 12. 12 ICCKE 2017 DVM Vs. JVM DVM JVM Register Base Stack Base use it own byte code use java byte code Run a .dex file Run .class files Device can run multiple instances of VM efficiently. App given their own instances. Single instances of JVM share with multiple app. Support just android multi os Run APK Run .jar
- 13. 13 ICCKE 2017 Android RunTime ART Vs. Dalvik / AOT Vs. JIT
- 14. 14 ICCKE2017 • Feature Selection with aim of LDA • Classification by LDA • Convert An APK to an image • Disassemble APK File • Extract Opcode-Sequence length 2 • Decrease Image Size with opcode selected in previous step
- 15. 15 ICCKE 2017 Preprocessing Convert APK file to Smali file by Androguard Extract Opcode-sequence length 2 Iget-object v0,v5 invokde-static V0 Move-result V0 iget-object v0 (iget-object,invoke-static),(invoke-static,move-result) ,(move-result,iget-object) • Android have got 256 opcode • Dalvik is android’s VM • Dalvik Opcode is different from JVM Opcode
- 16. 16 ICCKE 2017 Image Construct 256PX 256PX (Op1, op1) (Op1, op2) (Op2, op1) (Op2, op2) Op1 Op2 Op256 Op1Op2Op256 Val(Opi,Opj)=P(Opi,Opj) Frequency of opcode-j and the Frequency of sequence (opi,opj)
- 17. 17 ICCKE 2017 Feature Selection First LDA Select Best Opcode sequence by applying LDA LDA is a generalization of Fisher linear discriminant, a method used in statistic, pattern recognition and ML to find a linear combination of feature that Characterizes or separates two or more classes of object.
- 19. 19 ICCKE 2017 Decreasing Image Size 256 256 m m atrix is creation such a way that this image only contains
- 20. 20 ICCKE 2017 Classification Seconde LDA (0,0,0,0.1,0,0.2,…) Image is converted to a vectors that each item display the value of a pixel and the ith value of all the vectors will display P(Opi,Opj).
- 21. 21 ICCKE 2017 Dataset • To get Sample Andrototal public API was used • Benign samples belong to the range from 1/1/2014-31/1/2014 • The Ransomware include two Locker and Koler families and a bunch of unknown Ransomware • VirusTotal public API has been used to labeled the samples.
- 22. 22 ICCKE 2017 Evaluation • N-fold Cross validation has been used • For each fold we evaluate the ACC • At the end total ACC calculate
- 23. 23 ICCKE 2017 Experimental Result Locker: Threshold: 39 ACC: 97.5% Koler: Threshold: 31 ACC: 95% Total Threshold: 39 ACC: 97%
- 24. 24 ICCKE 2017 Image Size Experimental Result
- 25. 25 ICCKE 2017 Compare We test our data with the n-opcode analysis method Feature number Result
- 26. 26 ICCKE 2017 Conclusion • The identification of ransomware on smart device and IOT has become a very important research area • In this paper we reduce feature and classification sample with the help of LDA • The proposed method is capable of solving the problems existed in previous investigation • in Heldroid where this method is base on LP , there are problem and in addition, the text may be encrypted • The proposed method has the ability to detect all the pre-seen sample of Ransomware
- 27. 27 ICCKE 2017 References [1] N. Andronio, S. Zanero, F. Maggi, “Heldroid: Dissecting and Detecting Mobile Ransomware”, In Research in Attacks, Intrusions, and Defenses, vol. 9404 of Lecture Notes in Computer Science, pp. 382-404, Springer, 2015. [2]S. Song, B. Kim, S. lee, “The Effective Ransomware Prevention Technique Using Process Monitoring on Android Platform”, Journal of Mobile Information System, vol. 2016, p. 9, 2016. [3]J. Sahs, L. Khan, “A Machine Learning Approach to Android Malware Detection”, Intelligence and Securoty Informatics, pp. 141-147, 2012 [4]Y. Yerima, S. Sezer, G. McWilliams, I. Muttik, “A new android malware detection approach using bayesian classification“, In Advanced Information Networking and Applications (AINA), 2013 IEEE 27th International Conference, pp. 121-128, IEEE. [5]Q. Jerome, K. Allix, R. State, T. Engel, “Using opcode-sequences to detect malicious Android Applications”, Proc. Of IEEE International Conference on Communications (ICC 2014), p.2301-2306, 2014 [6]Z. Xiaoyan, F. Juan, W. Xiujuan, “An Android Malware Detection based on permissions”, 2014 International Conference on Information and Comminicatons Technologies (ICT 2014), pp. 2.63-2.063, 2014. [7]B. Kang, S. Y. Yerima, K. McIaughlin, S. Sezer, ”N-opcode Analysis for Android Malware Classification and Categorization”, 2016 International Conference on Cyber Security And Protection of Digital Services (Cyber Security), 2016. [8]J. Zhang, Z. Qin, H. Yin, L. Ou, S. Xiao, Y. Hu, ”Malware Variant Detection Using Opcode Image Recognition with Small Training Sets”, 2016 25th International Conference on Computer Communication and Networks (ICCCN), 2016. [9]L. Nataraj, S. Karthikeyan, G. Jacob, B. S. Manjunath, ”Malware image: Visualization and Automatic Classification”, Proceedings of the 8th International Symposium on Visualization for Cyber Security, p.1-7, 2011. [10]K.Han,B.Kang,E.G.Im,”Malwareimage:VisualizationandAutomatic Classification”, The Scientific World Journal, vol. 2014. [11]Androguard.https://www.github.com/androguard/androguard [12]AndroTotal, http://www.andrototal.org [13]VirusTotal, https://www.virustotal.com [14]R.Lipovsky,L.Stefanko,G.Branisa,”TrendsInAndroidRansomware”, welivesecurity, 2017 [15]T. Yang, Y. Yang, K. Qian, D. Lo, Y. Qian, L. Tao, “Automated Detection and Analysis for Android Ransomware”, 17th International Conference on Heigh Performance Computing and Communication (HPCC).
- 29. ICCKE 2017 Q & A