MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models
1 like570 views
The document discusses Mamadroid, a method for detecting Android malware using Markov chains built from behavioral models of API calls. It highlights challenges with current defenses and proposes a new approach that analyzes the sequence of abstracted API calls to differentiate between benign and malicious apps. The paper outlines methodologies for feature extraction, classification, and potential evaluation strategies for improving detection accuracy.
![Evasion
Repackaging benign apps
Difficult to embed malicious code while keeping similar
Markov chain, viceversa is also hard
Imitating Markov chains
Likely ineffective
Obfuscation/Mangling
Still captured by the [obfuscated] abstraction
More in the paper…
29](https://image.slidesharecdn.com/mamadroid-170127181008/85/MaMaDroid-Detecting-Android-Malware-by-Building-Markov-Chains-of-Behavioral-Models-29-320.jpg)
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models
- 1. MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models
- 2. Android & Malware Android market share is growing… In 2016, 85% of smartphone sales …and so is the interest of cybercriminals Bypassing two-factor authentication Stealing sensitive information, etc. 2
- 3. Current Defenses Can’t use complex on-device operations Limited battery and memory resources Google’s centralized analysis Not perfect, after-the-fact Many apps installed outside Play Store Lots of research in the field! However… Permission-based models prone to false positive Relying on API calls frequently used by malware needs constant, costly retraining 3
- 4. Our Idea Rely on the sequence of abstracted calls 1. Sequence captures the behavioral model 2. Abstraction provides resilience to API changes Intuition: malware uses calls for different actions and in different order than benign apps E.g. android.media.MediaRecorder used by any app with permission to record audio Only using it after calls to getRunningTasks(), which allows to record conversations, may suggest maliciousness 4
- 5. Overview 5
- 6. Call Graph Extraction Based on static analysis Given an apk, extract call graphs Tools Soot (Java optimization and analysis framework) FlowDroid (ensures contexts & flows preserved) 6
- 7. 7
- 8. Call Graph 8
- 9. Overview 9
- 10. Sequence Extraction Soot gives the sequence of functions that are potentially called by the program, but… Each execution could take a specific branch of the graph and only execute a subset of the calls When running example multiple times… Execute() may be followed by different calls, e.g., getShell() only in try or getShell() + getMessage() in catch 10
- 11. Sequence Extraction (cnt’d) We proceed as follows… 1. Identify set of entry nodes 2. Enumerate reachable paths 3. Output set of all paths as the sequences of API calls 11
- 12. Abstraction Packages Using the list of 243 packages (as of API level 24) + 95 from the Google API Packages defined by developers à “self-defined” If we can’t tell what its class implements à “obfuscated” Families 9 families: android, google, java, javax, xml, apache, junit, json, dom Plus self-defined and obfuscated 12
- 13. Example 13
- 14. Overview 14
- 15. Markov Chain Memoryless models Prob. transitioning from a state to another only depends on the current state Represented as a set of nodes Each corresponding to a different state, and a set of edges labeled with the probability of transition. Sum of all probabilities associated to all edges from any node is exactly 1 15
- 16. Markov-chain based modeling Building the Markov Chains From the sequence of abstracted API calls, each package/family is a state, transition is the probability of moving from one to another 16
- 17. Feature Extraction For each app: Feature vector = probabilities of transitioning from one state to another in the Markov chain With families, 11 possible states à 121 possible transitions in each chain With packages, 340 states à 115,600 transitions Principal Component Analysis (PCA) Standard way to reduce/refine features 17
- 18. Overview 18
- 19. Classification Build a classifier using the extracted features Each app labeled as benign or malware Can use a few standard algorithms for this task… Random Forests 1-NN, 3-NN SVM Maybe deep learning? 19
- 20. Datasets 20
- 21. How many API calls? 21
- 23. Evaluation (1) Accuracy of classification on benign and malicious samples developed around the same time (2) Robustness to the evolution of malware as well as of the Android framework (using older datasets for training and newer ones for testing and vice-versa) 23
- 25. Training on older samples 25 family package
- 26. Training on newer samples 26 family package
- 28. Case Studies (2016/newbenign) False Positives (164 samples) Most of them “dangerous permissions” E.g., SMS permissions not clear why requested False Negatives (114 samples) Actually not classified as malware by VirusTotal, might actually be legitimate Most of them adware 28
- 29. Evasion Repackaging benign apps Difficult to embed malicious code while keeping similar Markov chain, viceversa is also hard Imitating Markov chains Likely ineffective Obfuscation/Mangling Still captured by the [obfuscated] abstraction More in the paper… 29
- 30. Limitations Classification is memory hungry Soot is buggy, we lose ~4% of the samples Limits of static analysis only methods 30
- 31. Future Work Further investigate resilience to evasion Focus on repackaged malicious apps Injection of API calls to mess with Markov chains Enhancements Fine-grained abstractions (e.g., class) Seed with dynamic analysis 31
- 32. Thank you! 32 Paper to appear at NDSS 2017: E. Mariconti, L. Onwuzurike, P. Andriotis, E. De Cristofaro, G. Ross, G. Stringhini. MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Model
- 33. Thank you! 33