A Framework for Employing Multiple Real-Time Malware Detectors
Android has become the leading operating system for next-generation smart devices. Consequently, the number of Android malware has also skyrocketed. Many dynamic analysis techniques have been proposed to detect Android malware. However, very few of these techniques use real-time monitoring on user devices, as Android does not provide low-level information to third-party apps. Moreover, some techniques detect a specific malware class more effectively than others. Therefore, end users can benefit from installing multiple malware detection techniques. In this paper, we propose SpyDroid, a real-time malware detection framework that can accommodate multiple detectors from third parties (e.g., researchers and antivirus vendors) and allows efficient and controlled real-time monitoring. SpyDroid consists of two operating system modules (monitoring and detection) and supports application-layer sub-detectors. Sub-detectors are regular Android applications that monitor and analyze different runtime information using the monitoring module and report their findings to the detection module. The detection module decides when to mark an app as malware. Researchers and antivirus vendors can now publish their techniques via app markets, and end users can install as many sub-detectors as they require. We have implemented SpyDroid using the Android Open Source Project (AOSP), and our experiments with a dataset containing 4,965 apps show that decisions from multiple sub-detectors can increase the malware detection rate significantly on a real device.
Among all smartphone operating systems, Android occupies over 85% market share in 2017 [1]. Moreover, Android-powered devices such as cars, fridges, televisions, point of sale (POS) terminals, and ATM booths are expected to flood user markets within a few years. Due to the popularity of the Android ecosystem, malware writers are targeting Android devices exclusively, and the number of malware for Android surged exponentially in 2017. Android implements a number of security mechanisms to ensure the safety of device resources, e.g., the permission mechanism. The permission mechanism of Android is coarse-grained, and users are usually ignorant about the sought permissions. Researchers have also proposed attacks that can bypass the permission mechanism [2], [3]. As a result, effective detection of malware is very important to mitigate security threats in the Android ecosystem. Unfortunately, antiviruses are not very effective due to the restrictive security model of Android, which does not let any app scan the runtime behavior of others.

Researchers have made great efforts to improve the security of Android and proposed a number of static and dynamic analysis techniques. In static analysis, the Android application file (apk) is decompiled to perform analyses such as data flow analysis, control flow analysis, API call analysis, byte N-gram, and fingerprinting. Studies [4] have shown that static analysis is becoming less effective day by day due to powerful transformation techniques (call graph obfuscation, dynamic code loading, manifest cheating, metamorphism, polymorphism, etc.). They concluded that dynamic analysis is a necessary complement to static analysis as it is less vulnerable to code transformations.

Dynamic analysis is more effective as it can extract features that represent unique patterns of execution. Interestingly, according to this study [5], over 98% of new malware are in fact variants of an existing malware family. Google uses a dynamic analysis system called Google Bouncer that analyzes apks submitted to them. Unfortunately, dynamic analysis techniques that execute Android apps inside an emulator also suffer from the fact that malware writers can detect emulators and thus evade detection. Hence, real-time monitoring on user devices becomes necessary. In addition, end users are not benefiting from this research as it is very difficult for them to integrate the techniques into their devices. Moreover, sometimes a specific class of malware can only be detected by a single technique or a particular antivirus. Therefore, device owners can benefit from employing multiple malware detectors on their devices.

In this paper, we propose SpyDroid, a real-time malware detection framework that can deploy multiple malware detectors (we call them sub-detectors) on a real device. SpyDroid is designed as a part of the operating system and has two modules for monitoring and detection. Sub-detectors monitor runtime information using the monitoring module and perform analysis to detect malware. They report their analysis results to the SpyDroid detector. The detector decides when to mark an app as malware. A framework like SpyDroid can help third parties (researchers and commercial vendors) publish their detection techniques via application markets, and users can install multiple sub-detectors to improve the security of their devices.

We implement SpyDroid using the Android Open Source Project (AOSP) [6]. However, the concept of SpyDroid is generic and can be implemented in any smartphone operating system. To validate the effectiveness of SpyDroid, we also implement four sub-detectors to emulate the scenario where an end user has installed four sub-detectors from different publishers. We use a dataset containing 4,965 apps (2,711 malware and 2,254 benign). We show that each sub-detector detects malware that the other sub-detectors fail to detect, and SpyDroid's malware detection rate is improved when it combines decisions from multiple sub-detectors.

In particular, we make the following contributions:

• We design and implement a malware detection framework that can employ multiple malware detectors (called sub-detectors) for Android. It provides useful low-level information about the installed applications to the sub-detectors. It has a detector that collects decisions from multiple sub-detectors and decides when to notify the user.

• SpyDroid enables antivirus vendors and independent researchers to detect new malware quickly, as they can obtain data directly from real devices.

• We validate the effectiveness of the framework by using a dataset of around 5,000 apps and four sub-detectors that monitor different low-level information. We show that different sub-detectors may classify the same application differently and that an ensemble of sub-detectors improves the detection rate significantly.

The remainder of the paper is organized as follows. Section II describes the related work. We present the design and implementation of SpyDroid in Section III. Then, we describe a number of sub-detectors in Section IV. We evaluate SpyDroid in Section V and conclude this paper in Section VI.
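The detection module's aggregation step described above, as an added example that is not code from the paper or the SpyDroid implementation: four hypothetical sub-detectors report per-app verdicts, and the detection module combines them under an assumed vote-threshold policy. The sub-detector names, app names and verdicts are constructed; on this sample each sub-detector alone catches only part of the malware set, while their union catches all of it and inherits whatever false positives any member contributes.

```python
from collections import defaultdict

# Constructed sample (not from the paper): ground truth for seven apps and the
# verdicts that four hypothetical sub-detectors report, in arrival order.
GROUND_TRUTH = {"app.a": True, "app.b": True, "app.c": True, "app.d": True,
                "app.e": False, "app.f": False, "app.g": False}
REPORTS = [  # (app, sub-detector, is_malware)
    ("app.a", "syscall", True), ("app.c", "syscall", True),
    ("app.b", "network", True), ("app.e", "network", True),   # app.e: false positive
    ("app.c", "permission", True), ("app.d", "permission", True),
    ("app.a", "battery", True),
    ("app.f", "battery", True), ("app.f", "battery", False),  # verdict later withdrawn
]


class DetectionModule:
    """Collects sub-detector verdicts and decides when to mark an app as malware.
    Assumed policy: flag an app once at least `min_votes` distinct sub-detectors
    currently report it (min_votes=1 is the union of all sub-detector detections)."""

    def __init__(self, min_votes=1):
        self.min_votes = min_votes
        self.votes = defaultdict(set)  # app -> sub-detectors currently flagging it

    def report(self, app, sub_detector, is_malware):
        if is_malware:
            self.votes[app].add(sub_detector)
        else:  # a negative verdict withdraws that sub-detector's earlier vote
            self.votes[app].discard(sub_detector)
        return self.is_flagged(app)

    def is_flagged(self, app):
        return len(self.votes[app]) >= self.min_votes


def rates(reports, truth, min_votes=1):
    """Feed reports through one detection module; return (detection rate over
    malware, false-positive rate over benign apps)."""
    module = DetectionModule(min_votes)
    for app, det, verdict in reports:
        module.report(app, det, verdict)
    flagged = {a for a in truth if module.is_flagged(a)}
    malware = {a for a, m in truth.items() if m}
    benign = set(truth) - malware
    return len(flagged & malware) / len(malware), len(flagged & benign) / len(benign)


def per_detector_rates(reports, truth):
    """Each sub-detector on its own, i.e. the detector sees only its reports."""
    return {det: rates([r for r in reports if r[1] == det], truth)
            for det in sorted({d for _, d, _ in reports})}
```

Raising `min_votes` to 2 removes the false positive on this sample but also halves the detection rate, which is the trade-off the detection module's policy has to settle.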