Widespread growth in Android malware stimulates security researchers to propose different methods for analyzing and detecting malicious behaviors in applications. Nevertheless, current solutions are ill-suited to extract the fine-grained behavior of Android applications accurately and efficiently. In this paper, we propose ServiceMonitor, a lightweight host-based detection system that dynamically detects malicious applications directly on mobile devices. ServiceMonitor reconstructs the fine-grained behavior of applications based on their interaction with system services (e.g., SMS manager, camera, Wi-Fi networking). ServiceMonitor monitors the way applications request system services in order to build a statistical Markov chain model that represents what system services are used and how. Afterwards, we use this Markov chain as a feature vector to classify the application behavior as either malicious or benign using the Random Forests classification algorithm. We evaluated ServiceMonitor using a dataset of 8034 malware and 10024 benign applications, obtaining a 96.7% accuracy rate with negligible overhead and performance penalty.
Detecting malicious applications using system services request behavior / Salehi, M.; Amini, M.; Crispo, B. - (2019), pp. 200-209. (Paper presented at the 16th EAI International Conference on Mobile and Ubiquitous Systems: Computing, Networking and Services, MobiQuitous 2019, held in the USA in 2019) [10.1145/3360774.3360805].
Detecting malicious applications using system services request behavior
Crispo B.
2019-01-01