Malware Detection in Mobile Devices by Analyzing Sequences of System Calls

With the growing popularity of mobile devices,
new and varied forms of malware have emerged. Consequently,
cyberdefense organizations have echoed the need to deploy
more effective defensive schemes adapted to the challenges posed
by these new monitoring environments. In order to contribute to
their development, this paper presents a malware detection strategy
for mobile devices based on sequence alignment algorithms. Unlike
previous proposals, only the system calls performed during the
startup of applications are studied. In this way, the sequences of
system calls executed by applications just downloaded from app stores
can be studied efficiently and in depth by launching them in a
secure and isolated environment. As demonstrated in the experiments
performed, most of the analyzed malicious activities were successfully
identified during their boot processes.
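As an added illustration (not the paper's own code or data), the following Python scores how closely an app's startup system-call trace aligns with a known malicious trace, which is the kind of comparison a sequence-alignment detector performs. It assumes a global (Needleman-Wunsch style) alignment with a simple match/mismatch/gap scheme and uses constructed traces; the paper's actual scoring scheme and threshold are not given here.

```python
"""Added example: alignment-based scoring of startup syscall traces.
The scoring scheme and the sample traces below are assumptions."""

MATCH, MISMATCH, GAP = 2, -1, -1


def align_score(a, b):
    """Global alignment score between two syscall-name sequences."""
    n, m = len(a), len(b)
    # dp[i][j] = best score aligning a[:i] with b[:j]
    dp = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        dp[i][0] = i * GAP          # leading gaps in b
    for j in range(1, m + 1):
        dp[0][j] = j * GAP          # leading gaps in a
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            sub = MATCH if a[i - 1] == b[j - 1] else MISMATCH
            dp[i][j] = max(dp[i - 1][j - 1] + sub,   # pair a[i-1], b[j-1]
                           dp[i - 1][j] + GAP,       # gap in b
                           dp[i][j - 1] + GAP)       # gap in a
    return dp[n][m]


def similarity(a, b):
    """Normalise the alignment score to [0, 1] against a perfect match."""
    best = MATCH * max(len(a), len(b))
    return max(0, align_score(a, b)) / best


def is_suspicious(trace, known_malicious, threshold=0.7):
    """Flag a startup trace whose best match to a known sample meets
    the threshold. The threshold value is an assumption."""
    return max(similarity(trace, s) for s in known_malicious) >= threshold


# Constructed startup traces (syscall names only, no arguments).
MALICIOUS_SAMPLE = ["openat", "read", "mmap", "socket", "connect",
                    "sendto", "read", "close"]
BENIGN_TRACE = ["openat", "read", "mmap", "ioctl", "ioctl", "write", "close"]
UNKNOWN_TRACE = ["openat", "read", "mmap", "ioctl", "socket", "connect",
                 "sendto", "close"]

if __name__ == "__main__":
    for name, t in [("benign", BENIGN_TRACE), ("unknown", UNKNOWN_TRACE)]:
        print(name, round(similarity(t, MALICIOUS_SAMPLE), 2),
              is_suspicious(t, [MALICIOUS_SAMPLE]))
```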
