Transcript Future Work

Performance Evaluation on Permission-Based Detection for Android Malware
Smart Innovation, Systems and Technologies, pp. 111-120
Chun-Ying Huang, Yi-Ting Tsai, Chung-Han Hsu
Content
• Introduction
• Related Work
• Feature
• Result
Introduction
• An Android application requires several permissions to work.
• Before an Android application is installed, the system prompts the user with a list of the permissions it requires.
• Google announced that a security check mechanism is applied when each application is uploaded.
• The open design of the Android operating system allows users to install any application.
Introduction
• Android permission categories
  - Normal, Dangerous, Signature and SignatureOrSystem
  - Normal: a lower-risk permission that gives requesting applications access to isolated application-level features, with minimal risk to other applications, the system, or the user.
  - Dangerous: a higher-risk permission that would give a requesting application access to private user data or control over the device.
  - Signature: a permission that the system grants only if the requesting application is signed with the same certificate as the application that declared the permission.
  - SignatureOrSystem: a permission that the system grants only to applications that are in the Android system image or that are signed with the same certificate as the application that declared the permission.
Introduction
• Requested permissions and required permissions
  - Requested permission: declared manually by the Android developer in AndroidManifest.xml.
  - Required permission: a permission the application actually needs in order to run.
• This study attempts to explore the possibility of detecting malicious applications based on permissions.
Related Work
• A number of studies have discussed Android permissions.
• Androguard (open source project)
  - Detects a malicious application based on its control flow graph:
    1. Disassemble the Android application.
    2. Convert each identified method into a formatted string and build a control flow graph.
    3. Compare predefined malware control flow graphs against it.
• Static analysis of executables for collaborative malware detection on Android
  - A static analysis solution that detects malicious applications based on the output of the readelf tool.
• Google Bouncer
  - Google uses an in-house automated antivirus system called Google Bouncer.
Feature
• Selected features from the corresponding APK file:
  - ext.so (integer): number of files with a ".so" filename extension
  - file.elf (integer): number of Executable and Linkable Format (ELF) files
  - file.exe (integer): number of executable files
  - file.so (integer): number of shared objects
  - dex.all (integer): number of required permissions
  - dex.normal (integer): number of required permissions in the normal category
  - dex.dangerous (integer): number of required permissions in the dangerous category
  - dex.sign (integer): number of required permissions in the signature category
  - dex.signOrSys (integer): number of required permissions in the signatureOrSystem category
Feature
• Selected features from the corresponding APK file (continued):
  - xml.all (integer): number of requested permissions
  - xml.normal (integer): number of requested permissions in the normal category
  - xml.dangerous (integer): number of requested permissions in the dangerous category
  - xml.sign (integer): number of requested permissions in the signature category
  - xml.signOrSys (integer): number of requested permissions in the signatureOrSystem category
  - List of all requested permissions (139 Booleans)
Feature
• Count of requested permissions
  - READ_PHONE_STATE: allows read-only access to phone state, including the phone number of the device, current cellular network information, the status of any ongoing calls, and a list of any PhoneAccounts registered on the device.
  - READ_HISTORY_BOOKMARKS: allows the app to read the history of all URLs that the Browser has visited, and all of the Browser's bookmarks.
  - ACCESS_COARSE_LOCATION: allows an app to access approximate location.
  - ACCESS_FINE_LOCATION: allows an app to access precise location.
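The following is an added example, not code from the paper or its authors, showing how a subset of the features on the preceding slides (ext.so, file.elf, the xml.* counts per protection level, and the Boolean requested-permission vector) can be pulled out of an APK, which is a ZIP archive. The protection-level table, the permission list and the in-memory APK are all constructed for the demo; the real table is defined by the Android framework and the paper's vector has 139 entries. The manifest is stored as plain XML here, whereas a real APK carries Android binary XML that must be decoded first (apktool or androguard can do that), so decoding is assumed to have happened already.

```python
"""Added example (not from the paper): extracting a subset of the paper's
permission and file features from an APK, which is a ZIP archive.
A small APK is constructed in memory so the script runs offline."""
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ELF_MAGIC = b"\x7fELF"  # first four bytes of every ELF file

# Assumed subset of the platform's protection-level table; the real table is
# defined by the Android framework manifest and covers far more permissions.
PROTECTION_LEVEL = {
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.ACCESS_COARSE_LOCATION": "dangerous",
    "android.permission.ACCESS_FINE_LOCATION": "dangerous",
    "android.permission.SEND_SMS": "dangerous",
    "android.permission.BIND_DEVICE_ADMIN": "signature",
    "android.permission.INSTALL_PACKAGES": "signatureOrSystem",
}
# Fixed ordering for the Boolean vector (the paper's vector has 139 entries).
PERMISSION_LIST = sorted(PROTECTION_LEVEL)


def requested_permissions(manifest_xml):
    """Names declared via <uses-permission> in a plain-XML manifest.

    Inside a real APK the manifest is Android binary XML and has to be
    decoded first (apktool or androguard can do this); the constructed APK
    below stores plain XML instead, so no decoder is needed here."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [e.get(name_attr) for e in root.iter("uses-permission") if e.get(name_attr)]


def extract_features(apk_bytes):
    """Return ext.so, file.elf, the xml.* counts and the requested-permission vector."""
    feats = {"ext.so": 0, "file.elf": 0}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.endswith(".so"):
                feats["ext.so"] += 1
            # file.elf is decided by content, not by name, so a native binary
            # dropped under assets/ without a .so extension is still counted.
            with zf.open(info) as fh:
                if fh.read(4) == ELF_MAGIC:
                    feats["file.elf"] += 1
        perms = requested_permissions(zf.read("AndroidManifest.xml"))
    feats["xml.all"] = len(perms)
    by_level = {"normal": 0, "dangerous": 0, "signature": 0, "signatureOrSystem": 0}
    for p in perms:
        level = PROTECTION_LEVEL.get(p)
        if level in by_level:
            by_level[level] += 1
    feats["xml.normal"] = by_level["normal"]
    feats["xml.dangerous"] = by_level["dangerous"]
    feats["xml.sign"] = by_level["signature"]
    feats["xml.signOrSys"] = by_level["signatureOrSystem"]
    requested = set(perms)
    feats["perm_vector"] = [p in requested for p in PERMISSION_LIST]
    return feats


def build_sample_apk():
    """Constructed APK: a plain-XML manifest plus a few entries with chosen contents."""
    manifest = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INSTALL_PACKAGES"/>
</manifest>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("lib/armeabi/libnative.so", ELF_MAGIC + b"\x00" * 16)
        zf.writestr("assets/helper.bin", ELF_MAGIC + b"\x00" * 16)  # ELF, no .so extension
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in extract_features(build_sample_apk()).items():
        print(key, value)
```

On the constructed APK this yields ext.so = 1 but file.elf = 2, which is why the paper keeps both counts: the extension-based feature and the content-based feature disagree exactly when a native binary is hidden under another name. The dex.* features (required permissions) are not computed here because they need an API-to-permission mapping derived from the bytecode, which this example does not include.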
Feature
• We obtain feature vectors for 125,249 applications.
• Labeling
  - The open source ClamAV antivirus software makes the decision.
  - If an APK file is reported to be malicious, it is labeled as malicious.
• Machine learning
  - Feed the datasets to machine learning algorithms.
  - Evaluate the performance of permission-based detection for malicious Android applications.
Result
• We then use the Weka data mining software to classify benign and malicious applications based on permissions.
• From the table, we also find that the AdaBoost classifier does not perform well.
• The Naive Bayes classifier also does not perform well, because it has a very low precision.
• The C4.5 (J48) and SVM classifiers would be better choices.
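As an added illustration of the labeling-and-classification pipeline on the last two slides (not code from the paper, which ran Weka over 125,249 ClamAV-labelled applications), the block below trains a Bernoulli naive Bayes classifier from scratch on Boolean requested-permission vectors and then reports the confusion counts plus the precision, recall and accuracy that a Weka results table would show. The feature set, the training data and the held-out data are all constructed; the held-out set deliberately contains a benign app requesting a "malicious-looking" permission trio and a malicious app requesting little, so that the precision/recall trade-off the slide mentions for Naive Bayes becomes visible.

```python
"""Added example (not from the paper): a from-scratch Bernoulli naive Bayes
over Boolean requested-permission features, plus the precision/recall/
accuracy figures used to compare classifiers. Constructed data only."""
import math

# Feature order for the constructed vectors (assumed subset of the 139 Booleans)
FEATURES = ["INTERNET", "READ_PHONE_STATE", "SEND_SMS", "INSTALL_PACKAGES"]

# Constructed training set: (requested-permission vector, ClamAV-style label)
TRAIN = [
    ([1, 1, 1, 0], "malicious"),
    ([1, 1, 1, 1], "malicious"),
    ([1, 0, 1, 0], "malicious"),
    ([0, 1, 1, 1], "malicious"),
    ([1, 0, 0, 0], "benign"),
    ([1, 1, 0, 0], "benign"),
    ([0, 0, 0, 0], "benign"),
    ([1, 0, 0, 0], "benign"),
    ([1, 1, 0, 0], "benign"),
    ([0, 0, 0, 0], "benign"),
]

# Constructed held-out set: one benign app requests the "malicious-looking"
# trio and one malicious app requests little, to expose precision vs. recall.
TEST = [
    ([1, 1, 1, 0], "malicious"),
    ([0, 0, 1, 1], "malicious"),
    ([1, 0, 0, 1], "malicious"),
    ([1, 0, 0, 0], "benign"),
    ([1, 1, 0, 0], "benign"),
    ([0, 0, 0, 0], "benign"),
    ([1, 1, 1, 0], "benign"),
]


def train_bernoulli_nb(data, alpha=1.0):
    """Per class: log prior and P(feature = 1 | class) with Laplace smoothing."""
    n_feat = len(data[0][0])
    model = {}
    for label in sorted({lab for _, lab in data}):
        rows = [x for x, lab in data if lab == label]
        log_prior = math.log(len(rows) / len(data))
        probs = [(sum(r[j] for r in rows) + alpha) / (len(rows) + 2 * alpha)
                 for j in range(n_feat)]
        model[label] = (log_prior, probs)
    return model


def predict(model, x):
    """Most probable class under the Bernoulli independence assumption."""
    best, best_score = None, -math.inf
    for label, (log_prior, probs) in model.items():
        # log P(class) + sum over features of log P(x_i | class)
        score = log_prior + sum(math.log(p if xi else 1.0 - p)
                                for xi, p in zip(x, probs))
        if score > best_score:
            best, best_score = label, score
    return best


def evaluate(model, data, positive="malicious"):
    """Confusion counts and the metrics reported for the positive class."""
    tp = fp = fn = tn = 0
    for x, truth in data:
        predicted_positive = predict(model, x) == positive
        actually_positive = truth == positive
        if predicted_positive and actually_positive:
            tp += 1
        elif predicted_positive:
            fp += 1
        elif actually_positive:
            fn += 1
        else:
            tn += 1
    precision = tp / (tp + fp) if tp + fp else 0.0  # low when benign apps get flagged
    recall = tp / (tp + fn) if tp + fn else 0.0     # share of malware caught
    accuracy = (tp + tn) / len(data)
    return {"tp": tp, "fp": fp, "fn": fn, "tn": tn,
            "precision": precision, "recall": recall, "accuracy": accuracy}


def run_demo():
    """Train on TRAIN, score TEST; returns the metrics dict."""
    return evaluate(train_bernoulli_nb(TRAIN), TEST)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On the constructed held-out set the benign app that requests INTERNET, READ_PHONE_STATE and SEND_SMS is flagged (a false positive), and the malicious app that requests only INTERNET and INSTALL_PACKAGES is missed (a false negative), giving precision and recall of 2/3 and accuracy of 5/7. Because naive Bayes scores each permission independently, any benign app whose permission profile resembles the malware class is flagged, which is the mechanism behind the low precision the slide reports for that classifier.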
Conclusion
• This paper explores the possibility of detecting malicious Android applications based on permissions and several easy-to-retrieve features from Android application packages.
• Our large-scale experiments show that a single classifier is able to detect about 81% of malicious applications.
Future Work
• Research on methods for comparing the similarity of Android applications
  1. Effective birthmark
  2. How to measure software similarity