TY - JOUR
T1 - Andro-Dumpsys
T2 - Anti-malware system based on the similarity of malware creator and malware centric information
AU - Jang, Jae Wook
AU - Kang, Hyunjae
AU - Woo, Jiyoung
AU - Mohaisen, Aziz
AU - Kim, Huy Kang
PY - 2016/5/1
Y1 - 2016/5/1
N2 - With the fast growth in mobile technologies and the accompanied rise of the integration of such technologies into our everyday life, mobile security is viewed as one of the most prominent areas and is being addressed accordingly. For that, and especially to address the threat associated with malware, various malware-centric analysis methods are developed in the literature to identify, classify, and defend against mobile threats and malicious actors. However, along with this development, anti-malware analysis techniques, such as packing, dynamic loading, and dex encryption, have seen wide adoption, making existing malware-centric analysis methods less effective. In this paper, we propose a feature-rich hybrid anti-malware system, called Andro-Dumpsys, which leverages volatile memory acquisition for accurate malware detection and classification. Andro-Dumpsys is based on similarity matching of malware creator-centric and malware-centric information. Using Andro-Dumpsys, we detect and classify malware samples into similar behavior groups by exploiting their footprints, which are equivalent to unique behavior characteristics. Our experimental results demonstrate that Andro-Dumpsys is scalable, and performs well in detecting malware and classifying malware families with low false positives and false negatives, and is capable of responding zero-day threats.
AB - With the fast growth in mobile technologies and the accompanied rise of the integration of such technologies into our everyday life, mobile security is viewed as one of the most prominent areas and is being addressed accordingly. For that, and especially to address the threat associated with malware, various malware-centric analysis methods are developed in the literature to identify, classify, and defend against mobile threats and malicious actors. However, along with this development, anti-malware analysis techniques, such as packing, dynamic loading, and dex encryption, have seen wide adoption, making existing malware-centric analysis methods less effective. In this paper, we propose a feature-rich hybrid anti-malware system, called Andro-Dumpsys, which leverages volatile memory acquisition for accurate malware detection and classification. Andro-Dumpsys is based on similarity matching of malware creator-centric and malware-centric information. Using Andro-Dumpsys, we detect and classify malware samples into similar behavior groups by exploiting their footprints, which are equivalent to unique behavior characteristics. Our experimental results demonstrate that Andro-Dumpsys is scalable, and performs well in detecting malware and classifying malware families with low false positives and false negatives, and is capable of responding zero-day threats.
KW - Android
KW - Malware creator centric information
KW - Mobile malware
KW - Similarity
KW - Volatile memory acquisition
UR - http://www.scopus.com/inward/record.url?scp=84954211474&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84954211474&partnerID=8YFLogxK
U2 - 10.1016/j.cose.2015.12.005
DO - 10.1016/j.cose.2015.12.005
M3 - Article
AN - SCOPUS:84954211474
SN - 0167-4048
VL - 58
SP - 125
EP - 138
JO - Computers and Security
JF - Computers and Security
ER -