Andro-Dumpsys

Anti-malware system based on the similarity of malware creator and malware centric information

Jae Wook Jang, Hyunjae Kang, Jiyoung Woo, Aziz Mohaisen, Huy Kang Kim

Research output: Contribution to journal › Article

22 Citations (Scopus)

Abstract

With the fast growth in mobile technologies and the accompanying integration of such technologies into our everyday life, mobile security is viewed as one of the most prominent areas and is being addressed accordingly. For that, and especially to address the threat associated with malware, various malware-centric analysis methods have been developed in the literature to identify, classify, and defend against mobile threats and malicious actors. However, along with this development, anti-malware-analysis techniques, such as packing, dynamic loading, and dex encryption, have seen wide adoption, making existing malware-centric analysis methods less effective. In this paper, we propose a feature-rich hybrid anti-malware system, called Andro-Dumpsys, which leverages volatile memory acquisition for accurate malware detection and classification. Andro-Dumpsys is based on similarity matching of malware creator-centric and malware-centric information. Using Andro-Dumpsys, we detect and classify malware samples into similar behavior groups by exploiting their footprints, which are equivalent to unique behavior characteristics. Our experimental results demonstrate that Andro-Dumpsys is scalable, performs well in detecting malware and classifying malware families with low false positives and false negatives, and is capable of responding to zero-day threats.

Original language: English
Pages (from-to): 125-138
Number of pages: 14
Journal: Computers and Security
Volume: 58
DOIs: 10.1016/j.cose.2015.12.005
Publication status: Published - 2016 May 1

Fingerprint

  • Computer systems
  • threat
  • everyday life
  • Malware
  • Group
  • Cryptography
  • Data storage equipment
  • literature

Keywords

  • Android
  • Malware creator centric information
  • Mobile malware
  • Similarity
  • Volatile memory acquisition

ASJC Scopus subject areas

  • Computer Science(all)
  • Law

Cite this

Andro-Dumpsys: Anti-malware system based on the similarity of malware creator and malware centric information. / Jang, Jae Wook; Kang, Hyunjae; Woo, Jiyoung; Mohaisen, Aziz; Kim, Huy Kang.

In: Computers and Security, Vol. 58, 01.05.2016, p. 125-138.


Jang, Jae Wook; Kang, Hyunjae; Woo, Jiyoung; Mohaisen, Aziz; Kim, Huy Kang. / Andro-Dumpsys: Anti-malware system based on the similarity of malware creator and malware centric information. In: Computers and Security. 2016; Vol. 58. pp. 125-138.
@article{aedc68de14604b6e9acf3ac3e2eaedee,
title = "Andro-Dumpsys: Anti-malware system based on the similarity of malware creator and malware centric information",
abstract = "With the fast growth in mobile technologies and the accompanying integration of such technologies into our everyday life, mobile security is viewed as one of the most prominent areas and is being addressed accordingly. For that, and especially to address the threat associated with malware, various malware-centric analysis methods have been developed in the literature to identify, classify, and defend against mobile threats and malicious actors. However, along with this development, anti-malware-analysis techniques, such as packing, dynamic loading, and dex encryption, have seen wide adoption, making existing malware-centric analysis methods less effective. In this paper, we propose a feature-rich hybrid anti-malware system, called Andro-Dumpsys, which leverages volatile memory acquisition for accurate malware detection and classification. Andro-Dumpsys is based on similarity matching of malware creator-centric and malware-centric information. Using Andro-Dumpsys, we detect and classify malware samples into similar behavior groups by exploiting their footprints, which are equivalent to unique behavior characteristics. Our experimental results demonstrate that Andro-Dumpsys is scalable, performs well in detecting malware and classifying malware families with low false positives and false negatives, and is capable of responding to zero-day threats.",
keywords = "Android, Malware creator centric information, Mobile malware, Similarity, Volatile memory acquisition",
author = "Jang, {Jae Wook} and Hyunjae Kang and Jiyoung Woo and Aziz Mohaisen and Kim, {Huy Kang}",
year = "2016",
month = "5",
day = "1",
doi = "10.1016/j.cose.2015.12.005",
language = "English",
volume = "58",
pages = "125--138",
journal = "Computers and Security",
issn = "0167-4048",
publisher = "Elsevier Limited",
}

TY  - JOUR
T1  - Andro-Dumpsys
T2  - Anti-malware system based on the similarity of malware creator and malware centric information
AU  - Jang, Jae Wook
AU  - Kang, Hyunjae
AU  - Woo, Jiyoung
AU  - Mohaisen, Aziz
AU  - Kim, Huy Kang
PY  - 2016/5/1
Y1  - 2016/5/1
AB  - With the fast growth in mobile technologies and the accompanying integration of such technologies into our everyday life, mobile security is viewed as one of the most prominent areas and is being addressed accordingly. For that, and especially to address the threat associated with malware, various malware-centric analysis methods have been developed in the literature to identify, classify, and defend against mobile threats and malicious actors. However, along with this development, anti-malware-analysis techniques, such as packing, dynamic loading, and dex encryption, have seen wide adoption, making existing malware-centric analysis methods less effective. In this paper, we propose a feature-rich hybrid anti-malware system, called Andro-Dumpsys, which leverages volatile memory acquisition for accurate malware detection and classification. Andro-Dumpsys is based on similarity matching of malware creator-centric and malware-centric information. Using Andro-Dumpsys, we detect and classify malware samples into similar behavior groups by exploiting their footprints, which are equivalent to unique behavior characteristics. Our experimental results demonstrate that Andro-Dumpsys is scalable, performs well in detecting malware and classifying malware families with low false positives and false negatives, and is capable of responding to zero-day threats.
KW  - Android
KW  - Malware creator centric information
KW  - Mobile malware
KW  - Similarity
KW  - Volatile memory acquisition
UR  - http://www.scopus.com/inward/record.url?scp=84954211474&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=84954211474&partnerID=8YFLogxK
U2  - 10.1016/j.cose.2015.12.005
DO  - 10.1016/j.cose.2015.12.005
M3  - Article
VL  - 58
SP  - 125
EP  - 138
JO  - Computers and Security
JF  - Computers and Security
SN  - 0167-4048
ER  -