Screening smartphone applications using behavioral signatures

Suyeon Lee; Jehyun Lee; Heejo Lee

doi:10.1007/978-3-642-39218-4_2

Screening smartphone applications using behavioral signatures

Suyeon Lee, Jehyun Lee, Heejo Lee

Department of Computer and Radio Communications Engineering

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

6 Citations (Scopus)

Abstract

The sharp increase of smartphone malwares has become one of the most serious security problems. The most significant part of the growth is the variants of existing malwares. A legacy approach for malware, the signature matching, is efficient in temporal dimension, but it is not practical because of its lack of robustness against the variants. A counter approach, the behavior analysis to handle the variant issue, takes too much time and resources. We propose a variant detection mechanism using runtime semantic signature. Our key idea is to reduce the control and data flow analysis overhead by using binary patterns for the control and data flow of critical actions as a signature. The flow information is a significant part of behavior analysis but takes high analysis overhead. In contrast to the previous behavioral signatures, the runtime semantic signature has higher family classification accuracy without the flow analysis overhead, because the binary patterns of flow parts is hardly shared by the out of family members. Using the proposed signature, we detect the new variants of known malwares by static matching efficiently and accurately. We evaluated our mechanism with 1,759 randomly collected real-world Android applications including 79 variants of 4 malware families. As the experimental result, our mechanism showed 99.89% of accuracy on variant detection. We also showed that the mechanism has a linear time complexity as the number of target applications. It is fully practical and advanced performance than the previous works in both of accuracy and efficiency.

Original language	English
Title of host publication	Security and Privacy Protection in Information Processing Systems - 28th IFIP TC 11 International Conference, SEC 2013, Proceedings
Editors	Lech J. Janczewski, Henry B. Wolfe, Sujeet Shenoi
Publisher	Springer New York LLC
Pages	14-27
Number of pages	14
ISBN (Electronic)	9783642392177
DOIs	https://doi.org/10.1007/978-3-642-39218-4_2
Publication status	Published - 2013
Event	28th IFIP TC 11 International Conference, SEC 2013 - Auckland, New Zealand Duration: 2013 Jul 8 → 2013 Jul 12

Publication series

Name	IFIP Advances in Information and Communication Technology
Volume	405
ISSN (Print)	1868-4238
ISSN (Electronic)	1868-422X

Conference

Conference	28th IFIP TC 11 International Conference, SEC 2013
Country	New Zealand
City	Auckland
Period	13/7/8 → 13/7/12

Keywords

Android
Malware
Runtime semantic signature
Smartphone security

ASJC Scopus subject areas

Information Systems
Computer Networks and Communications
Information Systems and Management

Access to Document

10.1007/978-3-642-39218-4_2

Fingerprint Dive into the research topics of 'Screening smartphone applications using behavioral signatures'. Together they form a unique fingerprint.

Cite this

Lee, S., Lee, J., & Lee, H. (2013). Screening smartphone applications using behavioral signatures. In L. J. Janczewski, H. B. Wolfe, & S. Shenoi (Eds.), Security and Privacy Protection in Information Processing Systems - 28th IFIP TC 11 International Conference, SEC 2013, Proceedings (pp. 14-27). (IFIP Advances in Information and Communication Technology; Vol. 405). Springer New York LLC. https://doi.org/10.1007/978-3-642-39218-4_2

Screening smartphone applications using behavioral signatures. / Lee, Suyeon; Lee, Jehyun; Lee, Heejo.

Security and Privacy Protection in Information Processing Systems - 28th IFIP TC 11 International Conference, SEC 2013, Proceedings. ed. / Lech J. Janczewski; Henry B. Wolfe; Sujeet Shenoi. Springer New York LLC, 2013. p. 14-27 (IFIP Advances in Information and Communication Technology; Vol. 405).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Lee, S, Lee, J & Lee, H 2013, Screening smartphone applications using behavioral signatures. in LJ Janczewski, HB Wolfe & S Shenoi (eds), Security and Privacy Protection in Information Processing Systems - 28th IFIP TC 11 International Conference, SEC 2013, Proceedings. IFIP Advances in Information and Communication Technology, vol. 405, Springer New York LLC, pp. 14-27, 28th IFIP TC 11 International Conference, SEC 2013, Auckland, New Zealand, 13/7/8. https://doi.org/10.1007/978-3-642-39218-4_2

Lee S, Lee J, Lee H. Screening smartphone applications using behavioral signatures. In Janczewski LJ, Wolfe HB, Shenoi S, editors, Security and Privacy Protection in Information Processing Systems - 28th IFIP TC 11 International Conference, SEC 2013, Proceedings. Springer New York LLC. 2013. p. 14-27. (IFIP Advances in Information and Communication Technology). https://doi.org/10.1007/978-3-642-39218-4_2

Lee, Suyeon ; Lee, Jehyun ; Lee, Heejo. / Screening smartphone applications using behavioral signatures. Security and Privacy Protection in Information Processing Systems - 28th IFIP TC 11 International Conference, SEC 2013, Proceedings. editor / Lech J. Janczewski ; Henry B. Wolfe ; Sujeet Shenoi. Springer New York LLC, 2013. pp. 14-27 (IFIP Advances in Information and Communication Technology).

@inproceedings{1c5c9fc9244b47c5a85db561f2838f34,

title = "Screening smartphone applications using behavioral signatures",

abstract = "The sharp increase of smartphone malwares has become one of the most serious security problems. The most significant part of the growth is the variants of existing malwares. A legacy approach for malware, the signature matching, is efficient in temporal dimension, but it is not practical because of its lack of robustness against the variants. A counter approach, the behavior analysis to handle the variant issue, takes too much time and resources. We propose a variant detection mechanism using runtime semantic signature. Our key idea is to reduce the control and data flow analysis overhead by using binary patterns for the control and data flow of critical actions as a signature. The flow information is a significant part of behavior analysis but takes high analysis overhead. In contrast to the previous behavioral signatures, the runtime semantic signature has higher family classification accuracy without the flow analysis overhead, because the binary patterns of flow parts is hardly shared by the out of family members. Using the proposed signature, we detect the new variants of known malwares by static matching efficiently and accurately. We evaluated our mechanism with 1,759 randomly collected real-world Android applications including 79 variants of 4 malware families. As the experimental result, our mechanism showed 99.89% of accuracy on variant detection. We also showed that the mechanism has a linear time complexity as the number of target applications. It is fully practical and advanced performance than the previous works in both of accuracy and efficiency.",

keywords = "Android, Malware, Runtime semantic signature, Smartphone security",

author = "Suyeon Lee and Jehyun Lee and Heejo Lee",

note = "Publisher Copyright: {\textcopyright} IFIP International Federation for Information Processing 2013. Copyright: Copyright 2020 Elsevier B.V., All rights reserved.; 28th IFIP TC 11 International Conference, SEC 2013 ; Conference date: 08-07-2013 Through 12-07-2013",

year = "2013",

doi = "10.1007/978-3-642-39218-4_2",

language = "English",

series = "IFIP Advances in Information and Communication Technology",

publisher = "Springer New York LLC",

pages = "14--27",

editor = "Janczewski, {Lech J.} and Wolfe, {Henry B.} and Sujeet Shenoi",

booktitle = "Security and Privacy Protection in Information Processing Systems - 28th IFIP TC 11 International Conference, SEC 2013, Proceedings",

}

TY - GEN

T1 - Screening smartphone applications using behavioral signatures

AU - Lee, Suyeon

AU - Lee, Jehyun

AU - Lee, Heejo

PY - 2013

Y1 - 2013

N2 - The sharp increase of smartphone malwares has become one of the most serious security problems. The most significant part of the growth is the variants of existing malwares. A legacy approach for malware, the signature matching, is efficient in temporal dimension, but it is not practical because of its lack of robustness against the variants. A counter approach, the behavior analysis to handle the variant issue, takes too much time and resources. We propose a variant detection mechanism using runtime semantic signature. Our key idea is to reduce the control and data flow analysis overhead by using binary patterns for the control and data flow of critical actions as a signature. The flow information is a significant part of behavior analysis but takes high analysis overhead. In contrast to the previous behavioral signatures, the runtime semantic signature has higher family classification accuracy without the flow analysis overhead, because the binary patterns of flow parts is hardly shared by the out of family members. Using the proposed signature, we detect the new variants of known malwares by static matching efficiently and accurately. We evaluated our mechanism with 1,759 randomly collected real-world Android applications including 79 variants of 4 malware families. As the experimental result, our mechanism showed 99.89% of accuracy on variant detection. We also showed that the mechanism has a linear time complexity as the number of target applications. It is fully practical and advanced performance than the previous works in both of accuracy and efficiency.

AB - The sharp increase of smartphone malwares has become one of the most serious security problems. The most significant part of the growth is the variants of existing malwares. A legacy approach for malware, the signature matching, is efficient in temporal dimension, but it is not practical because of its lack of robustness against the variants. A counter approach, the behavior analysis to handle the variant issue, takes too much time and resources. We propose a variant detection mechanism using runtime semantic signature. Our key idea is to reduce the control and data flow analysis overhead by using binary patterns for the control and data flow of critical actions as a signature. The flow information is a significant part of behavior analysis but takes high analysis overhead. In contrast to the previous behavioral signatures, the runtime semantic signature has higher family classification accuracy without the flow analysis overhead, because the binary patterns of flow parts is hardly shared by the out of family members. Using the proposed signature, we detect the new variants of known malwares by static matching efficiently and accurately. We evaluated our mechanism with 1,759 randomly collected real-world Android applications including 79 variants of 4 malware families. As the experimental result, our mechanism showed 99.89% of accuracy on variant detection. We also showed that the mechanism has a linear time complexity as the number of target applications. It is fully practical and advanced performance than the previous works in both of accuracy and efficiency.

KW - Android

KW - Malware

KW - Runtime semantic signature

KW - Smartphone security

UR - http://www.scopus.com/inward/record.url?scp=84920923406&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84920923406&partnerID=8YFLogxK

U2 - 10.1007/978-3-642-39218-4_2

DO - 10.1007/978-3-642-39218-4_2

M3 - Conference contribution

AN - SCOPUS:84920923406

T3 - IFIP Advances in Information and Communication Technology

SP - 14

EP - 27

BT - Security and Privacy Protection in Information Processing Systems - 28th IFIP TC 11 International Conference, SEC 2013, Proceedings

A2 - Janczewski, Lech J.

A2 - Wolfe, Henry B.

A2 - Shenoi, Sujeet

PB - Springer New York LLC

T2 - 28th IFIP TC 11 International Conference, SEC 2013

Y2 - 8 July 2013 through 12 July 2013

ER -