Screening smartphone applications using behavioral signatures

Suyeon Lee, Jehyun Lee, Heejo Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

5 Citations (Scopus)

Abstract

The sharp increase in smartphone malware has become one of the most serious security problems. The most significant part of this growth comes from variants of existing malware. The legacy approach to malware detection, signature matching, is efficient in time, but it is not practical because it lacks robustness against variants. The counter approach, behavior analysis, handles the variant issue but takes too much time and resources. We propose a variant detection mechanism using a runtime semantic signature. Our key idea is to reduce the control and data flow analysis overhead by using binary patterns for the control and data flow of critical actions as a signature. Flow information is a significant part of behavior analysis but incurs high analysis overhead. In contrast to previous behavioral signatures, the runtime semantic signature achieves higher family classification accuracy without the flow analysis overhead, because the binary patterns of the flow parts are hardly shared by applications outside the family. Using the proposed signature, we detect new variants of known malware efficiently and accurately by static matching. We evaluated our mechanism with 1,759 randomly collected real-world Android applications, including 79 variants of 4 malware families. In the experiments, our mechanism showed 99.89% accuracy on variant detection. We also showed that the mechanism has linear time complexity in the number of target applications. It is fully practical and outperforms previous works in both accuracy and efficiency.

Original language: English
Title of host publication: IFIP Advances in Information and Communication Technology
Publisher: Springer New York LLC
Pages: 14-27
Number of pages: 14
Volume: 405
ISBN (Print): 9783642392177
Publication status: Published - 2013 Jan 1
Event: 28th IFIP TC 11 International Conference on Information Security and privacy conference, SEC 2013 - Auckland, New Zealand
Duration: 2013 Jul 8 → 2013 Jul 10

Publication series

Name: IFIP Advances in Information and Communication Technology
Volume: 405
ISSN (Print): 18684238

Other

Other: 28th IFIP TC 11 International Conference on Information Security and privacy conference, SEC 2013
Country: New Zealand
City: Auckland
Period: 13/7/8 → 13/7/10

Fingerprint

Screening
Data flow
Behavior analysis
Information flow
Robustness
Resources

Keywords

  • Android
  • Malware
  • Runtime semantic signature
  • Smartphone security

ASJC Scopus subject areas

  • Information Systems and Management

Cite this

Lee, S., Lee, J., & Lee, H. (2013). Screening smartphone applications using behavioral signatures. In IFIP Advances in Information and Communication Technology (Vol. 405, pp. 14-27). (IFIP Advances in Information and Communication Technology; Vol. 405). Springer New York LLC.
