A Probabilistic Logic of Cyber Deception

Jajodia, Sushil; Park, Noseong; Pierazzi, Fabio; Pugliese, Andrea; Serra, Edoardo; Simari, Gerardo I.; Subrahmanian, V. S.

doi:10.1109/tifs.2017.2710945

Cited by 42 publications

(20 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Several efforts focus on detecting exfiltration of sensitive information by Android applications through two major techniques: taint data flow tracking [11,26,35,61,78] and-more recentlynetwork traffic analysis [18,38,46,50,51,65,71,82]. Taint data flow tracking systems (e.g.…”

Section: Information Leakage Detectionmentioning

confidence: 99%

A Data-driven Characterization of Modern Android Spyware

Pierazzi

Mezzour

Han

et al. 2020

ACM Trans. Manage. Inf. Syst.

Self Cite

View full text Add to dashboard Cite

According to Nokia’s 2017 Threat Intelligence Report, 68.5% of malware targets the Android platform; Windows is second with 28%, followed by iOS and other platforms with 3.5%. The Android spyware family U A P USH was responsible for the most infections, and several of the top 20 most common Android malware were spyware. Simply put, modern spyware steals the basic information needed to fuel more deadly attacks such as ransomware and banking fraud. Not surprisingly, some forms of spyware are also classified as banking trojans (e.g., A CE C ARD ). We present a data-driven characterization of the principal factors that distinguish modern Android spyware (July 2016–July 2017) both from goodware and other Android malware, using both traditional and deep ML. First, we propose an Ensemble Late Fusion (ELF) architecture that combines the results of multiple classifiers’ predicted probabilities to generate a final prediction. We show that ELF outperforms several of the best-known traditional and deep learning classifiers. Second, we automatically identify key features that distinguish spyware both from goodware and from other malware. Finally we present a detailed analysis of the factors distinguishing five important families of Android spyware: U A P USH , P INCER , H E H E , USBC LEAVER , and A CE C ARD (the last is a hybrid spyware-banking trojan).

show abstract

Section: Information Leakage Detectionmentioning

confidence: 99%

A Data-driven Characterization of Modern Android Spyware

Pierazzi

Mezzour

Han

et al. 2020

ACM Trans. Manage. Inf. Syst.

Self Cite

View full text Add to dashboard Cite

show abstract

“…The group significantly contributes to the formation of CSA [4,7], to models underlying CSA [5,40,50], and to CSA measurement [35]. Further, the group investigated the concept of attack graphs and their application in CSA [74][75][76], network hardening [94] along with relevant strategies [6], and cyber deception [3,51,52]. The group has also developed a framework for cyber situational awareness that integrates an array of techniques and automated tools [48,71].…”

Section: Research Groupsmentioning

confidence: 99%

SoK

Husák

Jirsík

Yang

2020

Proceedings of the 15th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Cyber situational awareness is an essential part of cyber defense that allows the cybersecurity operators to cope with the complexity of today's networks and threat landscape. Perceiving and comprehending the situation allow the operator to project upcoming events and make strategic decisions. In this paper, we recapitulate the fundamentals of cyber situational awareness and highlight its unique characteristics in comparison to generic situational awareness known from other fields. Subsequently, we provide an overview of existing research and trends in publishing on the topic, introduce front research groups, and highlight the impact of cyber situational awareness research. Further, we propose an updated taxonomy and enumeration of the components used for achieving cyber situational awareness. The updated taxonomy conforms to the widely-accepted three-level definition of cyber situational awareness and newly includes the projection level. Finally, we identify and discuss contemporary research and operational challenges, such as the need to cope with rising volume, velocity, and variety of cybersecurity data and the need to provide cybersecurity operators with the right data at the right time and increase their value through visualization. CCS CONCEPTS • Security and privacy → Formal security models; • Networks → Network security.

show abstract

“…We also report AUC and show that it remains high in the different scenarios even when 20% or 30% of the training set is used. This allows the defender to use a moving defense surface [19], [20] by changing the specific training set over time while maintaining good predictive accuracy (AUC) performance.…”

Section: Accuracy-robustness Trade-off Of Dbank's Tsg Vs Traditional mentioning

confidence: 99%

DBank: Predictive Behavioral Analysis of Recent Android Banking Trojans

Bai

Han

Mezzour

et al. 2019

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

Using a novel dataset of Android banking trojans (ABTs), other Android malware, and goodware, we develop the DBank system to predict whether a given Android APK is a banking trojan or not. We introduce the novel concept of a Triadic Suspicion Graph (TSG for short) which contains three kinds of nodes: goodware, banking trojans, and API packages. We develop a novel feature space based on two classes of scores derived from TSGs: suspicion scores (SUS) and suspicion ranks (SR)-the latter yields a family of features that generalize PageRank. While TSG features (based on SUS/SR scores) provide very high predictive accuracy on their own in predicting recent (2016-2017) ABTs, we show that the combination of TSG features with previously studied lightweight static and dynamic features in the literature yields the highest accuracy in distinguishing ABTs from goodware, while preserving the same accuracy of prior feature combinations in distinguishing ABTs from other Android malware. In particular, DBank's overall accuracy in predicting whether an APK is a banking trojan or not is up to 99.9% AUC with 0.3% false positive rate. Moreover, we have already reported two unlabeled APKs from VirusTotal (which DBank has detected as ABTs) to the Google Android Security Team-in one case, we discovered it before any of the 63 anti-virus products on VirusTotal did, and in the other case, we beat 62 of 63 anti-viruses on VirusTotal. This suggests that DBank is capable of making new discoveries in the wild before other established vendors. We also show that our novel TSG features have some interesting defensive properties as they are robust to knowledge of the training set by an adversary: even if the adversary uses 90% of our training set and uses the exact TSG features that we use, it is difficult for him to infer DBank's predictions on APKs. We additionally identify the features that best separate and characterize ABTs from goodware as well as from other Android malware. Finally, we develop a detailed data-driven analysis of five major recent ABT families: FakeToken, Svpeng, Asacub, BankBot, and Marcher, and identify the features that best separate them from goodware and other malware.

show abstract

A Probabilistic Logic of Cyber Deception

Cited by 42 publications

References 38 publications

A Data-driven Characterization of Modern Android Spyware

A Data-driven Characterization of Modern Android Spyware

SoK

DBank: Predictive Behavioral Analysis of Recent Android Banking Trojans

Contact Info

Product

Resources

About