Detecting Android Malware Leveraging Text Semantics of Network Flows

Wang, Shanshan; Yan, Qiben; Chen, Zhenxiang; Yang, Bo; Zhao, Chuan; Conti, Mauro

doi:10.1109/tifs.2017.2771228

Cited by 127 publications

(55 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Lu et al [15] proposed to use decision tree models trained on the n-gram features extracted from the network traffic payload to detect botnets. Wang et al [16] proposed to use lexical features of HTTP header (TCP payload) to discover malicious behaviors of Android botnets.…”

Section: Related Workmentioning

confidence: 99%

Enhanced PeerHunter: Detecting Peer-to-Peer Botnets Through Network-Flow Level Community Behavior Analysis

Zhuang

Chang

2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Peer-to-peer (P2P) botnets have become one of the major threats in network security for serving as the fundamental infrastructure for various cyber-crimes. More challenges are involved in the problem of detecting P2P botnets, despite a few work claimed to detect centralized botnets effectively. We propose Enhanced PeerHunter, a network-flow level community behavior analysis based system, to detect P2P botnets. Our system starts from a P2P network flow detection component. Then, it uses "mutual contacts" to cluster bots into communities. Finally, it uses network-flow level community behavior analysis to detect potential botnets. In the experimental evaluation, we propose two evasion attacks, where we assume the adversaries know our techniques in advance and attempt to evade our system by making the P2P bots mimic the behavior of legitimate P2P applications. Our results showed that Enhanced PeerHunter can obtain high detection rate with few false positives, and high robustness against the proposed attacks. Index Terms-P2P Botnet, intrusion detection, network security, community detection. J. Morris Chang (SM'08) is a professor in the Department of Electrical Engineering at the University of South Florida. He received the Ph.D. degree from the North Carolina State University. His past industrial experiences include positions at Texas Instruments, Microelectronic Center of North Carolina and AT&T Bell Labs. He received the University Excellence in Teaching Award at Illinois Institute of Technology in 1999. His research interests include: cyber security, wireless networks, and energy efficient computer systems. In the last six years, his research projects on cyber security have been funded by DARPA. Currently, he is leading a DARPA project under Brandeis program focusing on privacy-preserving computation over Internet. He is a handling editor of Journal of Microprocessors and Microsystems and an editor of IEEE IT Professional. He is a senior member of IEEE.

show abstract

Section: Related Workmentioning

confidence: 99%

Enhanced PeerHunter: Detecting Peer-to-Peer Botnets Through Network-Flow Level Community Behavior Analysis

Zhuang

Chang

2019

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

show abstract

“…DroidScribe [18] Runtime behaviors Machine learning 2016 DroidCat [10] Application execution traces Machine learning 2016 CSCdroid [58] Determinate system calls Markov chain and SVM 2017 Monet [52] Runtime behavior signature Signature matching 2017 Wang et al [55] HTTP proposed DroidMat, a system that extracts the information from each application's manifest file, and regards components as entry points to trace API calls related to permissions [56]. MAMA extracts permission and uses-feature tags from the application's manifest content and uses machine learning methods to distinguish benign applications from malwares [46].…”

Section: Literature Reviewmentioning

confidence: 99%

“…Sun et al proposed Monet framework that includes both client and server modules and uses both runtime behavior and static structures to detect malware variants [52]. Wang et al proposed a dynamic method which uses text semantic features of mobile traffic for malware detection [55]. This method considers every HTTP flow as a document and then uses n-grams to generate candidate features for machine learning model.…”

Section: Dynamic Analysismentioning

confidence: 99%

“…Our system is based on static malware detection approach by using text mining methods. Currently, some of the existing works that apply the static approach also use text mining methods by generally considering static data (e.g., permissions, manifest content, meta-data, and source code) of applications [33,37,40,44,51,55]. However, differently from existing works, our framework adopts text categorization for this purpose and extracts different features directly from the manifest content of each application to detect malware.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Adapting Text Categorization for Manifest based Android Malware Detection

Çoban¹,

Özel²

2019

csci

View full text Add to dashboard Cite

Malware is a shorthand of malicious software that are created with the intent of damaging hardware systems, stealing data, and causing a mess to make money, protest something, or even make war between governments. Malware is often spread by downloading some applications for your hardware from some download platforms. It is highly probable to face with a malware while you try to load some applications for your smart phones nowadays. Therefore it is very important that some tools are needed to detect malware before loading them to the hardware systems. There are mainly three different approaches to detect malware: i) static, ii) dynamic, and iii) hybrid. Static approach analyzes the suspicious program without executing it. Dynamic approach, on the other hand, executes the program in a controlled environment and obtains information from operating system during runtime. Hybrid approach, as its name implies, is the combination of these two approaches. Although static approach may seem to have some disadvantages, it is highly preferred because of its lower cost. In this paper, our aim is to develop a static malware detection system by using text categorization techniques. To reach our goal, we apply text mining techniques like feature extraction by using bag-of-words, n-grams, etc. from manifest content of suspicious programs, then apply text classification methods to detect malware. Our experimental results revealed that our approach is capable of detecting malicious applications with an accuracy between 94.0% and 99.3%.

show abstract

“…In addition to malware as a general concept, there are novel systems to deal with particular types of malware [49,50]. In both cases, learning-based systems show very promising results [51,52,53,54].…”

Section: Related Workmentioning

confidence: 99%

Malytics: A Malware Detection Scheme

et al. 2018

View full text Add to dashboard Cite

An important problem of cyber-security is malware analysis. Besides good precision and recognition rate, a malware detection scheme needs to be able to generalize well for novel malware families (a.k.a zero-day attacks). It is important that the system does not require excessive computation particularly for deployment on the mobile devices.In this paper, we propose a novel scheme to detect malware which we call Malytics. It is not dependent on any particular tool or operating system. It extracts static features of any given binary file to distinguish malware from benign. Malytics consists of three stages: feature extraction, similarity measurement and classification. The three phases are implemented by a neural network with two hidden layers and an output layer. We show feature extraction, which is performed by tf -simhashing, is equivalent to the first layer of a particular neural network. We evaluate Malytics performance on both Android and Windows platforms. Malytics outperforms a wide range of learning-based techniques and also individual state-of-the-art models on both platforms. We also show Malytics is resilient and robust in addressing zero-day malware samples. The F1-score of Malytics is 97.21% and 99.45% on Android dex file and Windows PE files respectively, in the applied datasets. The speed and efficiency of Malytics are also evaluated.

show abstract

Detecting Android Malware Leveraging Text Semantics of Network Flows

Cited by 127 publications

References 20 publications

Enhanced PeerHunter: Detecting Peer-to-Peer Botnets Through Network-Flow Level Community Behavior Analysis

Enhanced PeerHunter: Detecting Peer-to-Peer Botnets Through Network-Flow Level Community Behavior Analysis

Adapting Text Categorization for Manifest based Android Malware Detection

Malytics: A Malware Detection Scheme

Contact Info

Product

Resources

About