Mining Apps for Abnormal Usage of Sensitive Data

Avdiienko, Vitalii; Kuznetsov, Konstantin; Gorla, Alessandra; Zeller, Andreas; Arzt, Steven; Rasthofer, Siegfried; Bodden, Eric

doi:10.1109/icse.2015.61

Cited by 184 publications

(216 citation statements)

References 21 publications

Supporting

Mentioning

210

Contrasting

Unclassified

Order By: Relevance

“…Recently, Avdiienko et al presented an approach [6] closely related to ours. Both their approach and ours take sensitive data flows as features for machine learning-based malware detection, and both rely on FlowDroid to extract sensitive data flows.…”

Section: Related Workmentioning

confidence: 99%

“…However, the potential component leaks (flows) introduced by advertisement libraries are separate from the actual app code. As shown in MUDFLOW [6], advertisement libraries are frequently used and their flows (PCLs) thus become "normal", diluting the impact of actual app flows. Therefore, we follow MUDFLOW's assumption that advertisement libraries are trustworthy and ignore all the PCLs taking place in advertisement libraries, allowing our study to focus on the actual app PCLs.…”

Section: A Pcleaks Settingsmentioning

confidence: 99%

“…Because FlowDroid analyzes a whole Android app and aims to provide highly precise results, it usually takes a lot of time and resources to analyze an app. In favor of a faster analysis, we use the same FlowDroid settings as MUDFLOW [6] chooses (Explicit flow only, Disable flowsensitive alias search, Maximum access of path length of 3, No-Layout mode and No static fields 4 ) , which sacrifices some amount of precision for speed and memory. As a result, the detected potential component leaks may have false positives as well as false negatives.…”

Section: A Pcleaks Settingsmentioning

confidence: 99%

“…Recently, MUDFLOW [6] has proposed to extract behavioral features by taking into account sensitive data flows in Android apps to identify malware. In this paper, we also study the capability of specific sensitive data-flow features to be discriminative in Android malware detection as in MUDFLOW.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Potential Component Leaks in Android Apps: An Investigation into a New Feature Set for Malware Detection

Allix

et al. 2015

2015 IEEE International Conference on Software Quality, Reliability and Security

View full text Add to dashboard Cite

Abstract-We discuss the capability of a new feature set for malware detection based on potential component leaks (PCLs). PCLs are defined as sensitive data-flows that involve Android inter-component communications. We show that PCLs are common in Android apps and that malicious applications indeed manipulate significantly more PCLs than benign apps. Then, we evaluate a machine learning-based approach relying on PCLs. Experimental validations show high performance for identifying malware, demonstrating that PCLs can be used for discriminating malicious apps from benign apps.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: A Pcleaks Settingsmentioning

confidence: 99%

Section: A Pcleaks Settingsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Potential Component Leaks in Android Apps: An Investigation into a New Feature Set for Malware Detection

Allix

et al. 2015

2015 IEEE International Conference on Software Quality, Reliability and Security

View full text Add to dashboard Cite

show abstract

“…Then, an ICC method startActivity is called, which switches the current execution from Activity1 to Activity2. Finally, in Activity2, the device id is retrieved and is eventually sent out of the device through sendTextMessage (lines [15][16][17] This privacy leak cannot be detected by intra-component analyzers such as FlowDroid [10], because the switching between Activity1 and Activity2 is unfortunately decided only by the system and it is non-trivial to obtain it directly at the code level [11], [12]. Therefore, in this work we present IccTA, a code instrumentation based approach, which modifies the code to be analyzed in a way that inter-component feature is mitigated.…”

Section: A Code Analysismentioning

confidence: 99%

Mining AndroZoo: A Retrospect

2017

2017 IEEE International Conference on Software Maintenance and Evolution (ICSME)

View full text Add to dashboard Cite

Abstract-This paper presents a retrospect of an Android app collection named AndroZoo and some research works conducted on top of the collection. AndroZoo is a growing collection of Android apps from various markets including the official Google Play. At the moment, over five million Android apps have been collected. Based on AndroZoo, we have explored several directions that mine Android apps for resolving various challenges. In this work, we summarize those resolved mining challenges in three research dimensions, including code analysis, app evolution analysis, malware analysis, and present in each dimension several case studies that experimentally demonstrate the usefulness of AndroZoo.

show abstract

Detection of malware applications from centrality measures of syscall graph

Surendran¹,

Thomas²

2022

Concurrency and Computation

View full text Add to dashboard Cite

These days it is found that malware authors tend to create new variants of existing Android malware by using various kinds of obfuscation techniques. These kinds of obfuscated malware applications can bypass all the current antimalware products which rely on static analysis techniques to detect the malicious behavior. Hence, it is essential to develop innovative dynamic analysis mechanisms for Android malware detection. It is known that, the malicious behavior of statically obfuscated malware applications can get reflected in the system call (syscall) trace generated by them. Most of the existing syscall based mechanisms depend only on the features derived from the syscall counts for malware detection. These syscall count related features are inadequate to capture many other useful characteristics related to the syscalls in a sequence.In order to overcome this limitation, we modeled the syscall trace of an application as an ordered graph which enabled to infer various kinds of features in the form of centrality measures related to that syscall trace of the application. Then, these centrality measures are fed to an ML model to predict the malicious behavior. From the implementation results, we found that our mechanism can detect malware apps with an accuracy of 0.99.

show abstract

Mining Apps for Abnormal Usage of Sensitive Data

Cited by 184 publications

References 21 publications

Potential Component Leaks in Android Apps: An Investigation into a New Feature Set for Malware Detection

Potential Component Leaks in Android Apps: An Investigation into a New Feature Set for Malware Detection

Mining AndroZoo: A Retrospect

Detection of malware applications from centrality measures of syscall graph

Contact Info

Product

Resources

About