
Compact Explanation of Why Malware is Bad (PowerPoint PPT Presentation)



  1. Compact Explanation of Why Malware is Bad. Speaker: Wei Chen (1). Joint work with Charles Sutton (1), David Aspinall (1), Andrew D. Gordon (1, 2), Igor Muttik (3), and Qi Shen (4). App Guarden Project. (1) University of Edinburgh, (2) Microsoft Research Cambridge, (3) Intel Security, (4) Peking University.

  2. Android Applications

  3. Threats Around Android Applications: bank trojans; premium SMS; locate; eavesdrop; root access; botnet control; steal personal information.

  4. An Example: the Flashlight Application

  5. Flashlight: Some Comments from General Users
  “Why in the world would I want a flashlight app that collects so much info about me?” (from a user)
  “This app is extremely bright and does its job well. I don’t know what others mean when they say that they have so many problems with it.” (from another user)

  6. Flashlight: the Generated Behaviour Automaton

  7. Motivation & Goal
  ◮ Motivation: it is not really enough to simply identify an application as malware; we need to convince people the identification is correct and explain what it means.
  ◮ Goal: automatically generate compact explanations for a broad range of people by producing short paragraphs, compact behaviour automata, and statistical charts.
  ◮ Potential Benefits: help people get a better understanding of potential threats hidden in mobile applications; provide hints for malware analysts before more expensive investigation; support automatic generation of security and anti-security policies, etc.

  8. Examples: Some Generated Explanations in Paragraphs
  ◮ This is a trojan which steals personal information from the infected device. It can be controlled over the web through HTTP. (an instance of Droidkungfu)
  ◮ It sends SMS messages to premium rated numbers. (an instance of Opfake)
  ◮ This application might be a Chatting application, but, after a USB mass storage is connected, it will: retrieve a class in a runnable package; read information about networks; connect to Internet. (an instance of Basebridge)
  ◮ This application is declared as an Anti-Virus application, but, it will: read your phone state after a phone call is made; read your phone state then connect to Internet; send SMS messages after a phone call is made. (an instance of Zitmo)

  9. Examples: a Generated Explanation in Behaviour Automata (figure: a three-state behaviour automaton q0, q1, q2 whose transitions are labelled SEND SMS, INTERNET and SMS RECEIVED; from instances of Ggtracker and Zitmo)

  10. Technical Challenges
  ◮ Formalisation: characterise and formalise an application’s behaviours precisely and efficiently.
  ◮ Learning: develop an effective and efficient method to learn unexpected behaviours from thousands of sample malware and benign applications.
  ◮ Explanation: decide whether a target application is malware and, if so, automatically generate explanations from its unexpected behaviours.
  ◮ Evaluation: evaluate the identified unexpected behaviours and the generated explanations.

  11. The Approach: Formalisation
  ◮ We characterise an application’s behaviour by an extended Büchi automaton, i.e., finite and infinite control-dependence sequences of events, actions, and annotated API calls, which we call a behaviour automaton.
  ◮ We have designed and implemented a static analysis tool to construct such a behaviour automaton directly from each Android application, approximating its behaviours.
  ◮ We have to consider a broad range of features of Java and the Android framework, e.g., multi-threading, multiple entry points, inter-procedural calls, callbacks, component life-cycles, inter-component communications, runtime-registered listeners, etc.

  12. The Approach: Formalisation (figure: the behaviour automaton of an Android application, states q0 to q6; transitions are labelled with events MAIN, click and SMS RECEIVED and with annotated API calls AsyncTask: sendTextMessage, Receiver: getLine1Number, Receiver: getDeviceId, Receiver: openConnection)

  13. The Approach: Formalisation (figure: the abstract behaviour automaton of the same application, states q0 to q6; the API calls are abstracted to the permission-level actions SEND SMS, READ PHONE STATE and INTERNET, with events MAIN, click and SMS RECEIVED)

  14. The Approach: Learning
  ◮ An unexpected behaviour is a salient sub-automaton.
  ◮ A common pattern exhibited by malware instances in a human-decided malware family, which is rarely seen in benign applications.
  ◮ We have developed a learning-centred method to capture unexpected behaviours from thousands of malware instances across hundreds of families.
  ◮ Differentiate salient features by adding benign applications for training.

  $F_k = \{\bigoplus_{A \in G_k} A \mid \oplus \in \{-, \cap\}\}$

  $\min_w \left( \sum_j |w_j| + \sum_i \log\left(1 + e^{-y_i w^T x_i}\right) \right)$, with $x_i \in F^{|F_k|}$

  $F_k \leftarrow \{ j \in F_k \mid w_j \neq 0 \}$

  $F_k \otimes F_l = \{A - B,\ A \cap B,\ B - A \mid A \in F_k \wedge B \in F_l\}$

  $U = \{ j \in F \mid w_j < 0 \}$

  15. The Approach: Learning (figure: the learned three-state sub-automaton q0, q1, q2 with transitions labelled SEND SMS, INTERNET and SMS RECEIVED; from instances of Ggtracker and Zitmo)

  16. The Approach: Learning
  ◮ A singular behaviour is one identified in a group of applications which have similar behaviours.

  17. The Approach: Learning (chart: Accessing Your Location, normal versus singular)

  18. The Approach: Learning (chart: Sending SMS Messages, normal versus singular)

  19. The Approach: Learning (diagram: pre-labelled apps provide context-sensitive training data; fine-grained clustering splits them into groups A, B, C, ...; training on each group yields the unexpected behaviours Auto_1, Auto_2, Auto_3, ...)

  20. The Approach: Explanation (diagram: a target app is checked for similarity against the learned unexpected behaviours Auto_1, Auto_2, ... of each group; the matching automata are fed into explanation generation through templates and sentences)
  ◮ Present behaviour automata directly.
  ◮ Extract singletons, i.e., API calls, actions, and events, from automata, and search by keywords for sentences in malware analysis reports.
  ◮ Extract pairs, i.e., something happens before another thing, from automata, and feed them through pre-defined templates.
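As an added example (not the App Guarden project's code), the pair-and-template step of slide 20 run over a small abstract behaviour automaton constructed after slide 13; the template phrases and the event/action split are assumptions, since the slides do not list theirs.

```python
# Constructed automaton modelled on slide 13: (state, label, next_state).
TRANSITIONS = [
    ("q0", "MAIN", "q1"),
    ("q1", "click", "q2"),
    ("q2", "SEND SMS", "q3"),
    ("q0", "SMS RECEIVED", "q4"),
    ("q4", "READ PHONE STATE", "q5"),
    ("q5", "INTERNET", "q6"),
]
# Labels that are events (triggers); everything else is an action.
EVENTS = {"MAIN", "click", "SMS RECEIVED"}

# Assumed template vocabulary; the slides do not list theirs.
PHRASES = {
    "MAIN": "the application is launched",
    "click": "a button is clicked",
    "SMS RECEIVED": "an SMS message is received",
    "SEND SMS": "send SMS messages",
    "READ PHONE STATE": "read your phone state",
    "INTERNET": "connect to Internet",
}

def singletons(transitions):
    """Every distinct event/action label occurring in the automaton."""
    return sorted({label for _, label, _ in transitions})

def pairs(transitions):
    """Ordered pairs (a, b) where a transition labelled b can directly
    follow a transition labelled a ("a happens before b")."""
    out_labels = {}
    for src, label, _ in transitions:
        out_labels.setdefault(src, []).append(label)
    found = []
    for _, a, mid in transitions:
        for b in out_labels.get(mid, []):
            found.append((a, b))
    return found

def explain(transitions):
    """Render each pair through a template chosen by the pair's kinds,
    mirroring the 'X after <event>' and 'X then Y' sentences of slide 8."""
    sentences = []
    for a, b in pairs(transitions):
        if a in EVENTS and b not in EVENTS:
            sentences.append(f"{PHRASES[b]} after {PHRASES[a]}")
        elif a not in EVENTS and b not in EVENTS:
            sentences.append(f"{PHRASES[a]} then {PHRASES[b]}")
        # event-event and action-event pairs have no template here
    return sentences
```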

  21. The Approach: Explanation — Sentence Searching (candidate sentences retrieved from malware analysis reports)
  ◮ intercepts incoming sms messages and forwards them to a remote server including informations like imsi and imei
  ◮ these applications send premium sms messages
  ◮ the application will run in the background gathering sms activity and periodically send it to a proxy email address
  ◮ it sends sms messages to premium rated numbers and tries to hide this action from the malware investigators by using some kind of steganography
  ◮ this trojan steals personal information and receives commands via sms
  ◮ steals information sms messages imei imsi etc
  ◮ sending sms messages
  ◮ it sends sms messages to premium rated numbers
  ◮ it sends sms texts to all contacts on the device and sends an sms text to report its installation without the affected users knowledge and possibly resulting in data charges for the owner of the affected device
  ◮ allows an application to send sms messages
  ◮ allows an application to write sms messages
  ◮ sends sms messages to premium rated numbers
  ◮ this malware also sends sms messages
  ◮ sends sms spam messages
  ◮ afterwards the trojan sends sms messages to phone numbers listed in this configuration file
  ◮ this malware attempts to send premium rated sms messages
  ◮ the trojan gathers the following information from the compromised device sms messages phone number and the imei of the infected device
  ◮ it also sends sms messages

  22. The Approach: Explanation — Sentence Searching. Choose the central sentence.

  $V[s][a] = \begin{cases} \mathrm{tfidf}(a, s, C), & \text{if } a \text{ is a word of } s; \\ 0, & \text{otherwise.} \end{cases}$

  $\sigma_V(s) = \sum_{t \in C} \cos\left(\theta_{V[s], V[t]}\right)$

  $\arg\max_{s' \in C} \sigma_V(s')$
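The central-sentence selection of slide 22, as an added example that is not the project's code: each candidate is vectorised as V[s][a] = tfidf(a, s, C), sigma_V sums the cosine similarities to every other candidate, and the argmax is returned. The tfidf variant (tf times log(|C| / df)) is an assumption, and the candidate set is constructed for the example.

```python
import math

# Constructed candidate set C, in the lowercased, unpunctuated form of slide 21.
CANDIDATES = [
    "it sends sms messages to premium rated numbers",
    "sends sms messages to premium rated numbers",
    "this malware also sends sms messages",
    "it steals imei and imsi information",
]

def tfidf_vectors(corpus):
    """V[s] for every s in C: {word: tf * log(|C| / df)} (assumed variant)."""
    docs = [s.split() for s in corpus]
    df = {}
    for words in docs:
        for w in set(words):
            df[w] = df.get(w, 0) + 1
    n = len(docs)
    vectors = []
    for words in docs:
        tf = {}
        for w in words:
            tf[w] = tf.get(w, 0) + 1
        # a word present in every candidate gets idf 0 and drops out
        vectors.append({w: c * math.log(n / df[w]) for w, c in tf.items()})
    return vectors

def cosine(u, v):
    """cos(theta) between two sparse vectors; 0 when either is all-zero."""
    dot = sum(u[w] * v[w] for w in u if w in v)
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0

def centrality(corpus):
    """sigma_V(s) for each s: sum of cosines to all t in C (including s)."""
    vecs = tfidf_vectors(corpus)
    return {s: sum(cosine(vecs[i], vecs[j]) for j in range(len(vecs)))
            for i, s in enumerate(corpus)}

def central_sentence(corpus):
    """arg max over s' in C of sigma_V(s')."""
    scores = centrality(corpus)
    return max(corpus, key=lambda s: scores[s])
```

On the constructed set the winner is the first sentence, which shares the "premium rated numbers" wording with one candidate and "sends sms messages" with another.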

  23. The Approach: Explanation — Sentence Searching (this slide repeats the candidate sentence list of slide 21)
