experiences of of la landing machine le learning onto
play

Experiences of of La Landing Machine Le Learning onto - PowerPoint PPT Presentation

Aug 27, 2022 •126 likes •424 views

Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu Mobile Malware Detection Android App Markets

  1. Experiences of of La Landing Machine Le Learning onto Market-Scale Mobile Malware Detection Liangyi Gong, Zhenhua Li, Feng Qian, Zifan Zhang, Qi Alfred Chen, Zhiyun Qian, Hao Lin, Yunhao Liu

  2. Mobile Malware Detection ⚫ Android App Markets “lend credib ibil ilit ity ” Mobile App Markets Mobile Users ⚫ Current Mobile App Review ✓ Fingerprint-based Antivirus Checking ✓ Expert-informed API inspection ✓ User-report-driven Manual Examination ✓ API-based Dynamic Analysis

  3. Mobile Malware Detection ⚫ Android App Markets “lend credib ibil ilit ity ” Mobile App Markets Mobile Users ⚫ ML-based Mobile App Review Techniques ⚫ Fingerprint-based Antivirus Checking ⚫ Static Code Inspection ⚫ Dynamic Behavior Analysis

  4. ML-based Detection at Market Scales Real-world Widely explored in No existing report of the past decade the effectiveness Challenges? ML-based Malware ML-based Solutions Detection at Market Scales

  5. Large-scale Dataset: API-centric, Dynamic • 500K apps submitted to Tencent Market • From March to December 2017 • Containing apps’ malice labels Monkey : UI Event Steam APK APK Commodity servers Trigger api to Trigger API to output log output log App Emulation Tencent Market https://sj.qq.com/ One-hot Feature Vector

  6. API Selection: Correlation ⚫ APIs’ correlations with the ⚫ Time consumption of malice of apps Tracking APIs ▪ Using SRC ( Spearman’s rank ▪ Tracking highly correlated APIs ▪ Fitting a tri-modal distribution correlation coefficient ) to evaluate APIs’ correlation with apps’ malice ▪ 260 APIs pose non-trivial correlation (| SRC | ≥ 0.2) 0.6 0.5 0.4 |SRC| 0.3 0.2 0.1 0 0 200 400 600 800 1000 Ranking of API

  7. API Selection: Correlation ⚫ APIs’ correlations with the ⚫ Time consumption of malice of apps tracking different API sets ▪ Fitting a tri-modal distribution ▪ Using SRC ( Spearman’s rank ▪ Indicating a complex relationship correlation coefficient ) to evaluate APIs’ correlation with apps’ malice ▪ 260 APIs pose non-trivial correlation (| SRC | ≥ 0.2) 0.6 0.5 0.4 |SRC| 0.3 0.2 0.1 0 0 200 400 600 800 1000 Ranking of API

  8. API Selection: Model & Accuracy ⚫ Machine Learning Model & Detection Accuracy Model Precision Recall Training Time Tracking top-490 correlated APIs achieves the highest Naive Bayes 60.4% 59.6% 3.6 min precision/recall LR 81.2% 70.3% 10.4 min SVM 87.9% 71.6% ∼ 27K min GBDT 88.4% 74.3% 364 min kNN 86.5% 83.7% ∼ 1.8K min CART 87.6% 84.3% 11.6 min ∼ 1.2K min ANN 90.8% 89.9% DNN 91.5% 90.9% ∼ 1.9K min Random Forest 91.6% 90.2% 29.1 min

  9. API Selection: Model & Accuracy ⚫ Machine Learning Model & Detection Accuracy Model Precision Recall Training Time Tracking top-490 correlated APIs achieves the highest Naive Bayes 60.4% 59.6% 3.6 min precision/recall LR 81.2% 70.3% 10.4 min SVM 87.9% 71.6% ∼ 27K min GBDT 88.4% 74.3% 364 min kNN 86.5% 83.7% ∼ 1.8K min CART 87.6% 84.3% 11.6 min ∼ 1.2K min ANN 90.8% 89.9% DNN 91.5% 90.9% ∼ 1.9K min Random Forest 91.6% 90.2% 29.1 min

  10. Key API Selection Strategy ⚫ Step 1. Selecting APIs with the highest correlation with malware (Set-C). ⚫ Step 2. Selecting APIs that relate to restrictive permissions (Set-P). ⚫ Step 3. Selecting APIs that perform sensitive operations (Set-S). ⚫ Step 4. Combining the above. Set-C Performance: 244 ⚫ Analysis time: 4.3 minutes 12 4 ⚫ Precision/Recall: 96.8% / 93.7% Set-P Set-S 100 66 ⚫ Training time: 14.4 seconds

  11. Key API Selection Strategy ⚫ Step 1. Selecting APIs with the highest correlation with malware (Set-C). ⚫ Step 2. Selecting APIs that relate to restrictive permissions (Set-P). ⚫ Step 3. Selecting APIs that perform sensitive operations (Set-S). ⚫ Step 4. Combining the above. Set-C Performance: 244 ⚫ Analysis time: 4.3 minutes 12 4 ⚫ Precision/Recall: 96.8% / 93.7% Set-P Set-S 100 66 ⚫ Training time: 14.4 seconds

  12. Further Enriching the Feature Space ⚫ Hidden features – API invocation hidden by certain techniques Hidden and internal APIs IPC through intents triggered by special techniques leveraging other apps/services to like Java reflection perform sensitive actions Checking Permissions Checking Used Intents Key APIs alone API + Permission + Intents ⚫ Precision: 96.8% ⚫ Precision: 98.6% ⚫ Recall: 93.7% ⚫ Recall: 96.7%

  13. Further Enriching the Feature Space ⚫ Hidden features – API invocation hidden by certain techniques Hidden and internal APIs IPC through intents triggered by special techniques leveraging other apps/services to like Java reflection perform sensitive actions Checking Permissions Checking Used Intents Key APIs alone API + Permission + Intents ⚫ Precision: 96.8% ⚫ Precision: 98.6% ⚫ Recall: 93.7% ⚫ Recall: 96.7%

  14. System: Emulation Optimization ⚫ Default Google Android Emulator: full-system emulation ⚫ Result: 30% of apps require ≥ 5-minute analysis time ⚫ Solution: lightweight emulation on powerful x86 server ⚫ Architect: native x86 Android + Dynamic Binary Translation

  15. System: Emulation Optimization ⚫ Configuration: 5x4-core x86 server with CPU pinning ⚫ Compatibility: ≤ 1% incompatible apps ⚫ Roll back to the Google Emulator for incompatible apps ⚫ Performance: saving around 70% of the detection time Able to analyze an app in around 1.3 minutes

  16. System: Real-world Deployment ⚫ Integration to Tencent Market ⚫ Integration to Tencent Market ⚫ System Evoluation ▪ Running since March 2018 ⚫ Monthly updating the key APIs ▪ Checking ~10K apps per day using a with apps and SDK APIs single commodity server ⚫ Dataset ▪ Over 98%/96% online precision/recall contains the original dataset and new apps submitted ⚫ Fluctuating between 425 and 432

  17. System: Real-world Deployment ⚫ Integration to Tencent Market ⚫ System Evolution ▪ Running since March 2018 ▪ Monthly updating the key APIs ▪ Checking ~10K apps per day using a with the original dataset and single commodity server newly submitted apps ▪ Over 98%/96% online precision/recall ▪ Fluctuating between 425 and 432

  18. System: Addressing FPs & FNs ⚫ False Positives ⚫ False Negative ▪ 2% FP apps as complained by ⚫ 4% False Negative (FN) apps developers reported by end users ▪ All using a few top-ranking APIs ⚫ Most (87%) of the FN apps barely ▪ Most are quickly vetted based use the 426 key APIs on previous versions ⚫ These apps have fairly simple functionalities without posing a great security threat to end users ⚫ a small number of false negative Manual Inspection: apps in fact has little effect on the acceptable workload regular operation of T-Market Active & complete Passive mitigation of FNs avoidance of FPs

  19. System: Addressing FPs & FNs ⚫ False Positives ⚫ False Negatives ▪ ▪ 4% FN apps reported by end users 2% FP apps as complained by ▪ Hard to avoid developers ▪ All using a few top-ranking APIs ▪ Most (87%) barely use key APIs ▪ ▪ They have fairly simple Most are quickly vetted based on previous versions functionalities, posing little threat Manual Inspection: Report-driven: acceptable workload mild impact on users Active & complete Passive mitigation of FNs avoidance of FPs

  20. Revealed Important Features ⚫ Attempting to acquire privacy-sensitive information of user devices ⚫ Tracking or intercepting system-level events ⚫ Enabling certain types of attacks such as overlay-based attacks Gini Importance 0 0.02 0.04 0.06 0.08 0.1 API: SmsManager_sendTextMessage Permission: SEND_SMS Intent: SMS_RECEIVED Intent: wifi.STATE_CHANGE Permission: RECEIVE_SMS Intent: DEVICE_ADMIN_ENABLED Intent: buluetooth.STATE_CHANGED Permission: RECEIVE_MMS Intent: ACTION_BATTERY_OKAY API: TelephonyManager_getLine1Number Permission: RECEIVE_WAP_PUSH API: WifiInfo_getMacAddress Permission: READ_SMS API: View_setBackgroundColor Permission: ACCESS_NETWORK_STATE Permission: SYSTEM_ALERT_WINDOW API: SQLiteDatabase_insertWithOnConflict Permission: RECEIVE_BOOT_COMPLETED API: HttpURLConnection_connect API: ActivityManager_getRunningTasks

  21. Experiences of APIC HECKER Feature Engineering Feature Selection Adversary’s Principled, perspective data-driven Benign Malicious Analysis Speed Model Evolution Efficient app Monthly emulation on update with powerful x86 novel apps & servers Developer Engagement SDK APIs Active & complete avoidance of FPs vs. Passive mitigation of FNs

  22. Conclusion & Dataset ⚫ We conduct a large-scale study to understand and overcome real-world challenges of developing ML- based malware detection solutions at market scales. ⚫ We showcase several key design decisions we make towards implementing, deploying, and operating a production market-scale mobile malware detection system – APIC HECKER . ⚫ Our system has been operational at Tencent Market since March 2018, vetting around 10K apps per day on a single commodity server. Dataset & tool release: https://apichecker.github.io/

Recommend

Evaluating Machine Learned User Experiences Asela Gunawardana Intelligent User Experiences

Evaluating Machine Learned User Experiences Asela Gunawardana Intelligent User Experiences

Evaluating Machine Learned User Experiences Asela Gunawardana Intelligent User Experiences Microsoft Research The typical machine learning problem ,

560 views • 45 slides
Experiences with Charm++ and NAMD on Knights Landing Supercomputers 15 th Annual Workshop on

Experiences with Charm++ and NAMD on Knights Landing Supercomputers 15 th Annual Workshop on

Experiences with Charm++ and NAMD on Knights Landing Supercomputers 15 th Annual Workshop on Charm++ and its Applica7ons James Phillips Beckman InsCtute, University of Illinois hIp://www.ks.uiuc.edu/Research/namd/ NAMD Mission Statement:

578 views • 33 slides
LANDING ACCOUNT PROCEDURES. LANDING ACCOUNT The Landing Account is a report of all the cargo that

LANDING ACCOUNT PROCEDURES. LANDING ACCOUNT The Landing Account is a report of all the cargo that

LANDING ACCOUNT PROCEDURES. LANDING ACCOUNT The Landing Account is a report of all the cargo that was actually discharge from a vessel/aircraft. All Agents/Cargo Reporters are required under section 74(1) of the Customs Act to submit a landing

176 views • 14 slides
An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning http://www.cs.iastate.edu/~cs573x/bbsilab.html Machine Learning Software Preparing Data Building Classifiers Interpreting Results Machine Learning Software

497 views • 26 slides
Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by

Machine Learning By Alex Scarlatos What is Machine Learning? Machine Learning is the process by which computers can be trained through observation, rather than being explicitly programmed. Basically, a program is given input and adjusts its

567 views • 17 slides
GLOBEVILLE LANDING OUTFALL Globeville Landing Park Globeville Landing Park Part of the DPR

GLOBEVILLE LANDING OUTFALL Globeville Landing Park Globeville Landing Park Part of the DPR

Globeville Landing Park GLOBEVILLE LANDING OUTFALL Globeville Landing Park Globeville Landing Park Part of the DPR system of open space along the South Platte River Gateway into the National Western Center Community park for

207 views • 8 slides
Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning: Study of algorithms that improve their performance P at some task T

Machine Learning 10-601 Tom M. Mitchell Machine Learning Department Carnegie Mellon University January 12, 2015 Today: Readings: What is machine learning? The Discipline of ML Decision tree learning Mitchell, Chapter 3

881 views • 29 slides
Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning

GCT634/AI613: Musical Applications of Machine Learning (Fall 2020) Traditional Machine Learning: Unsupervised Learning Juhan Nam Traditional Machine Learning Pipeline in Classification Tasks A set of hand-designed audio features are selected

405 views • 26 slides
CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine

CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine

1/22/19 CS 335 Machine Learning What is Machine Learning? Dan Sheldon Spring 2019 What is Machine Learning? A Simple Task: Recognize Obama How do you program a computer to Recognize faces? Recommend movies? Decide which web

584 views • 5 slides
Machine Learning Machine Learning: algorithms that use experience to improve their

Machine Learning Machine Learning: algorithms that use experience to improve their

Machine Learning Machine Learning: algorithms that use experience to improve their performance We use machine learning in situations where it is very challenging (or impossible) to define the rules by hand: e.g. face detection

1.05k views • 28 slides
Valid and Reliable Assessment of Uncommon Learning Experiences Kim Carter

Valid and Reliable Assessment of Uncommon Learning Experiences Kim Carter

Valid and Reliable Assessment of Uncommon Learning Experiences Kim Carter kcarter@qedfoundation.org Extended Learning Opportunities Small learning environments Hands-on learning Real world, relevant learning experiences Extended

370 views • 12 slides
Introduction to Machine Learning COMPSCI 371D Machine Learning COMPSCI 371D Machine

Introduction to Machine Learning COMPSCI 371D Machine Learning COMPSCI 371D Machine

Introduction to Machine Learning COMPSCI 371D Machine Learning COMPSCI 371D Machine Learning Introduction to Machine Learning 1 / 12 Outline 1 Nearest Neighbor Prediction 2 Complexity Considerations 3 The Voronoi Diagram 4 Overfitting

571 views • 12 slides
Apollo 11: Lunar Landing INST 154 Apollo at 50 Lunar Landing Apollo 11 Landing Site Selection

Apollo 11: Lunar Landing INST 154 Apollo at 50 Lunar Landing Apollo 11 Landing Site Selection

Apollo 11: Lunar Landing INST 154 Apollo at 50 Lunar Landing Apollo 11 Landing Site Selection Criteria Smoothness : The sites should have relatively few craters Slope: The general slope of the landing area must be less than 2 degrees

279 views • 16 slides
1 Why Study Machine Learning? Why Study Machine Learning? Cognitive Science The Time is Ripe

1 Why Study Machine Learning? Why Study Machine Learning? Cognitive Science The Time is Ripe

What is Learning? Herbert Simon: Learning is any process by which a system improves performance from CS 391L: Machine Learning experience. Introduction What is the task? Classification Problem solving / planning /

603 views • 6 slides
MACHINE LEARNING, STATISTICAL LEARNING AND PARALLEL COMPUTING INTRODUCTION VS MACHINE LEARNING

MACHINE LEARNING, STATISTICAL LEARNING AND PARALLEL COMPUTING INTRODUCTION VS MACHINE LEARNING

JACOPO DI IORIO, MATTEO FONTANA, DANIELE OCCHIUTO, CLAUDIA VOLPETTI MACHINE LEARNING, STATISTICAL LEARNING AND PARALLEL COMPUTING INTRODUCTION VS MACHINE LEARNING STATISTICAL LEARNING Separate evolutions, but with shared methodologies MERGE

565 views • 55 slides
Image Blob Detection: A Machine Learning Approach Andrew Colello Undergraduate Thesis 2016

Image Blob Detection: A Machine Learning Approach Andrew Colello Undergraduate Thesis 2016

Image Blob Detection: A Machine Learning Approach Andrew Colello Undergraduate Thesis 2016 Union College Department of Computer Science Faculty Advisor: Valerie Barr Background: Golf Ball Problem Photo of landing location Finding bright

429 views • 17 slides
Apache PredictionIO End-to-End Machine Learning Server with Apache Spark What is Machine

Apache PredictionIO End-to-End Machine Learning Server with Apache Spark What is Machine

Apache PredictionIO End-to-End Machine Learning Server with Apache Spark What is Machine Learning? What is Machine Learning? Examples of machine learning applications: Facial recognition software E-mail spam detectors Automated

302 views • 17 slides
Machine Learning 11 AI Slides (6e) c Lin Zuoquan@PKU 1998-2020 11 1 11 Machine Learning

Machine Learning 11 AI Slides (6e) c Lin Zuoquan@PKU 1998-2020 11 1 11 Machine Learning

Machine Learning 11 AI Slides (6e) c Lin Zuoquan@PKU 1998-2020 11 1 11 Machine Learning 11.1 Learning agents 11.2 Inductive learning 11.3 Deep learning 11.4 Statistical learning 11.5 Reinforcement learning 11.6 Transfer learning

1.7k views • 159 slides
Deep Learning: Intro Juhan Nam Review of Traditional Machine Learning The traditional machine

Deep Learning: Intro Juhan Nam Review of Traditional Machine Learning The traditional machine

GCT634/AI613: Musical Applications of Machine Learning (Fall 2020) Deep Learning: Intro Juhan Nam Review of Traditional Machine Learning The traditional machine learning pipeline Temporal Frame-level Unsupervised Classifier Summary

613 views • 27 slides
Machine Learning for Auto Optimization What is Machine Learning? Definition: Machine

Machine Learning for Auto Optimization What is Machine Learning? Definition: Machine

Machine Learning for Auto Optimization What is Machine Learning? Definition: Machine learning refers to any system where the performance of a machine in performing a task improves by gaining more experience in performing that task .

396 views • 27 slides
MACHINE LEARNING kernels 1 MACHINE LEARNING 2012 MACHINE LEARNING Kernels: Intuition How

MACHINE LEARNING kernels 1 MACHINE LEARNING 2012 MACHINE LEARNING Kernels: Intuition How

MACHINE LEARNING 2012 MACHINE LEARNING MACHINE LEARNING kernels 1 MACHINE LEARNING 2012 MACHINE LEARNING Kernels: Intuition How to separate the red class from the grey class? x 2 360 r x 1 Polar coordinates Data

1.04k views • 44 slides
BBM406 Fundamentals of Machine Learning Lecture 2: Machine Learning by Examples, Nearest

BBM406 Fundamentals of Machine Learning Lecture 2: Machine Learning by Examples, Nearest

photo:@rewardyfahmi // Unsplash BBM406 Fundamentals of Machine Learning Lecture 2: Machine Learning by Examples, Nearest Neighbor Classifier Aykut Erdem // Hacettepe University // Fall 2019 When Do We Use Machine Learning? ML is

1.33k views • 110 slides
Machine Learning Modeling and Learning 15-110 Monday 4/13 Learning Goals Given a

Machine Learning Modeling and Learning 15-110 Monday 4/13 Learning Goals Given a

Machine Learning Modeling and Learning 15-110 Monday 4/13 Learning Goals Given a dataset, identify features which may help predict information about the data Identify common types of machine learning algorithms 2 Machine

554 views • 27 slides
Machine Learning @ Amazon Ralf Herbrich Amazon 6/29/17 1 Overview Machine Learning in

Machine Learning @ Amazon Ralf Herbrich Amazon 6/29/17 1 Overview Machine Learning in

Machine Learning @ Amazon Ralf Herbrich Amazon 6/29/17 1 Overview Machine Learning in Practise Probabilities Finite Resource Machine Learning @ Amazon Forecasting Machine Translation Visual Systems Conclusions

348 views • 34 slides

More recommend