A Friend or a Foe? Detecting Malware using Memory and CPU Features

Jelena Milosevic, Miroslaw Malek, Alberto Ferrante

Abstract

With an ever-increasing and ever more aggressive proliferation of malware, its detection is of utmost importance. However, due to the fact that IoT devices are resource-constrained, it is difficult to provide effective solutions. The main goal of this paper is the development of lightweight techniques for dynamic malware detection. For this purpose, we identify an optimized set of features to be monitored at runtime on mobile devices as well as detection algorithms that are suitable for battery-operated environments. We propose to use a minimal set of most indicative memory and CPU features reflecting malicious behavior. The performance analysis and validation of features usefulness in detecting malware have been carried out by considering the Android operating system. The results show that memory and CPU related features contain enough information to discriminate between execution traces belonging to malicious and benign applications with significant detection precision and recall. Since the proposed approach requires only a limited number of features and algorithms of low complexity, we believe that it can be used for effective malware detection, not only on mobile devices, but also on other smart elements of IoT.

References

  1. Android Open Source project (2015a). Android Debug Bridge. Online: http://developer.android.com/tools/help/adb.html.
  2. Android Open Source project (2015b). Android Software Development Kit. Online: https://developer.android.com/sdk/index.html.
  3. Android Open Source project (2015c). UI/Application Exerciser Monkey. Online: http://developer.android.com/tools/help/monkey.html.
  4. Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., and Rieck, K. (2014). DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. In NDSS.
  5. Becher, M., Freiling, F. C., Hoffmann, J., Holz, T., Uellenbeck, S., and Wolf, C. (2011). Mobile Security Catching Up? Revealing the Nuts and Bolts of the Security of Mobile Devices. In Symposium on Security and Privacy, SP 7811, pages 96-111. IEEE Computer Society.
  6. Bishop, C. M. (2006). Pattern Recognition and Machine Learning (Information Science and Statistics). Springer-Verlag New York, Inc., Secaucus, NJ, USA.
  7. Breiman, L. (2001). Random forests. Mach. Learn., 45(1):5-32.
  8. Enck, W., Ongtang, M., and McDaniel, P. (2009). On lightweight mobile phone application certification. In 16th ACM conference on Computer and communications security (CCS), pages 235-245. ACM.
  9. Felt, A. P., Finifter, M., Chin, E., Hanna, S., and Wagner, D. (2011a). A Survey Of Mobile Malware in the Wild. In 1st ACM workshop on Security and privacy in smartphones and mobile devices (SPSM), pages 3- 14. ACM.
  10. Felt, A. P., Greenwood, K., and Wagner, D. (2011b). The effectiveness of application permissions. In 2nd USENIX conference on Web application development (WebApps), pages 7-7. USENIX Association.
  11. Gartner, Inc. (2015). Gartner says emerging markets drove worldwide smartphone sales to 15.5 percent growth in third quarter of 2015. Online: http://www.gartner.com/newsroom/id/3169417.
  12. Google Developers (2015). Brillo. Online: https://developers.google.com/brillo.
  13. Google Inc. (2015a). Android Developers - Investigating Your RAM Usage. Online: http://developer.an droid.com/tools/debugging/debugging-memory.html.
  14. Google Inc. (2015b). Google Play. Online: https://play.google.com.
  15. Google Inc. (2015c). Google Report - Android Security 2014 Year in Review. Technical report. Online: https://static.googleusercontent.com/media/source.an droid.com/it//devices/tech/security/reports/Google Android Security 2014 Report Final.pdf.
  16. Group, C. (2015). 2015 cyberthreat defense report. Technical report. Online: http://www.bright cloud.com/pdf/cyberedge-2015-cdr-report.pdf.
  17. Hall, M., Frank, E., Holmes, G., Pfahringer, B., Reutemann, P., and Witten, I. H. (2009). The WEKA data mining software: an update. SIGKDD Explor. Newsl., 11(1):10-18.
  18. Hall, M. A. (1998). Correlation-based Feature Subset Selection for Machine Learning. PhD thesis, University of Waikato, Hamilton, New Zealand.
  19. Ham, H.-S. and Choi, M.-J. (2013). Analysis of android malware detection performance using machine learning classifiers. In ICT Convergence (ICTC), 2013 International Conference on, pages 490-495.
  20. Holte, R. (1993). Very simple classification rules perform well on most commonly used datasets. Machine Learning, 11(1):63-90.
  21. John, G. and Langley, P. (1995). Estimating continuous distributions in bayesian classifiers. In In Proceedings of the Eleventh Conference on Uncertainty in Artificial Intelligence, pages 338-345. Morgan Kaufmann.
  22. Kim, H., Smith, J., and Shin, K. G. (2008). Detecting energy-greedy anomalies and mobile malware variants. In Proceedings of the 6th International Conference on Mobile Systems, Applications, and Services, MobiSys 7808, pages 239-252, New York, NY, USA. ACM.
  23. Kohavi, R. (1995). A study of cross-validation and bootstrap for accuracy estimation and model selection. pages 1137-1143. Morgan Kaufmann.
  24. Le Cessie, S. and Van Houwelingen, J. C. (1992). Ridge estimators in logistic regression. Applied statistics, pages 191-201.
  25. Liu, H. and Yu, L. (2005). Toward integrating feature selection algorithms for classification and clustering. IEEE Transactions on Knowledge and Data Engineering, 17(4):491-502.
  26. Liu, L., Yan, G., Zhang, X., and Chen, S. (2009). VirusMeter: Preventing Your Cellphone from Spies. In 12th International Symposium on Recent Advances in Intrusion Detection (RAID), pages 244-264. Springer.
  27. McAfee Labs (February 2015). Threats Report. Technical report. Online: http://www.mcafee.com/hk/resources/reports/rpquarterly-threat-q4-2014.pdf.
  28. Milosevic, J., Dittrich, A., Ferrante, A., and Malek, M. (2014). A resource-optimized approach to efficient early detection of mobile malware. In Availability, Reliability and Security (ARES), 2014 Ninth International Conference on, pages 333-340. IEEE.
  29. Milosevic, J., Ferrante, A., and Malek, M. (2016). What does the memory say? towards the most indicative features for efcfiient malware detection. In CCNC 2016, The 13th Annual IEEE Consumer Communications & Networking Conference, Las Vegas, NV, USA. IEEE Communication Society, IEEE Communication Society.
  30. Moser, A., Kruegel, C., and Kirda, E. (2007). Limits of static analysis for malware detection. In Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-Third Annual, pages 421-430.
  31. Quinlan, J. R. (1993). C4.5: programs for machine learning. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA.
  32. Shabtai, A., Kanonov, U., Elovici, Y., Glezer, C., and Weiss, Y. (2012). ”andromaly”: A behavioral malware detection framework for android devices. J. Intell. Inf. Syst., 38(1):161-190.
  33. Symantec Corporation (2015). Internet security threat report volume 20. Technical report. Online: https://www.symantec.com/content/en/us/enterprise/ other resources/21347933 GA RPT-internetsecurity-threat-report-volume-20-2015.pdf.
  34. Truong, H. T. T., Lagerspetz, E., Nurmi, P., Oliner, A. J., Tarkoma, S., Asokan, N., and Bhattacharya, S. (2013). The Company You Keep: Mobile Malware Infection Rates and Inexpensive Risk Indicators. CoRR, abs/1312.3245.
  35. Wu, D.-J., Mao, C.-H., Wei, T.-E., Lee, H.-M., and Wu, K.-P. (2012). Droidmat: Android malware detection through manifest and api calls tracing. In Information Security (Asia JCIS), 2012 Seventh Asia Joint Conference on, pages 62-69.
  36. Zhou, Y. and Jiang, X. (2012). Dissecting Android Malware: Characterization and Evolution. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP 7812, pages 95-109, Washington, DC, USA. IEEE Computer Society.
Download


Paper Citation


in Harvard Style

Milosevic J., Malek M. and Ferrante A. (2016). A Friend or a Foe? Detecting Malware using Memory and CPU Features . In Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016) ISBN 978-989-758-196-0, pages 73-84. DOI: 10.5220/0005964200730084


in Bibtex Style

@conference{secrypt16,
author={Jelena Milosevic and Miroslaw Malek and Alberto Ferrante},
title={A Friend or a Foe? Detecting Malware using Memory and CPU Features},
booktitle={Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)},
year={2016},
pages={73-84},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005964200730084},
isbn={978-989-758-196-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 13th International Joint Conference on e-Business and Telecommunications - Volume 4: SECRYPT, (ICETE 2016)
TI - A Friend or a Foe? Detecting Malware using Memory and CPU Features
SN - 978-989-758-196-0
AU - Milosevic J.
AU - Malek M.
AU - Ferrante A.
PY - 2016
SP - 73
EP - 84
DO - 10.5220/0005964200730084