Spotting the Malicious Moment: Characterizing Malware Behavior Using Dynamic Features

posted Jun 20, 2016, 12:31 AM by Eric Medvet   [ updated Dec 19, 2016, 1:09 AM ]
While mobile devices become more pervasive every day, the interest in them from attackers is also increasing, making effective malware detection tools of utmost importance for malware investigation and user protection.
The most informative way to identify malware is to say exactly when and how malicious behavior is exposed. In this way, a better understanding of malware can be achieved and effective tools for its detection can be written. However, due to the complexity of this task, most current approaches classify a complete application as malicious or benign, without giving further insight into which parts of it were malicious.
In this work, we propose a technique for the automatic analysis of mobile applications which allows users and analysts to identify the subsequences of execution traces where malicious activity happens, making further manual analysis and understanding of malware easier. Our technique is based on dynamic features concerning resource usage and system calls, which are jointly collected while the application is executed. An execution trace is then split into shorter chunks that are analyzed with machine learning techniques to detect local malicious behavior. Results obtained on the analysis of 3232 Android applications show that the collected features contain enough information to identify suspicious execution traces that should be further analyzed and investigated.
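The chunk-level idea described above, as an added sketch that is not the paper's code: a trace of jointly sampled system calls and resource usage is split into fixed-size chunks, each chunk becomes a feature vector, and a classifier labels each chunk on its own. The syscall vocabulary, the chunk size of 4, the `cpu`/`net` fields and the nearest-centroid classifier are all assumptions, since the page does not name the features or the learning method used.

```python
from collections import Counter
from math import dist

# Assumed syscall vocabulary; the page does not list the features used.
SYSCALLS = ["read", "write", "open", "connect", "sendto", "ioctl"]

def chunk(trace, size):
    """Split a trace into consecutive chunks of `size` samples (a short tail is dropped)."""
    return [trace[i:i + size] for i in range(0, len(trace) - size + 1, size)]

def features(ch):
    """Relative syscall frequencies followed by mean CPU and mean network load."""
    counts = Counter(s["syscall"] for s in ch)
    freq = [counts[name] / len(ch) for name in SYSCALLS]
    return freq + [sum(s["cpu"] for s in ch) / len(ch), sum(s["net"] for s in ch) / len(ch)]

def train(labelled_chunks):
    """Nearest-centroid model (an assumption): one mean feature vector per label."""
    by_label = {}
    for ch, label in labelled_chunks:
        by_label.setdefault(label, []).append(features(ch))
    return {lab: [sum(col) / len(vs) for col in zip(*vs)] for lab, vs in by_label.items()}

def flag(trace, model, size):
    """Indexes of the chunks whose nearest centroid is the 'malicious' one."""
    hits = []
    for i, ch in enumerate(chunk(trace, size)):
        vec = features(ch)
        if min(model, key=lambda lab: dist(vec, model[lab])) == "malicious":
            hits.append(i)
    return hits

def s(syscall, cpu, net):
    return {"syscall": syscall, "cpu": cpu, "net": net}

# Constructed samples: cpu and net are loads normalised to [0, 1].
BENIGN = [s("read", .1, 0), s("write", .1, 0), s("ioctl", .2, 0), s("open", .1, 0)]
MALICIOUS = [s("connect", .6, .8), s("sendto", .7, .9), s("sendto", .7, .9), s("read", .6, .7)]
MODEL = train([(BENIGN, "benign"), (MALICIOUS, "malicious")])

# Constructed trace: chunk 2 resembles, but does not equal, the malicious training chunk.
TRACE = (BENIGN
         + [s("read", .1, 0), s("read", .2, 0), s("write", .1, .1), s("open", .1, 0)]
         + [s("connect", .5, .7), s("sendto", .8, .9), s("read", .5, .6), s("write", .4, .5)]
         + BENIGN)

if __name__ == "__main__":
    print("suspicious chunks:", flag(TRACE, MODEL, 4))
```

The output is a list of chunk positions rather than a single verdict for the application, which is what lets an analyst go straight to the part of the trace worth inspecting by hand.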