TY - GEN
T1 - DySign
T2 - 11th International Conference on Malicious and Unwanted Software, MALWARE 2016
AU - Karbab, El Mouatez Billah
AU - Debbabi, Mourad
AU - Alrabaee, Saed
AU - Mouheb, Djedjiga
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2017/3/28
Y1 - 2017/3/28
N2 - The astonishing spread of Android OS, not only in smartphones and tablets but also in IoT devices, makes this operating system a very tempting target for malware threats. Indeed, the latter are expanding at a similar rate. In this respect, malware fingerprints, whether based on cryptographic or fuzzy hashing, are the first line of defense against such attacks. Fuzzy-hashing fingerprints are suitable for capturing malware static features. Moreover, they are more resilient to small changes in the actual static content of malware files. On the other hand, dynamic analysis is another technique for malware detection that uses emulation environments to extract behavioral features of Android malware. However, to the best of our knowledge, there is no such fingerprinting technique that leverages dynamic analysis and would act as the first defense against Android malware attacks. In this paper, we address the following question: could we generate effective fingerprints for Android malware through dynamic analysis? To this end, we propose DySign, a novel technique for fingerprinting Android malware's dynamic behaviors. This is achieved through the generation of a digest from the dynamic analysis of a malware sample with respect to existing known malware. It is important to mention that: (i) DySign fingerprints are approximations of the behaviors observed during dynamic analysis, so as to achieve resiliency to small changes in the behaviors of future malware variants; (ii) fingerprint computation is agnostic to the analyzed malware sample or family. DySign leverages state-of-the-art Natural Language Processing (NLP) techniques to generate the aforementioned fingerprints, which are then leveraged to build an enhanced Android malware detection system with family attribution. The evaluation of the proposed system on both real-life malware and benign apps demonstrates good detection performance with high scalability.
UR - http://www.scopus.com/inward/record.url?scp=85018169561&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85018169561&partnerID=8YFLogxK
U2 - 10.1109/MALWARE.2016.7888739
DO - 10.1109/MALWARE.2016.7888739
M3 - Conference contribution
AN - SCOPUS:85018169561
T3 - 2016 11th International Conference on Malicious and Unwanted Software, MALWARE 2016
SP - 139
EP - 146
BT - 2016 11th International Conference on Malicious and Unwanted Software, MALWARE 2016
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 18 October 2016 through 21 October 2016
ER -