Tackling Android's Native Library Malware with Robust, Efficient and Accurate Similarity Measures

Conference contribution
(conference paper)


Publication details

Authors: Kalysch A, Milisterfer O, Protsenko M, Müller T
Editor: ACM
Publisher: Association for Computing Machinery
Place of publication: Hamburg
Year of publication: 2018
Conference proceedings: Proceedings of the 13th International Conference on Availability, Reliability and Security
Page range: 58:1--58:10
ISBN: 978-1-4503-6448-5


Abstract

Code similarity measures produce a comparison metric that indicates to what
degree two code samples share the same functionality, e.g., to statically
detect the use of known libraries in binary code. They are an
indispensable part of automated malware analysis, and they also support
the detection of plagiarism (IP protection) and of the illegal use of
open-source libraries in commercial apps. The centroid similarity metric
extracts control-flow features from binary code and encodes them as
geometric structures before comparing them. In our paper, we propose
novel improvements to the centroid approach and apply it to the ARM
architecture for the first time. We implement our approach as a plug-in
for the IDA Pro disassembler and evaluate its efficiency,
accuracy and robustness on Android. Based on a dataset of 508,745 APKs
collected from 18 third-party app markets, we achieve a detection rate
of 89% for the use of native code libraries, with an FPR of 10.8%. To
test the robustness of our approach against changes in compiler version,
optimization level, and other code transformations, we obfuscate and
recompile known open-source libraries and evaluate which code
transformations the approach withstands. Based on our results, we discuss how code
re-use can be hidden by obfuscation and conclude with possible
improvements.


FAU authors / FAU editors

Kalysch, Anatoli
Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)
Müller, Tilo Dr.-Ing.
Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)
Protsenko, Mykolai
Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)


Citation formats

APA:
Kalysch, A., Milisterfer, O., Protsenko, M., & Müller, T. (2018). Tackling Android's Native Library Malware with Robust, Efficient and Accurate Similarity Measures. In ACM (Eds.), Proceedings of the 13th International Conference on Availability, Reliability and Security (pp. 58:1--58:10). Hamburg, Germany: Association for Computing Machinery.

MLA:
Kalysch, Anatoli, et al. "Tackling Android's Native Library Malware with Robust, Efficient and Accurate Similarity Measures." Proceedings of the 13th International Conference on Availability, Reliability and Security, Hamburg, Germany. Ed. ACM. Hamburg: Association for Computing Machinery, 2018. 58:1--58:10.

Last updated 2018-05-10 at 12:53