Intelligent Mobile Malware Detection


The popularity of Android mobile phones has led more cybercriminals to create malware applications that carry out a wide range of malicious activities. The attacks, which escalated after the COVID-19 pandemic, underline the importance of protecting Android devices from malware. Intelligent Mobile Malware Detection teaches readers how to develop intelligent Android malware detection mechanisms using graph and stochastic models. The book begins with an introduction to the Android operating system, the limitations of state-of-the-art static malware detection mechanisms, and a detailed presentation of a hybrid malware detection mechanism. It then presents four system call-based dynamic Android malware detection mechanisms built on graph centrality measures, graph signal processing and graph convolutional networks. Further, the text shows how most Android malware can be detected by checking for the presence of a distinctive subsequence of system calls in the application's system call trace. All the detection mechanisms presented in the book are based on the authors' recent research. The experiments are conducted on recent Android malware samples collected from public repositories, and source code is provided so the mechanisms can be implemented easily. The book will be useful to Android malware researchers, developers, students and cyber security professionals who want to explore and build defences against ever-evolving Android malware.
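The blurb above describes two of the book's system call-based ideas in one sentence each: turning a system call sequence into a digraph and extracting centrality measures from it (Chapter 5), and checking a trace for a distinctive subsequence of system calls (Chapter 8). The following Python example, added here as an illustration and not taken from the book or its accompanying source code, shows the shape of such a pipeline on two hand-written strace-style traces. The traces, the two call patterns and the choice of normalised in/out-degree as the centrality measure are all assumptions made for the example; the book's own datasets, patterns and measures may differ.

```python
"""Toy pipeline: strace-style trace -> system call digraph -> degree-centrality
feature vector -> system call pattern matching.  Illustrative only."""
import re
from collections import Counter, defaultdict

# Constructed traces, hand-written for this example (not captured from real apps).
BENIGN_TRACE = """\
openat(AT_FDCWD, "/data/app/config.xml", O_RDONLY) = 3
read(3, "<config/>", 4096) = 9
close(3) = 0
ioctl(5, BINDER_WRITE_READ, 0x7f...) = 0
ioctl(5, BINDER_WRITE_READ, 0x7f...) = 0
+++ exited with 0 +++
"""

SUSPECT_TRACE = """\
openat(AT_FDCWD, "/data/data/app/contacts.db", O_RDONLY) = 3
read(3, "...", 4096) = 4096
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, ...}, 16) = 0
sendto(4, "...", 4096, 0, NULL, 0) = 4096
read(3, "...", 4096) = 4096
sendto(4, "...", 4096, 0, NULL, 0) = 4096
close(3) = 0
"""

# Hypothetical call patterns chosen for illustration; not patterns from the book.
PATTERNS = {
    "exfil-contiguous": ("socket", "connect", "sendto"),
    "read-then-send": ("openat", "read", "sendto"),
}

_CALL_RE = re.compile(r"^([a-z_][a-z0-9_]*)\(", re.MULTILINE)


def parse_trace(text):
    """Return the ordered list of system call names in an strace-style log."""
    return _CALL_RE.findall(text)


def build_digraph(seq):
    """Nodes are the distinct calls; edge a->b is weighted by how often b follows a."""
    edges = Counter(zip(seq, seq[1:]))
    return set(seq), edges


def degree_centrality(nodes, edges):
    """Per node: (in-degree, out-degree) over distinct neighbours, divided by n-1.
    Self-loops (a call repeated back to back) are ignored."""
    succ, pred = defaultdict(set), defaultdict(set)
    for a, b in edges:
        if a != b:
            succ[a].add(b)
            pred[b].add(a)
    denom = max(len(nodes) - 1, 1)
    return {n: (len(pred[n]) / denom, len(succ[n]) / denom) for n in sorted(nodes)}


def transition_probabilities(edges):
    """Row-normalised edge weights: the Markov-chain view of the same digraph."""
    out_total = Counter()
    for (a, _), w in edges.items():
        out_total[a] += w
    probs = defaultdict(dict)
    for (a, b), w in edges.items():
        probs[a][b] = w / out_total[a]
    return dict(probs)


def feature_vector(seq, vocab):
    """Fixed-length vector over a shared vocabulary: in-centralities then out-centralities,
    so traces of different apps can be fed to one classifier."""
    nodes, edges = build_digraph(seq)
    cent = degree_centrality(nodes, edges)
    ins = [cent.get(s, (0.0, 0.0))[0] for s in vocab]
    outs = [cent.get(s, (0.0, 0.0))[1] for s in vocab]
    return ins + outs


def contains_contiguous(seq, pattern):
    """Pattern must appear as an unbroken run of calls."""
    k = len(pattern)
    return any(tuple(seq[i:i + k]) == tuple(pattern) for i in range(len(seq) - k + 1))


def contains_subsequence(seq, pattern):
    """Order-preserving match that allows unrelated calls in between."""
    it = iter(seq)
    return all(want in it for want in pattern)


def match_patterns(seq, patterns, gapped=False):
    """Names of the patterns found in the trace, contiguous or gapped."""
    check = contains_subsequence if gapped else contains_contiguous
    return sorted(name for name, pat in patterns.items() if check(seq, pat))


if __name__ == "__main__":
    benign, suspect = parse_trace(BENIGN_TRACE), parse_trace(SUSPECT_TRACE)
    vocab = sorted(set(benign) | set(suspect))
    print("suspect centrality:", degree_centrality(*build_digraph(suspect)))
    print("suspect features:", feature_vector(suspect, vocab))
    print("contiguous:", match_patterns(suspect, PATTERNS))
    print("gapped:", match_patterns(suspect, PATTERNS, gapped=True))
```

The two matchers make the difference between "subsequence" readings visible: `read-then-send` is only found when gaps are allowed, while `exfil-contiguous` is found either way. Whichever reading a detector adopts, it should be fixed up front, since an attacker can defeat a contiguous matcher simply by inserting innocuous calls (the resilience problem the book's final chapter raises).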

Author(s): Tony Thomas, Teenu John, Mamoun Alazab, Roopak Surendran
Series: Security, Privacy, and Trust in Mobile Communications
Publisher: CRC Press
Year: 2022

Language: English
Pages: 190
City: Boca Raton

Cover
Half Title
Series Page
Title Page
Copyright Page
Contents
Preface
Acknowledgements
About the Authors
Symbols
1. Internet and Android OS
1.1. Android OS
1.1.1. Linux kernel
1.1.2. Native libraries
1.1.3. Android runtime
1.1.4. Application framework
1.1.5. Application layer
1.2. Android Application Development
1.3. Google Playstore
1.4. Intents and Intent Filters
1.5. Android Security
1.5.1. Permissions
1.5.2. Application sandbox
1.5.3. Application signature
1.5.4. Data encryption
1.6. Internet of Things
1.6.1. Architecture of IoT
1.6.1.1. Sensor layer
1.6.1.2. Gateways and networks
1.6.1.3. Management service layer
1.6.1.4. Application layer
1.7. Android Things
1.8. IoT Security
1.8.1. Malware Threats in IoT
1.9. Conclusion
2. Android Malware
2.1. PC Malware vs. Android Malware
2.2. Trends in Malware
2.2.1. Trends in Windows malware
2.2.2. Trends in Android malware
2.3. Types of Malware Detection Mechanisms
2.4. Malware Types
2.5. Malware Attacks in Android
2.5.1. Drive by download attack
2.5.2. Update attack
2.5.3. Repacking attack
2.6. History of Malware Attacks in Android
2.7. Conclusion
3. Static Malware Detection
3.1. Reverse Engineering and Static Analysis
3.1.1. Reverse engineering using Apktool and Dex2jar
3.1.2. Static malware analysis tools
3.2. Components of Android Application
3.3. API Call Analysis
3.3.1. APIs used by malware applications
3.4. API Call-Based Static Detection
3.4.1. Mechanisms using the independent occurrence of API
3.4.2. Mechanisms Using API Call Graphs
3.5. Permission and Intent-Based Static Detection
3.5.1. Permission analysis
3.5.1.1. Permissions used by the malware applications
3.5.1.2. Component-based permission escalation attack
3.5.2. Intent-based analysis
3.5.2.1. Intents used for malware attacks
3.5.2.2. Intent-based vulnerabilities
3.5.3. Malware detection using permissions and intents
3.6. Opcode-Based Static Detection
3.6.1. Malware detection using opcodes
3.7. Conclusion
4. Dynamic and Hybrid Malware Detection
4.1. Emulator-Based Dynamic Analysis
4.2. Dynamic Malware Detection Mechanisms
4.2.1. System metric and traffic analysis (Category 1)
4.2.2. Network packet analysis (Category 2)
4.2.3. Sensitive API call analysis (Category 3)
4.2.4. System call analysis (Category 4)
4.2.4.1. System call frequency or TF-IDF-based methods
4.2.4.2. System call dependency graph or Markov chain-based methods
4.2.4.3. System call phylogeny-based methods
4.2.4.4. System call behavior or sequence analysis-based methods
4.3. Hybrid Analysis
4.3.1. Hybrid detection based on a single classifier (Category 1)
4.3.2. Hybrid detection based on ensemble classifiers (Category 2)
4.4. Correlation Among Static and Dynamic Features
4.4.1. Tree augmented Naive Bayes (TAN) model
4.5. Hybrid Analysis with TAN Classifier
4.5.1. Dependencies among API calls, permission and system calls
4.5.2. Ridge regularized logistic regression (RRLR)
4.5.3. Probability estimation
4.5.4. Anomaly detection
4.5.4.1. App permission analysis
4.5.4.2. Static API function call analysis
4.5.4.3. System call analysis
4.5.5. Malware detection using TAN-based model
4.6. Experiments and Analysis
4.6.1. Training phase
4.6.1.1. Estimation of threshold for L1,L2,L3
4.6.1.2. Conditional probability estimation
4.6.2. Evaluation phase
4.7. Conclusion
5. Detection Using Graph Centrality Measures
5.1. Digraph from System Call Sequence
5.2. Centrality Measures from System Call Digraph
5.3. Malware Detection Phase
5.4. Experiments and Analysis
5.4.1. Dataset
5.4.2. Performance results
5.5. Conclusion
6. Graph Convolutional Network for Detection
6.1. Introduction to GCN
6.2. GCN-Based Malware Detection
6.2.1. System call graph construction
6.2.2. GCN for low dimensional feature representation
6.2.3. Training of GCN
6.2.4. System call graph classification using GCN
6.3. Experiments and Analysis
6.3.1. Implementation details
6.4. Detection of Emerging Malware
6.5. Conclusion
7. Graph Signal Processing-Based Detection
7.1. Graph Signal Processing and Its Applications
7.2. Graph Signals from System Call Sequence
7.3. Machine Learning Classification for Malware Detection
7.3.1. Construction of low-dimensional feature vectors
7.4. Experiments and Analysis
7.4.1. Experimental setup
7.4.2. Performance analysis with various ML classifiers
7.5. Miscellaneous Operations on Graph Signals
7.6. Conclusion
8. System Call Pattern-Based Detection
8.1. Extraction of Patterns From System Call Sequences
8.1.1. Representing system call sequence as ergodic Markov chain
8.1.2. Computation of information in system call sequence
8.1.3. Identification of system call patterns
8.2. System call patterns in Walkinwat trojan
8.3. Malware Detection and Classification Based on System Call Patterns
8.4. Experiments and Analysis
8.5. Conclusion
9. Conclusions and Future Directions
9.1. Recent Malware Attacks
9.2. Identifying Exploitation Attacks
9.3. Mitigating Emulator Evasion and Code Coverage Problem
9.4. Resilience to the Change in System Call Sequence
9.5. Collusion Attack
Appendix
Bibliography
Index