DBank: Predictive Behavioral Analysis of Recent Android Banking Trojans

Authors: Chongyang Bai, Qian Han, Ghita Mezzour, Fabio Pierazzi, V. S. Subrahmanian

DOI: 10.1109/TDSC.2019.2909902

Keywords: Theoretical computer science; Behavioral analysis; False positive rate; Feature vector; PageRank; Computer science; Malware; Android (operating system); Training set; Trojan

Abstract: Using a novel dataset of Android banking trojans (ABTs), other malware, and goodware, we develop the DBank system to predict whether a given APK is a banking trojan or not. We introduce the concept of a Triadic Suspicion Graph (TSG for short), which contains three kinds of nodes: goodware, banking trojans, and API packages. We develop a feature space based on two classes of scores derived from TSGs: suspicion scores (SUS) and suspicion ranks (SR); the latter yields a family of features that generalize PageRank. While TSG features (based on SUS/SR scores) provide very high predictive accuracy on their own in predicting recent (2016-2017) ABTs, we show that their combination with previously studied lightweight static and dynamic features from the literature yields the highest accuracy in distinguishing ABTs from goodware, while preserving the same accuracy as prior feature combinations in distinguishing ABTs from other malware. In particular, DBank's overall accuracy in predicting whether an APK is a banking trojan or not is up to 99.9% AUC with a 0.3% false positive rate. Moreover, we have already reported unlabeled APKs from VirusTotal (which DBank detected as ABTs) to the Google Security Team; in one case, we discovered it before any of the 63 anti-virus products on VirusTotal did, and in another we beat 62 of the anti-viruses on VirusTotal. This suggests that DBank is capable of making new discoveries in the wild before established vendors do. We also show that our TSG features have some interesting defensive properties, as they are robust to knowledge of the training set by an adversary: even if the adversary uses 90% of the exact training set we use, it is difficult for him to infer DBank's predictions on APKs. We additionally identify the features that best separate and characterize ABTs from goodware as well as from other malware. Finally, we present a detailed data-driven analysis of five major ABT families (FakeToken, Svpeng, Asacub, BankBot, and Marcher) and the features that best separate them from goodware and other malware.

References (26)
Konrad Rieck, Thorsten Holz, Carsten Willems, Patrick Düssel, Pavel Laskov. Learning and Classification of Malware Behavior. International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), pp. 108-125, 2008. doi:10.1007/978-3-540-70542-0_6
Martina Lindorfer, Matthias Neugschwandtner, Christian Platzer. MARVIN: Efficient and Comprehensive Mobile App Classification through Static and Dynamic Analysis. IEEE Computer Software and Applications Conference (COMPSAC), vol. 2, pp. 422-433, 2015. doi:10.1109/COMPSAC.2015.103
Yousra Aafer, Wenliang Du, Heng Yin. DroidAPIMiner: Mining API-Level Features for Robust Malware Detection in Android. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, pp. 86-103, 2013. doi:10.1007/978-3-319-04283-1_6
Iker Burguera, Urko Zurutuza, Simin Nadjm-Tehrani. Crowdroid. Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM '11), pp. 15-26, 2011. doi:10.1145/2046614.2046619
Fabian Yamaguchi, Nico Golde, Daniel Arp, Konrad Rieck. Modeling and Discovering Vulnerabilities with Code Property Graphs. IEEE Symposium on Security and Privacy, pp. 590-604, 2014. doi:10.1109/SP.2014.44
Lei Cen, Christopher S. Gates, Luo Si, Ninghui Li. A Probabilistic Discriminative Model for Android Malware Detection with Decompiled Source Code. IEEE Transactions on Dependable and Secure Computing, vol. 12, pp. 400-412, 2015. doi:10.1109/TDSC.2014.2355839
Claudio Criscione, Fabio Bosatelli, Stefano Zanero, Federico Maggi. ZARATHUSTRA: Extracting Webinject Signatures from Banking Trojans. Conference on Privacy, Security and Trust (PST), pp. 139-148, 2014. doi:10.1109/PST.2014.6890933
André Ricardo A. Grégio, Dario Simões Fernandes, Vitor Monte Afonso, Paulo Lício de Geus, Victor Furuse Martins, Mario Jino. An Empirical Analysis of Malicious Internet Banking Software Behavior. ACM Symposium on Applied Computing (SAC), pp. 1830-1835, 2013. doi:10.1145/2480362.2480704
Kimberly Tam, Salahuddin J. Khan, Aristide Fattori, Lorenzo Cavallaro. CopperDroid: Automatic Reconstruction of Android Malware Behaviors. Network and Distributed System Security Symposium (NDSS), 2015. doi:10.14722/NDSS.2015.23145