Andro-Dumpsys: Anti-malware system based on the similarity of malware creator and malware centric information

Jae Wook Jang; Hyunjae Kang; Jiyoung Woo; Aziz Mohaisen; Huy Kang Kim

doi:10.1016/j.cose.2015.12.005

Andro-Dumpsys: Anti-malware system based on the similarity of malware creator and malware centric information

Jae Wook Jang, Hyunjae Kang, Jiyoung Woo, Aziz Mohaisen, Huy Kang Kim

Research output: Contribution to journal › Article › peer-review

53 Citations (Scopus)

Abstract

With the fast growth in mobile technologies and the accompanied rise of the integration of such technologies into our everyday life, mobile security is viewed as one of the most prominent areas and is being addressed accordingly. For that, and especially to address the threat associated with malware, various malware-centric analysis methods are developed in the literature to identify, classify, and defend against mobile threats and malicious actors. However, along with this development, anti-malware analysis techniques, such as packing, dynamic loading, and dex encryption, have seen wide adoption, making existing malware-centric analysis methods less effective. In this paper, we propose a feature-rich hybrid anti-malware system, called Andro-Dumpsys, which leverages volatile memory acquisition for accurate malware detection and classification. Andro-Dumpsys is based on similarity matching of malware creator-centric and malware-centric information. Using Andro-Dumpsys, we detect and classify malware samples into similar behavior groups by exploiting their footprints, which are equivalent to unique behavior characteristics. Our experimental results demonstrate that Andro-Dumpsys is scalable, and performs well in detecting malware and classifying malware families with low false positives and false negatives, and is capable of responding zero-day threats.

Original language	English
Pages (from-to)	125-138
Number of pages	14
Journal	Computers and Security
Volume	58
DOIs	https://doi.org/10.1016/j.cose.2015.12.005
Publication status	Published - 2016 May

Bibliographical note

Publisher Copyright:
© 2015 Elsevier Ltd. All rights reserved.

Keywords

Android
Malware creator centric information
Mobile malware
Similarity
Volatile memory acquisition

ASJC Scopus subject areas

General Computer Science
Law

Access to Document

10.1016/j.cose.2015.12.005

Cite this

@article{aedc68de14604b6e9acf3ac3e2eaedee,

title = "Andro-Dumpsys: Anti-malware system based on the similarity of malware creator and malware centric information",

abstract = "With the fast growth in mobile technologies and the accompanied rise of the integration of such technologies into our everyday life, mobile security is viewed as one of the most prominent areas and is being addressed accordingly. For that, and especially to address the threat associated with malware, various malware-centric analysis methods are developed in the literature to identify, classify, and defend against mobile threats and malicious actors. However, along with this development, anti-malware analysis techniques, such as packing, dynamic loading, and dex encryption, have seen wide adoption, making existing malware-centric analysis methods less effective. In this paper, we propose a feature-rich hybrid anti-malware system, called Andro-Dumpsys, which leverages volatile memory acquisition for accurate malware detection and classification. Andro-Dumpsys is based on similarity matching of malware creator-centric and malware-centric information. Using Andro-Dumpsys, we detect and classify malware samples into similar behavior groups by exploiting their footprints, which are equivalent to unique behavior characteristics. Our experimental results demonstrate that Andro-Dumpsys is scalable, and performs well in detecting malware and classifying malware families with low false positives and false negatives, and is capable of responding zero-day threats.",

keywords = "Android, Malware creator centric information, Mobile malware, Similarity, Volatile memory acquisition",

author = "Jang, {Jae Wook} and Hyunjae Kang and Jiyoung Woo and Aziz Mohaisen and Kim, {Huy Kang}",

year = "2016",

month = may,

doi = "10.1016/j.cose.2015.12.005",

language = "English",

volume = "58",

pages = "125--138",

journal = "Computers and Security",

issn = "0167-4048",

publisher = "Elsevier Ltd",

}

TY - JOUR

T1 - Andro-Dumpsys

T2 - Anti-malware system based on the similarity of malware creator and malware centric information

AU - Jang, Jae Wook

AU - Kang, Hyunjae

AU - Woo, Jiyoung

AU - Mohaisen, Aziz

AU - Kim, Huy Kang

PY - 2016/5

Y1 - 2016/5

N2 - With the fast growth in mobile technologies and the accompanied rise of the integration of such technologies into our everyday life, mobile security is viewed as one of the most prominent areas and is being addressed accordingly. For that, and especially to address the threat associated with malware, various malware-centric analysis methods are developed in the literature to identify, classify, and defend against mobile threats and malicious actors. However, along with this development, anti-malware analysis techniques, such as packing, dynamic loading, and dex encryption, have seen wide adoption, making existing malware-centric analysis methods less effective. In this paper, we propose a feature-rich hybrid anti-malware system, called Andro-Dumpsys, which leverages volatile memory acquisition for accurate malware detection and classification. Andro-Dumpsys is based on similarity matching of malware creator-centric and malware-centric information. Using Andro-Dumpsys, we detect and classify malware samples into similar behavior groups by exploiting their footprints, which are equivalent to unique behavior characteristics. Our experimental results demonstrate that Andro-Dumpsys is scalable, and performs well in detecting malware and classifying malware families with low false positives and false negatives, and is capable of responding zero-day threats.

AB - With the fast growth in mobile technologies and the accompanied rise of the integration of such technologies into our everyday life, mobile security is viewed as one of the most prominent areas and is being addressed accordingly. For that, and especially to address the threat associated with malware, various malware-centric analysis methods are developed in the literature to identify, classify, and defend against mobile threats and malicious actors. However, along with this development, anti-malware analysis techniques, such as packing, dynamic loading, and dex encryption, have seen wide adoption, making existing malware-centric analysis methods less effective. In this paper, we propose a feature-rich hybrid anti-malware system, called Andro-Dumpsys, which leverages volatile memory acquisition for accurate malware detection and classification. Andro-Dumpsys is based on similarity matching of malware creator-centric and malware-centric information. Using Andro-Dumpsys, we detect and classify malware samples into similar behavior groups by exploiting their footprints, which are equivalent to unique behavior characteristics. Our experimental results demonstrate that Andro-Dumpsys is scalable, and performs well in detecting malware and classifying malware families with low false positives and false negatives, and is capable of responding zero-day threats.

KW - Android

KW - Malware creator centric information

KW - Mobile malware

KW - Similarity

KW - Volatile memory acquisition

UR - http://www.scopus.com/inward/record.url?scp=84954211474&partnerID=8YFLogxK

U2 - 10.1016/j.cose.2015.12.005

DO - 10.1016/j.cose.2015.12.005

M3 - Article

AN - SCOPUS:84954211474

SN - 0167-4048

VL - 58

SP - 125

EP - 138

JO - Computers and Security

JF - Computers and Security

ER -

Andro-Dumpsys: Anti-malware system based on the similarity of malware creator and malware centric information

Abstract

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this