Detection of transformed malwares using permission flow graphs

Title: Detection of transformed malwares using permission flow graphs
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Seth, R., Kaushal, R.
Conference Name: 2017 IEEE International Conference on Consumer Electronics-Asia (ICCE-Asia)
ISBN Number: 978-1-5386-2787-7
Keywords: Android app, Android malware, Androids, attack surface, code level changes, control flow, detection accuracy, feature extraction, flow graphs, graph based similarity metrics, graph theory, Human Behavior, Humanoid robots, invasive software, learning (artificial intelligence), lightweight static Permission Flow Graph based approach, malicious apps, Malware, malware analysis, malware variants, Measurement, Metrics, mobile computing, nontransformed malware, permission flow graph, permission flow graphs, permission framework, privacy, pubcrawl, resilience, Resiliency, signature based detection, smart phones, state-of-the-art graph similarity algorithm, transformed malware, vertex level

Abstract: With the growing popularity of Android, its attack surface has also increased. The prevalence of third-party Android marketplaces gives attackers an opportunity to plant their malicious apps in the mobile ecosystem. To evade signature-based detection, attackers often transform their malware, for instance by introducing code-level changes. In this paper we propose a lightweight static Permission Flow Graph (PFG) based approach to detect malware even after it has been transformed (obfuscated). A number of techniques based on behavioral analysis have been proposed in the past; however, our interest lies in leveraging the permission framework alone to detect malware variants and transformations, without considering the behavioral aspects of a malware. Our proposed approach constructs a Permission Flow Graph (PFG) for an Android app. Transformations performed at code level often change the control flow; most of the time, however, the permission flow remains invariant. As a consequence, the PFGs of transformed and non-transformed malware remain structurally similar, as we show in this paper using a state-of-the-art graph similarity algorithm. Furthermore, we propose graph-based similarity metrics at both the edge level and the vertex level in order to bring out the structural similarity of the two PFGs being compared. We validate our proposed methodology through machine learning algorithms. The results show that our approach successfully groups an Android malware and its variants (transformations) into the same cluster. Further, we demonstrate that our proposed approach is able to detect transformed malware with a detection accuracy of 98.26%, thereby ensuring that malicious apps can be detected even after transformation.
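The following is an added illustration of the idea the abstract describes, not code from the paper: the way a permission flow graph is built here (vertices are permissions, a directed edge links two permission-guarded API calls that follow each other along a control-flow trace), the API-to-permission mapping, the Jaccard-based vertex-level and edge-level metrics, and the sample call traces are all assumptions constructed for this example. It shows why code-level transformations that insert junk instructions or rename helpers leave the PFG unchanged while the underlying control flow differs, and how a variant with an extra permission-guarded step scores as partially similar.

```python
"""Permission flow graph (PFG) illustration. Added example with assumed
PFG construction and assumed similarity metrics; not the paper's code."""


# Assumed, constructed mapping from simplified Android API calls to the
# permission each call requires. Calls absent from the map need no permission.
API_PERMISSION = {
    "TelephonyManager.getDeviceId": "READ_PHONE_STATE",
    "SmsManager.sendTextMessage": "SEND_SMS",
    "LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "HttpURLConnection.connect": "INTERNET",
    "ContactsContract.query": "READ_CONTACTS",
}


def build_pfg(trace):
    """Build a PFG from a control-flow trace of API calls (assumed model).

    Vertices are permissions. A directed edge (p, q) means a call guarded by
    permission p is followed along the trace by a call guarded by q. Calls
    that need no permission are dropped, so renaming, junk code and extra
    non-sensitive calls leave the graph untouched.
    """
    perms = [API_PERMISSION[call] for call in trace if call in API_PERMISSION]
    vertices = frozenset(perms)
    edges = frozenset(zip(perms, perms[1:]))
    return vertices, edges


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def pfg_similarity(pfg_a, pfg_b):
    """Return (vertex-level, edge-level) similarity, both assumed Jaccard."""
    (va, ea), (vb, eb) = pfg_a, pfg_b
    return jaccard(va, vb), jaccard(ea, eb)


# Constructed sample traces (simplified; not from any real app).
ORIGINAL = [
    "Activity.onCreate",
    "TelephonyManager.getDeviceId",
    "StringBuilder.append",
    "HttpURLConnection.connect",
    "LocationManager.getLastKnownLocation",
    "HttpURLConnection.connect",
]

# Same permission flow, but with renamed helpers and junk calls inserted so
# the control flow (and any code-level signature) differs from ORIGINAL.
TRANSFORMED = [
    "Activity.onCreate",
    "a.b", "Math.random",
    "TelephonyManager.getDeviceId",
    "c.d",
    "HttpURLConnection.connect",
    "Thread.sleep",
    "LocationManager.getLastKnownLocation",
    "e.f",
    "HttpURLConnection.connect",
]

# A variant that adds one more permission-guarded step at the end.
VARIANT = ORIGINAL + ["SmsManager.sendTextMessage"]

# An unrelated app touching a different permission.
UNRELATED = ["Activity.onCreate", "ContactsContract.query", "TextView.setText"]


def compare_to_original(trace):
    """Similarity of a trace's PFG to ORIGINAL's PFG."""
    return pfg_similarity(build_pfg(ORIGINAL), build_pfg(trace))


if __name__ == "__main__":
    for name, trace in [("transformed", TRANSFORMED),
                        ("variant", VARIANT),
                        ("unrelated", UNRELATED)]:
        v_sim, e_sim = compare_to_original(trace)
        print(f"{name:12s} vertex={v_sim:.2f} edge={e_sim:.2f}")
```

In this model the transformed sample scores 1.0 on both metrics because every inserted call is permission-free and is discarded before edges are formed; the variant keeps all of the original's vertices and edges but adds one of each, giving 0.75 on both; the unrelated app shares nothing and scores 0.0. A real PFG would be extracted statically from the app's call graph and permission map rather than from a linear trace, and the paper's own metrics may differ from the Jaccard scores assumed here.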

Citation Key: seth_detection_2017