Presentation is loading. Please wait.

Presentation is loading. Please wait.

October 20-23rd, 2015 Automatically Combining Static Malware Detection Techniques ir. David De Lille 1.

Published byArline Bond Modified over 8 years ago

Similar presentations

Presentation on theme: "October 20-23rd, 2015 Automatically Combining Static Malware Detection Techniques ir. David De Lille 1."— Presentation transcript:

1 October 20-23rd, 2015 Automatically Combining Static Malware Detection Techniques ir. David De Lille 1

2 October 20-23rd, 2015 About me Ghent University, Belgium Sense of Security, Australia delilledavid@gmail.com 2

3 October 20-23rd, 2015 Agenda Introduction Background Methodology Results Conclusions 3

4 October 20-23rd, 2015 INTRODUCTION 4

5 October 20-23rd, 2015 Problem 5 Goodware Malware

6 October 20-23rd, 2015 Goal 6 GoodwareMalwareGoodware Malware Accuracy Cost Automatic

7 October 20-23rd, 2015 BACKGROUND 7

8 October 20-23rd, 2015 Collecting Data Cross validation 8 SampleClassTechn. 1Techn. 2Techn. 3 Sample1M110 Sample2G100 Sample3M111 Sample4G000 Avg. Cost71012

9 October 20-23rd, 2015 SampleClassTechn. 1Techn. 2Techn. 3 Sample1M110 Sample2G100 Sample3M111 Avg. Cost71012 SampleClassTechn. 1Techn. 2Techn. 3 Sample4G000 Avg. Cost71012 SampleClassTechn. 1Techn. 2Techn. 3 Sample1M110 Sample3M111 Avg. Cost71012 SampleClassTechn. 1Techn. 2Techn. 3 Sample2G100 Avg. Cost71012 SampleClassTechn. 1Techn. 2Techn. 3 Sample1M110 Sample2G100 Sample3M111 Sample4G000 Avg. Cost71012 Constructing DT 9 Techn. 1 Goodware Techn. 2 GoodwareMalware

10 October 20-23rd, 2015 Algorithms 10

11 October 20-23rd, 2015 Stop Conditions Same class Same values Minimum information gain Minimum # samples 11 SampleClassTechn. 1Techn. 2Techn. 3 SampleXG101 SampleYG101 SampleZM101

12 October 20-23rd, 2015 METHODOLOGY 12

13 October 20-23rd, 2015 Cross Validation Scheme 13

14 October 20-23rd, 2015 APK Android Application Package ZIP file Android Manifest Permissions 14

15 October 20-23rd, 2015 Samples 1598 malware samples:  Android Malware Genome Project  Contagio Mobile 1858 goodware samples:  Top 60 Google Play Store 15

16 October 20-23rd, 2015 Restrictions Static techniques only No fingerprint techniques 16

17 October 20-23rd, 2015 Techniques 7 existing  1-NN on API calls (with a twist) 4 new  DT based on permissions (2 versions)  Does it have permissions?  Does the APK contain an APK? 17

18 October 20-23rd, 2015 RESULTS 18

19 October 20-23rd, 2015 Results Techniques (1) TechniqueCostAccuracySensitivitySpecificity Adagio13.4s94.80%97.50%92.40% API-1NN6.7s95.40%96.40%94.50% BNB0.35s77.50%77.10%77.80% PNB0.35s77.20%79.90%77.50% HMNB0.35s79.30%78.40%80.10% Contains APK0.44s64.60%24.60%98.90% DroidLegacy137s75.70%71.80%79.10% Kirin0.35s68.80%47.60%87.50% Has Permissions0.35s47.20%99.30%2.40% Perm.-DT0.53s93.10%91.30%94.70% Perm.-DT-Enhanc.8.2s94.10% 94.20% 19

20 October 20-23rd, 2015 Results Techniques (2) 20

21 October 20-23rd, 2015 Results DTs 21

22 October 20-23rd, 2015 Other ensembles TechniqueAccuracy 1-NN96.66% 2-NN96.95% 3-NN97.24% 4-NN97.05% 5-NN97.28% Naive Bayes95.85% Neural Network97.36% Support Vector Machine95.59% Linear Discriminant Analysis96.66% 22

23 October 20-23rd, 2015 CONCLUSIONS 23

24 October 20-23rd, 2015 Conclusions EG2 best algorithm More efficient than other ensembles 24

25 October 20-23rd, 2015 Remarks The result is too static. The result is limited to known detection techniques. The authors only use static detection techniques. Would a malware expert get the best decision tree manually ? What is the advantage of DTs over the individual techniques? 25

26 October 20-23rd, 2015 Q&A 26 delilledavid@gmail.com

Download ppt "October 20-23rd, 2015 Automatically Combining Static Malware Detection Techniques ir. David De Lille 1."

Similar presentations

Ch. Eick: More on Machine Learning & Neural Networks Different Forms of Learning: –Learning agent receives feedback with respect to its actions (e.g. using.

Ch. Eick: More on Machine Learning & Neural Networks Different Forms of Learning: –Learning agent receives feedback with respect to its actions (e.g. using.
Data Mining Classification: Alternative Techniques

Data Mining Classification: Alternative Techniques
A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID David Barrera, H. Güne¸s Kayacık, P.C. van Oorschot,

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID David Barrera, H. Güne¸s Kayacık, P.C. van Oorschot,
Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.

Cyber Threat Analysis  Intrusions are actions that attempt to bypass security mechanisms of computer systems  Intrusions are caused by:  Attackers accessing.
Transportation mode detection using mobile phones and GIS information Leon Stenneth, Ouri Wolfson, Philip Yu, Bo Xu 1University of Illinois, Chicago.

Transportation mode detection using mobile phones and GIS information Leon Stenneth, Ouri Wolfson, Philip Yu, Bo Xu 1University of Illinois, Chicago.
A Combinatorial Fusion Method for Feature Mining Ye Tian, Gary Weiss, D. Frank Hsu, Qiang Ma Fordham University Presented by Gary Weiss.

A Combinatorial Fusion Method for Feature Mining Ye Tian, Gary Weiss, D. Frank Hsu, Qiang Ma Fordham University Presented by Gary Weiss.
CS 590M Fall 2001: Security Issues in Data Mining Lecture 3: Classification.

CS 590M Fall 2001: Security Issues in Data Mining Lecture 3: Classification.
Network and Systems Laboratory nslab.ee.ntu.edu.tw Kaisen Lin, Aman Kansal, Dimitrios Lymberopoulos, and Feng Zhao Archiang.

Network and Systems Laboratory nslab.ee.ntu.edu.tw Kaisen Lin, Aman Kansal, Dimitrios Lymberopoulos, and Feng Zhao Archiang.
Mapping Between Taxonomies Elena Eneva 11 Dec 2001 Advanced IR Seminar.

Mapping Between Taxonomies Elena Eneva 11 Dec 2001 Advanced IR Seminar.
Bagging and Boosting in Data Mining Carolina Ruiz

Bagging and Boosting in Data Mining Carolina Ruiz
Three kinds of learning

Three kinds of learning
1 HealthSense : Classification of Health-related Sensor Data through User-Assisted Machine Learning Presenter: Mi Zhang Feb. 23 rd, 2009 From Prof. Gregory.

1 HealthSense : Classification of Health-related Sensor Data through User-Assisted Machine Learning Presenter: Mi Zhang Feb. 23 rd, 2009 From Prof. Gregory.
Bagging LING 572 Fei Xia 1/24/06. Ensemble methods So far, we have covered several learning methods: FSA, HMM, DT, DL, TBL. Question: how to improve results?

Bagging LING 572 Fei Xia 1/24/06. Ensemble methods So far, we have covered several learning methods: FSA, HMM, DT, DL, TBL. Question: how to improve results?
Pattern Classification All materials in these slides were taken from Pattern Classification (2nd ed) by R. O. Duda, P. E. Hart and D. G. Stork, John Wiley.

Pattern Classification All materials in these slides were taken from Pattern Classification (2nd ed) by R. O. Duda, P. E. Hart and D. G. Stork, John Wiley.
Defect prediction using social network analysis on issue repositories Reporter: Dandan Wang Date: 04/18/2011.

Defect prediction using social network analysis on issue repositories Reporter: Dandan Wang Date: 04/18/2011.
Walter Hop Web-shop Order Prediction Using Machine Learning Master’s Thesis Computational Economics.

Walter Hop Web-shop Order Prediction Using Machine Learning Master’s Thesis Computational Economics.
A Hybrid Model to Detect Malicious Executables Mohammad M. Masud Latifur Khan Bhavani Thuraisingham Department of Computer Science The University of Texas.

A Hybrid Model to Detect Malicious Executables Mohammad M. Masud Latifur Khan Bhavani Thuraisingham Department of Computer Science The University of Texas.
CISC 879 - Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:

CISC Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:
A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.
APKInspector -Static Analysis of Android Applications Student: Yuan Tian Mentor: Cong Zheng Backup Mentor: Anthony Kara Jianwei 08/22/2012.

APKInspector -Static Analysis of Android Applications Student: Yuan Tian Mentor: Cong Zheng Backup Mentor: Anthony Kara Jianwei 08/22/2012.

Similar presentations

Ads by Google