Published by Georgia Blankenship. Modified over 8 years ago.
Slide 1: Andromaly

Authors: Asaf Shabtai, Uri Kanonov, Yuval Elovici, Chanan Glezer, and Yael Weiss. 2012. "Andromaly": a behavioral malware detection framework for Android devices. J. Intell. Inf. Syst. 38, 1 (Feb 2012).
Presenters: Omkar A. Gadgil, Melvin George, Reshma Raghavan
Slide 2: Introduction

The paper describes a generic and modular framework for detecting malware on Android mobile devices. The framework relies on a lightweight application that monitors various system metrics and analyzes them to infer the well-being state of the device. System metrics include CPU consumption, battery level, number of running processes, etc. The final aim is to identify an optimal mix of classification method, feature selection method and number of monitored features.
Slide 3: Related Work

Malware detection analysis is split into two categories: static and dynamic. Both are implemented using two methods: signature-based and heuristic-based. Frameworks like ANN, SmartSiren and B-SIPS implement anomaly detection, while frameworks like B-BID implement signature detection. Frameworks like IDAMN use anomaly detection as well as signature detection.
Slide 4: Working

Android uses a system-centric security model. Andromaly implements a lightweight malware detection system that performs real-time monitoring, collection, pre-processing and analysis of various system metrics. The system metrics are sent for analysis to processors called threat assessment (TA) units. The TAs are weighted according to threat type, and the system also includes a smoothing phase to avoid instantaneous false alarms.
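The following is an added illustration of the weighted TA units and the smoothing phase described on this slide; it is not the Andromaly code and none of its numbers come from the paper. It assumes three monitored metrics (CPU percentage, running process count, battery drop per minute), a constructed benign baseline, z-score-based TA units with hand-picked per-threat weights, and a three-sample moving average as the smoothing phase. Run over the constructed stream, a single CPU spike stays below the alert threshold, while three consecutive anomalous samples cross it.

```python
"""Weighted threat-assessment (TA) units plus a smoothing phase, in the spirit of
the Andromaly slide. Added illustration only: the metrics, baseline, weights and
moving-average smoothing are assumptions of this example, not the paper's values."""
from collections import deque
from statistics import mean, pstdev

# Constructed benign baseline: (cpu_pct, running_processes, battery_drop_per_min)
BASELINE = [
    (12.0, 40, 0.10), (15.0, 42, 0.12), (11.0, 39, 0.09),
    (14.0, 41, 0.11), (13.0, 40, 0.10), (16.0, 43, 0.13),
]

# Constructed stream: two normal samples, one isolated CPU spike, two normal
# samples, then three consecutive samples anomalous on every metric.
STREAM = [
    (12.0, 40, 0.10), (13.0, 39, 0.09), (90.0, 40, 0.10),
    (13.0, 40, 0.10), (12.0, 40, 0.10),
    (95.0, 80, 0.60), (95.0, 80, 0.60), (95.0, 80, 0.60),
]


class ZScoreTA:
    """One TA unit: how far a metric sits above its benign baseline, as a z-score
    clipped into [0, 1] (1.0 means at least `max_z` standard deviations above)."""

    def __init__(self, metric_index, baseline, weight, max_z=4.0):
        values = [s[metric_index] for s in baseline]
        self.idx = metric_index
        self.mu = mean(values)
        self.sigma = pstdev(values) or 1e-9   # guard against a constant metric
        self.weight = weight
        self.max_z = max_z

    def score(self, sample):
        z = (sample[self.idx] - self.mu) / self.sigma
        return min(max(z, 0.0), self.max_z) / self.max_z


class SmoothedAlerter:
    """Weights the TA scores by threat type and smooths them over a sliding window,
    so one anomalous sample stays below the threshold but sustained deviation crosses it."""

    def __init__(self, tas, window=3, threshold=0.5):
        self.tas = tas
        self.window = deque(maxlen=window)
        self.threshold = threshold
        self.total_weight = sum(ta.weight for ta in tas)

    def raw_score(self, sample):
        return sum(ta.weight * ta.score(sample) for ta in self.tas) / self.total_weight

    def update(self, sample):
        """Feed one sample; return (smoothed_score, alert)."""
        self.window.append(self.raw_score(sample))
        smoothed = sum(self.window) / len(self.window)
        return smoothed, smoothed >= self.threshold


def run_stream(samples, window=3, threshold=0.5):
    """Build the TA units against BASELINE and score each sample of `samples` in order."""
    tas = [
        ZScoreTA(0, BASELINE, weight=2.0),   # CPU: weighted highest (DoS-style threats)
        ZScoreTA(1, BASELINE, weight=1.0),   # process count
        ZScoreTA(2, BASELINE, weight=1.5),   # battery drain
    ]
    alerter = SmoothedAlerter(tas, window, threshold)
    return [alerter.update(s) for s in samples]


if __name__ == "__main__":
    for sample, (score, alert) in zip(STREAM, run_stream(STREAM)):
        print(f"{sample}: smoothed={score:.3f} alert={alert}")
```

The window length and threshold trade detection latency against false alarms: a longer window suppresses more transient spikes but delays the alert on a real sustained attack by the same number of samples.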
Slide 5: Modules
Slide 6: Flow
Slide 7: Detection Method

Machine Learning for Malware Detection
Standard machine learning classifiers categorize continuously monitored features and events as benign or malicious.
Classifiers used: k-Means, Logistic Regression, Histograms, Decision Tree, Bayesian Networks and Naïve Bayes.
Feature selection using the filter approach is essential. Methods used: Chi-Square, Fisher Score, Information Gain. These use the feature ranking approach.
Configurations used: the 10, 20 and 50 highest-ranked features out of the 88 features that were ranked.
Slide 8: Evaluation

This paper aimed to address:
- The possibility of detecting unknown malicious applications using the Andromaly framework.
- The possibility that the behavior of applications could be learned and used to perform the detection on other devices.
- Finding the most accurate classification algorithm.
- Finding the number of extracted features and the feature selection method that result in the most accurate detection.
Slide 9: Evaluation (contd.)

Standard metrics used:
- True Positive Rate (TPR): proportion of positive instances classified correctly
- False Positive Rate (FPR): proportion of negative instances misclassified
- Total Accuracy: proportion of correctly classified instances (positive and negative)
Malicious applications developed to perform DoS attacks and information theft:
- Tips Calculator: DoS attack
- Schedule SMS and Lunar Lander: information theft
- Snake: information theft
- HTTP Upload: information theft
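The feature-ranking pipeline from the Detection Method slide and the metrics defined on this slide, as one added worked example that is not the paper's code or data: a constructed dataset of six monitored features (hypothetical names) of which two are shifted for the malicious class; chi-square and information gain computed on features binarised at their median, the two-class Fisher score, top-k selection, a Gaussian Naïve Bayes classifier written here rather than imported, and TPR/FPR/accuracy on a held-out split. The median binarisation, the feature names, the class shifts and the 2/3 split are assumptions of this example.

```python
"""Filter-style feature ranking (chi-square, Fisher score, information gain), top-k
selection, a Naive Bayes classifier and TPR/FPR/accuracy scoring. Added illustration
of the slides' pipeline, not the paper's code or data; standard library only."""
import math
import random
from statistics import mean, median, pvariance

# Hypothetical feature names for the constructed dataset (index order).
FEATURES = ["cpu_pct", "ctx_switches", "free_mem", "bytes_sent", "procs", "battery"]

def make_dataset(n_per_class=60, seed=7):
    """Constructed data: cpu_pct (0) and bytes_sent (3) are shifted upward for the
    malicious class (label 1); the other four features are pure noise."""
    random.seed(seed)
    X, y = [], []
    for label in (0, 1):
        for _ in range(n_per_class):
            row = [random.gauss(0.0, 1.0) for _ in FEATURES]
            if label == 1:
                row[0] += 2.5
                row[3] += 2.0
            X.append(row)
            y.append(label)
    return X, y

def column(X, j):
    return [row[j] for row in X]

def entropy(labels):
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in (labels.count(0), labels.count(1)) if c)

def split_at_median(X, y, j):
    """Binarise feature j at its median; return the class labels above and at/below it."""
    col = column(X, j)
    thr = median(col)
    return ([lab for x, lab in zip(col, y) if x > thr],
            [lab for x, lab in zip(col, y) if x <= thr])

def fisher_score(X, y, j):
    """Two-class Fisher score: squared mean gap over summed within-class variance."""
    a = [x for x, lab in zip(column(X, j), y) if lab == 0]
    b = [x for x, lab in zip(column(X, j), y) if lab == 1]
    return (mean(a) - mean(b)) ** 2 / (pvariance(a) + pvariance(b))

def info_gain(X, y, j):
    """Information gain of the class given the binarised feature."""
    hi, lo = split_at_median(X, y, j)
    return entropy(y) - (len(hi) * entropy(hi) + len(lo) * entropy(lo)) / len(y)

def chi_square(X, y, j):
    """Chi-square statistic of the 2x2 table (binarised feature x class)."""
    hi, lo = split_at_median(X, y, j)
    expected = lambda part, c: len(part) * y.count(c) / len(y)
    return sum((part.count(c) - expected(part, c)) ** 2 / expected(part, c)
               for part in (hi, lo) for c in (0, 1))

RANKERS = {"chi2": chi_square, "fisher": fisher_score, "infogain": info_gain}

def select_top_k(X, y, method, k):
    """Feature-ranking approach: score every feature, keep the k highest-ranked."""
    scores = {j: RANKERS[method](X, y, j) for j in range(len(X[0]))}
    return sorted(scores, key=scores.get, reverse=True)[:k]

class GaussianNB:
    def fit(self, X, y):
        """Per-class prior plus a (mean, variance) Gaussian for every feature."""
        self.params = {}
        for c in (0, 1):
            rows = [r for r, lab in zip(X, y) if lab == c]
            stats = [(mean(column(rows, j)), pvariance(column(rows, j)) + 1e-9)
                     for j in range(len(X[0]))]
            self.params[c] = (len(rows) / len(X), stats)
        return self

    def predict(self, row):
        def log_post(c):
            prior, stats = self.params[c]
            return math.log(prior) + sum(-0.5 * math.log(2 * math.pi * v) - (x - m) ** 2 / (2 * v)
                                         for x, (m, v) in zip(row, stats))
        return max((0, 1), key=log_post)

def evaluate(y_true, y_pred):
    """TPR, FPR and total accuracy as defined on the evaluation slide."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(t == 1 and p == 1 for t, p in pairs)
    fn = sum(t == 1 and p == 0 for t, p in pairs)
    fp = sum(t == 0 and p == 1 for t, p in pairs)
    tn = sum(t == 0 and p == 0 for t, p in pairs)
    return {"TPR": tp / (tp + fn), "FPR": fp / (fp + tn), "accuracy": (tp + tn) / len(pairs)}

def run(method="fisher", k=2, seed=7):
    """Rank on a training split, keep the top k, train NB, score the held-out third."""
    X, y = make_dataset(seed=seed)
    idx = random.sample(range(len(X)), len(X))
    split = len(idx) * 2 // 3
    Xtr, ytr = [X[i] for i in idx[:split]], [y[i] for i in idx[:split]]
    Xte, yte = [X[i] for i in idx[split:]], [y[i] for i in idx[split:]]
    keep = select_top_k(Xtr, ytr, method, k)
    project = lambda rows: [[r[j] for j in keep] for r in rows]
    clf = GaussianNB().fit(project(Xtr), ytr)
    return [FEATURES[j] for j in keep], evaluate(yte, [clf.predict(r) for r in project(Xte)])
```

Calling `run(method=m)` for each key of `RANKERS` shows the point the slides make about filter methods: all three rankers pick the two shifted features, and the classifier trained on only those two reaches a high TPR with a low FPR on the held-out data. Ranking is done on the training split only so that the held-out metrics are not inflated by feature selection having seen the test labels.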
Slide 10: Experiments
Slide 11: Experimental Results

DT, Logistic Regression and NB are the best classifiers in experiments 1 and 2. NB outperforms the others in experiments 3 and 4. The detection rate is better when using a game as the benign application than when using a tool.
Slide 12: Experimental Results (contd.)

For experiment 1, InfoGain outperformed all the others. For experiments 2, 3 and 4, FisherScore outperformed all the others. Chi-Square and InfoGain graded the same top 10 selected features with very similar ranks.
Slide 13: Discussion and Conclusion
Slide 14: Discussion and Conclusion (contd.)

On observing all the sub-experiments, we can conclude that NB and Logistic Regression were superior to the other classifiers in the majority of the configurations. Another interesting fact is that in all the experiments it was easier to distinguish malicious from benign applications when the benign application was a game rather than a tool application. The most common highly ranked features were the same across devices, owing to the unique and persistent behavior of malicious applications across devices. The proposed detection approach is recommended for detecting continuous attacks (e.g., DoS, worm infection) and needs to be trained on a broader range of examples.