The credit for creating these slides belongs to Fall 2014 CS 521/621 students. Student names have been removed per FERPA regulations.
Checking App Behavior Against App Descriptions
Is it Malicious?
● An app that sends a text message to a premium number to raise money is suspicious? Maybe, but on Android, this is a legitimate payment method for unlocking game features.
● An app that tracks your current position is malicious? Not if it is a navigation app, a trail tracker, or a map application.
● An application that takes all of your contacts and sends them to some server is malicious? This is exactly what WhatsApp, one of the world’s most popular mobile messaging applications, does upon initialization.
Research Questions
● How do we know an application does what it claims to do?
● How do we identify malware in an app market?
● How do we group together similar applications based on their descriptions?
Key Idea
● By clustering Android apps by their description topics, we can identify outliers in each cluster by examining their API usage.
● Applications that are similar, in terms of app description, should also behave similarly.
● If an app makes an API call that other apps in the same cluster do not make, we can mark that app as an outlier.
Contributions
A new approach called CHABADA (CHecking App Behavior Against Descriptions of Apps) to detect anomalies (mismatches between advertised and implemented behavior).
● Applied on a set of 22,500+ Android applications
● Identified the main topics for each application from their descriptions
● Sorted applications by related topics into 32 clusters (different from Google Play Store categories)
● Ranked applications in each cluster as most abnormal with respect to their usage of sensitive APIs
● Correctly identified 56% of malicious applications, without requiring known malware patterns
Example - GPS App
Example - GPS App
1. CHABADA starts with a collection of “good” apps
2. It identifies the main topics (“weather”, “navigation”, ...)
3. It then clusters apps by related topics (Figure 1)
4. In each cluster, it identifies the APIs each app accesses (sensitive APIs only) (Figure 2)
5. It identifies outliers with respect to API usage and produces, for each cluster, a list of applications ranked by abnormality
Example - GPS App
Figure 1
Example - GPS App
Figure 2
Clustering Apps by Description
● Obtained a total of 22,521 apps across all categories in the Google Play Store
● Used NLP to reduce each app description to English, functional base words
● Fed the processed descriptions into LDA to form 30 “topics”, clusters of words commonly found together
● Used the K-means clustering algorithm to group applications into 32 clusters
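The description-clustering pipeline above can be sketched with scikit-learn. The corpus, topic count, and cluster count below are toy stand-ins for the paper's 22,521 descriptions, 30 topics, and 32 clusters:

```python
from sklearn.feature_extraction.text import CountVectorizer
from sklearn.decomposition import LatentDirichletAllocation
from sklearn.cluster import KMeans

# Hypothetical, already-preprocessed app descriptions.
descriptions = [
    "track your gps position on hiking trails",
    "navigation with offline maps and routes",
    "weather forecast with radar maps",
    "send text messages to your contacts",
]

# Bag-of-words representation of the descriptions.
counts = CountVectorizer(stop_words="english").fit_transform(descriptions)

# LDA assigns each app a probability distribution over topics
# (2 topics here; the paper uses 30).
lda = LatentDirichletAllocation(n_components=2, random_state=0)
topic_mix = lda.fit_transform(counts)

# K-means groups apps with similar topic mixtures into clusters
# (2 here; the paper ends up with 32).
clusters = KMeans(n_clusters=2, n_init=10, random_state=0).fit_predict(topic_mix)
```

Note that clustering on the topic mixture, rather than on raw words, is what lets apps with different vocabularies but related functionality land in the same cluster.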
Clusters and Assigned Names
Identifying Outliers by APIs
● Extracted all API calls from the apk file via static analysis
● Filtered to only sensitive APIs, which are those regulated by user-approved app permissions
● Used machine learning to recognize abnormal API usage in each topic cluster
● Trained an OC-SVM on a subset of each topic cluster, then used it to identify outlier applications
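A minimal sketch of the per-cluster outlier ranking, assuming binary sensitive-API flags as features. The feature columns and app data are invented for illustration, and `nu` is tuned for this tiny sample:

```python
import numpy as np
from sklearn.svm import OneClassSVM

# One topic cluster: rows are apps, columns are binary flags for
# sensitive-API use [LOCATION, SEND_SMS, READ_CONTACTS] (invented features).
apps = np.array([[1, 0, 0]] * 7 +   # typical navigation-style apps
                [[1, 1, 1]])        # also sends SMS and reads contacts

ocsvm = OneClassSVM(kernel="rbf", gamma="scale", nu=0.5).fit(apps)

# Lower decision scores mean farther from the learned "normal" region;
# sorting ascending yields the cluster's abnormality ranking.
scores = ocsvm.decision_function(apps)
ranking = np.argsort(scores)        # most abnormal app first
```

Here the last app, whose SMS and contacts access no other app in the cluster shares, ends up at the top of the ranking.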
Example - Outlier API Usage
London Restaurants App; bold entries are outlier API calls
Evaluation
Does this technique effectively identify anomalies?
● Ran CHABADA on the 32 clusters and obtained the top 5 outliers for each cluster: 160 outliers in total
● Manually examined the sensitive behavior of these apps and classified each as:
  ○ Malicious - unadvertised behavior against the user’s interest
  ○ Dubious - unadvertised behavior not necessarily against the user’s interest
  ○ Benign - properly advertised behavior
Evaluation
Can this technique identify malicious Android applications?
● Collected 1,200 known malicious Android apps and searched for their corresponding descriptions, using title and package identifier
● Manually checked the 188 matches found and removed the non-English descriptions, resulting in 172 malicious apps
● Trained the OC-SVM only on benign apps, thereby simulating a situation where every malware attack is novel
● Ran the OC-SVM model as a classifier on benign apps and known malicious apps in each cluster
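The train-on-benign-only setup can be sketched as follows. The synthetic 2-D feature vectors stand in for sensitive-API usage profiles and are not the paper's data:

```python
import numpy as np
from sklearn.svm import OneClassSVM

rng = np.random.default_rng(0)
# Benign apps of one cluster: synthetic usage profiles clustered
# around a common sensitive-API pattern.
benign = rng.normal(loc=[1.0, 0.0], scale=0.05, size=(40, 2))

# Fit only on benign apps: no malware sample is ever seen in training,
# simulating the "every attack is novel" scenario.
clf = OneClassSVM(kernel="rbf", gamma="scale", nu=0.1).fit(benign)

# predict() returns +1 when an app fits the benign model, -1 otherwise;
# a -1 on an unseen app flags it as potential (novel) malware.
unseen = np.array([[1.0, 0.0],    # matches the cluster's usual profile
                   [1.0, 1.0]])   # uses APIs the cluster never touches
labels = clf.predict(unseen)
```

Because the model describes only "normal" behavior, it needs no known malware patterns, which is exactly what lets it generalize to previously unseen attacks.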
Evaluation
Can this technique identify malicious Android applications without clustering?
● Trained the OC-SVM only on sensitive APIs and NLP-preprocessed words from the description
● All applications form one big cluster
Evaluation
Can this technique identify malicious Android applications using given categories?
● Clustered applications based on their categories in the Google Play Store
● Repeated the experiment with the resulting 30 clusters
Discussion Questions
Would this tool be useful/worthwhile for Google to employ to find malware before it enters the app store?
What type of enhancements could be added to CHABADA in
order for it to more successfully detect threats?
Why are benign applications identified as outliers by this
technique?
What would be the effect of clustering the apps into more or fewer clusters (via the k-means algorithm)?
All of these approaches rely on static analysis. If dynamic analysis were used, what further information would this give the researchers?
Could this technique be applied to different application
ecosystems? What would be challenges of bringing this
approach to the iOS App Store? Could it be used to identify
abnormal Windows programs?
Bibliography
All information, data, and sample code taken from the article: