You are here

Malware Profiling and Anomaly Detection for Mobile Cyber-Physical System

[Ongoing Project] From Jan. 2012 to Dec. 2015 @ Institute of Information Science, Sinica as Postdoctoral Fellow under the supervision of Dr. Meng Chang Chen with Criminal Investigation Bureau.

Problem. Malicious apps may conduct various behaviors to install unwanted program or gather sensitive information from your mobile device. By nature, Android malware fork several threads to accomplish a malicious task. It makes a security expert difficult to analyze such a complex malicious app. In addition, Android operating system has its own security models, e.g., permission, user group, intents, which is not covered by the scope of Linux.

Goal and Benefit. Design a monitoring system for Android system and develop an analysis process to group and analyze Android malware behaviors based on their dynamic analysis results. A visualized analysis result, such as the phylogenetic tree, the principal components and the dot matrix of different malware families should be provided to demonstrate the variety and characteristics of malware. The research results help security professionals to reveal the malware structure and their evolution and it could help to detect new malware variants.

Design. 1) Develop virtual machine introspection, VMI, mechanism in the hypervisor to monitor the execution of Android malware, and generate the behavior profile of the malware. 2) Modified Android Dalvik VM and hacked Android stack and heap to obtain the runtime information of an App.

The structure of VMI based monitoring system with an Android guest under virtualized environment.

Analysis Strategy. Although malware is a program, I view them as live organisms in the digital world. I adopt the similarity analysis algorithm to identify similar behavior among multiple malware profiles, and group them together to demonstrate their relationship. I also consider a profile as the DNA of a malware, and adopt sequence analysis algorithms from bioinformatics that are very useful for discovering functional, structural, and evolutionary information. I populate the phylogenetic tree, the significant behavior signature and the dot matrix of different malware families to demonstrate the variety and characteristics of malware. It reveals the malware structure and their evolution that never been noticed.

The Phylogenetic tree of Android malware family ‘Morstar’.

The behavior clustering result of Android malware family ‘ADRD’.

Copyright 2013 © Advanced Networking Technologies and Services Group, ALL RIGHT RESERVED.