1.
http://orbilu.uni.lu/bitstream/10993/18702/1/A%20Forensic%20Analysis%20of%20Android%20Malware.pdf
Abstract:
We consider in this paper the analysis of a large set of malware and benign applications
from the Android ecosystem. Although a large body of research work has dealt with Android
malware over the last years, none has addressed it from a forensic point of view. After
collecting over 500,000 applications from user markets and research repositories, we
perform an analysis that yields precious insights on the writing process of Android malware.
This study also explores some strange artifacts in the datasets, and the divergent
capabilities of state-of-the-art antivirus to recognize/define malware. We further highlight
some major weak usage and misunderstanding of Android security by the criminal
community and show some patterns in their operational flow. Finally, using insights from this
analysis, we build a naive malware detection scheme that could complement existing antivirus
software.
http://ieeexplore.ieee.org/abstract/document/5489509/authors
http://www.sciencedirect.com/science/article/pii/S0160791X10000497
Detection
Abstract:
The greatest threat to Android users is malware infection via Android application
markets. In the case of the Android Market, security inspections are not applied to the many
applications that users have uploaded. Therefore, malware such as Geinimi and DroidDream will
attempt to leak personal information, obtain root privileges, and abuse functions of the
smartphone. An audit framework called logcat is implemented on the Dalvik virtual machine to
monitor application behavior. However, only limited events are dumped, because application
developers use logcat for debugging. A behavior monitoring framework that can audit all
activities of applications is important for security inspections on the marketplaces. In this
paper, we propose a kernel-based behavior analysis for Android malware inspection. The system
consists of a log collector in the Linux layer and a log analysis application. The log
collector records all system calls and filters events for the target application. The log
analyzer matches activities against signatures described by regular expressions to detect
malicious activity. Here, signatures of information leakage are automatically generated using
the smartphone IDs, e.g., phone number, SIM serial number, and Gmail accounts. We implement a
prototype system and evaluate 230 applications in total. The result shows that our system can
effectively detect malicious behaviors of unknown applications.
Takamasa Isohara
KDDI R&D Labs., Saitama, Saitama, Japan
Keisuke Takemori
KDDI R&D Labs., Saitama, Saitama, Japan
Ayumu Kubota
KDDI R&D Labs., Saitama, Saitama, Japan
http://ieeexplore.ieee.org/abstract/document/6128277/authors
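The abstract above describes two pieces the paper's prototype relies on: a per-application filter over kernel system-call records, and regex signatures generated automatically from the handset's own identifiers. The following is an added illustration written for this reading list, not code from the paper. It assumes the collector's output is an strace-like text log ("pid syscall(args) = ret"); the device identifiers, pids, hosts and log lines are all constructed for the example.

```python
import re

# Constructed identifiers for a hypothetical handset (not real data). In the
# paper these are read from the device; here they are embedded so the example
# runs offline.
DEVICE_IDS = {
    "phone_number": "+819012345678",
    "sim_serial": "8981100022334455667",
    "gmail_account": "alice.example@gmail.com",
}

# System calls through which data leaves the process (file or socket writes).
EXFIL_CALLS = {"write", "writev", "pwrite64", "send", "sendto", "sendmsg"}

# Constructed strace-style log standing in for the kernel log collector's
# output. Format per line: "<pid> <syscall>(<args>) = <return value>".
SYSCALL_LOG = """\
1234 open("/data/data/com.example.app/files/cfg", O_RDONLY) = 5
1234 read(5, "token=abc", 9) = 9
1234 connect(9, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.5")}, 16) = 0
1234 sendto(9, "POST /c HTTP/1.1\\r\\nHost: c2.example\\r\\n\\r\\nnum=+81-90-1234-5678&sim=8981100022334455667", 99, 0, NULL, 0) = 99
1234 write(6, "user=ALICE.EXAMPLE@GMAIL.COM", 28) = 28
5678 sendto(4, "num=+819012345678", 17, 0, NULL, 0) = 17
1234 close(9) = 0
"""

LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+)\s*$"
)


def build_signatures(ids):
    """Generate one regex per identifier.

    Numeric IDs may carry display separators between digits
    (e.g. "+81-90-1234-5678"); textual IDs match case-insensitively.
    """
    sigs = {}
    for name, value in ids.items():
        core = value.lstrip("+")
        if core.isdigit():
            body = r"[-.\s]?".join(re.escape(d) for d in core)
            sigs[name] = re.compile(r"\+?" + body)
        else:
            sigs[name] = re.compile(re.escape(value), re.IGNORECASE)
    return sigs


def parse_log(text):
    """Yield (line number, pid, syscall name, argument string) per parsable line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            yield lineno, int(m["pid"]), m["call"], m["args"]


def find_leaks(log_text, target_pid, ids=DEVICE_IDS):
    """Filter the log to the target application's pid and report every
    outbound syscall whose arguments contain a device identifier.

    Returns a list of (line number, syscall, identifier name) tuples.
    """
    sigs = build_signatures(ids)
    hits = []
    for lineno, pid, call, args in parse_log(log_text):
        if pid != target_pid or call not in EXFIL_CALLS:
            continue
        for name, rx in sigs.items():
            if rx.search(args):
                hits.append((lineno, call, name))
    return hits


if __name__ == "__main__":
    for lineno, call, name in find_leaks(SYSCALL_LOG, target_pid=1234):
        print(f"line {lineno}: {call}() carries {name}")
```

The pid filter is what keeps the second sendto (pid 5678) out of the report for the application under inspection; the separator-tolerant digit pattern is what catches the phone number even though the application formatted it for display before sending. Identifiers that are hashed or encrypted before leaving the device would not be matched by signatures of this kind.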
Malware
Abstract:
Numerous attacks, such as worms, phishing, and botnets, threaten the availability of the Internet, the
integrity of its hosts, and the privacy of its users. A core element of defense against these attacks is anti-
virus (AV) software, a service that detects, removes, and characterizes these threats. The ability of these
products to successfully characterize these threats has far-reaching effects, from facilitating sharing
across organizations, to detecting the emergence of new threats, and assessing risk in quarantine and
cleanup. In this paper, we examine the ability of existing host-based anti-virus products to provide
semantically meaningful information about the malicious software and tools (or malware) used by
attackers. Using a large, recent collection of malware that spans a variety of attack vectors (e.g., spyware,
worms, spam), we show that different AV products characterize malware in ways that are inconsistent
across AV products, incomplete across malware, and that fail to be concise in their semantics. To address
these limitations, we propose a new classification technique that describes malware behavior in terms of
system state changes (e.g., files written, processes created) rather than in sequences or patterns of
system calls. To address the sheer volume of malware and diversity of its behavior, we provide a method
for automatically categorizing these profiles of malware into groups that reflect similar classes of
behaviors and demonstrate how behavior-based clustering provides a more direct and effective way of
classifying and analyzing Internet malware.
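The abstract's central idea is to profile a sample by the state changes it causes (files written, processes created, registry keys set, connections made) and then group samples whose profiles are similar. The following added example, written for this reading list and not taken from the paper, shows that pipeline on constructed traces: it normalizes each event so that variant-specific noise (path case, the particular C2 address) does not split a family, builds a set-valued profile per sample, and merges samples whose Jaccard similarity exceeds a threshold. The paper's own distance measure and clustering procedure are not reproduced here; Jaccard with single-linkage merging is a deliberate simplification, and all sample names, paths and addresses are invented.

```python
from collections import defaultdict
from itertools import combinations

# Constructed state-change traces for five hypothetical samples (illustrative,
# not real malware data). Each event is (change_type, affected object).
TRACES = {
    "bot_v1": [
        ("file_written", r"C:\WINDOWS\system32\svchost32.exe"),
        ("process_created", "svchost32.exe"),
        ("registry_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
        ("network_connect", "irc://203.0.113.10:6667"),
    ],
    "bot_v2": [
        ("file_written", r"C:\WINDOWS\System32\SVCHOST32.EXE"),
        ("process_created", "SVCHOST32.EXE"),
        ("registry_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchost32"),
        ("network_connect", "irc://203.0.113.11:6667"),
    ],
    "spy_v1": [
        ("file_written", r"C:\Program Files\Common Files\hook.dll"),
        ("registry_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\hookdll"),
        ("network_connect", "http://198.51.100.7:80"),
    ],
    "spy_v2": [
        ("file_written", r"C:\Program Files\Common Files\hook.dll"),
        ("registry_set", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\hookdll"),
        ("network_connect", "http://198.51.100.8:80"),
        ("file_written", r"C:\WINDOWS\Temp\upd.tmp"),
    ],
    "worm": [
        ("process_created", "netscan.exe"),
        ("network_connect", "tcp://192.0.2.0/24:445"),
        ("file_written", r"C:\WINDOWS\netscan.exe"),
    ],
}


def normalize(kind, obj):
    """Collapse variant-specific noise so related samples share features:
    paths and names are lower-cased, and a connection keeps only its
    protocol and port (the peer address changes between builds)."""
    if kind == "network_connect":
        scheme, _, hostport = obj.partition("://")
        port = hostport.rsplit(":", 1)[-1]
        return f"{kind}:{scheme}://*:{port}"
    return f"{kind}:{obj.lower()}"


def profile(trace):
    """A sample's behavior profile: the set of normalized state changes."""
    return frozenset(normalize(kind, obj) for kind, obj in trace)


def jaccard(a, b):
    """Set similarity in [0, 1]; 1.0 means identical profiles."""
    return len(a & b) / len(a | b) if (a | b) else 1.0


def cluster_profiles(traces, threshold):
    """Single-linkage grouping: any pair at or above the threshold is merged.
    Returns clusters as sorted lists of sample names."""
    profiles = {name: profile(t) for name, t in traces.items()}
    parent = {name: name for name in traces}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for x, y in combinations(traces, 2):
        if jaccard(profiles[x], profiles[y]) >= threshold:
            parent[find(x)] = find(y)
    groups = defaultdict(list)
    for name in traces:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


def shared_behavior(traces, members):
    """State changes common to every member: a cluster's behavioral description."""
    return sorted(frozenset.intersection(*(profile(traces[m]) for m in members)))


if __name__ == "__main__":
    for group in cluster_profiles(TRACES, threshold=0.5):
        print(group)
        for feature in shared_behavior(TRACES, group):
            print("   ", feature)
```

Two observations follow from running it: the two bot builds collapse into one cluster only because the address and case differences are normalized away, and the description printed for each cluster (the intersection of its members' profiles) is exactly the kind of concise, behavior-level label the abstract says AV product names fail to provide. The threshold is the lever between splitting families and lumping unrelated samples; it has to be tuned on a labelled corpus rather than fixed a priori.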