Data-Aware Declarative Process Mining for Malware Detection

Aversano L.; Bernardi M. L.
2020-01-01

Abstract

Mobile devices have become, in recent years, an essential tool for daily activities. However, they have also become the target of continuous malware attacks, usually coming from new malware obtained as variants of existing ones. For this reason, we hypothesize that by comparing the behavior of a new application with that of known malware applications it is possible to classify it as malicious or trusted. Accordingly, this study proposes an approach based on a data-aware declarative process mining technique to identify similarities and recurring patterns in the system call traces generated by a set of malicious mobile applications. The obtained characterization, represented by a set of declarative constraints together with their data attributes, can be considered a run-time fingerprint of the malware, useful to evaluate whether a new application belongs to a given malware family. The empirical validation of the proposed approach is performed on a dataset of more than 1200 trusted and malicious applications coming from eight malware families, and the obtained results show a very good discrimination ability.
Year: 2020
ISBN: 978-1-7281-6926-2
Keywords: data-aware process mining; declarative process mining; malware detection
Files in this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.12070/60202
Citations
  • Scopus 1