Data-Aware Declarative Process Mining for Malware Detection
Aversano L.; Bernardi M. L.
2020-01-01
Abstract
Mobile devices have become, in recent years, an essential tool for performing daily activities. However, they have also become the target of continuous malware attacks, usually carried out by new malware obtained as a variant of existing samples. For this reason, we hypothesise that by comparing the behavior of a new application with that of known malicious applications it is possible to classify it as malicious or trusted. Accordingly, this study proposes an approach based on a data-aware declarative process mining technique to identify similarities and recurring patterns in the system call traces generated by a set of malicious mobile applications. The resulting characterization, represented by a set of declarative constraints together with their data attributes, can be regarded as a run-time fingerprint of the malware, which can be used to evaluate whether a new application belongs to a given malware family. The empirical validation of the proposed approach is performed on a dataset of more than 1200 trusted and malicious applications, the malicious ones drawn from eight malware families, and the obtained results show a very good discrimination ability.