Process mining meets malware evolution: A study of the behavior of malicious code
Bernardi M. L.
2017-01-01
Abstract
Mobile phones are increasingly used to exchange and access sensitive resources, which makes them a target for malware attacks. Such attacks keep growing as new and sophisticated malware appears that often renders existing detection approaches inadequate. Since most new malware is derived from existing malicious code, tracking the phylogeny of mobile malware becomes very important. In this work, a Process Mining (PM) approach is proposed for building a malware phylogeny model from the information contained in system call traces. Adopting a declarative Process Mining technique makes it possible to mine a constraint-based model that can be used effectively as a malware fingerprint, expressing the relationships and recurring execution patterns among system calls in the execution flows. The model characterizes the behavior of malware applications, allowing the identification of similarities across malware families and among malware variants belonging to the same family. The proposed approach is evaluated on a dataset of more than 700 infected applications across seven malware families, obtaining very encouraging results.
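As an added illustration (not the paper's code, dataset or actual constraint templates), the following Python sketches what a declarative, constraint-based fingerprint over system call traces looks like: two Declare-style templates, response and precedence, are mined from constructed traces of two hypothetical families, and the resulting constraint sets are compared with Jaccard similarity. The trace data, the choice of templates and the similarity measure are assumptions made for the example.

```python
from itertools import product

# Constructed system-call traces standing in for two malware families; they are
# illustrative only and are not taken from the paper's dataset.
FAMILY_A = [
    ["open", "read", "socket", "connect", "write", "close"],
    ["open", "read", "socket", "connect", "send", "close"],
]
FAMILY_B = [
    ["getuid", "open", "read", "close"],
    ["getuid", "open", "read", "write", "close"],
]

def response(trace, a, b):
    """Declare 'response(a, b)': every a is eventually followed by a b.
    Returns (activated, satisfied); a trace without a does not activate it."""
    positions = [i for i, ev in enumerate(trace) if ev == a]
    if not positions:
        return False, True
    return True, all(b in trace[i + 1:] for i in positions)

def precedence(trace, a, b):
    """Declare 'precedence(a, b)': b may occur only after some a has occurred."""
    if b not in trace:
        return False, True
    return True, (a in trace) and trace.index(a) < trace.index(b)

TEMPLATES = {"response": response, "precedence": precedence}

def mine_fingerprint(traces):
    """Keep every constraint that is activated in at least one trace and
    satisfied in every trace that activates it (no vacuous constraints)."""
    alphabet = sorted({ev for t in traces for ev in t})
    fingerprint = set()
    for name, check in TEMPLATES.items():
        for a, b in product(alphabet, repeat=2):
            if a == b:
                continue
            results = [check(t, a, b) for t in traces]
            activated = [sat for act, sat in results if act]
            if activated and all(activated):
                fingerprint.add((name, a, b))
    return frozenset(fingerprint)

def similarity(fp1, fp2):
    """Jaccard similarity between two constraint-set fingerprints."""
    union = fp1 | fp2
    return len(fp1 & fp2) / len(union) if union else 1.0
```

Calling `similarity(mine_fingerprint(FAMILY_A), mine_fingerprint(FAMILY_B))` gives a value strictly between 0 and 1: the families share constraints such as response(open, read) but differ on the network-related ones present only in the first family.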