A constraint-driven approach for dynamic malware detection
Bernardi M. L.;
2016-01-01
Abstract
The growing use of mobile phones to communicate and to access sensitive resources drives research into new approaches for protecting smartphones from attacks carried out by malicious software. Moreover, the continual emergence of new and sophisticated malware makes current protection solutions for mobile phones inadequate shortly after they are deployed. In this paper a new approach to run-time malware detection is proposed. It consists of analysing system call traces gathered from malware and from trusted applications to identify a set of relationships and recurring execution patterns that characterize their respective behaviour. The characterization of malware behaviour is expressed in terms of declarative constraints between system calls and can be used to identify similarities across malware families, to detect malware variants within the same family, and to build trees of malware families based on their similarities. The effectiveness and efficiency of the approach have been assessed on a dataset of more than 1500 applications, both trusted and malicious, spanning six malware families. The results show that the proposed approach exhibits a very good discriminating ability that can be exploited both for malware detection and for the study of malware evolution.
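The following is an added illustration of the kind of pipeline the abstract describes, written for this page and not taken from the paper: constraints between system calls are mined from traces, the mined set acts as a family fingerprint, fingerprints are compared to relate families, and a fresh trace is scored against each fingerprint. The two constraint templates (Declare-style "response" and "precedence"), the constructed syscall traces, the support threshold, the Jaccard similarity and the classification threshold are all assumptions chosen for illustration; the page does not state which templates, thresholds or similarity measure the paper actually uses.

```python
"""Added example (not the paper's code): mining declarative constraints between
system calls from execution traces and using the mined set as a behavioural
fingerprint of a malware family.  The two constraint templates (Declare-style
'response' and 'precedence'), the syscall traces, the support threshold and the
similarity measure are assumptions made for illustration."""
from itertools import permutations
from typing import Callable, Dict, FrozenSet, List, Tuple

Trace = List[str]
Constraint = Tuple[str, str, str]          # (template, a, b)


def response_holds(trace: Trace, a: str, b: str) -> bool:
    """response(a, b): every occurrence of a is eventually followed by a b.
    Counted only when a actually occurs, so vacuous satisfaction is not mined."""
    positions = [i for i, call in enumerate(trace) if call == a]
    if not positions:
        return False
    return b in trace[positions[-1] + 1:]


def precedence_holds(trace: Trace, a: str, b: str) -> bool:
    """precedence(a, b): every occurrence of b is preceded by some a.
    Counted only when b actually occurs."""
    if b not in trace:
        return False
    return a in trace[: trace.index(b)]


TEMPLATES: Dict[str, Callable[[Trace, str, str], bool]] = {
    "response": response_holds,
    "precedence": precedence_holds,
}


def mine_constraints(traces: List[Trace], min_support: float = 1.0) -> FrozenSet[Constraint]:
    """Keep every template instance satisfied by at least min_support of the traces."""
    alphabet = sorted({call for trace in traces for call in trace})
    mined = set()
    for name, check in TEMPLATES.items():
        for a, b in permutations(alphabet, 2):
            support = sum(check(t, a, b) for t in traces) / len(traces)
            if support >= min_support:
                mined.add((name, a, b))
    return frozenset(mined)


def conformance(trace: Trace, fingerprint: FrozenSet[Constraint]) -> float:
    """Fraction of a fingerprint's constraints that a single trace satisfies."""
    if not fingerprint:
        return 0.0
    satisfied = sum(TEMPLATES[name](trace, a, b) for name, a, b in fingerprint)
    return satisfied / len(fingerprint)


def jaccard(x: FrozenSet[Constraint], y: FrozenSet[Constraint]) -> float:
    """Family-to-family similarity over mined constraint sets (assumed measure)."""
    return len(x & y) / len(x | y) if (x | y) else 1.0


def classify(trace: Trace, fingerprints: Dict[str, FrozenSet[Constraint]],
             threshold: float = 0.8) -> Tuple[str, float]:
    """Label a run-time trace with the best-conforming fingerprint, or 'unknown'."""
    label = max(fingerprints, key=lambda f: conformance(trace, fingerprints[f]))
    score = conformance(trace, fingerprints[label])
    return (label, score) if score >= threshold else ("unknown", score)


# Constructed traces (not real captures): two malware families sharing a
# read-then-exfiltrate pattern, and a set of benign file-handling applications.
TRACES: Dict[str, List[Trace]] = {
    "family_A": [
        ["open", "read", "socket", "connect", "sendto", "close"],
        ["getuid", "open", "read", "socket", "connect", "sendto", "close"],
        ["open", "read", "ioctl", "socket", "connect", "sendto", "close"],
    ],
    "family_B": [  # variant: forks first and reads the file only after connecting
        ["fork", "open", "socket", "connect", "read", "sendto", "close"],
        ["fork", "getuid", "open", "socket", "connect", "read", "sendto", "close"],
        ["fork", "open", "socket", "connect", "read", "sendto", "close"],
    ],
    "trusted": [
        ["open", "read", "write", "close"],
        ["getuid", "open", "read", "write", "close"],
        ["open", "read", "ioctl", "write", "close"],
    ],
}

FINGERPRINTS = {label: mine_constraints(traces) for label, traces in TRACES.items()}


def family_similarities() -> Dict[Tuple[str, str], float]:
    """Pairwise similarity between fingerprints; the input to a family tree."""
    labels = list(FINGERPRINTS)
    return {(x, y): jaccard(FINGERPRINTS[x], FINGERPRINTS[y])
            for i, x in enumerate(labels) for y in labels[i + 1:]}


if __name__ == "__main__":
    for pair, sim in family_similarities().items():
        print(f"{pair[0]:>9} ~ {pair[1]:<9} jaccard={sim:.3f}")
    print(classify(["open", "read", "socket", "connect", "sendto", "sendto", "close"], FINGERPRINTS))
    print(classify(["open", "read", "write", "write", "close"], FINGERPRINTS))
    print(classify(["mmap", "mprotect"], FINGERPRINTS))
```

Two points a practitioner should keep in mind when adapting this. Vacuous satisfaction is deliberately excluded: a constraint such as response(socket, sendto) is only credited to a trace in which socket actually occurs, otherwise a benign application that never opens a socket would "satisfy" every network-related constraint and blur the fingerprints. Also, a support threshold of 1.0 is brittle on real captures, where noise calls (the getuid and ioctl above) and missed events are common; lowering it trades some precision for robustness, and the families' trees above are only as meaningful as the similarity measure chosen.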