Towards mining comprehensive Android sandboxes

Android is the most widely used mobile operating system with billions of users and devices. The popularity of Android apps has enticed malware writers to target them. Recently, Jamrozik et al. proposed an approach, named Boxmate, to mine sandboxes to protect Android users from malicious behaviors....


Bibliographic Details
Main Authors: LE, Tien-Duy B., BAO, Lingfeng, LO, David, GAO, Debin, LI, Li
Format: text
Language: English
Published: Institutional Knowledge at Singapore Management University 2018
Subjects: Android security; Malicious behavior detection; Mining sandboxes; Databases and Information Systems; Numerical Analysis and Scientific Computing
Online Access:https://ink.library.smu.edu.sg/sis_research/4289
https://ink.library.smu.edu.sg/context/sis_research/article/5292/viewcontent/le2018towards.pdf
Institution: Singapore Management University
DOI: 10.1109/ICECCS2018.2018.00014
Publication Date: 2018-12-01
License: http://creativecommons.org/licenses/by-nc-nd/4.0/
Collection: Research Collection School Of Computing and Information Systems
Library: SMU Libraries, Singapore (collection InK@SMU)
Description: Android is the most widely used mobile operating system with billions of users and devices. The popularity of Android apps has enticed malware writers to target them. Recently, Jamrozik et al. proposed an approach, named Boxmate, to mine sandboxes to protect Android users from malicious behaviors. In a nutshell, Boxmate analyzes the execution of an app and collects a list of sensitive APIs that are invoked by that app in a monitoring phase. Then, it constructs a sandbox that restricts access to sensitive APIs not called by the app. In this way, malicious behaviors that are not observed in the monitoring phase (occurring, for example, due to malicious code injection during an attack) can be prevented. Nevertheless, Boxmate only focuses on a specific API type (i.e., sensitive APIs); it also ignores parameter values of many API methods and requested permissions during the execution of a target app. As a result, Boxmate is not able to detect malicious behaviors in many cases. In this work, we address the limitation of Jamrozik et al.’s work by considering input parameters of many different types of API methods for mining a more comprehensive sandbox. Given a benign app, we first extract a list of Android permissions that the app may request during its execution. Next, we leverage an automated test case generation tool, named Droidbot, to generate a rich set of GUI test cases for exploring behaviors of the app. During the execution of these test cases, we analyze the execution of four different types of API methods. Furthermore, we record input parameters to these API methods and classify them into four different categories. We leverage the collected parameter values and the list of requested permissions to create a sandbox that can protect users from malicious behaviors.
Our experiments on 25 pairs of real benign and malicious apps show that our approach is more effective than the coarse- and fine-grained variants of Boxmate by 267.37% and 81.64% in terms of F-measure, respectively.