Auditing anti-malware tools by evolving Android malware and dynamic loading technique
Although a previous paper shows that existing antimalware tools (AMTs) may have high detection rate, the report is based on existing malware and thus it does not imply that AMTs can effectively deal with future malware. It is desirable to have an alternative way of auditing AMTs. In our previous pap...
Saved in:
| Main Authors: | , , , , , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2017
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/4853 https://ink.library.smu.edu.sg/context/sis_research/article/5856/viewcontent/auditing_anti_malware__PV.pdf |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| id |
sg-smu-ink.sis_research-5856 |
|---|---|
| record_format |
dspace |
| spelling |
sg-smu-ink.sis_research-58562020-01-23T07:10:32Z Auditing anti-malware tools by evolving Android malware and dynamic loading technique XUE, Yinxing MENG, Guozhu LIU, Yang TAN, Tian Huat CHEN, Hongxu SUN, Jun ZHANG, Jie Although a previous paper shows that existing antimalware tools (AMTs) may have high detection rate, the report is based on existing malware and thus it does not imply that AMTs can effectively deal with future malware. It is desirable to have an alternative way of auditing AMTs. In our previous paper, we use malware samples from android malware collection GENOME to summarize a malware meta-model for modularizing the common attack behaviors and evasion techniques in reusable features. We then combine different features with an evolutionary algorithm, in which way we evolve malware for variants. Previous results have shown that the existing AMTs only exhibit detection rate of 20%–30% for 10 000 evolved malware variants. In this paper, based on the modularized attack features, we apply the dynamic code generation and loading techniques to produce malware, so that we can audit the AMTs at runtime. We implement our approach, named MYSTIQUE-S, as a serviceoriented malware generation system. MYSTIQUE-S automatically selects attack features under various user scenarios and delivers the corresponding malicious payloads at runtime. Relying on dynamic code binding (via service) and loading (via reflection) techniques, MYSTIQUE-S enables dynamic execution of payloads on user devices at runtime. Experimental results on real-world devices show that existing AMTs are incapable of detecting most of our generated malware. Last, we propose the enhancements for existing AMTs. 2017-07-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4853 info:doi/10.1109/TIFS.2017.2661723 https://ink.library.smu.edu.sg/context/sis_research/article/5856/viewcontent/auditing_anti_malware__PV.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Android feature model defense capability malware generation dynamic loading linear programming Programming Languages and Compilers Software Engineering |
| institution |
Singapore Management University |
| building |
SMU Libraries |
| continent |
Asia |
| country |
Singapore Singapore |
| content_provider |
SMU Libraries |
| collection |
InK@SMU |
| language |
English |
| topic |
Android feature model defense capability malware generation dynamic loading linear programming Programming Languages and Compilers Software Engineering |
| spellingShingle |
Android feature model defense capability malware generation dynamic loading linear programming Programming Languages and Compilers Software Engineering XUE, Yinxing MENG, Guozhu LIU, Yang TAN, Tian Huat CHEN, Hongxu SUN, Jun ZHANG, Jie Auditing anti-malware tools by evolving Android malware and dynamic loading technique |
| description |
Although a previous paper shows that existing antimalware tools (AMTs) may have high detection rate, the report is based on existing malware and thus it does not imply that AMTs can effectively deal with future malware. It is desirable to have an alternative way of auditing AMTs. In our previous paper, we use malware samples from android malware collection GENOME to summarize a malware meta-model for modularizing the common attack behaviors and evasion techniques in reusable features. We then combine different features with an evolutionary algorithm, in which way we evolve malware for variants. Previous results have shown that the existing AMTs only exhibit detection rate of 20%–30% for 10 000 evolved malware variants. In this paper, based on the modularized attack features, we apply the dynamic code generation and loading techniques to produce malware, so that we can audit the AMTs at runtime. We implement our approach, named MYSTIQUE-S, as a serviceoriented malware generation system. MYSTIQUE-S automatically selects attack features under various user scenarios and delivers the corresponding malicious payloads at runtime. Relying on dynamic code binding (via service) and loading (via reflection) techniques, MYSTIQUE-S enables dynamic execution of payloads on user devices at runtime. Experimental results on real-world devices show that existing AMTs are incapable of detecting most of our generated malware. Last, we propose the enhancements for existing AMTs. |
| format |
text |
| author |
XUE, Yinxing MENG, Guozhu LIU, Yang TAN, Tian Huat CHEN, Hongxu SUN, Jun ZHANG, Jie |
| author_facet |
XUE, Yinxing MENG, Guozhu LIU, Yang TAN, Tian Huat CHEN, Hongxu SUN, Jun ZHANG, Jie |
| author_sort |
XUE, Yinxing |
| title |
Auditing anti-malware tools by evolving Android malware and dynamic loading technique |
| title_short |
Auditing anti-malware tools by evolving Android malware and dynamic loading technique |
| title_full |
Auditing anti-malware tools by evolving Android malware and dynamic loading technique |
| title_fullStr |
Auditing anti-malware tools by evolving Android malware and dynamic loading technique |
| title_full_unstemmed |
Auditing anti-malware tools by evolving Android malware and dynamic loading technique |
| title_sort |
auditing anti-malware tools by evolving android malware and dynamic loading technique |
| publisher |
Institutional Knowledge at Singapore Management University |
| publishDate |
2017 |
| url |
https://ink.library.smu.edu.sg/sis_research/4853 https://ink.library.smu.edu.sg/context/sis_research/article/5856/viewcontent/auditing_anti_malware__PV.pdf |
| _version_ |
1770575063991451648 |