分布式恶意软件检测算法(DMDA)(IJCNIS-V9-N8-7)

I.J.ComputerNetworkandInformationSecurity,2017,8,48-53PublishedOnlineAugust2017inMECS()DOI:10.5815/ijcnis.2017.08.07Copyright©2017MECSI.J.ComputerNetworkandInformationSecurity,2017,8,48-53DistributedMalwareDetectionAlgorithm(DMDA)AimanA.AbuSamra,HasanN.Qunoo,AlaaM.AlSalehiIslamicUniversityofGaza,Gazacity,PalestineE-mail:aasamra@iugaza.edu.ps,hqunoo@gmail.com,asalehi@iugaza.edu.psReceived:18May2017;Accepted:05July2017;Published:08August2017Abstract—Theincreasingnumberofmalwareshasledtoanincreaseinresearchworkonmalwareanalysisstudyingthemalwarebehavior.Themalwaretriestoleaksensitiveinformationfrominfecteddevices.Inthispaper,westudyaspecificattackmethod,whichdistributesthedatasourceandthepointofdatalossondifferentversionsofthemalwareapplication.Thatisdoneusinglocalstoragebystoringpartorallofthevitaldatatobeleakedinthefuture.WeintroduceaDistributedMalwareDetectionAlgorithm(DMDA),whichisanalgorithmtodetectdistributedmalwareonappversions.DMDAproposesanewwaytoanalyzeapplicationagainstredistributedmalware.DMDAiscreatedtoanalyzethedataandidentifytransitionallosspoints.WetestthisalgorithmonasampleofAndroidapplicationspublishedontheGooglePlaymarketcontaining100applications,whereeachapplicationhastwoversions.Thealgorithmdetected150transientdatasources,200transientlossofdatapointandtwoleakagesofdata.Incomparison,thisdatasetwascheckedusing56anti-malwareapplicationsbutnoneofthemcouldfindanymaliciouscode.IndexTerms—Android,Distributedmalware,Malwaredetection,Transientdatasources,Transientsinks.I.INTRODUCTIONTremendousincreaseofandroidmarketsandGoogle'sopenpolicyofacceptingapplicationsintheAndroidMarketplace,makeiteasyforanyonetopublishappsandupdatethem.So,theproblemofdetectingMalwaresonmobiledevicesisaninterestingtopic.Infact,86%ofdetectedmalwaresareoldmalwarerepackagedinnewapps[1].However,theantimalwareandantivirustoolsthatwelookedatinthescopeofthispaper,focusonlyonthecurrentappversion.Theydonotdetectanattackdistributedovermultipleversionsofthesameapplication.Therearetwotypesofcodeanalysisthatcanbeusedtodetectmalwares,StaticCodeAnalysisandDynamicCodeAnalysis.Thedifferencebetweentwotypesisthat:staticprogramanalysisisperformedwithoutexecutingprograms,whiledynamicanalysisisperformedbyexecutingprograms.Inthispaper,weproposeanewwaytoanalyzeapplicationagainstredistributedmalwares.WealsointroduceaDistributedMalwareDetectionAlgorithm(DMDA),whichisanalgorithmtodetectdistributedmalwareonapplicationversions.A.AndroidApplicationEntrypointsAndroidprovidesaSoftwareDeveloperKit(SDK)todevelopers.ThisSDKexposestheAPIneededbydeveloperstobuildapplications.Unlikejavaapplicationthathasoneentrypointfortheapplicationwhichisthemainmethodandworksononeprogramarchitecture,androidapplicationhasmulti-entrypointsandworksonmessagepassingarchitecture.Androidmulti-entrypointsare:Activities,Services,BroadcastReceivers.B.AndroidStorageOptionsAndroidprovidesseveraloptionstosaveapplicationdata.Theoptionyouchoosedependsonyourapplicationneeds,suchas,whetherthedatashouldbeprivateforyourapplicationoraccessiblebyotherapplicationsandhowmuchspaceyourdatarequire.Androiddatastorageoptionsarethefollowing:SharedPreferences,InternalStorage,ExternalStorage,SQLiteDatabasesandNetworkConnection[2].II.RELATEDWORKManyworksweredoneinthefieldofandroidmalwaredetection.SomeworksusedStaticprogramanalysiswherethesourcecodeisgivenasinputtosomeautomatedtool.Thetoolchecksthecodewithoutexecutingit,andyieldsresults.Otherworksusedynamicanalysiswherethecodeisexecuted.HerewepresentsomeoftherecentworksrelatedtothepropagationofmalwareontheAndroidplatformIn[3]authorsexplainhowtoapplyclusteringtechniquesinMalwaredetectionofAndroidapplications.TheirevaluationisgivenbyclusteringtwocategoriesofAndroidapplications:business,andtools.TheyextractthefeaturesoftheapplicationsfromXML-fileswhichcontainpermissionsrequestedbyapplicationsEncketal.[4]introducedanapproachtoconvertDalvikbytecodebacktoJavabytecode,andthenusedexistingdecompilerstoobtainthesourcecodeoftheappsforanalysis.DistributedMalwareDetectionAlgorithm(DMDA)49Copyright©2017MECSI.J.ComputerNetworkandInformationSecurity,2017,8,48-53Chinetal.[5]showedthatappsmightbeexploitablewhenservicingexternalintents.TheybuiltComDroidtoidentifypubliclyexportedcomponentsandwarndevelopersaboutthepotentialthreats.Forthat,ComDroidchecksappmetadataandspecificAPIusages.Asaresult,warnedpubliccomponentsarenotnecessarilyexploitableorharmful(e.g.theopennesscanbeinthedesignorthecomponentisnotsecuritycritical).Ontheotherhand,Androidpermissionsystemissubjecttoseveralinstancesoftheclassicconfuseddeputyattack[6].Asdemonstratedby[7,8,9],anunprivilegedappcanaccesspermission-protectedresourcesthroughprivilegedappsthatdonotcheckpermissions.Graceetal.[9]employedanintra-proceduralpath-sensitivestaticanalysistodiscoverpermissionleaksspecifictostockappsfrommultipledevicevendors.In[10]authorsintroducedasecuritysoftwarethatprovidescomprehensiveprotectionofpersonaldataandmobiletelephonefrommalwareandillegalactivityofcybercriminals.ThedevelopedsecuritysoftwareG