Total:44

HANDOM: Heterogeneous Attention Network Model for Malicious Domain Detection EI SCIE Scopus
Journal article | 2023 , 125 | Computers and Security
SCOPUS Cited Count: 6

Abstract :

Malicious domains are crucial vectors for attackers to conduct malicious activities. With the increasing numbers in domain-based attack activities and the enhancement of attacker evasion methods, the detection of malicious domains has become critical and increasingly difficult. Statistical feature-based and graph structure-based detection methods are mainstream technical approaches. However, highly hidden domains can escape feature detection, and the detection range of graph structure-based methods is limited. Based on these, we propose a malicious detection method called HANDOM. HANDOM combines statistical features and graph structural information to neutralize their limitations, and uses the Heterogeneous Attention Network (HAN) model to jointly handle both information to achieve high-performance malicious domain classification. We conduct experimental evaluations on real-world datasets and compare HANDOM with machine learning methods and other malicious detection methods. The results present that HANDOM has superior and robust performance, and can identify highly hidden domains. © 2022

Keyword :

Classification (of information) Feature extraction Graphic methods Learning systems Malware

Cite:


GB/T 7714 Wang, Qing , Dong, Cong , Jian, Shijie et al. HANDOM: Heterogeneous Attention Network Model for Malicious Domain Detection [J]. | Computers and Security , 2023 , 125 .
MLA Wang, Qing et al. "HANDOM: Heterogeneous Attention Network Model for Malicious Domain Detection" . | Computers and Security 125 (2023) .
APA Wang, Qing , Dong, Cong , Jian, Shijie , Du, Dan , Lu, Zhigang , Qi, Yinhao et al. HANDOM: Heterogeneous Attention Network Model for Malicious Domain Detection . | Computers and Security , 2023 , 125 .
Remote Injected Code Behavior Analysis using Code Refactor EI Scopus
Conference paper | 2022 , 334-338 | 2022 IEEE International Conference on Artificial Intelligence and Computer Applications, ICAICA 2022

Abstract :

For remote malicious code injection attacks, the analysis of injected code behavior has always been the difficulty of malicious code dynamic analysis. In this paper, a remote code injection behavior analysis method based on code refactoring was proposed. By analyzing the behavior of remote code injection attack, extracting the injection behavior pattern rules, analyzing the malicious code by using the dynamic binary analysis platform, identifying the remote injection behavior in the execution process, obtaining the remote injected malicious data, then refactoring and executing the injected code, and finally triggering the hidden behavior of injected code, this method improves the integrity of malicious code behavior analysis. A series of malicious code samples were also used for experimental analysis. And the results showed that this method can obtain more comprehensive behavior information for malicious code with remote injection, and effectively improve the integrity of malicious code analysis. © 2022 IEEE.

Keyword :

Malware

Cite:


GB/T 7714 Zhang, Qian , Wu, Bo , Gao, Juanjuan et al. Remote Injected Code Behavior Analysis using Code Refactor [C] . 2022 : 334-338 .
MLA Zhang, Qian et al. "Remote Injected Code Behavior Analysis using Code Refactor" . (2022) : 334-338 .
APA Zhang, Qian , Wu, Bo , Gao, Juanjuan , Xue, Bin . Remote Injected Code Behavior Analysis using Code Refactor . (2022) : 334-338 .
Malicious software spread modeling and control in cyber–physical systems EI Scopus SCIE
Journal article | 2022 , 248 | Knowledge-Based Systems

Abstract :

Cyber–physical systems are interactive intelligent systems integrating computing units and physical objects through information networks. They have been widely used in critical infrastructures, and are increasingly vulnerable to malicious software attacks. To explore the spread mechanism of malicious software in cyber–physical systems from a macroscopic perspective, this work proposes a new malicious software spread model with time delay, and analyzes its complex dynamic behavior by using the stability theory and bifurcation theorem. A hybrid bifurcation control method is presented to control adverse bifurcations that cause harmful behavior of cyber–physical systems, and the influence of control parameters on the Hopf bifurcation threshold is revealed. Cyber–physical systems with the proposed method can be stabilized, which behave as expected during malicious software spread. The simulations show that the proposed control method can advance or postpone the threshold of Hopf bifurcation, thus making cyber–physical systems achieve a stable state. Consequently, damage and disruption to cyber–physical systems caused by malicious software are effectively reduced. © 2022 Elsevier B.V.

Keyword :

Computation theory Delay control systems Hopf bifurcation Information services Intelligent systems Malware

Cite:


GB/T 7714 Yang, Bo , Yu, Zhenhua , Cai, Yuanli . Malicious software spread modeling and control in cyber–physical systems [J]. | Knowledge-Based Systems , 2022 , 248 .
MLA Yang, Bo et al. "Malicious software spread modeling and control in cyber–physical systems" . | Knowledge-Based Systems 248 (2022) .
APA Yang, Bo , Yu, Zhenhua , Cai, Yuanli . Malicious software spread modeling and control in cyber–physical systems . | Knowledge-Based Systems , 2022 , 248 .
PackerGrind: An Adaptive Unpacking System for Android Apps EI Scopus SCIE
Journal article | 2022 , 48 (2) , 551-570 | IEEE Transactions on Software Engineering

Abstract :

App developers are increasingly using packing services (or packers) to protect their code against being reverse engineered or modified. However, such packing techniques are also leveraged by the malicious developers to prevent the malware from being analyzed and detected by the static malware analysis and detection systems. Though there are already studies on unpacking packed Android apps, they usually leverage the manual reverse engineered packing behaviors to unpack apps packed by the specific packers and cannot be applied to the evolving and new packers. In this paper, we propose a novel unpacking approach with the capacity of adaptively unpacking the evolving and newly encountered packers. Also, we develop a new system, named PackerGrind, based on this adaptive approach for unpacking Android packers. The evaluation with real packed apps demonstrates that PackerGrind can successfully reveal packers' protection mechanisms, effectively handle their evolution and recover Dex files with low overhead. IEEE

Keyword :

Androids; Humanoid robots; Monitoring; Open area test sites; Runtime; Subspace constraints; Tools

Cite:


GB/T 7714 Xue, L. , Zhou, H. , Luo, X. et al. PackerGrind: An Adaptive Unpacking System for Android Apps [J]. | IEEE Transactions on Software Engineering , 2022 , 48 (2) : 551-570 .
MLA Xue, L. et al. "PackerGrind: An Adaptive Unpacking System for Android Apps" . | IEEE Transactions on Software Engineering 48 . 2 (2022) : 551-570 .
APA Xue, L. , Zhou, H. , Luo, X. , Yu, L. , Wu, D. , Zhou, Y. et al. PackerGrind: An Adaptive Unpacking System for Android Apps . | IEEE Transactions on Software Engineering , 2022 , 48 (2) , 551-570 .
Robust Malware Detection System Against Adversarial Attacks Scopus
Other | 2022 , 80 , 1059-1067

Abstract :

The rapid growth of malicious software has brought huge harm to smart users, including tariff consumption, privacy theft, and remote control. To combat the evolving malware attack, deep learning-based systems have been successfully developed and offer unparalleled flexibility in the automatic malware detection. However, deep neural networks are vulnerable to adversarial attacks, and recent researches have demonstrated that adversary can leverage feature amplitude in-equilibrium to bypass malware detectors. Therefore, this paper studies a malware detection scheme AMDNN based on deep learning, it achieves the goal of defending against various adversarial attacks without obtaining detection model information and redeployment. In response to the increasing detection of massive binary applications, we propose and implement a general defense framework DQNet, which enforces the maintenance of malicious semantics through comparative regular constraints during training. Promising experimental results based on real-world datasets demonstrate that AMDNN typically provides superior classification performance and robustness to white-box attacks. © 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.

Cite:


GB/T 7714 Yang, X. , Li, Q. , Li, C. et al. Robust Malware Detection System Against Adversarial Attacks [Unknown].
MLA Yang, X. et al. "Robust Malware Detection System Against Adversarial Attacks" [Unknown].
APA Yang, X. , Li, Q. , Li, C. , Qi, Y. . Robust Malware Detection System Against Adversarial Attacks [Unknown].
A de-obfuscation system based on Markov models EI Scopus
Conference paper | 2022 , 12290 | 2022 International Conference on Computer Network Security and Software Engineering, CNSSE 2022

Abstract :

Android malware authors have widely used obfuscation techniques to avoid their harmful apps from detection. In this paper, we present an automatic method for de-obfuscation of Android apps. It is based on Markov models. Our tool mainly focuses on layout obfuscation created by obfuscator ProGuard, which is one of the most widely used obfuscators. The evaluation of the system verifies the effectiveness of the de-obfuscation task. © 2022 SPIE.

Keyword :

Android (operating system) Markov processes Trees (mathematics)

Cite:


GB/T 7714 Ni, Zhixuan , Wang, Chenxu , Tao, Jing et al. A de-obfuscation system based on Markov models [C] . 2022 .
MLA Ni, Zhixuan et al. "A de-obfuscation system based on Markov models" . (2022) .
APA Ni, Zhixuan , Wang, Chenxu , Tao, Jing , Zhang, Qi . A de-obfuscation system based on Markov models . (2022) .
ConcSpectre: Be Aware of Forthcoming Malware Hidden in Concurrent Programs EI SCIE Scopus
Journal article | 2022 , 71 (2) , 1174-1188 | IEEE TRANSACTIONS ON RELIABILITY
SCOPUS Cited Count: 2

Abstract :

Concurrent programs with multiple threads executing in parallel are widely used to unleash the power of multicore computing systems. Owing to their complexity, a lot of research focuses on testing and debugging concurrent programs. Besides correctness, we find that security can also be compromised by concurrency. In this article, we present concurrent program spectre (ConcSpectre), a new security threat that hides malware in nondeterministic thread interleavings. To demonstrate such threat, we have developed a stealth malware technique called concurrent logic bomb by partitioning a piece of malicious code and injecting its components separately into a concurrent program. The malicious behavior can be triggered by certain thread interleavings that rarely happen (e.g., <1%) under a normal execution environment. However, with a new technique called controllable probabilistic activation, we can activate such ConcSpectre malware with a very high probability (e.g., >90%) by remotely disturbing thread scheduling. In the evaluation, more than 1000 ConcSpectre samples are generated, which bypassed most of the antivirus engines in VirusTotal and four well-known online dynamic malware analysis systems. We also demonstrate how to remotely trigger a ConcSpectre sample on a web server and control its activation probability. Our work shows an urgent need for new malware analysis methods for concurrent programs.

Keyword :

Botnet Codes Concurrent computing Concurrent logic bomb (CLB) concurrent programs concurrent program spectre (ConcSpectre) controllable probabilistic activation (CPA) Malware Message systems Probabilistic logic Programming software security

Cite:


GB/T 7714 Liu, Yang , Xu, Zisen , Fan, Ming et al. ConcSpectre: Be Aware of Forthcoming Malware Hidden in Concurrent Programs [J]. | IEEE TRANSACTIONS ON RELIABILITY , 2022 , 71 (2) : 1174-1188 .
MLA Liu, Yang et al. "ConcSpectre: Be Aware of Forthcoming Malware Hidden in Concurrent Programs" . | IEEE TRANSACTIONS ON RELIABILITY 71 . 2 (2022) : 1174-1188 .
APA Liu, Yang , Xu, Zisen , Fan, Ming , Hao, Yu , Chen, Kai , Chen, Hao et al. ConcSpectre: Be Aware of Forthcoming Malware Hidden in Concurrent Programs . | IEEE TRANSACTIONS ON RELIABILITY , 2022 , 71 (2) , 1174-1188 .
Ensemble Framework Combining Family Information for Android Malware Detection SCIE
Journal article | 2022 | COMPUTER JOURNAL

Abstract :

Each malware application belongs to a specific malware family, and each family has unique characteristics. However, existing Android malware detection schemes do not pay attention to the use of malware family information. If the family information is exploited well, it could improve the accuracy of malware detection. In this paper, we propose a general Ensemble framework combining Family Information for Android Malware Detector, called EFIMDetector. First, eight categories of features are extracted from Android application packages. Then, we define the malware family with a large sample size as a prosperous family and construct a classifier for each prosperous family as a conspicuousness evaluator for the family characteristics. These conspicuousness evaluators are combined with a general classifier (which can be a base or ensemble classifier in itself), called the final classifier, to form a two-layer ensemble framework. For the samples of prosperous families with conspicuous family characteristics, the conspicuousness evaluators directly provide detection results. For other samples (including the samples of prosperous families with nonconspicuous family characteristics and the samples of nonprosperous families), the final classifier is responsible for detection. Seven common base classifiers and three common ensemble classifiers are used to detect malware in the experiment. The results show that the proposed ensemble framework can effectively improve the detection accuracy of these classifiers.

Keyword :

Android conspicuousness evaluator ensemble framework family information malware family

Cite:


GB/T 7714 Li, Yao , Xiong, Zhi , Zhang, Tao et al. Ensemble Framework Combining Family Information for Android Malware Detection [J]. | COMPUTER JOURNAL , 2022 .
MLA Li, Yao et al. "Ensemble Framework Combining Family Information for Android Malware Detection" . | COMPUTER JOURNAL (2022) .
APA Li, Yao , Xiong, Zhi , Zhang, Tao , Zhang, Qinkun , Fan, Ming , Xue, Lei . Ensemble Framework Combining Family Information for Android Malware Detection . | COMPUTER JOURNAL , 2022 .
Overlay-Based Android Malware Detection at Market Scales: Systematically Adapting to the New Technological Landscape EI SCIE Scopus
Journal article | 2022 , 21 (12) , 4488-4501 | IEEE TRANSACTIONS ON MOBILE COMPUTING
SCOPUS Cited Count: 12

Abstract :

Android overlay enables one app to draw over other apps by creating an extra view layer atop the host view, which nevertheless can be exploited by malicious apps (malware) to attack users. To combat this threat, prior countermeasures concentrate on restricting the capabilities of overlays at the OS level while sacrificing overlays' usability; recently, the overlay mechanism has been substantially updated to prevent a variety of attacks, which however can still be evaded by considerable adversaries. To address these shortcomings, a more pragmatic approach is to enable early detection of overlay-based malware during the app market review process, so that all the capabilities of overlays can stay unchanged. For this purpose, in this paper we first conduct a large-scale comparative study of overlay characteristics in benign and malicious apps, and then implement the OverlayChecker system to automatically detect overlay-based malware for one of the world's largest Android app stores. In particular, we have made systematic efforts in feature engineering, UI exploration, emulation architecture, and run-time environment, thus maintaining high detection accuracy (97 percent precision and 97 percent recall) and short per-app scan time (~1.7 minutes) with only two commodity servers, under an intensive workload of ~10K newly submitted apps per day.

Keyword :

android emulation Android overlay app market machine learning mobile malware detection user interaction

Cite:


GB/T 7714 Gong, Liangyi , Li, Zhenhua , Wang, Hongyi et al. Overlay-Based Android Malware Detection at Market Scales: Systematically Adapting to the New Technological Landscape [J]. | IEEE TRANSACTIONS ON MOBILE COMPUTING , 2022 , 21 (12) : 4488-4501 .
MLA Gong, Liangyi et al. "Overlay-Based Android Malware Detection at Market Scales: Systematically Adapting to the New Technological Landscape" . | IEEE TRANSACTIONS ON MOBILE COMPUTING 21 . 12 (2022) : 4488-4501 .
APA Gong, Liangyi , Li, Zhenhua , Wang, Hongyi , Lin, Hao , Ma, Xiaobo , Liu, Yunhao . Overlay-Based Android Malware Detection at Market Scales: Systematically Adapting to the New Technological Landscape . | IEEE TRANSACTIONS ON MOBILE COMPUTING , 2022 , 21 (12) , 4488-4501 .
Systematically Landing Machine Learning onto Market-Scale Mobile Malware Detection EI SCIE
Journal article | 2021 , 32 (7) , 1615-1628 | IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
WoS CC Cited Count: 2

Abstract :

Despite being crucial to today's mobile ecosystem, app markets have meanwhile become a natural, convenient malware delivery channel as they actually "lend credibility" to malicious apps. In the past few years, machine learning (ML) techniques have been widely explored for automated, robust malware detection, but till now we have not seen an ML-based malware detection solution applied at market scales. To systematically understand the real-world challenges, we conduct a collaborative study with T-Market, a popular Android app market that offers us large-scale ground-truth data. Our study illustrates that the key to successfully developing such systems is multifold, including feature selection and encoding, feature engineering and exposure, app analysis speed and efficacy, developer and user engagement, as well as ML model evolution. Failure in any of the above aspects could lead to the "wooden barrel effect" of the whole system. This article presents our judicious design choices and first-hand deployment experiences in building a practical ML-powered malware detection system. It has been operational at T-Market, using a single commodity server to check ~12K apps every day, and has achieved an overall precision of 98.9 percent and recall of 98.1 percent with an average per-app scan time of 0.9 minutes.

Keyword :

Android emulation app market dynamic analysis Emulation Encoding Feature extraction Machine learning Malware Metadata mobile malware detection Security Servers

Cite:


GB/T 7714 Gong, Liangyi , Lin, Hao , Li, Zhenhua et al. Systematically Landing Machine Learning onto Market-Scale Mobile Malware Detection [J]. | IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS , 2021 , 32 (7) : 1615-1628 .
MLA Gong, Liangyi et al. "Systematically Landing Machine Learning onto Market-Scale Mobile Malware Detection" . | IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS 32 . 7 (2021) : 1615-1628 .
APA Gong, Liangyi , Lin, Hao , Li, Zhenhua , Qian, Feng , Li, Yang , Ma, Xiaobo et al. Systematically Landing Machine Learning onto Market-Scale Mobile Malware Detection . | IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS , 2021 , 32 (7) , 1615-1628 .
Address:XI'AN JIAOTONG UNIVERSITY LIBRARY(No.28, Xianning West Road, Xi'an, Shaanxi Post Code:710049) Contact Us:029-82667865
Copyright:XI'AN JIAOTONG UNIVERSITY LIBRARY Technical Support:Beijing Aegean Software Co., Ltd.