Publication


Featured research published by Andrea Saracino.


Mathematical Methods, Models and Architectures for Network Security Systems | 2012

MADAM: a multi-level anomaly detector for android malware

Gianluca Dini; Fabio Martinelli; Andrea Saracino; Daniele Sgandurra

Currently, in the smartphone market, Android is the platform with the highest share. Due to this popularity and also to its open source nature, Android-based smartphones are now an ideal target for attackers. Since the number of malware designed for Android devices is increasing fast, Android users are looking for security solutions aimed at preventing malicious actions from damaging their smartphones. In this paper, we describe MADAM, a Multi-level Anomaly Detector for Android Malware. MADAM concurrently monitors Android at the kernel-level and user-level to detect real malware infections using machine learning techniques to distinguish between standard behaviors and malicious ones. The first prototype of MADAM is able to detect several real malware found in the wild. The device usability is not affected by MADAM due to the low number of false positives generated after the learning phase.


IEEE Transactions on Dependable and Secure Computing | 2018

MADAM: Effective and Efficient Behavior-based Android Malware Detection and Prevention

Andrea Saracino; Daniele Sgandurra; Gianluca Dini; Fabio Martinelli

Android users are constantly threatened by an increasing number of malicious applications (apps), generically called malware. Malware constitutes a serious threat to user privacy, money, device and file integrity. In this paper we note that, by studying their actions, we can classify malware into a small number of behavioral classes, each of which performs a limited set of misbehaviors that characterize it. These misbehaviors can be defined by monitoring features belonging to different Android levels. In this paper we present MADAM, a novel host-based malware detection system for Android devices which simultaneously analyzes and correlates features at four levels: kernel, application, user and package, to detect and stop malicious behaviors. MADAM has been specifically designed to take into account those behaviors that are characteristic of almost every real malware which can be found in the wild. MADAM detects and effectively blocks more than 96 percent of malicious apps, which come from three large datasets with about 2,800 apps, by exploiting the cooperation of two parallel classifiers and a behavioral signature-based detector. Extensive experiments, which also include the analysis of a testbed of 9,804 genuine apps, have been conducted to show the low false alarm rate, the negligible performance overhead and the limited battery consumption.


Trust, Security and Privacy in Computing and Communications | 2016

Modeling Privacy Aware Information Sharing Systems: A Formal and General Approach

Fabio Martinelli; Andrea Saracino; Mina Sheikhalishahi

This paper presents and models a novel general framework for privacy aware collaborative information sharing for data analysis. Collaborative information sharing systems can be cross-domain and involve different data providers, which might also be competitors. For this reason, shared information may imply privacy concerns, which must be addressed by applying privacy preserving mechanisms to information before sharing it. However, since the application of these privacy preserving mechanisms may negatively affect the accuracy of data analysis, a trade-off must be considered, and the privacy preserving mechanism to be applied must be chosen correctly. The proposed framework is based on the separation between a first level, which enforces information privacy as specified by data providers, and a second level, which performs data analysis on the sanitized data. The proposed framework defines and models a workflow which applies to any privacy aware collaborative information sharing system, defines indexes to measure the compatibility between privacy requirements, and includes a novel method to compute the trade-off between privacy and accuracy. This work also proposes a methodology to choose, case by case, the privacy mechanism which maximizes the trade-off between privacy and accuracy. An application example on a real dataset with more than 30k records is also presented.


Information Assurance and Security | 2013

Towards enforcing on-the-fly policies in BYOD environments

Gianpiero Costantino; Fabio Martinelli; Andrea Saracino; Daniele Sgandurra

The Bring Your Own Device (BYOD) paradigm is becoming extremely popular across all kinds of organizations. In fact, employees are continually trying to incorporate their personal devices, e.g. smartphones and tablets, into the office to perform some of their work or simply to access the Internet with a device they trust or are more familiar with. Unfortunately, several security issues may arise from all these external devices accessing the corporate network. To address these issues, in this paper we propose a framework that enforces on-the-fly instantiated policies inside organizations using trusted BYOD technologies. The proposed framework implements a role-based access control system based upon user identity and her current context. To this end, each user receives a specific policy from a server based upon the current role and context. The effective user identity is confirmed using OAuth 2.0, while device integrity and policy enforcement are ensured by means of an on-device root-of-trust and an enforcer running on each device.


International Conference on Trusted Systems | 2012

A Multi-criteria-Based Evaluation of Android Applications

Gianluca Dini; Fabio Martinelli; Ilaria Matteucci; Marinella Petrocchi; Andrea Saracino; Daniele Sgandurra

Android users can face the risk of downloading and installing bad applications on their devices. In fact, many applications may either hide malware, or their actual behavior may not fully match the user's expectation. This happens because, at install time, even if the user is warned about the potential security threat of the application, she often skips this alert message. On Android this is due to the complexity of the permission system, which may be tricky to fully understand.


Foundations and Practice of Security | 2015

Fast and Effective Clustering of Spam Emails Based on Structural Similarity

Mina Sheikhalishahi; Andrea Saracino; Mohamed Mejri; Nadia Tawbi; Fabio Martinelli

Spam emails yearly impose extremely heavy costs in terms of time, storage space and money on both private users and companies. Finding and prosecuting spammers and other spam email stakeholders would make it possible to tackle the root of the problem directly. To facilitate such a difficult analysis, which should be performed on large amounts of unclassified raw emails, in this paper we propose a framework to quickly and effectively divide large amounts of spam emails into homogeneous campaigns through structural similarity. The framework exploits a set of 21 features representative of the email structure and a novel categorical clustering algorithm named Categorical Clustering Tree (CCTree). The methodology is evaluated and validated through standard tests performed on three datasets accounting for more than 200k real, recent spam emails.


Revised Selected Papers of the 8th International Workshop on Data Privacy Management and Autonomous Spontaneous Security - Volume 8247 | 2013

Classifying Android Malware through Subgraph Mining

Fabio Martinelli; Andrea Saracino; Daniele Sgandurra

Current smartphones are based upon the concept of apps, which are lightweight applications that are distributed through on-line marketplaces, such as Google Play (for Android devices). Unfortunately, this market-centric model is affected by several major security and trust issues, due to the fact that anyone can easily create, and deploy through the market, a malicious app that could potentially lead to a massive malware spread. In this paper, we propose a framework to classify Android malware based upon the concept of common patterns of actions executed by malicious applications. The basic idea is to extract, from known malware, a subset of frequent subgraphs of system calls that are executed by most of the malware. This set of subgraphs constitutes a database of known malicious features. Then, when a new application is downloaded from a market, it is first run in a sandbox to monitor its behavior. This results in an execution trace that may contain some of the subgraphs previously found in malware. The resulting vector of the found subgraphs is given to a classifier that returns its decision as to whether the app is likely malware or not. Preliminary tests executed both on known good apps and on malware confirm the effectiveness and quality of our proposal.


Trust, Security and Privacy in Computing and Communications | 2013

Evaluating the Trust of Android Applications through an Adaptive and Distributed Multi-criteria Approach

Gianluca Dini; Fabio Martinelli; Ilaria Matteucci; Marinella Petrocchi; Andrea Saracino; Daniele Sgandurra

New generation mobile devices, and their app stores, lack a methodology to associate a level of trust with applications that faithfully represents their potential security risks. This problem is even more critical with newly published applications, for which either user reviews are missing or the number of downloads is still low. In this scenario, users may not fully estimate the risk associated with downloading apps found on on-line stores. Hence, here we propose a methodology for evaluating the trust level of an application through an adaptive, flexible, and dynamic framework. The evaluation of an application's trust is performed using both static and dynamic parameters, which consider the application metadata, its run-time behavior and the reports of users with respect to the software's critical operations. We have validated the proposed approach by testing it on more than 180 real applications found both on official and unofficial markets, showing that it correctly categorizes applications as trusted or untrusted in 94% of the cases and that it is resilient to poisoning attacks.


Future Generation Computer Systems | 2018

Risk analysis of Android applications: a user-centric solution

Gianluca Dini; Fabio Martinelli; Ilaria Matteucci; Marinella Petrocchi; Andrea Saracino; Daniele Sgandurra

Android applications (apps) pose many risks to their users, e.g., by including code that may threaten user privacy or system integrity. Most of the current security countermeasures for detecting dangerous apps show some weaknesses, mainly related to users' understanding and acceptance. Hence, users would benefit from an effective but simple technique that indicates whether an app is safe or risky to install. In this paper, we present MAETROID (Multi-criteria App Evaluator of TRust for AndrOID), a framework to evaluate the trustworthiness of Android apps, i.e., the amount of risk they pose to users, e.g., in terms of confidentiality and integrity. MAETROID performs a multi-criteria analysis of an app at deploy time and returns a single easy-to-understand evaluation of the app's risk level (i.e., Trusted, Medium Risk, or High Risk), aimed at driving the user's decision on whether or not to install a new app. The criteria include the set of requested permissions and a set of metadata retrieved from the marketplace, denoting the app's quality and popularity. We have tested MAETROID on a set of 11,000 apps coming both from Google Play and from a database of known malicious apps. The results show good accuracy both in identifying the malicious apps and in terms of false positive rate.


International Workshop on Security | 2017

Stateful Usage Control for Android Mobile Devices

Aliaksandr Lazouski; Fabio Martinelli; Paolo Mori; Andrea Saracino

This paper proposes a framework for regulating data sharing on Android mobile devices. In our approach, the user downloads a copy of the data on his Android device, then the framework controls the data usage by enforcing the usage control policies which have been embedded in the data itself by the data producer. The usage control policy is based on the Usage Control model, whose main feature is to allow the usage of the downloaded data as long as conditions specified in the policy are satisfied. The proposed framework secures the data access procedure relying on both the Android security mechanisms and the introduction of Trusted Platform Module functions. The paper details the proposed framework, presents some preliminary results from the prototype that has been developed, and discusses the security of the prototype.

Collaboration

Top Co-Authors

Francesco Restuccia, Missouri University of Science and Technology