Publication


Featured research published by Te-En Wei.


information security | 2012

DroidMat: Android Malware Detection through Manifest and API Calls Tracing

Dong-Jie Wu; Ching-Hao Mao; Te-En Wei; Hahn-Ming Lee; Kuo-Ping Wu

Recently, the threat of Android malware is spreading rapidly, especially those repackaged Android malware. Although understanding Android malware using dynamic analysis can provide a comprehensive view, it is still subjected to high cost in environment deployment and manual efforts in investigation. In this study, we propose a static feature-based mechanism to provide a static analyst paradigm for detecting the Android malware. The mechanism considers the static information including permissions, deployment of components, Intent messages passing and API calls for characterizing the Android applications' behavior. In order to recognize different intentions of Android malware, different kinds of clustering algorithms can be applied to enhance the malware modeling capability. Besides, we leverage the proposed mechanism and develop a system, called DroidMat. First, DroidMat extracts the information (e.g., requested permissions, Intent messages passing, etc.) from each application's manifest file, and regards components (Activity, Service, Receiver) as entry points drilling down for tracing API Calls related to permissions. Next, it applies K-means algorithm that enhances the malware modeling capability. The number of clusters is decided by Singular Value Decomposition (SVD) method on the low rank approximation. Finally, it uses kNN algorithm to classify the application as benign or malicious. The experiment result shows that the recall rate of our approach is better than that of a well-known tool, Androguard, published in Black Hat 2011, which focuses on Android malware analysis. In addition, DroidMat is efficient since it takes only half the time of Androguard to predict 1738 apps as benign apps or Android malware.


trust security and privacy in computing and communications | 2012

Android Malware Detection via a Latent Network Behavior Analysis

Te-En Wei; Ching-Hao Mao; Albert B. Jeng; Hahn-Ming Lee; Horng-Tzer Wang; Dong-Jie Wu

The rapid growth of smartphones has led to a renaissance for mobile application services. Android and iOS now as the most popular smartphone platforms offer a public marketplace respectively, the Android Market and App Store, but operate with dramatically different approaches to prevent malware on their devices. In Android platform, developer not only can directly deliver their apps on the Android market without strict review process, but also is capable to put the non-official verified apps marketplace (i.e., Applanet, AppBrain and so on). In this study, we propose an automatic Android malware detection mechanism based on the result from sandbox. We leverage network spatial feature extraction of Android apps and independent component analysis (ICA) to find the intrinsic domain name resolution behavior of Android malware. The proposed mechanism that identifies the Android malware can achieve in automatic way. For evaluation the proposed approach, the public Android malware apps dataset and popular benign apps collected from Android Market are used for evaluating the effectiveness in analyzing the grouping ability and the effectiveness of identifying the Android malware. The proposed approach successfully identifies malicious Android Apps close to 100% accuracy, precision and recall rate.


information security | 2013

Suspicious URL Filtering Based on Logistic Regression with Multi-view Analysis

Ke-Wei Su; Kuo-Ping Wu; Hahn-Ming Lee; Te-En Wei

The current malicious URLs detecting techniques based on whole URL information are hard to detect the obfuscated malicious URLs. The most precise way to identify a malicious URL is verifying the corresponding web page contents. However, it costs very much in time, traffic and computing resource. Therefore, a filtering process that detects more suspicious URLs which should be further verified is required in practice. In this work, we propose a suspicious URL filtering approach based on multi-view analysis in order to reduce the impact from URL obfuscation techniques. URLs are composed of several portions, and each portion has a specific use. The proposed method intends to learn the characteristics from multiple portions (multi-view) of URLs for giving the suspicion level of each portion. Adjusting the suspicion threshold of each portion, the proposed system would select the most suspicious URLs. This work uses the real dataset from T. Co. to evaluate the proposed system. The requests from T. Co. are (1) detection rate should be less than 25%, (2) missing rate should be lower than 25%, and (3) the process with one hour data should end in an hour. The experiment results show that our approach is effective, is capable to reserve more malicious URLs in the selected suspicious ones and satisfy the requests given by practical environment, such as T. Co. daily works.


international conference on machine learning and cybernetics | 2009

Survey and remedy of the technologies used for RFID tags against counterfeiting

Albert B. Jeng; Li-Chung Chang; Te-En Wei

RFID tags such as EPC tags have been used in some commercial sectors such as the pharmaceutical industry as an anti-counterfeiting tool. RFID tags are a powerful mechanism for object identification, and can facilitate the compilation of detailed object histories and pedigrees. Since RFID tags communicate with the reader through open air in an automated, wireless manner, they are poor authenticators. Furthermore, they have a small microchip on board that offers functionality that can be used for security purposes. This chip functionality makes it possible to verify the authenticity of a product and hence to detect and prevent counterfeiting. In order to be successful for these security purposes, RFID tags have to be resistant against many attacks, in particular against cloning of the tag. Therefore, RFID tags are vulnerable to elementary cloning and counterfeiting attacks. In this paper, we survey and remedy the technologies used for RFID tags against counterfeiting. In the first section, we present an overview of the RFID tags counterfeiting issue. In the second section, we survey the existing methods which investigate how an RFID-tag can be made unclonable. In the third section, we compare and contrast the pros and cons of those existing methods and also identify the discrepancy areas which require further enhancement. In the fourth section, we propose some design principles and guidelines for improvement of the existing methods. Finally, we draw a conclusion and suggest further research direction in this field.


international conference on advanced communication technology | 2015

DroidExec: Root exploit malware recognition against wide variability via folding redundant function-relation graph

Te-En Wei; Hsiao-Rong Tyan; Albert B. Jeng; Hahn-Ming Lee; Hong-Yuan Mark Liao; Jiunn-Chin Wang

DroidExec is a novel root exploit recognition to reduce the influence of wide variability, which usually affects the Android malware detection rate, because of Android applications' various properties. In Android, a specific malware family (e.g., root exploit malware), and thus its implementation may be influenced by the campaign it is serving, and thus producing wide variability, leading its samples to appear to match a wider range of potential families. In this paper, we propose a similarity recognition named as DroidExec, reducing wide variability via folding redundant function-relation graph based on Bipartite Graph Conceptual Matching of graph edit distance. We compute the multiple square roots for each 2×2 block in the cost matrix to conceptually cripple the wide variability. In the experiments, we measure the applications' opcode structural similarity for clustering Android malware. Empirical validation shows that DroidExec can effectively filter surplus and various behaviors, which can improve the precision/recall rate from 82%/95% to 83%/97%, respectively.


trust security and privacy in computing and communications | 2012

RedJsod: A Readable JavaScript Obfuscation Detector Using Semantic-based Analysis

Ismail Adel AL-Taharwa; Hahn-Ming Lee; Albert B. Jeng; Kuo-Ping Wu; Ching-Hao Mao; Te-En Wei; Shyi-Ming Chen

JavaScript allows Web-developers to hide intention behind their code inside different looking scripts known as Obfuscated code. Automatic detection of obfuscated code is generally tackled from readability perspective. However, recently obfuscation exhibits patterns that modify both syntax and semantic characteristics while preserving readability characteristic. There are two problems in dealing with readable obfuscation: 1. Difficulty in locating it since it does not manipulate suspicious strings. 2. It is a common and essential practice adopted in both benign codes and malicious codes. In this work, we first investigate why and how readable obfuscation can hinder detection of maliciousness and prevent the static analysis of suspicious scripts. Next, we propose a readable JavaScript obfuscation detector (RedJsod) system to deal with this type of threat. RedJsod is a well defined detector based on variable length context-based feature extraction (VCLFE) scheme that takes advantages of abstract syntax tree (AST) representation of a given JavaScript code to infer run-time behaviors statically. We applied RedJsod to three datasets collected from real world Web-pages to evaluate its effectiveness. Also, we tested RedJsod on well-known readable obfuscation samples cited in related works as a proof of concept illustration. Our experimental results indicated that RedJsod achieved very high detection rates (greater than 97%) in terms of accuracy, eliminated false negatives completely, while at the same time yielded very few false positives.


international conference on machine learning and cybernetics | 2012

A novel approach for re-authentication protocol using personalized information

Szu-Yu Lin; Te-En Wei; Hahn-Ming Lee; Albert B. Jeng; Chien-Tsung Liu

Since authentication is the key to access control security in Internet access for every user, therefore, how to verify a user is who he claimed to be is a very important requirement in Internet security. In some situations, users need to be re-authenticated to make sure that they are still actively engaged in real time interaction. For instance, people will be notified to dial to a specific server phone number to reconfirm his identity again before re-login using their account ID and passwords pairs. This approach has been adopted by many online game servers. In this paper, we proposed a novel approach for re-authentication protocol using personalized information with CAPTCHA.


international conference on machine learning and cybernetics | 2011

How to solve collision and authentication issues using RFID protocol technology

Albert B. Jeng; Li-Chung Chang; Hahn-Ming Lee; Te-En Wei; Szu-Yu Lin

RFID tags are a powerful mechanism for object identification and can facilitate the compilation of detailed object histories and pedigrees. Since RFID tags communicate with the reader through open air in an automated, wireless manner, they are poor authenticators. The real life RFID application issues include poor-authentication, counterfeit and collision. Therefore, in this paper we focus on passive and active RFID collision problems with authentication and counterfeit. We propose a new protocol called CRPA to make anti-collision protocol and authentication protocol working together for passive RFID tags. Previously, we have proposed a suitable communication protocol with the function of anti-collision and anti-counterfeiting called CRPAC for active RFID tags. In this CRPA scheme, when the anti-collision mechanism is in progress, the anti-counterfeiting scheme is working along with it. Eventually, the new scheme effectively reduces the workload of RFID system and significantly decreases collision probability of the passive tags. The proposed CRPA protocol is especially applicable to multiple tags scenario that requires anti-collision and authentication.


international conference on machine learning and cybernetics | 2011

RePEF — A system for Restoring Packed Executable File for malware analysis

Te-En Wei; Zhi-Wei Chen; Chin-Wei Tien; Jain-Shing Wu; Hahn-Ming Lee; Albert B. Jeng

Malware analysis technologies are important and essential for extracting the behavior of malicious program. However, in order to avoid detection and analysis, malware creators usually deploy packing techniques to achieve their goals. This kind of packing technique hides import table of program file, so that people can neither understand how to assembly code nor learn the structure of the PE file. Recently, Institute for Information Industry (III) developed the CSS technique which can be used to unpack PE file from the memory. Subsequently, we proposed a reconstructive method based on CSS to rebuild the dumped file which then can be executed correctly. The combination of CSS and the reconstructive method is named Restoring Packed Executable File (RePEF), which can be used to automatically reverse the packed PE file (UPX and ASPack) immaterial of running on either Windows or Linux platform. RePEF can also improve and ensure the success rate of malware detection and dynamic analysis.


international conference on machine learning and cybernetics | 2010

The Radio Frequency Identification tag with the function of anti-collision and anti-counterfeiting

Albert B. Jeng; Li-Chung Chang; Te-En Wei; Hong-Zhe Li

Anti-collision in RFID will occur when multiple tags or readers transmit data simultaneously, and these data will affect each other and cannot be recognized. While anti-counterfeiting in RFID occurs when a duplicated tag is used in the goods, and the reader will not be able to discover that it is a fake tag. Anti-collision and anti-counterfeiting mechanisms are usually operated separately in the past, but they may have to perform at the same time in some cases. For example, when RFID-based exhibition tickets are used for entrance purpose both mechanisms will be needed simultaneously. To counter forgery attack, it is important that we have to meet not only anti-collision but also anti-counterfeiting requirement. Therefore, in this paper, we propose a suitable communication protocol of RFID tag with the function of anti-collision and anti-counterfeiting called A Combined Active RFID Tag Collision Resolution Protocol Against Counterfeiting (CRPAC). In our proposed scheme, when the anti-collision mechanism is in progress, the anti-counterfeiting scheme is working along with it. Eventually, the new scheme effectively reduces the workload of RFID system and significantly decreases collision probability of the active tags.

Collaboration


Dive into Te-En Wei's collaboration.

Top Co-Authors

Hahn-Ming Lee, National Taiwan University of Science and Technology

Albert B. Jeng, National Taiwan University of Science and Technology

Ching-Hao Mao, National Taiwan University of Science and Technology

Kuo-Ping Wu, National Taiwan University of Science and Technology

Dong-Jie Wu, National Taiwan University of Science and Technology

Li-Chung Chang, National Taiwan University of Science and Technology

Horng-Tzer Wang, National Taiwan University of Science and Technology

Hsiao-Rong Tyan, Chung Yuan Christian University

Jain-Shing Wu, National Taiwan University of Science and Technology

Szu-Yu Lin, National Taiwan University of Science and Technology