Towards mining comprehensive android sandboxes

Tien-Duy B. Le, Lingfeng Bao, David Lo, Debin Gao, Li Li

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

1 Citation (Scopus)

Abstract

Android is the most widely used mobile operating system, with billions of users and devices. The popularity of Android apps has enticed malware writers to target them. Recently, Jamrozik et al. proposed an approach, named Boxmate, to mine sandboxes that protect Android users from malicious behaviors. In a nutshell, Boxmate analyzes the execution of an app and, in a monitoring phase, collects the list of sensitive APIs that the app invokes. It then constructs a sandbox that restricts access to sensitive APIs not called by the app. In this way, malicious behaviors not observed in the monitoring phase (occurring, for example, because malicious code is injected during an attack) can be prevented. Nevertheless, Boxmate focuses only on one API type (i.e., sensitive APIs); it also ignores the parameter values of many API methods and the permissions requested during the execution of the target app. As a result, Boxmate cannot detect malicious behaviors in many cases. In this work, we address this limitation of Jamrozik et al.'s work by considering the input parameters of many different types of API methods in order to mine a more comprehensive sandbox. Given a benign app, we first extract the list of Android permissions that the app may request during its execution. Next, we leverage an automated test case generation tool, named Droidbot, to generate a rich set of GUI test cases that explore the app's behaviors. While these test cases execute, we analyze the execution of four different types of API methods. Furthermore, we record the input parameters passed to these API methods and classify them into four different categories. We leverage the collected parameter values and the list of requested permissions to create a sandbox that protects users from malicious behaviors. Our experiments on 25 pairs of real benign and malicious apps show that our approach is more effective than the coarse- and fine-grained variants of Boxmate by 267.37% and 81.64%, respectively, in terms of F-measure.
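The following is an added toy illustration of the mining idea the abstract describes, not code from the paper or its authors: a monitoring run of the benign app records API methods, their parameter values (bucketed into categories) and the app's requested permissions, and a runtime call is flagged when it falls outside that profile. The API names, the parameter categories, the permission names and both traces are constructed for this example; the paper's own four API types and four parameter categories are not named here, and the `coarse` flag stands in for a Boxmate-like policy that checks API names only.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

def categorize(value):
    """Assumed parameter categories; the paper's own four are not named here."""
    if isinstance(value, str) and value.startswith(("http://", "https://")):
        return ("host", urlsplit(value).hostname)      # compare hosts, not full URLs
    if isinstance(value, str) and value.startswith("/"):
        return ("dir", value.rsplit("/", 1)[0])        # compare directories
    if isinstance(value, str) and value.lstrip("+").isdigit():
        return ("number", value)
    return ("other", None)                             # not tracked by the policy

@dataclass
class Sandbox:
    permissions: set                                   # requested by the benign app
    apis: set = field(default_factory=set)             # API methods seen in monitoring
    params: dict = field(default_factory=dict)         # api -> {(category, value)}

    def observe(self, api, args):
        self.apis.add(api)
        for cat, val in map(categorize, args):
            if val is not None:
                self.params.setdefault(api, set()).add((cat, val))

    def check(self, api, args, permission=None, coarse=False):
        """Return None if the call fits the mined profile, else a reason to log."""
        if permission and permission not in self.permissions:
            return f"permission {permission} never requested"
        if api not in self.apis:
            return f"API {api} not seen in monitoring"
        if coarse:                                     # Boxmate-like: API name only
            return None
        for cat, val in map(categorize, args):
            if val is not None and (cat, val) not in self.params.get(api, set()):
                return f"{api}: unseen {cat} {val!r}"
        return None

BENIGN_TRACE = [  # constructed monitoring log of the benign app: (api, args)
    ("HttpURLConnection.connect", ["https://api.example-news.test/feed"]),
    ("FileOutputStream.<init>", ["/data/data/app.news/files/cache.db"]),
]
RUNTIME_CALLS = [  # constructed runtime calls: (api, args, permission needed)
    ("HttpURLConnection.connect", ["https://api.example-news.test/feed?p=2"], "INTERNET"),
    ("HttpURLConnection.connect", ["https://unknown-host.example.test/u"], "INTERNET"),
    ("SmsManager.sendTextMessage", ["+10005550199"], "SEND_SMS"),
]

def mine_and_check(coarse=False):
    box = Sandbox(permissions={"INTERNET"})
    for api, args in BENIGN_TRACE:
        box.observe(api, args)
    return [box.check(api, args, perm, coarse) for api, args, perm in RUNTIME_CALLS]
```

With the parameter-aware policy the second call is flagged because its host was never seen during monitoring, while the name-only policy lets it through; both policies reject the SMS call because the permission was never requested.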

Original language: English
Title of host publication: Proceedings - 23rd IEEE International Conference on Engineering of Complex Computer Systems, ICECCS 2018
Subtitle of host publication: 12–14 December 2018 Melbourne, Australia
Editors: Jun Sun, Anthony Widjaja Lin
Place of Publication: Piscataway NJ USA
Publisher: IEEE, Institute of Electrical and Electronics Engineers
Pages: 51-60
Number of pages: 10
ISBN (Electronic): 9781538693414
ISBN (Print): 9781538693421
DOIs: https://doi.org/10.1109/ICECCS2018.2018.00014
Publication status: Published - 2018
Event: IEEE International Conference on Engineering of Complex Computer Systems 2018 - Melbourne, Australia
Duration: 12 Dec 2018 to 14 Dec 2018
Conference number: 23rd
https://formal-analysis.com/iceccs/2018/

Conference

Conference: IEEE International Conference on Engineering of Complex Computer Systems 2018
Abbreviated title: ICECCS 2018
Country: Australia
City: Melbourne
Period: 12/12/18 to 14/12/18
Internet address: https://formal-analysis.com/iceccs/2018/

Keywords

  • Android security
  • Malicious behavior detection
  • Mining sandboxes

Cite this

B. Le, T-D., Bao, L., Lo, D., Gao, D., & Li, L. (2018). Towards mining comprehensive android sandboxes. In J. Sun, & A. Widjaja Lin (Eds.), Proceedings - 23rd IEEE International Conference on Engineering of Complex Computer Systems, ICECCS 2018: 12–14 December 2018 Melbourne, Australia (pp. 51-60). [8595059] Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/ICECCS2018.2018.00014