Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Chen, Kai | - |
dc.contributor.author | Wang, Peng | - |
dc.contributor.author | Lee, Yeonjoon (이연준) | - |
dc.contributor.author | Wang, Xiaofeng | - |
dc.contributor.author | Zhang, Nan | - |
dc.contributor.author | Huang, Heqing | - |
dc.contributor.author | Zou, Wei | - |
dc.contributor.author | Liu, Peng | - |
dc.date.accessioned | 2021-06-22T19:23:02Z | - |
dc.date.available | 2021-06-22T19:23:02Z | - |
dc.date.created | 2021-02-18 | - |
dc.date.issued | 2015-08 | - |
dc.identifier.uri | https://scholarworks.bwise.kr/erica/handle/2021.sw.erica/17435 | - |
dc.description.abstract | An app market’s vetting process is expected to be scalable and effective. However, today’s vetting mechanisms are slow and less capable of catching new threats. In our research, we found that a more powerful solution can be found by exploiting the way Android malware is constructed and disseminated, which is typically through repackaging legitimate apps with similar malicious components. As a result, such attack payloads often stand out from those of the same repackaging origin and also show up in apps that are not supposed to be related to each other. Based upon this observation, we developed a new technique, called MassVet, for vetting apps at a massive scale, without knowing what malware looks like and how it behaves. Unlike existing detection mechanisms, which often utilize heavyweight program analysis techniques, our approach simply compares a submitted app with all those already on a market, focusing on the difference between those sharing a similar UI structure (indicating a possible repackaging relation), and the commonality among those seemingly unrelated. Once public libraries and other legitimate code reuse are removed, such diff/common program components become highly suspicious. In our research, we built this “DiffCom” analysis on top of an efficient similarity comparison algorithm, which maps the salient features of an app’s UI structure or a method’s control-flow graph to a value for a fast comparison. We implemented MassVet over a stream processing engine and evaluated it on nearly 1.2 million apps from 33 app markets around the world, the scale of Google Play. Our study shows that the technique can vet an app within 10 seconds at a low false detection rate. Also, it outperformed all 54 scanners in VirusTotal (NOD32, Symantec, McAfee, etc.) in terms of detection coverage, capturing over a hundred thousand malicious apps, including over 20 likely zero-day malware and those installed millions of times. A close look at these apps brings to light intriguing new observations: e.g., Google’s detection strategy and malware authors’ countermoves that cause the mysterious disappearance and reappearance of some Google Play apps. © 2015 Proceedings of the 24th USENIX Security Symposium. All rights reserved. | - |
dc.language | English | - |
dc.language.iso | en | - |
dc.publisher | USENIX | - |
dc.title | Finding Unknown Malice in 10 Seconds: Mass Vetting for New Threats at the Google-Play Scale | - |
dc.type | Article | - |
dc.contributor.affiliatedAuthor | Lee, Yeonjoon (이연준) | - |
dc.identifier.scopusid | 2-s2.0-85076271905 | - |
dc.identifier.bibliographicCitation | Proceedings of the 24th USENIX Security Symposium, pp.659 - 674 | - |
dc.relation.isPartOf | Proceedings of the 24th USENIX Security Symposium | - |
dc.citation.title | Proceedings of the 24th USENIX Security Symposium | - |
dc.citation.startPage | 659 | - |
dc.citation.endPage | 674 | - |
dc.type.rims | ART | - |
dc.description.journalClass | 1 | - |
dc.description.isOpenAccess | N | - |
dc.description.journalRegisteredClass | scopus | - |
dc.subject.keywordPlus | Commerce | - |
dc.subject.keywordPlus | Computer software reusability | - |
dc.subject.keywordPlus | Computer viruses | - |
dc.subject.keywordPlus | Data flow analysis | - |
dc.subject.keywordPlus | Flow graphs | - |
dc.subject.keywordPlus | Libraries | - |
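The abstract describes the DiffCom idea at a high level: a submitted app is compared against the market, the code that differs from a UI-similar app (a likely repackaging sibling) is suspicious, and so is non-library code that is shared with apps whose UI is unrelated. The following is an added toy illustration of that logic, not the MassVet implementation and not code from the paper: every app, method, UI feature and library method in it is constructed for the example, apps are reduced to sets of hashed UI-structure features and method fingerprints, and the paper's fast centroid-based similarity index is replaced by plain Jaccard similarity over those sets.

```python
"""Toy DiffCom-style vetting (added example, not the paper's code).

Each app is reduced to (a) a set of fingerprints of its UI-structure features and
(b) a set of fingerprints of its methods' control-flow-graph features. Diff analysis
looks at what a submitted app adds on top of a UI-similar app; Com analysis looks at
what it shares with UI-dissimilar apps once known-library code is removed.
"""
import hashlib
from dataclasses import dataclass


def fingerprint(*features) -> str:
    """Map salient features (a view-tree node, or a method's CFG summary) to one value."""
    return hashlib.sha256("|".join(map(str, features)).encode()).hexdigest()[:12]


@dataclass(frozen=True)
class App:
    name: str
    ui: frozenset       # fingerprints of UI-structure features
    methods: frozenset  # fingerprints of method CFGs


def jaccard(a: frozenset, b: frozenset) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


# Hypothetical public-library methods (e.g. an ad SDK); sharing these is legitimate reuse.
LIBRARY = frozenset({fingerprint("m", "AdView.init", 4, 5),
                     fingerprint("m", "Http.get", 9, 11)})


def app_code(app: App) -> frozenset:
    """Method fingerprints with public-library code stripped out."""
    return app.methods - LIBRARY


def diff_analysis(new_app: App, market, ui_threshold: float = 0.8) -> dict:
    """Diff: code present in new_app but absent from a UI-similar market app."""
    hits = {}
    for other in market:
        if jaccard(new_app.ui, other.ui) >= ui_threshold:
            extra = app_code(new_app) - app_code(other)
            if extra:
                hits[other.name] = extra
    return hits


def common_analysis(new_app: App, market, ui_threshold: float = 0.2) -> dict:
    """Com: non-library code shared with market apps whose UI looks unrelated."""
    hits = {}
    for other in market:
        if jaccard(new_app.ui, other.ui) <= ui_threshold:
            shared = app_code(new_app) & app_code(other)
            if shared:
                hits[other.name] = shared
    return hits


def vet(new_app: App, market) -> dict:
    diff = diff_analysis(new_app, market)
    common = common_analysis(new_app, market)
    return {"suspicious": bool(diff or common), "diff": diff, "common": common}


# ---- constructed sample market ----------------------------------------------------
def ui(*views):
    return frozenset(fingerprint("ui", v) for v in views)


def code(*sigs):  # each sig: (method name, #basic blocks, #edges), all made up
    return frozenset(fingerprint("m", *s) for s in sigs)


PAYLOAD = code(("SmsSender.send", 7, 9), ("C2.poll", 12, 15))  # hypothetical malicious component
calc = App("calc", ui("LinearLayout", "EditText", "Button+", "Button="),
           code(("Calc.add", 3, 2), ("Calc.mul", 3, 2)) | LIBRARY)
calc_free = App("calc_free", calc.ui, calc.methods | PAYLOAD)            # repackaged calc
flashlight = App("flashlight", ui("FrameLayout", "ToggleButton"),
                 code(("Torch.on", 2, 1)) | LIBRARY | PAYLOAD)            # unrelated app, same payload
notes = App("notes", ui("ListView", "EditText", "FloatingActionButton"),
            code(("Note.save", 5, 6)) | LIBRARY)                          # clean, shares only the library
MARKET = [calc, flashlight, notes]

if __name__ == "__main__":
    print(vet(calc_free, MARKET))          # suspicious: diff vs calc and common with flashlight
    print(vet(notes, [calc, flashlight]))  # not suspicious: only library code is shared
```

Vetting `calc_free` flags the payload twice: the Diff pass sees it as the only code added on top of `calc`, and the Com pass sees it shared with `flashlight`, whose UI has nothing in common with a calculator. The same run does not flag `notes`, which shares only the whitelisted library methods, which is why the library-removal step matters before either comparison.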