Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
3-2018
Abstract
The popularity of the Android platform on mobile devices has attracted much attention from developers and researchers, as well as from malware writers. Recently, Jamrozik et al. proposed a technique to secure Android applications, referred to as mining sandboxes. They used an automated test case generation technique to explore the behavior of the app under test and then extracted the set of sensitive APIs that were called. Based on the extracted sensitive APIs, they built a sandbox that blocks access to APIs not used during testing. However, they evaluated the proposed technique only with benign apps and did not investigate whether it is effective in detecting the malicious behavior of malware that infects benign apps. Furthermore, they investigated only one test case generation tool (i.e., Droidmate) to build the sandbox, while many others have been proposed in the literature. In this work, we complement Jamrozik et al.'s work in two ways: (1) we evaluate the effectiveness of mining sandboxes in detecting malicious behaviors; (2) we investigate the effectiveness of multiple automated test case generation tools for mining sandboxes. To investigate the effectiveness of mining sandboxes in detecting malicious behaviors, we make use of pairs consisting of a malware sample and the benign app it infects. We build a sandbox based on the sensitive APIs called by the benign app and check whether it can identify malicious behaviors in the corresponding malware. To generate inputs to apps, we investigate five popular test case generation tools: Monkey, Droidmate, Droidbot, GUIRipper, and PUMA. We conduct two experiments to evaluate the effectiveness and efficiency of these test case generation tools in detecting malicious behavior. In the first experiment, we select 10 apps and allow the test case generation tools to run for one hour; in the second experiment, we select 102 pairs of apps and allow the test case generation tools to run for one minute.
Our experiments highlight that 75.5%-77.2% of the malware in our dataset can be uncovered by mining sandboxes, showing its power to protect Android apps. We also find that Droidbot performs best in generating test cases for mining sandboxes, and that its effectiveness can be further boosted when it is coupled with other test case generation tools.
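The experimental setup the abstract describes, as an added illustration that is not code from the paper or its authors: a test generation tool drives the benign app, the sensitive APIs it observes become an allowlist (the mined sandbox), and the infected variant of the same app is flagged when, under the same tool, it calls a sensitive API outside that allowlist. Coupling tools is modelled as taking the union of their traces. The tool names follow the abstract, but the API names, the traces and the three-pair dataset are constructed for this example and are not the paper's data.

```python
"""Mined-sandbox check over (benign app, infected variant) pairs.
Added illustration; not the paper's code. All traces are constructed."""
from typing import Dict, FrozenSet, Iterable, List, Sequence, Tuple

# One pair, as the paper pairs them. Each test generation tool drives both
# apps and yields the sensitive APIs it observed:
#   tool name -> (benign trace, malware trace)
Pair = Dict[str, Tuple[List[str], List[str]]]

# Constructed Android-style API names, chosen for illustration only.
DEVICE_ID = "android.telephony.TelephonyManager.getDeviceId"
LOCATION = "android.location.LocationManager.getLastKnownLocation"
CONNECT = "java.net.HttpURLConnection.connect"
SEND_SMS = "android.telephony.SmsManager.sendTextMessage"

# Constructed dataset of three pairs. No tool reaches every screen within
# its time budget, so which sensitive APIs get observed depends on the tool.
PAIRS: List[Pair] = [
    {   # the random tester never reaches the code path that sends SMS; Droidbot does
        "monkey":   ([DEVICE_ID, LOCATION], [DEVICE_ID, LOCATION]),
        "droidbot": ([DEVICE_ID, LOCATION, CONNECT], [DEVICE_ID, CONNECT, SEND_SMS]),
    },
    {   # the reverse: only the random tester stumbles into the device-id read
        "monkey":   ([CONNECT], [CONNECT, DEVICE_ID]),
        "droidbot": ([CONNECT, LOCATION], [CONNECT, LOCATION]),
    },
    {   # the injected behaviour is never exercised by either tool
        "monkey":   ([CONNECT], [CONNECT]),
        "droidbot": ([CONNECT], [CONNECT]),
    },
]


def mine_sandbox(traces: Iterable[Sequence[str]]) -> FrozenSet[str]:
    """Allowlist = every sensitive API seen while testing the benign app.
    Several tools are coupled by taking the union of their traces."""
    allowed = set()
    for trace in traces:
        allowed.update(trace)
    return frozenset(allowed)


def blocked_calls(sandbox: FrozenSet[str], trace: Sequence[str]) -> List[str]:
    """Sensitive APIs in `trace` the sandbox would block, first-seen order, no repeats."""
    seen, blocked = set(), []
    for api in trace:
        if api not in sandbox and api not in seen:
            seen.add(api)
            blocked.append(api)
    return blocked


def check_pair(pair: Pair, tools: Sequence[str]) -> List[str]:
    """Mine the sandbox from the benign traces of `tools`, then run the
    malware traces produced by the same tools against it."""
    benign = [pair[t][0] for t in tools if t in pair]
    malware = [api for t in tools if t in pair for api in pair[t][1]]
    return blocked_calls(mine_sandbox(benign), malware)


def detection_rate(pairs: Sequence[Pair], tools: Sequence[str]) -> float:
    """Fraction of pairs whose malware trips the mined sandbox at least once."""
    if not pairs:
        return 0.0
    detected = sum(1 for p in pairs if check_pair(p, tools))
    return detected / len(pairs)


if __name__ == "__main__":
    for tools in (["monkey"], ["droidbot"], ["monkey", "droidbot"]):
        print(f"{'+'.join(tools):16s} detection rate = {detection_rate(PAIRS, tools):.2f}")
    print("pair 0 under droidbot, blocked:", check_pair(PAIRS[0], ["droidbot"]))
```

On the constructed data each tool alone uncovers one of the three infected variants and the coupled run uncovers two, which is the shape of the abstract's finding that coupling tools can boost detection. The caveat a practitioner should keep in mind is that the union also enlarges the allowlist: a benign API a second tool happens to reach is no longer blocked, so coupling trades fewer false blocks on the benign app against a more permissive sandbox.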
Keywords
Android Malware, Automated Test Case Generation, Mining Sandboxing
Discipline
Databases and Information Systems | Information Security | Numerical Analysis and Scientific Computing
Research Areas
Data Science and Engineering
Publication
2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER): Campobasso, Italy, March 20-23: Proceedings
First Page
445
Last Page
455
ISBN
9781538649695
Identifier
10.1109/SANER.2018.8330231
Publisher
IEEE Computer Society
City or Country
Los Alamitos, CA
Citation
BAO, Lingfeng; LE, Tien Duy B.; and LO, David.
Mining sandboxes: Are we there yet? (2018). 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER): Campobasso, Italy, March 20-23: Proceedings. 445-455.
Available at: https://ink.library.smu.edu.sg/sis_research/4110
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/SANER.2018.8330231
Included in
Databases and Information Systems Commons, Information Security Commons, Numerical Analysis and Scientific Computing Commons