Publication Type
Conference Proceeding Article
Version
acceptedVersion
Publication Date
12-2018
Abstract
Android is the most widely used mobile operating system with billions of users and devices. The popularity of Android apps have enticed malware writers to target them. Recently, Jamrozik et al. proposed an approach, named Boxmate, to mine sandboxes to protect Android users from malicious behaviors. In a nutshell, Boxmate analyzes the execution of an app, and collects a list of sensitive APIs that are invoked by that app in a monitoring phase. Then, it constructs a sandbox that can restrict accesses to sensitive APIs not called by the app. In such a way, malicious behaviors that are not observed in the monitoring phase – occurring, for example, due to malicious code injection during an attack – can be prevented. Nevertheless, Boxmate only focuses on a specific API type (i.e., sensitive APIs); it also ignores parameter values of many API methods and requested permissions during the execution of a target app. As a result, Boxmate is not able to detect malicious behaviors in many cases. In this work, we address the limitation of Jamrozik et al.’s work by considering input parameters of many different types of API methods for mining a more comprehensive sandbox. Given a benign app, we first extract a list of Android permissions that the app may request during its execution. Next, we leverage an automated test case generation tool, named Droidbot, to generate a rich set of GUI test cases for exploring behaviors of the app. During the execution of these test cases, we analyze the execution of four different types of API methods. Furthermore, we record input parameters to these API methods, and classify those into four different categories. We leverage the collected parameter values, and the list of requested permissions to create a sandbox that can protect users from malicious behaviors. Our experiments on 25 pairs of real benign and malicious apps show that our approach is more effective than the coarseand fine-grained variants of Boxmate by 267.37% and 81.64% in terms of Fmeasure respectively.
Keywords
Android security, Malicious behavior detection, Mining sandboxes
Discipline
Databases and Information Systems | Numerical Analysis and Scientific Computing
Research Areas
Data Science and Engineering
Publication
ICECCS 2018: 23rd International Conference on Engineering of Complex Computer Systems: Proceedings : 12-14 December, Melbourne, Australia
First Page
51
Last Page
60
ISBN
9781538693414
Identifier
10.1109/ICECCS2018.2018.00014
Publisher
IEEE Computer Society
City or Country
Los Alamitos, CA
Citation
LE, Tien-Duy B.; BAO, Lingfeng; LO, David; GAO, Debin; and LI, Li.
Towards mining comprehensive Android sandboxes. (2018). ICECCS 2018: 23rd International Conference on Engineering of Complex Computer Systems: Proceedings : 12-14 December, Melbourne, Australia. 51-60.
Available at: https://ink.library.smu.edu.sg/sis_research/4289
Copyright Owner and License
Authors
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Additional URL
https://doi.org/10.1109/ICECCS2018.2018.00014
Included in
Databases and Information Systems Commons, Numerical Analysis and Scientific Computing Commons