Presentation is loading. Please wait.

Presentation is loading. Please wait.

AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie Joint Work w/ David Yang, Sihan Li (Illinois) Xusheng Xiao,

Published byElinor Gilbert Modified over 8 years ago

Similar presentations

Presentation on theme: "AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie Joint Work w/ David Yang, Sihan Li (Illinois) Xusheng Xiao,"— Presentation transcript:

1 AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie Joint Work w/ David Yang, Sihan Li (Illinois) Xusheng Xiao, Benjamin Andow, Rahul Pandita, William Enck (NCSU)

2 Mobile App Markets Apple App Store Google Play Microsoft Windows Phone

3 App Store beyond Mobile Apps!

4 App Store within Mobile App!

5 What If Formal Specs Are Written?! 5 APP DEVELOPERS APP USERS App Functional Requirements App Security Requirements User Functional Requirements User Security Requirements informal: app description, etc. permission list, etc. App Code

6 Informal App Functional Requirements: App Description 6 App Code App Permissions

7 App Security Requirements: Permission List 7

8 What If Formal Specs Are Written?! 8 APP DEVELOPERS APP USERS App Functional Requirements App Security Requirements User Functional Requirements User Security Requirements informal: app description, etc. permission list, etc. App Code

9 Example Andriod App: Angry Birds 9

10 What If Formal Specs Are Written?! 10 APP DEVELOPERS APP USERS App Functional Requirements App Security Requirements User Functional Requirements User Security Requirements In reality, few of these requirements are (formally) specified!!  Hope?!: Bring human into the loop: user perception + judgment informal: app description, etc. permission list, etc. App Code

11 Our Yin-Yang View on Mobile App Security 11 App Description App Code App Permissions User-Perceived Information App Security Behavior o Reason about user-perceived info, e.g., WHYPER ( ) o Push app security behavior across the boundary, e.g., AppContext (  ) o Check consistency across the boundary (  ) o Reduce user judgment effort ( ) App UIs, App categories, App metadata, User forums, … [functional] [security]

12 o Apple (Market’s Responsibility) o Apple performs manual inspection o Google (User’s Responsibility) o Users approve permissions for security/privacy o Bouncer (static/dynamic malware analysis) o Windows Phone (Hybrid) o Permissions / manual inspection Assuring Market Security/Privacy 12

13 o Previous approaches look at permissions  code (runtime behaviors) o What does the users expect? o GPS Tracker: record and send location o Phone-Call Recorder: record audio during phone call Program Analysis + Natural Language Processing 13 App Description App Code App Permissions

14 o User expectations o user perception + user judgment o Focus on permission  app descriptions o permissions (protecting user understandable resources) should be discussed Vision “Bridging the gap between user expectation  app behaviors” 14 App Description Sentence Permission Linkage

15 WHYPER Overview 15 Pandita et al. WHYPER: Towards Automating Risk Assessment of Mobile Applications. USENIX Security 2013 http://web.engr.illinois.edu/~taoxie/publications/usenixsec13-whyper.pdf Enhance user experience while installing apps Enforce functionality disclosure on developers Complement program analysis to ensure justifications

16 Example Sentence in App Desc. 16 E.g., “Also you can share the yoga exercise to your friends via Email and SMS.” –Implication of using the contact permission –Permission sentences Keyword-based search on application descriptions

17 Problems with Ctrl + F Confounding effects: –Certain keywords such as “contact” have a confounding meaning –E.g., “... displays user contacts,...” vs “... contact me at abc@xyz.com”. abc@xyz.com Semantic inference: –Sentences often describe a sensitive operation without actually referring to keywords –E.g., “share yoga exercises with your friends via Email and SMS” 17

18 Natural Language Processing Natural Language Processing (NLP) techniques help computers understand NL artifacts In general, NLP is still difficult NLP on domain specific sentences with specific styles is feasible –Text2Policy: extraction of security policies from use cases [FSE 12] –APIInfer: inferring contracts from API docs [ICSE 12] –WHYPER: domain knowledge from API docs [USENIX Security 13]

19 Overview of WHYPER 19 APP Description APP Permission Semantic Graphs Preprocessor Intermediate Representation Generator Semantic Engine NLP Parser Semantic Graph Generator API Docs Annotated Description FOL Representation WHYPER Domain Knowledge

20 Evaluation 20 Subjects –Permissions: READ_CONTACTS READ_CALENDAR RECORD_AUDIO –581 application descriptions –9,953 sentences Evaluation setup –Manual annotation of the sentences –WHYPER for identifying permission sentences –Comparison to keyword-based searching

21 Evaluation Results Precision and recall of WHYPER –Average precision (82.8%) and recall (81.5%) Comparison to keyword-based searching –Improving precision (41.6%) and recall (-1.2%) 21 PermissionKeywords READ_CONTACTS contact, data, number, name, email READ_CALENDAR calendar, event, date, month, day, year RECORD_AUDIO record, audio, voice, capture, microphone

22 Incorrect parsing “MyLink Advanced provides full synchronization of all Microsoft Outlook emails (inbox, sent, outbox and drafts), contacts, calendar, tasks and notes with all Android phones via USB” Synonym analysis Ex non-permission sentence: “You can now turn recordings into ringtones.” functionality that allows users to create ringtones from previously recorded sounds but NOT requiring permission to record audio false positive due to using synonym: (turn, start ) Result Analysis (False Positives) 22

23 Incorrect parsing Incorrect identification of sentence boundaries and limitations of underlying NLP infrastructure Limitations of Semantic Graphs Ex. permission sentence: “blow into the mic to extinguish the flame like a real candle” false negative due to failing to associate “blow into” with “record” Automatic mining from user comments and forums Result Analysis (False Negatives) 23

24 Our Yin-Yang View on Mobile App Security 24 App Description App Code App Permissions User-Perceived Information App Security Behavior o Reason about user-perceived info, e.g., WHYPER ( ) o Push app security behavior across the boundary, e.g., AppContext (  ) o Check consistency across the boundary (  ) o Reduce user judgment effort ( ) App UIs, App categories, App metadata, User forums, … [functional] [security]

25 Related Work AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction. Jianjun Huang, Xiangyu Zhang, Lin Tan, Peng Wang, and Bin Liang. ICSE 2014. Checking App Behavior Against App Descriptions. Alessandra Gorla and Ilaria Tavecchia and Florian Gross and Andreas Zeller. ICSE 2014.

26 AsDroid: Detecting Stealthy Behaviors in Android Applications [ICSE’14 Huang et al.] 26 “One-Click Register & Login”

27 CHABADA: Checking App Behavior Against App Descriptions [ICSE’14 Gorla et al.] ICSE 201227

28 Our Yin-Yang View on Mobile App Security 28 App Description App Code App Permissions User-Perceived Information App Security Behavior o Reason about user-perceived info, e.g., WHYPER ( ) o Push app security behavior across the boundary, e.g., AppContext (  ) o Check consistency across the boundary (  ) o Reduce user judgment effort ( ) App UIs, App categories, App metadata, User forums, … [functional] [security]

29 How to Detect Malware? –Static check of code Producing false positives –Dynamic check of behavior Producing false negatives “Damage” might be done already

30 How to Define Malicious Behavior? –What makes a behavior (app) malicious? –Existing techniques Permissions API Method Calls Information Flows

31 How to Define Malicious Behavior?: Examples –Sending a text msg to a premium number to charge money –Taking all of your contacts and sends them to some server –Tracking your current position Being legitimate payment method for unlocking game features in Andriod. (Same Permission, Same API) Being done by WhatsApp upon initialization (acquired by Facebook for $19 billion in Feb 14) (Same Permission, Same API, Same Information flow) Being done by TapSnake (a clone of the Snake game, also a spyware to track a phone’s location) (Same Permission, Same API, Same Information flow)

32 Motivation Fundamental difference between malware & benign apps: different design principles Benign apps Meet requirements from users (as delivering utility) Malware Meet requirements from users (as covering up) Trigger executing malicious behaviors frequently to seek max benefits (as delivering “utility”) Evade detection to prolong lifetime (as covering up)

33 Motivation - cont. Mobile malware leverage two major mobile-platform features Frequent occurrences of imperceptible system events E.g., many malware families trigger malicious behaviors via background events; in contrast, UI events activate when users using the app  users are around!! Indicative changes in external environments  users not around!!! E.g., DroidDream malware families suppress/trigger malicious behaviors during day/night time Malware strive to reach a balance between prolonging life time and increasing invocation chance, e.g., malicious behaviors invoked frequently enough to meet the need, e.g., a few clicks/day from the device to improve search engine ranking of website X not too frequently/not wrong timing for users to notice anomaly

34 Example ActionReceiver.OnReceive() Date date = new Date(); If(data.getHours>23 || date.getHours< 5 ){ ContextWrapper.StartService(MainService); … MainService.OnCreate() DummyMainMethod() SendTextActivity$4.onClick() SplashActivity.OnCreate() SmsManager.sendTextMessage() long last = db.query(“LastConnectTime"); long current = System.currentTimeMillis(); If(current – last > 43200000 ){ SmsManager.sendTextMessage(); db.save(“LastConnectTime”, current); … SendTextActivity$5.run() MainService.b() ContextWrapper.StartService() The app will send a SMS when phone signal strength changes and current time is within 11PM-5 AM

35 Example ActionReceiver.OnReceive() Date date = new Date(); If(data.getHours>23 || date.getHours< 5 ){ ContextWrapper.StartService(MainService); … MainService.OnCreate() DummyMainMethod() SendTextActivity$4.onClick() SplashActivity.OnCreate() SmsManager.sendTextMessage() long last = db.query(“LastConnectTime"); long current = System.currentTimeMillis(); If(current – last > 43200000 ){ SmsManager.sendTextMessage(); db.save(“LastConnectTime”, current); … SendTextActivity$5.run() MainService.b() ContextWrapper.StartService() The app will send a SMS when user enters the app and (current time – time when last msg sent) >12 hours

36 Example ActionReceiver.OnReceive() Date date = new Date(); If(data.getHours>23 || date.getHours< 5 ){ ContextWrapper.StartService(MainService); … MainService.OnCreate() DummyMainMethod() SendTextActivity$4.onClick() SplashActivity.OnCreate() SmsManager.sendTextMessage() long last = db.query(“LastConnectTime"); long current = System.currentTimeMillis(); If(current – last > 43200000 ){ SmsManager.sendTextMessage(); db.save(“LastConnectTime”, current); … SendTextActivity$5.run() MainService.b() ContextWrapper.StartService() The app will send a SMS when user clicks a button in the app

37 AppContext [Yang et al. ICSE 2015] Permission protected API methods Sources & Sinks of information flows Reflections and dynamic code loading

38 AppContext Activation event1: Signal strength changes Activation event2: Entering the app Activation event1: Clicking a button

39 AppContext

40 If(data.getHours>23 || date.getHours< 5 ) If(current – last > 43200000 ) Date date = new Date(); db.query(“LastConnectTime") System.currentTimeMillis() Conditional Stmt Information Flow Environment-property Method Calendar SystemTime DataBase Context Factors SmsManager.sendTextMessage() Context1: (Event: Signal strength changes), (Factor: Calendar) Context2: (Event: Entering app), (Factor: Database, SystemTime) Context3: (Event: Clicking a button) Context factors: environmental attributes for affecting security-sensitive behavior’s invocation (or not)

41 Context-based Security-Behavior Classification Step 1. Transform contexts for each app’s security behavior as features Step 2. Label each behavior in training set as malware or benign Step 3. Learn a predictive model via ML technique, e.g., support vector machine (SVM) Step 4. Classify an unlabeled behavior as malware or benign based on the model Vague and subjective by nature when reasoning about maliciousness of a behavior Difficult to determine a proper threshold Addressing Challenges:

42 Evaluation Security behaviors as reflective or dynamic code loading method calls Among all 922 malicious reflective method calls, accurately identify 872 malicious method calls and misidentify 180 benign method calls 82.9% precision, 94.5% recall Of all 787 malicious dynamic code loading method calls, accurately identify 710 malicious method calls and misidentify 137 benign method calls 83.8% precision, 90.2% recall Security behaviors as all security- sensitive method calls Main Results

43 Summary of Findings Activation events effectively help identify malicious method calls without context factors Context factors effectively help identify malicious behaviors triggered by UI events (activation events) Context factors also differentiate controls of security-sensitive method calls (e.g., TelephonyManager.getDeviceId for reading device info) in benign apps and malware benign apps: read device info only when auto logins are successful Context factors: info from database or Internet malware: directly read and send device info to a server Context factors: NONE

44 Road Ahead: Yin-Yang View 44 App Description App Code App Permissions User-Perceived Information App Security Behavior o Reason about user-perceived info, e.g., WHYPER ( ) o Push app security behavior across the boundary, e.g., AppContext (  ) o Check consistency across the boundary (  ) o Reduce user judgment effort ( ) App UIs, App categories, App metadata, User forums, … [functional] [security]

45 45 App Description App Code App Permissions taoxie@illinois.edu App UIs, App categories, App metadata, User forums, … Acknowledgments: Supported in part by NSA Science of Security (SoS) Lablet

46 User Expectations and App Behaviors User expectations are reflected via user perceptions of app behaviors (in combination with user judgments) There are gaps btw. user expectations and application behaviors Some application behaviors may be user imperceptible, or contradict w/ user perceptions The user/inspector may not be able to make right judgments based on perceived information User Expectations User Perceptions App Behaviors Interfaces, Descriptions, Usage scenarios etc. User judgments, Privacy requirements

47 Bridging User Expectations and Application Behaviors User expectations are reflected via user perceptions of app behaviors (in combination with user judgments) There are gaps btw. user expectations and application behaviors Some application behaviors may be user imperceptible, or contradict w/ user perceptions The user/inspector may not be able to make right judgments based on perceived information User-Aware Privacy Control ASE 2012 User-Aware Privacy Control ASE 2012 AppContext ICSE 2015 AppContext WHYPER USENIX Security 2013 WHYPER

Download ppt "AppContext: Differentiating Malicious and Benign Mobile App Behavior Under Contexts Tao Xie Joint Work w/ David Yang, Sihan Li (Illinois) Xusheng Xiao,"

Similar presentations

Advanced topics in touchdevelop privacy transparent privacy control via information flow analysis Disclaimer: This document is provided “as-is”. Information.

Advanced topics in touchdevelop privacy transparent privacy control via information flow analysis Disclaimer: This document is provided “as-is”. Information.
Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.

Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.
Bernd Bruegge & Allen Dutoit Object-Oriented Software Engineering: Conquering Complex and Changing Systems 1 Software Engineering September 12, 2001 Capturing.

Bernd Bruegge & Allen Dutoit Object-Oriented Software Engineering: Conquering Complex and Changing Systems 1 Software Engineering September 12, 2001 Capturing.
Android Permission Presenter: Zhengyang Qu.

Android Permission Presenter: Zhengyang Qu.
Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.

Android Security. N-Degree of Separation Applications can be thought as composed by Main Functionality Several Non-functional Concerns Security is a non-functional.
Fòmasyon Itilizatè Ayiti Office 365 Fòmasyon. Why the Change? Partners in Health's new hosted Microsoft Office 365 solution allows users to access their.

Fòmasyon Itilizatè Ayiti Office 365 Fòmasyon. Why the Change? Partners in Health's new hosted Microsoft Office 365 solution allows users to access their.
AutoCog: Measuring the Description-to-permission Fidelity in Android Applications Zhengyang Qu1, Vaibhav Rastogi1, Xinyi Zhang1,2, Yan Chen1, Tiantian.

AutoCog: Measuring the Description-to-permission Fidelity in Android Applications Zhengyang Qu1, Vaibhav Rastogi1, Xinyi Zhang1,2, Yan Chen1, Tiantian.
Creating Architectural Descriptions. Outline Standardizing architectural descriptions: The IEEE has published, “Recommended Practice for Architectural.

Creating Architectural Descriptions. Outline Standardizing architectural descriptions: The IEEE has published, “Recommended Practice for Architectural.
1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.

1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.
AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction Jianjun Huang, Xiangyu Zhang, Lin Tan,

AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction Jianjun Huang, Xiangyu Zhang, Lin Tan,
/* iComment: Bugs or Bad Comments? */

/* iComment: Bugs or Bad Comments? */
WHYPER: Towards Automating Risk Assessment of Mobile Applications Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie ♠ Department of Computer.

WHYPER: Towards Automating Risk Assessment of Mobile Applications Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie ♠ Department of Computer.
Tao Xie University of Illinois at Urbana-Champaign 0

Tao Xie University of Illinois at Urbana-Champaign 0
Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense

Audumbar Chormale Advisor: Dr. Anupam Joshi M.S. Thesis Defense
A Social Help Engine for Online Social Network Mobile Users Tam Vu, Akash Baid WINLAB, Rutgers University May 21,

A Social Help Engine for Online Social Network Mobile Users Tam Vu, Akash Baid WINLAB, Rutgers University May 21,
A Survey of Mobile Phone Sensing Michael Ruffing CS 495.

A Survey of Mobile Phone Sensing Michael Ruffing CS 495.
William Enck, Machigar Ongtang, and Patrick McDaniel.

William Enck, Machigar Ongtang, and Patrick McDaniel.
Company/Product Overview. You have lots of files all over the place.

Company/Product Overview. You have lots of files all over the place.
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

Similar presentations

Ads by Google