DOI: 10.1145/2611765.2611767

Morpheus: benchmarking computational diversity in mobile malware

Published: 15 June 2014

Abstract

Computational characteristics of a program can potentially be used to distinguish malicious programs from benign ones. However, systematically evaluating malware detection techniques is a hard problem, especially when malware samples are hard to run correctly and can adapt their computational characteristics.
We introduce Morpheus, a benchmarking tool that includes both real mobile malware and a synthetic malware generator that can be configured to produce a computationally diverse malware sample set, as a tool for evaluating malware detection based on computational signatures. Morpheus also includes a set of computationally diverse benign applications into which malware can be repackaged, along with a recorded trace of over one hour of realistic human usage for each app that can be used to replay both benign and malicious executions.
The current Morpheus prototype targets Android applications and malware samples. Using Morpheus, we quantify the computational diversity in malware behavior and expose opportunities for dynamic analyses that can detect mobile malware. Specifically, the use of obfuscation and encryption to thwart static analyses makes the malicious execution more distinctive, a potential opportunity for detection. We also present potential challenges, specifically minimizing the false positives that can arise from the diversity of benign executions.
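As an added illustration (not code from the Morpheus paper or its authors), the block below builds the simplest kind of computational-signature detector the abstract has in mind: a benign model learned from hardware-counter-style feature vectors, a distance threshold derived from the benign diversity seen in training, and a test set containing apps repackaged with a payload whose obfuscated unpack/decrypt loop runs hot. All feature values are constructed and made up; the app names, the three features and the `margin` parameter are assumptions chosen for illustration. On this toy data it reproduces both observations of the abstract: the payload windows land far from the benign model, and a benign app that legitimately runs a cipher loop (the constructed `vpn_client`) is flagged at the same threshold, which is exactly the false-positive problem the paper raises.

```python
"""Toy computational-signature detector of the kind Morpheus is built to benchmark.

Added example, not code from the Morpheus paper or its authors. The feature
vectors are constructed, made-up hardware-counter-style ratios for one sampling
window each (instructions per cycle, branch-miss rate, L1 data-cache miss
rate); a real detector would fill them from PMU readings of the app under test.
"""
from __future__ import annotations

from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev

FEATURES = ("ipc", "branch_miss_rate", "dcache_miss_rate")


@dataclass(frozen=True)
class Sample:
    app: str
    label: str              # ground truth: "benign" or "malicious"
    vec: tuple[float, ...]  # one value per entry of FEATURES


@dataclass(frozen=True)
class Model:
    mu: tuple[float, ...]
    sigma: tuple[float, ...]
    threshold: float


def distance(model: Model, vec: tuple[float, ...]) -> float:
    """Distance from the benign centroid in z-score space (diagonal Mahalanobis)."""
    return sqrt(sum(((x - m) / s) ** 2 for x, m, s in zip(vec, model.mu, model.sigma)))


def fit(benign: list[Sample], margin: float = 1.5) -> Model:
    """Learn per-feature mean/std from benign windows. The alarm threshold is
    `margin` times the largest distance any benign training window has from
    that model, i.e. the benign diversity seen in training sets the bar."""
    cols = list(zip(*(s.vec for s in benign)))
    mu = tuple(mean(c) for c in cols)
    sigma = tuple(max(pstdev(c), 1e-9) for c in cols)  # guard against zero variance
    base = Model(mu, sigma, float("inf"))
    worst = max(distance(base, s.vec) for s in benign)
    return Model(mu, sigma, margin * worst)


def classify(model: Model, samples: list[Sample]) -> dict[str, str]:
    """Map each sample's app name to the detector's verdict."""
    return {s.app: "malicious" if distance(model, s.vec) > model.threshold else "benign"
            for s in samples}


def confusion(model: Model, samples: list[Sample]) -> dict[str, int]:
    """Count TP/FP/FN/TN of the verdicts against the ground-truth labels."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for s in samples:
        verdict = "malicious" if distance(model, s.vec) > model.threshold else "benign"
        hit, flagged = s.label == "malicious", verdict == "malicious"
        counts["tp" if hit and flagged else "fn" if hit else "fp" if flagged else "tn"] += 1
    return counts


# Constructed training windows from benign apps (all numbers made up).
BENIGN_TRAIN = [
    Sample("browser", "benign", (1.10, 0.040, 0.020)),
    Sample("browser", "benign", (1.00, 0.045, 0.022)),
    Sample("game", "benign", (1.60, 0.020, 0.050)),
    Sample("game", "benign", (1.50, 0.022, 0.048)),
    Sample("messenger", "benign", (0.90, 0.050, 0.015)),
    Sample("messenger", "benign", (0.95, 0.048, 0.016)),
]

# Constructed test windows: fresh runs of the benign apps, two of them repackaged
# with a payload whose unpack/decrypt loop runs hot (high IPC, few branch and
# cache misses), and one benign VPN client whose own cipher loop looks the same.
TEST = [
    Sample("browser", "benign", (1.05, 0.042, 0.021)),
    Sample("game", "benign", (1.55, 0.021, 0.049)),
    Sample("browser+obfuscated_payload", "malicious", (2.40, 0.004, 0.005)),
    Sample("messenger+obfuscated_payload", "malicious", (2.30, 0.005, 0.006)),
    Sample("vpn_client", "benign", (2.20, 0.006, 0.007)),
]


if __name__ == "__main__":
    model = fit(BENIGN_TRAIN)
    for app, verdict in classify(model, TEST).items():
        print(f"{app:32s} {verdict}")
    print(confusion(model, TEST))
```

The threshold is deliberately tied to the most unusual benign training window: widening the benign set (the computationally diverse benign applications Morpheus ships) raises the bar and removes the `vpn_client` false positive, but at the cost of letting a less distinctive payload slip under it, which is the trade-off the benchmark is meant to quantify.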

      Published In

      HASP '14: Proceedings of the Third Workshop on Hardware and Architectural Support for Security and Privacy
      June 2014
      89 pages
      ISBN: 9781450327770
      DOI: 10.1145/2611765
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. mobile malware
      2. performance counters
      3. security

      Qualifiers

      • Research-article

      Conference

      HASP '14

      Acceptance Rates

      Overall Acceptance Rate 9 of 13 submissions, 69%

      Cited By

      • Taming Reflection. ACM Transactions on Software Engineering and Methodology 30(3):1-36, April 2021. DOI: 10.1145/3440033
      • Remote Non-Intrusive Malware Detection for PLCs based on Chain of Trust Rooted in Hardware. 2021 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 369-384, September 2021. DOI: 10.1109/EuroSP51992.2021.00033
      • HART: Hardware-Assisted Kernel Module Tracing on Arm. Computer Security – ESORICS 2020, pp. 316-337, September 2020. DOI: 10.1007/978-3-030-58951-6_16
      • SoK: The Challenges, Pitfalls, and Perils of Using Hardware Performance Counters for Security. 2019 IEEE Symposium on Security and Privacy (SP), pp. 20-38, May 2019. DOI: 10.1109/SP.2019.00021
      • DroidRista: a highly precise static data flow analysis framework for android applications. International Journal of Information Security, October 2019. DOI: 10.1007/s10207-019-00471-w
      • URefFlow: A Unified Android Malware Detection Model Based on Reflective Calls. 2018 IEEE 37th International Performance Computing and Communications Conference (IPCCC), pp. 1-7, November 2018. DOI: 10.1109/PCCC.2018.8711111
      • When Group Buying Meets Wi-Fi Advertising. 2018 IEEE 37th International Performance Computing and Communications Conference (IPCCC), pp. 1-8, November 2018. DOI: 10.1109/PCCC.2018.8711007
      • FGFDect: A Fine-Grained Features Classification Model for Android Malware Detection. Security and Privacy in Communication Networks, pp. 281-293, December 2018. DOI: 10.1007/978-3-030-01701-9_16
      • The Evolution of Android Malware and Android Analysis Techniques. ACM Computing Surveys 49(4):1-41, January 2017. DOI: 10.1145/3017427
      • Quantifying and improving the efficiency of hardware-based mobile malware detectors. The 49th Annual IEEE/ACM International Symposium on Microarchitecture, pp. 1-13, October 2016. DOI: 10.5555/3195638.3195683
