Android Malware Detection Using Auto-Regressive Moving-Average Model

Android Malware Detection Technique Using an Autoregressive Moving-Average Model

  • Kim, Hwan-Hee (Dept. of Computer Science, Kangwon National University)
  • Choi, Mi-Jung (Dept. of Computer Science, Kangwon National University)
  • Received : 2015.03.22
  • Accepted : 2015.08.10
  • Published : 2015.08.31

Abstract

Recently, the performance of smart devices has become almost comparable to that of existing PCs, so users of smart devices can perform tasks such as messaging, SNSs (Social Network Services), and smart banking that were originally performed in the PC environment. Although the development of smart devices has had positive impacts, it has also caused negative changes such as an increase in security threats aimed at the mobile environment. Specifically, threats to mobile devices such as leaking private information, generating unfair billing, and performing DDoS (Distributed Denial of Service) attacks have continuously increased. Over 80% of mobile devices use the Android platform, so the number of damage cases caused by mobile malware on the Android platform is also increasing. In this paper, we propose an Android-based malware detection mechanism using time-series analysis, which is one of the statistics-based detection methods. We use the auto-regressive moving-average model, which among time-series models extracts accurate predictive values from existing data. We also use a fast and exact malware detection method that extracts possible malware data through the Z-Score. We validate the proposed methods through experimental results.

Recently, as smart devices have come to show performance similar to PCs, users can now perform on mobile devices the tasks they used to perform on PCs, such as messaging, SNS (Social Network Service), and banking. Along with these positive changes, a negative change has also appeared: attacks targeting smart devices and the resulting increase in security threats. Representative examples are the leakage of users' personal information and unfair billing, and more recently smart devices have been used as bots that launch DDoS (Distributed Denial of Service) attacks, so threats to mobile security are increasing. In particular, the number of damage cases caused by malware on the Android platform, which accounts for over 80% of smart devices, is increasing. In this paper, we propose a time-series analysis method, one of the statistics-based analysis methods, to detect Android malware. Among time-series models we use the auto-regressive moving-average model, which can derive accurate predicted values from existing data, and by extracting a candidate set of abnormal data with the Z-Score we detect malware quickly by comparing data only against the extracted candidate set rather than against the entire data set. We validate the proposed method through malware detection experiment results.
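The two-stage pipeline the abstracts describe (ARMA one-step-ahead prediction, then Z-Score screening of the prediction errors so that only a small candidate set is examined), as an added example that is not code from the paper. It assumes an ARMA(1,1) model estimated with the Hannan-Rissanen two-stage least-squares method, a Z-Score threshold of 3, and a constructed per-minute outbound-traffic trace of one device; the paper states none of these specifics.

```python
import numpy as np

def fit_arma(y, p=1, q=1, m=6):
    """ARMA(p, q) via Hannan-Rissanen (assumed estimator; the paper names none):
    stage 1 fits a long AR(m) by OLS to approximate the innovations e_t,
    stage 2 regresses x_t on p lags of x and q lags of those innovations."""
    mu = float(np.mean(y))
    x = np.asarray(y, dtype=float) - mu
    n = len(x)
    lag = lambda v, k, start: v[start - k:n - k]      # v[t-k] for t = start..n-1
    X1 = np.column_stack([lag(x, k, m) for k in range(1, m + 1)])
    a = np.linalg.lstsq(X1, x[m:], rcond=None)[0]
    e = np.zeros(n)
    e[m:] = x[m:] - X1 @ a                            # stage-1 innovation estimates
    s = m + max(p, q)                                  # first t with all lags available
    X2 = np.column_stack([lag(x, i, s) for i in range(1, p + 1)]
                         + [lag(e, j, s) for j in range(1, q + 1)])
    coef = np.linalg.lstsq(X2, x[s:], rcond=None)[0]
    fitted = X2 @ coef                                 # one-step-ahead predictions
    return {"mu": mu, "phi": coef[:p], "theta": coef[p:], "start": s,
            "pred": fitted + mu, "resid": x[s:] - fitted}

def zscore_candidates(resid, threshold=3.0):
    """Z-Score screening: errors more than `threshold` std devs from the mean."""
    z = (resid - resid.mean()) / resid.std()
    return np.flatnonzero(np.abs(z) > threshold), z

def detect(y, p=1, q=1, threshold=3.0):
    # Returns (index, observed, predicted, z) for each candidate abnormal point
    model = fit_arma(y, p, q)
    idx, z = zscore_candidates(model["resid"], threshold)
    s = model["start"]
    return [(int(i + s), float(y[i + s]), float(model["pred"][i]), float(z[i]))
            for i in idx]

def sample_series(n=120, spike_at=90, seed=7):
    """Constructed trace: per-minute outbound traffic (KB) of one device, drawn
    from an ARMA(1,1) process around 200 KB with one injected 80 KB burst."""
    rng = np.random.default_rng(seed)
    eps = rng.normal(0.0, 5.0, n)
    x = np.zeros(n)
    for t in range(1, n):
        x[t] = 0.6 * x[t - 1] + eps[t] + 0.3 * eps[t - 1]
    y = 200.0 + x
    y[spike_at] += 80.0
    return y

if __name__ == "__main__":
    for i, obs, pred, z in detect(sample_series()):
        print(f"t={i}: observed {obs:.1f} KB, predicted {pred:.1f} KB, z={z:+.2f}")
```

The burst at minute 90 is the only point that must be screened in; the minute after it may also surface because the burst distorts the prediction for the next step, which is why the paper's second stage compares only the candidate set, not the whole trace.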

Cited by

  1. Research on Malware Classification with Network Activity for Classification and Attack Prediction of Attack Groups vol.42, pp.1, 2015, https://doi.org/10.7840/kics.2017.42.1.193
  2. Smartphone Possession and Location Verification Technique That Improves the Security Vulnerabilities of SMS-based Authentication vol.42, pp.2, 2017, https://doi.org/10.7840/kics.2017.42.2.349