Deep Learning for Android Application Ransomware Detection

Unknown Date

Smartphones and mobile tablets are rapidly growing, and very important nowadays. The most popular mobile operating system since 2012 has been Android. Android is an open source platform that allows developers to take full advantage of both the operating system and the applications itself. However, due to the open source community of an Android platform, some Android developers took advantage of this and created countless malicious applications such as Trojan, Malware, and Ransomware. All which are currently hidden in a large number of benign apps in official Android markets, such as Google PlayStore, and Amazon. Ransomware is a malware that once infected the victim’s device. It will encrypt files, unlock device system, and display a popup message which asks the victim to pay ransom in order to unlock their device or system which may include medical devices that connect through the internet. In this research, we propose to combine permission and API calls, then use Deep Learning techniques to detect ransomware apps from the Android market. Permissions setting and API calls are extracted from each app file by using a python library called AndroGuard. We are using Permissions and API call features to characterize each application, which can identify which application has potential to be ransomware or is benign. We implement our Android Ransomware Detection framework based on Keras, which uses MLP with back-propagation and a supervised algorithm. We used our method with experiments based on real-world applications with over 2000 benign applications and 1000 ransomware applications. The dataset came from ARGUS’s lab [1] which validated algorithm performance and selected the best architecture for the multi-layer perceptron (MLP) by trained our dataset with 6 various of MLP structures. Our experiments and validations show that the MLPs have over 3 hidden layers with medium sized of neurons achieved good results on both accuracy and AUC score of 98%. The worst score is approximately 45% to 60% and are from MLPs that have 2 hidden layers with large number of neurons. / Includes bibliography. / Thesis (M.S.)--Florida Atlantic University, 2018. / FAU Electronic Theses and Dissertations Collection

Deep learning

Malware (Computer software)--Prevention

Hitch-hiking attacks in online social networks and their defense via malicious URL classification. / CUHK electronic theses & dissertations collection

January 2012

近年來，網絡的犯罪數量一直在迅速增加。現在，惡意軟件作者編寫惡意程序竊取用戶的個人信息，或提供基於垃圾郵件的營銷服務為利潤的地方。為了更有效地傳播惡意軟件，黑客已經開始瞄準流行的在線社交網絡服務（SNS）的 SNS用戶和服務的互動性之間固有的信任關係。一種常見的攻擊方法是惡意軟件自動登錄使用偷來的 SNS用戶憑據，然後提供接觸/被盜的用戶帳戶的朋友名單，他們通過在一些短消息嵌入惡意 URL（鏈接）。受害人然後認為是他們的朋友提供的鏈接，按一下被感染。然而，這種方法是有效的，惡意軟件來模仿人類類似的行為，它可以超越任何一個/兩個班輪對話。在這篇論文中，我們首先介紹一個新類型的攻擊，提供惡意網址 SNS用戶之間的合法對話。為了證明其概念，我們設計和實施名為 Hitchbot惡意軟件[1]，其中包括多個攻擊源，為實現我們所提出的攻擊。特別是，當一個 SNS用戶發送一個鏈接/ URL到他/她的朋友，Hitchbot悄悄地取代類似，但惡意攔截在幾個可能的點之一，互動式輸入/輸出鏈接系統。由於惡意鏈接在一些適當的對話上下文之間的合法用戶交付，這使得它更難以對受害者（以及吊具）來實現攻擊，從而可以大幅增加轉換率。這方法也使 Hitchbot的繞過大多數現有的防禦計劃，主要是靠對用戶的行為或流量異常檢測。 Hitchbot是基於客戶端模塊的形式可以順利上常見的社交網絡服務，包括雅虎和微軟的郵件客戶端和其他基於 Web瀏覽器，如 Facebook和 MySpace的社交網絡服務的加息。為量化 Hitchbot的效力，我們已經研究，交換和處理對 URL操作時用戶的行為。最後，我們研究通過自動在線分類 /識別惡意網址的可行性。尤其是不同類型的屬性/惡意 URL分類功能的有效性進行量化，從不同的惡意網址數據庫中獲得數據的基礎上，我們也考慮實時的準確性，嚴格的延遲要求影響和權衡需求的惡意網址分類。 / The number of cyber crimes has continued to increase rapidly in the recent years. It is now commonplace for malware authors to write malicious programs for prot by stealing user personal information or providing spam-based marketing services. In order to spread malware more effectively, hackers have started to target popular online social networking services (SNS) due to the inherent trust-relationship between the SNS users and the interactive nature of the services. A common attacking approach is for a malware to automatically login using stolen SNS user cre¬dentials and then deliver malicious URLs (links) to the people on the contact/friend-list of the stolen user account by embedding them in some short messages. The victim then gets infected by clicking on the links thought to be delivered by their friends. However, for this approach to be effective, the malware has to mimic human-like behavior which can be quite challenging for anything beyond one/two-liner conversations. In this thesis, we first introduce a new type of attacks called the social hitch-hiking attacks which use a stealthier way to deliver malicious URLs by hitch-hiking on legitimate conversations among SNS users. As a proof-of-concept, we have designed and implemented a malware named Hitchbot [1] which incorporates multiple attack vectors for the realization of our proposed social hitch-hiking attacks. In particular, when a SNS user sends a link/URL to his/her friends, Hitchbot quietly replaces it with a similar-looking, but malicious one by intercepting the link at one of the several pos¬sible points along the interactive-input/output chain of the system. Since the malicious link is delivered within some proper conversation context between the legitimate users, this makes it much more difficult for the victim (which is also the spreader) to realize the attack and thus can increase the conversion rate substantially. The hitch-hiking approach also enables Hitchbot to bypass most existing defense schemes which mainly rely on user-behavior or traffic anomaly detection. Hitchbot is in form of a client-based module which can hitch-hike on common social networking services including the Yahoo and Microsoft Messaging clients and other web-browser-based social-networking services such as Facebook and Myspace. To quantify the effectiveness of Hitchbot, we have studied the behavior of users in exchanging, handling and operating on URLs. Lastly, we study the feasibility of defending hitching-hiking attacks via automated online classification/identification of malicious URLs. In particular, the effectiveness of different types of attributes/features used in malicious URL classification are quantified based on a data obtained from various malicious URL databases. We also consider the implications and trade-offis of stringent latency requirement on the accuracy of real-time, on-demand malicious URL classifications. / Detailed summary in vernacular field only. / Lam, Ka Chun. / Thesis (M.Phil.)--Chinese University of Hong Kong, 2012. / Includes bibliographical references (leaves 43-48). / Electronic reproduction. Hong Kong : Chinese University of Hong Kong, [2012] System requirements: Adobe Acrobat Reader. Available via World Wide Web. / Abstracts also in Chinese. / Abstract --- p.i / Acknowledgement --- p.iv / Chapter 1 --- Introduction --- p.1 / Chapter 1.1 --- Background --- p.1 / Chapter 1.2 --- Organization --- p.4 / Chapter 2 --- Related Work --- p.6 / Chapter 2.1 --- Exploiting Social Networking Services --- p.6 / Chapter 2.1.1 --- Malware Spreading Channels in SNS --- p.7 / Chapter 2.1.2 --- Common Exploits on SNS platforms --- p.10 / Chapter 2.2 --- Recent defense mechanisms of Malware --- p.12 / Chapter 3 --- A New Class of Attacks via Social Hitch-hiking --- p.14 / Chapter 3.1 --- The Social Hitch-hiking Attack --- p.14 / Chapter 3.1.1 --- The Interactive User Input/Output Chain --- p.16 / Chapter 3.1.2 --- Four Attack Vectors --- p.17 / Chapter 4 --- Attack Evaluation and Measurement --- p.26 / Chapter 4.1 --- Comparison of Attack Vectors --- p.26 / Chapter 4.2 --- Attack Measurement --- p.27 / Chapter 4.3 --- Defense against Hitch-hiking Attacks --- p.29 / Chapter 5 --- Defense via Malicious URL Classification --- p.31 / Chapter 5.1 --- Methodology --- p.31 / Chapter 5.2 --- Attributes --- p.33 / Chapter 5.2.1 --- Lexical attributes --- p.34 / Chapter 5.2.2 --- Webpage content attributes --- p.34 / Chapter 5.2.3 --- Network attributes --- p.34 / Chapter 5.2.4 --- Host-based attributes --- p.35 / Chapter 5.2.5 --- Link popularity attributes --- p.36 / Chapter 5.3 --- Performance Evaluation and Discussions --- p.36 / Chapter 6 --- Conclusion and Future work --- p.41

Computer networks--Security measures

Computer security

Malware (Computer software)--Prevention