SEMANTICS-AWARE ANDROID MALWARE CLASSIFICATION

US 20160057159A1
Filed: 08/24/2015
Published: 02/25/2016
Est. Priority Date: 08/22/2014
Status: Abandoned Application

First Claim

Patent Images

1. A malware detection system, comprising:

a detection server interconnected to an application market for receiving an unknown application and to a database containing a plurality of behavior graphs associated with known malware and known benign ware, wherein the detection server includes;

a first module programmed to receive a unknown application and to generate a behavior graph of the unknown application using static analysis;

a second module programmed to perform a similarity query between the behavior graph of the unknown application and the plurality of behavior graphs in the database; and

a third module programmed to determine whether the unknown application is malware based on the results of the similarity query.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A semantic-based approach that classifies Android malware via dependency graphs. To battle transformation attacks, a weighted contextual API dependency graph is extracted as program semantics to construct feature sets. To fight against malware variants and zero-day malware, graph similarity metrics are used to uncover homogeneous application behaviors while tolerating minor implementation differences.

Citations

12 Claims

1. A malware detection system, comprising:
- a detection server interconnected to an application market for receiving an unknown application and to a database containing a plurality of behavior graphs associated with known malware and known benign ware, wherein the detection server includes;
  
  a first module programmed to receive a unknown application and to generate a behavior graph of the unknown application using static analysis;
  
  a second module programmed to perform a similarity query between the behavior graph of the unknown application and the plurality of behavior graphs in the database; and
  
  a third module programmed to determine whether the unknown application is malware based on the results of the similarity query.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system of claim 1, wherein the first module is programmed to generate the behavior graph based on application program interface (API) dependency.
  - 3. The system of claim 2, wherein the second module is programmed to use a bucket based indexing scheme.
  - 4. The system of claim 3, wherein the second module is programmed to identify a matching bucket having less graphs than all of the plurality of behavior graphs and to further iterate the matching bucket to find a best matching graph from the graphs in the bucket.
  - 5. The system of claim 4, wherein the second module finds a best matching graph using feature vectors.
  - 6. The system of claim 5, wherein the feature vectors are weighted.

7. A method of determining whether an unknown application is malware, comprising the steps of:
- providing a detection server interconnected to an application market for receiving an unknown application and to a database containing a plurality of behavior graphs associated with known malware and known benign ware, wherein the detection server includes a first module programmed to receive a unknown application and to generate a behavior graph of the unknown application using static analysis, a second module programmed to perform a similarity query between the behavior graph of the unknown application and the plurality of behavior graphs in the database, and a third module programmed to determine whether the unknown application is malware based on the results of the similarity query;
  
  receiving an unknown application from an application marketplace by the detection server;
  
  evaluating the unknown application with the first module of the detection server to produce a behavior graph;
  
  performing a similarity query with the second module of the server to identify a matching behavior graph in the plurality of graphs in the database; and
  
  determining whether the unknown application is malware based on the results of the similarity query.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The method of claim 7, wherein the first module is programmed to generate the behavior graph based on application program interface (API) dependency.
  - 9. The method of claim 8, wherein the second module is programmed to use a bucket based indexing scheme.
  - 10. The method of claim 9, wherein the second module is programmed to identify a matching bucket having less graphs than all of the plurality of behavior graphs and to further iterate the matching bucket to find a best matching graph from the graphs in the bucket.
  - 11. The method of claim 10, wherein the second module finds a best matching graph using feature vectors.
  - 12. The method of claim 11, wherein the feature vectors are weighted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Syracuse University
Original Assignee
Syracuse University
Inventors
Yin, Heng, Zhang, Mu, Duan, Yu, Zhao, Zhiruo

Application Number

US14/833,491
Publication Number

US 20160057159A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 16/9024 Graphs; Linked lists G06F16...

H04L 63/145 the attack involving the pr...

SEMANTICS-AWARE ANDROID MALWARE CLASSIFICATION

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

SEMANTICS-AWARE ANDROID MALWARE CLASSIFICATION

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links