SEMANTICS-AWARE ANDROID MALWARE CLASSIFICATION
Abstract
A semantic-based approach that classifies Android malware via dependency graphs. To battle transformation attacks, a weighted contextual API dependency graph is extracted as program semantics to construct feature sets. To fight against malware variants and zero-day malware, graph similarity metrics are used to uncover homogeneous application behaviors while tolerating minor implementation differences.
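The abstract describes the classification step in the abstract: an unknown application's weighted API dependency graph is compared against graphs of known malware and known benign applications, and a similarity metric tolerant of small implementation differences decides the verdict. The following Python is an added illustration of that matching step; it is not the patent's own code and not taken from its specification. The edge representation (source API, sink API, context weight), the weighted Jaccard metric, the 0.6 threshold and the sample graphs are all constructed assumptions, and the static-analysis step that would extract such a graph from an APK is out of scope here.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# An edge is a directed API dependency (source API -> sink API). Its weight is
# assumed here to encode the context in which the call chain runs (e.g. heavier
# when triggered from a background receiver than from a user action).
Edge = Tuple[str, str]
EdgeWeights = Dict[Edge, float]


@dataclass(frozen=True)
class BehaviorGraph:
    name: str            # identifier of the known sample (constructed)
    label: str           # "malware" or "benign"
    edges: EdgeWeights   # weighted contextual API dependency edges


def weighted_jaccard(a: EdgeWeights, b: EdgeWeights) -> float:
    """Weighted Jaccard similarity over edge sets: sum(min) / sum(max).

    Edges present in only one graph add 0 to the numerator but their full
    weight to the denominator, so a minor implementation difference lowers
    the score gradually instead of breaking the match outright.
    """
    keys = set(a) | set(b)
    numerator = sum(min(a.get(k, 0.0), b.get(k, 0.0)) for k in keys)
    denominator = sum(max(a.get(k, 0.0), b.get(k, 0.0)) for k in keys)
    return numerator / denominator if denominator else 0.0


def similarity_query(unknown: EdgeWeights,
                     database: List[BehaviorGraph]) -> List[Tuple[float, BehaviorGraph]]:
    """Rank every known graph by similarity to the unknown application's graph."""
    ranked = [(weighted_jaccard(unknown, g.edges), g) for g in database]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


def classify(unknown: EdgeWeights, database: List[BehaviorGraph],
             threshold: float = 0.6) -> Tuple[str, float, str]:
    """Return (verdict, best_score, best_match_name).

    The verdict is the label of the closest known graph when its score meets
    the threshold; otherwise "unknown", so the sample is routed to further
    analysis rather than silently treated as benign.
    """
    ranked = similarity_query(unknown, database)
    if not ranked:
        return ("unknown", 0.0, "")
    score, best = ranked[0]
    if score < threshold:
        return ("unknown", score, "")
    return (best.label, score, best.name)


# Constructed sample graphs (not real malware signatures). The Android API
# names are real; the dependency chains and weights are illustrative.
DATABASE: List[BehaviorGraph] = [
    BehaviorGraph(
        name="sample_malware_1", label="malware",
        edges={
            ("TelephonyManager.getDeviceId", "SmsManager.sendTextMessage"): 2.0,
            ("SmsManager.sendTextMessage", "HttpURLConnection.connect"): 2.0,
            ("ContentResolver.query", "HttpURLConnection.connect"): 1.0,
        }),
    BehaviorGraph(
        name="sample_benign_1", label="benign",
        edges={
            ("LocationManager.getLastKnownLocation", "HttpURLConnection.connect"): 1.0,
            ("SharedPreferences.getString", "HttpURLConnection.connect"): 1.0,
        }),
]

# Constructed "unknown" graph: a variant of sample_malware_1 that dropped one
# edge and gained another, the kind of minor difference the abstract says
# the similarity metric should tolerate.
UNKNOWN_APP: EdgeWeights = {
    ("TelephonyManager.getDeviceId", "SmsManager.sendTextMessage"): 2.0,
    ("SmsManager.sendTextMessage", "HttpURLConnection.connect"): 2.0,
    ("PackageManager.getInstalledPackages", "HttpURLConnection.connect"): 1.0,
}

if __name__ == "__main__":
    for score, graph in similarity_query(UNKNOWN_APP, DATABASE):
        print(f"{graph.name:18s} {graph.label:8s} similarity={score:.3f}")
    print("verdict:", classify(UNKNOWN_APP, DATABASE))
```

With the constructed data the variant scores 4/6 against the malware graph (the two shared edges contribute their full weight, the two differing edges only to the denominator) and 0 against the benign graph, so it is labelled malware despite the changed edge; an unrelated graph scores below the threshold and is returned as "unknown" rather than benign. In a deployment the threshold would be tuned on held-out samples, and the "unknown" bucket is where zero-day candidates surface for analyst review.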
12 Claims
1. A malware detection system, comprising:
a detection server interconnected to an application market for receiving an unknown application and to a database containing a plurality of behavior graphs associated with known malware and known benign ware, wherein the detection server includes:
a first module programmed to receive an unknown application and to generate a behavior graph of the unknown application using static analysis;
a second module programmed to perform a similarity query between the behavior graph of the unknown application and the plurality of behavior graphs in the database; and
a third module programmed to determine whether the unknown application is malware based on the results of the similarity query.
View Dependent Claims (2, 3, 4, 5, 6)
7. A method of determining whether an unknown application is malware, comprising the steps of:
providing a detection server interconnected to an application market for receiving an unknown application and to a database containing a plurality of behavior graphs associated with known malware and known benign ware, wherein the detection server includes a first module programmed to receive an unknown application and to generate a behavior graph of the unknown application using static analysis, a second module programmed to perform a similarity query between the behavior graph of the unknown application and the plurality of behavior graphs in the database, and a third module programmed to determine whether the unknown application is malware based on the results of the similarity query;
receiving an unknown application from an application marketplace by the detection server;
evaluating the unknown application with the first module of the detection server to produce a behavior graph;
performing a similarity query with the second module of the server to identify a matching behavior graph in the plurality of graphs in the database; and
determining whether the unknown application is malware based on the results of the similarity query.
View Dependent Claims (8, 9, 10, 11, 12)