Cloud-based Android Botnet Malware Detection System
Suyash Jadhav*, Shobhit Dutia+, Kedarnath Calangutkar+, Tae Oh*+, Young Ho Kim**, Joeng Nyeo Kim**
*Dept. of Information Sciences and Technologies, ^Dept. of Computing Security, +Dept. of Computer Science, Rochester Institute of Technology, 152 Lomb Memorial Dr, Rochester, NY, USA
**Cyber Security System Research Dept., Electronics and Telecommunication Research Institute, 218 Gajeong-ro, Yuseong-gu, Daejeon, 305-700, KOREA
Abstract
The increased use of Android devices and of its open source development framework has attracted many digital crime groups to use Android devices as one of their key attack surfaces. Due to their extensive connectivity and multiple sources of network connections, Android devices are well suited to botnet-based malware attacks. This research focuses on developing a cloud-based Android botnet malware detection system. A prototype of the proposed system has been deployed which provides runtime Android malware analysis. The paper explains the architectural implementation of the developed system, the botnet detection learning dataset it uses, and the multi-layered algorithm used to predict the botnet family of a particular application.
Keywords: Android botnet, Cloud-based malware detection, Vyatta, Android on VirtualBox, Android botnet family detection, Android Sandbox.
I. INTRODUCTION
According to a Gartner report of January 7, 2014, there are around 2.6 billion mobile devices worldwide, of which approximately 48% run Android. People now prefer to store sensitive data on mobile devices rather than on computers, and smartphone applications are increasingly preferred for online banking and other activities involving critical user data. This is the primary reason why underworld digital crime groups are focusing more on mobile-based trojans and botnets. Due to their extensive connectivity and multiple sources of communication, Android devices are well suited to botnet-based malware attacks. Recent surveys also show an increase in botnet malware in Android application stores. This research focuses on developing a cloud-based system for the security testing of untrusted Android applications, and in particular on finding Android-based botnets. An attempt is also made to subcategorise the botnets into specific families based on their feature similarity. A prototype of the system has been implemented successfully. This paper presents the architectural details of the system and an overview of the multilayered botnet detection algorithms.
The system consists of two main stages: a malware analysis stage and a data clustering stage. In the malware analysis stage, the system accepts an application from the user and performs malware analysis and data collection. In the data clustering stage, the system performs multi-layer clustering based on the data collected in the first stage.

The malware analysis stage consists of a client-side application for uploading an untrusted Android application and a server-side Java application for database and malware repository management. The system performs malware analysis in a VirtualBox environment; real devices can also be attached. Flow control, virtual routing and data collection from the different tools are implemented using modularised Perl scripts.

In the data clustering stage, two output values are first generated from the feature values collected during analysis, representing the maliciousness and the botnet characteristics of the application. These two values place the application as a data point on a 2D graph alongside the data points of the training dataset. The next phase performs multi-layer clustering on this 2D graph using a newly proposed data-density-based clustering algorithm. At the highest level, the clustering distinguishes botnets, general malware and benign applications; at a deeper level, it groups the botnets into different families.

A few important features of the developed system: it can handle multiple clients simultaneously and is resource flexible. Java and Perl are used to achieve functional segregation and platform independence. VirtualBox and a virtual Vyatta router are used for instantiating multiple Android OS instances and for networking respectively. During the analysis phase, different tools collect data specific to the application under review, and the collected data is used to find malicious behavioural patterns.
The training dataset created for Android botnet malware is used to perform malicious behaviour detection and to bin a botnet application into a specific botnet family.
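The two-layer clustering stage described above, as an added example in Python; it is not code from the paper, whose implementation is in Java and Perl. The feature weights, the training points, the family names ("family-1", "family-2") and the use of plain DBSCAN in place of the paper's own density-based algorithm, which the text does not specify, are all assumptions made for illustration.

```python
"""Two-layer density clustering stage, illustrated (added example).

Each analysed application is reduced to two values, maliciousness and
botnet-likeness, plotted with the training set and clustered by data
density: layer one separates benign / general malware / botnet, layer two
splits the botnet cluster into families.  The paper's own algorithm is not
given in the text, so a plain DBSCAN stands in for it (assumption).
Feature weights, training points and family names are constructed.
"""
import math
from collections import Counter

# Constructed weights (assumption): which sandbox observations drive each score.
MALICIOUS_WEIGHTS = {"premium_sms": 0.35, "repackaged": 0.25,
                     "reads_imei": 0.20, "root_exploit": 0.20}
BOTNET_WEIGHTS = {"c2_beacon": 0.40, "sms_command": 0.25,
                  "boot_persist": 0.15, "periodic_dns": 0.20}

# Constructed training set: ((maliciousness, botnet-likeness), category, family).
TRAINING = [
    ((0.00, 0.00), "benign", None), ((0.05, 0.00), "benign", None),
    ((0.00, 0.05), "benign", None), ((0.05, 0.05), "benign", None),
    ((0.80, 0.10), "malware", None), ((0.85, 0.05), "malware", None),
    ((0.90, 0.10), "malware", None), ((0.80, 0.05), "malware", None),
    ((0.60, 0.80), "botnet", "family-1"), ((0.65, 0.85), "botnet", "family-1"),
    ((0.60, 0.85), "botnet", "family-1"), ((0.65, 0.80), "botnet", "family-1"),
    ((0.90, 0.90), "botnet", "family-2"), ((0.95, 0.95), "botnet", "family-2"),
    ((0.90, 0.95), "botnet", "family-2"), ((0.95, 0.90), "botnet", "family-2"),
]


def score(features):
    """Map boolean sandbox features to the (maliciousness, botnet) point."""
    m = sum(w for f, w in MALICIOUS_WEIGHTS.items() if features.get(f))
    b = sum(w for f, w in BOTNET_WEIGHTS.items() if features.get(f))
    return (round(m, 3), round(b, 3))


def dbscan(points, eps, min_pts):
    """Standard DBSCAN; returns a cluster id per point, -1 for noise."""
    n = len(points)
    labels = [None] * n            # None = unvisited
    next_id = 0

    def neighbours(i):
        return [j for j in range(n) if math.dist(points[i], points[j]) <= eps]

    for i in range(n):
        if labels[i] is not None:
            continue
        nb = neighbours(i)
        if len(nb) < min_pts:       # not a core point; may become a border point later
            labels[i] = -1
            continue
        labels[i] = next_id
        queue = [j for j in nb if j != i]
        while queue:
            j = queue.pop()
            if labels[j] == -1:     # noise reachable from a core point -> border point
                labels[j] = next_id
            if labels[j] is not None:
                continue
            labels[j] = next_id
            nb_j = neighbours(j)
            if len(nb_j) >= min_pts:
                queue.extend(nb_j)
        next_id += 1
    return labels


def _majority(values):
    return Counter(values).most_common(1)[0][0]


def classify(features, training=TRAINING, eps_top=0.30, eps_family=0.15, min_pts=3):
    """Layer 1: category of the cluster the sample joins; layer 2: its family."""
    pts = [p for p, _, _ in training] + [score(features)]
    labels = dbscan(pts, eps_top, min_pts)
    cid = labels[-1]
    if cid == -1:
        return ("unknown", None)   # too far from every known cluster
    members = [i for i, l in enumerate(labels[:-1]) if l == cid]
    category = _majority(training[i][1] for i in members)
    if category != "botnet":
        return (category, None)
    # Layer 2: re-cluster only the botnet cluster with a tighter radius.
    sub = dbscan([pts[i] for i in members] + [pts[-1]], eps_family, min_pts)
    if sub[-1] == -1:
        return ("botnet", None)    # a botnet, but not close to a known family
    family = _majority(training[members[k]][2]
                       for k, l in enumerate(sub[:-1]) if l == sub[-1])
    return ("botnet", family)


if __name__ == "__main__":
    sample = {"premium_sms": True, "reads_imei": True, "c2_beacon": True,
              "sms_command": True, "boot_persist": True}
    print(score(sample), classify(sample))
```

The two radii matter: the top layer uses a radius wide enough to merge all botnet training points into one cluster, and the family layer a tighter one so that families separate. A sample that joins no cluster at the top layer is reported as unknown rather than forced into the nearest bin, which is the behaviour a density-based method gives for free and a nearest-centroid method does not.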
ISBN 978-89-968650-4-9, July 1-3, 2015, ICACT2015
II. LITERATURE SURVEY
Malware detection can be classified into two parts: 1. signature-based malware detection, and 2. behavior-based malware detection. DroidAnalytics uses multilevel signatures at the opcode level to identify malware using signature-based detection, whereas this paper focuses on behavior-based malware detection. Mohammed S. Alam et al. discuss a behavior-based malware detection technique. They used random forest for the classification of applications, and SMOTE to balance the number of malicious and benign applications in their dataset. Abdullah J. Alzahrani et al. discuss SMS-based botnet detection. They use an adaptive hybrid model for detection that combines signature-based and behaviour-based malware detection techniques.

Ali Feizollah et al. use three features, tcp_size, duration and no_parameter, to detect the maliciousness of an application. Their research was focused on the detection of botnets. They compared their classification results across five classification algorithms; the best results were obtained for K-nearest neighbours.

Zurutuza et al. discuss the use of strace to compare the characteristics of a benign and a malicious application using K-Means clustering. The difference in the characteristics successfully allows an application to be inferred as malware or as a benign application. This, however, is limited to the detection of a malware for which both the benign and the malicious counterpart are previously known.

Khattak et al. provide a well-structured approach to classifying botnet detection, features and defense in general across three primary areas, viz. botmaster detection, C&C detection and bot detection. Various approaches for botnet detection are discussed, which provide useful insight for employing a botnet detection mechanism.

Pieterse et al. describe the characteristics employed specifically by Android-based botnets, such as distribution of code via repackaged applications, receiving commands from the C&C server, sending SMS to premium-rate numbers, stealing information such as the IMEI and IMSI, and more. These characteristics aid in the identification of an Android-based botnet.

Choi et al. devise an approach using a VPN to detect a botnet from its traffic flows. Lee et al. use a kernel-level detection approach coupled with monitoring of IPC messages to detect a malicious Android application.

Although there has been quite a bit of research on the detection of botnets, none of the related work focuses on detecting the family of the botnet.

III. ARCHITECTURE OF SYSTEM
A resource-flexible cloud-based architecture is implemented to create a platform where users can submit their application for a security review and the system returns a tested copy of the submitted application along with a brief report of the test analysis. Many networking and virtualization challenges have been overcome in the creation of such a system.

Figure 1. Cloud-based system architecture

Figure 1 shows the implemented framework of the system. The system can be divided into three main components, viz. the Java application, the Perl scripts controlling the VirtualBox environment, and the VirtualBox environment itself. The Java application receives Android application(s) from the client and manages their storage. This includes a database to keep track of, and determine whether, the same application has already been tested before. The application also analyses the collected data to predict the application's malicious behaviour and its botnet family. The VirtualBox environment instantiates multiple Android OS instances, with a Vyatta virtual router controlling the network configuration and traffic forwarding.

Control flow of the system: the system's control flow has its start state and end state on the client side. The client starts the analysis process with a request to analyse an Android application, attaching the APK file as the payload. The server accepts the request and analyses the submitted application. The server also checks for a pre-analysed copy of the same application and avoids any redundant analysis. Android applications are stored in the file system along with a new database entry and a hash value to uniquely identify them. Next, control is passed to the Perl scripts to perform application installation and data collection from the different tools. After successful execution of the application and collection of data, the Perl scripts send control back to the Java server application to perform data analysis. The Java application processes ... behavioural symptoms of an a... botnet. For this purpose, the Java ... algorithm and a learning data set ... with existing botnet malware ... malicious application to differe... Finally, the results of the analysis ... resulting in a completion of client ...
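The server-side control flow above (accept the APK, hash it, check for a pre-analysed copy, store it under its hash with a database entry, run the sandbox, record the report), as an added Python example rather than the paper's Java and Perl code. sqlite3 stands in for the paper's database; `AnalysisServer`, `parse_collected_data`, `demo_sandbox`, the one-event-per-line tool output format, the premium-rate prefix and the RFC 5737 documentation addresses are all constructed for illustration, and the sandbox step is a pluggable callable because the VirtualBox/Vyatta run cannot be reproduced offline.

```python
"""Server-side control flow, illustrated (added example, not the paper's code).

A client submits an APK; the server hashes it, returns the earlier report
if the same hash was analysed before, otherwise stores the sample under its
hash, hands it to a sandbox runner and records the report.  sqlite3 stands
in for the paper's database; the sandbox runner is a pluggable callable.
"""
import hashlib
import io
import json
import sqlite3
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

# Assumption: premium-rate destinations are recognised by prefix (constructed).
PREMIUM_PREFIXES = ("1900",)


def parse_collected_data(lines):
    """Reduce constructed sandbox tool output (one event per line) to the
    feature flags consumed by the clustering stage."""
    sms_targets, connections = [], Counter()
    for line in lines:
        kind, _, value = line.partition(" ")
        if kind == "SMS_SENT":
            sms_targets.append(value)
        elif kind == "CONNECT":
            connections[value] += 1
    return {
        "premium_sms": any(n.startswith(PREMIUM_PREFIXES) for n in sms_targets),
        "c2_beacon": any(count >= 3 for count in connections.values()),
        "contacted_hosts": sorted(connections),
    }


class AnalysisServer:
    def __init__(self, store_dir, run_sandbox, db_path=":memory:"):
        self.store = Path(store_dir)
        self.store.mkdir(parents=True, exist_ok=True)
        self.run_sandbox = run_sandbox
        self.sandbox_runs = 0
        self.db = sqlite3.connect(db_path)
        self.db.execute("CREATE TABLE IF NOT EXISTS samples ("
                        "sha256 TEXT PRIMARY KEY, path TEXT NOT NULL, report TEXT NOT NULL)")

    def submit(self, apk_bytes):
        # An APK is a ZIP; reject anything else before it reaches the sandbox.
        if not zipfile.is_zipfile(io.BytesIO(apk_bytes)):
            raise ValueError("payload is not a ZIP/APK")
        digest = hashlib.sha256(apk_bytes).hexdigest()
        row = self.db.execute("SELECT report FROM samples WHERE sha256 = ?",
                              (digest,)).fetchone()
        if row is not None:                  # pre-analysed copy: no redundant analysis
            return {"sha256": digest, "cached": True, "report": json.loads(row[0])}
        path = self.store / f"{digest}.apk"  # named by hash, never by client input
        path.write_bytes(apk_bytes)
        report = self.run_sandbox(path)
        self.sandbox_runs += 1
        self.db.execute("INSERT INTO samples (sha256, path, report) VALUES (?, ?, ?)",
                        (digest, str(path), json.dumps(report)))
        self.db.commit()
        return {"sha256": digest, "cached": False, "report": report}


def make_fake_apk(manifest_xml):
    """Constructed stand-in for an APK: a ZIP containing only a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", manifest_xml)
    return buf.getvalue()


# Constructed sandbox output: repeated connections to one host plus a premium SMS.
COLLECTED = [
    "CONNECT 203.0.113.7:8080",
    "SMS_SENT 19005550100",
    "CONNECT 203.0.113.7:8080",
    "CONNECT 198.51.100.4:443",
    "CONNECT 203.0.113.7:8080",
]


def demo_sandbox(apk_path):
    """Stands in for the Perl-driven VirtualBox run; returns parsed features."""
    return parse_collected_data(COLLECTED)


def demo_run():
    """Submit one sample twice and a non-APK once; return what happened."""
    server = AnalysisServer(tempfile.mkdtemp(), demo_sandbox)
    apk = make_fake_apk("<manifest package='example.test'/>")
    first = server.submit(apk)
    second = server.submit(apk)
    try:
        server.submit(b"not an apk")
        rejected = False
    except ValueError:
        rejected = True
    return {"first_cached": first["cached"], "second_cached": second["cached"],
            "same_report": first["report"] == second["report"],
            "sandbox_runs": server.sandbox_runs, "rejected_non_zip": rejected,
            "report": first["report"]}


if __name__ == "__main__":
    print(json.dumps(demo_run(), indent=2))
```

Two details are worth keeping when this is built for real. Storing the sample under its digest rather than any client-supplied file name removes path traversal from the upload path entirely. And since the paper's server serves multiple clients at once, note that the PRIMARY KEY on the hash only prevents duplicate rows; two simultaneous submissions of the same APK can both pass the SELECT and both run the sandbox. Inserting a "pending" row before the sandbox run, and letting the second client wait on it, closes that window.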