DARPA-funded team says it can SMELL Android malware

There once was a racehorse called 'Hoof-Hearted'


A trio of DARPA-backed Iowa State University researchers have developed a tool to help speed up android malware analysis.

The Security Toolbox developed by the DARPA blue team uses features including 'smells' which sport stronger heuristics to flag possible signs of hidden malware badness.

Benjamin Holland, Tom Deering, and Suresh Kothari produced the platform described as 'human-in-the-loop program analysis', to be presented at ICSE next month, that can detect malware from Android app source or Java bytecode.

The toolbox is built on the team's Atlas general purpose code analysis tool they birthed at last year's conference.

"We have to go through (USAF Colonel) John Boyd's OODA loop of observe, orient, decide and act several times throughout an audit -- the key point is that the Security Toolbox helps us iterate through that loop faster which is what determines success," Holland says.

In the paper Security Toolbox for Detecting Novel and Sophisticated Android Malware (PDF) the team say the Toolbox uses the best avilable automation andf iteration techniques landing them top of the class for DARPA's defensive blue team.

Here's how the team say it works:

"Our novel human-in-loop approach to detect Android malware minimises human effort by allowing the human to use the evidence produced by the machine to focus their effort on further machine-assisted reasoning. This affords greater opportunity to detect malware that is not on the radar of an automated analyser; the what-if experimentation capability provided by the machine enables the user to posit attacker intentions, hypothesise about the attacker’s modus operandi and tailor queries to detect sophisticated malware. Thus, our approach increases automation, reduces human effort and error, and provides valuable machine assistance to detect novel and sophisticated malware."

This approach accurately detected 66 Android apps developed by DARPA's red offensive team as either malicious or benign six as having unintended bad behaviours , landing a commendable 85.7 percent accuracy and "consistently" beating the control team using current top tools.

The project goals to minimise human effort while allowing for rich semantics that Android provides developers. It is useful for almost all Android malware analysis including what-if experiments to detect hypothesised new malware with no known priori. ®


Other stories you might like

Biting the hand that feeds IT © 1998–2022