Mobile Malware Anti-malware Coevolution


Project Report, 2020

10 Pages, Grade: 4.0


Excerpt


Mobile Malware/Anti-malware Coevolution

Kotsis Alexios

I. Background Overview

The Secret Service states that the average loss from a bank robbery is about $3,000, while the average loss from a successful business email compromise attack is nearly $130,000. Nearly 69.3% of the USA's population have a smartphone or other mobile device. These devices are only becoming more critical, to the extent that companies like Ericsson predict that by 2020 over six billion users worldwide will have a mobile device. This trend presents a tremendous privacy and security concern, as the increased use of these devices brings an explosion of mobile malware.

Not surprisingly, hackers have been shifting their focus to attacks on mobile and IoT devices. Mobile malware authors are constantly trying to remain one step ahead of cybersecurity experts and industry; hence antimalware experts need to find a way to keep their antimalware solutions up to date. The continuous evolution of malware is a constant in our world. We often hear about a new attack method, a new trick or tactic used by cybercriminals to infect mobile devices, steal personal information, and generally cause havoc. It is crucial that antimalware experts find methods to update and coevolve along with malware techniques.

The term coevolution refers to a process of reciprocal evolutionary change between a pair of species that interact with one another. The relationship between malware and antimalware is similar to the relationship between a predator (malware) and its prey (the mobile device and its antimalware): there is selective pressure on the prey to avoid capture, and at the same time the predator has to evolve to remain an effective hunter for its whole lifetime.

Figure 1: Typical Mobile threat model - Please see end of document

Cybercriminals are always in motion; they attempt different techniques, and if something works, they repeat it, and if it fails, they quickly adapt, at speeds much faster than the capabilities of traditional software. Phishing consistently remains the top attack method for criminals because it can be carried out at no cost while yielding devastating results for its victims.

II. Mobile Malware/Anti-malware Techniques I

Malware detection techniques and analysis tend to provide mixed results. The most common tools are dynamic analysis, static analysis, or a hybrid of the two. Dynamic analysis is limited by the device's power constraints, so static analysis is the preferred option. For that reason, new attacks focus on the weaknesses of static analysis. These attacks are not based on known malware families but on new variants, which in some cases are generated automatically. These recent attacks created the need to develop antimalware software automatically using coevolutionary techniques.

There are three types of static malware analysis [9]:

- Source Code Analysis
- Static Taint Analysis
- System Call Based

The way this analysis works is presented in the following figures.

Figure 2: Source Code Analysis - Please see end of document.

Figure 3: Static Code Analysis - Please see end of document.

Figure 4: System Call Based - Please see end of document.
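The three static techniques listed above can be illustrated on a single call graph. The following Python script is an added example, not code from the paper or from any of the cited tools: it builds a constructed call graph of a toy Android app (all method and API names are invented for illustration), reports which app methods invoke watched framework APIs (the system-call-based view), and then performs a call-graph-level taint analysis that follows any method reading a sensitive source (such as the device ID) to a sink through which data can leave the device. The source and sink lists are short assumptions for the example, not a real tool's catalogue.

```python
from collections import deque

# Constructed call graph of a toy Android app: method -> methods it calls.
# Names are illustrative only and are not taken from any real sample.
CALL_GRAPH = {
    "MainActivity.onCreate": ["Collector.readIds", "Ui.render", "Analytics.ping"],
    "Collector.readIds": ["TelephonyManager.getDeviceId", "Collector.encode"],
    "Collector.encode": ["Base64.encodeToString", "Net.upload"],
    "Net.upload": ["HttpURLConnection.getOutputStream"],
    "Ui.render": ["TextView.setText"],
    # Benign: contacts a server but never reads anything sensitive first.
    "Analytics.ping": ["HttpURLConnection.getOutputStream"],
    # Benign: reads package info, which is not treated as a source here.
    "About.showVersion": ["PackageManager.getPackageInfo", "TextView.setText"],
}

# Framework APIs that yield sensitive data (sources) or let data leave the
# device (sinks). Short, constructed lists for the example.
SOURCES = {"TelephonyManager.getDeviceId", "LocationManager.getLastKnownLocation",
           "ContentResolver.query"}
SINKS = {"HttpURLConnection.getOutputStream", "SmsManager.sendTextMessage"}


def api_profile(graph, watched):
    """System-call-style view: which watched APIs each app method invokes directly."""
    return {m: sorted(c for c in callees if c in watched)
            for m, callees in graph.items()
            if any(c in watched for c in callees)}


def tainted_flows(graph, sources, sinks):
    """Report every app method that reads a source and can reach a sink.

    Taint is tracked at call-graph granularity: once a method calls a source,
    every callee reachable from it is treated as potentially carrying the
    value. This over-approximates (it ignores data dependencies) but never
    misses a call path, which is the trade-off static taint tools accept.
    """
    flows = []
    for method, callees in graph.items():
        read = sorted(c for c in callees if c in sources)
        if not read:
            continue
        queue = deque([[method]])
        seen = {method}
        while queue:
            path = queue.popleft()
            for callee in graph.get(path[-1], []):
                if callee in sinks:
                    flows.append({"sources": read, "sink": callee, "path": path + [callee]})
                elif callee in graph and callee not in seen:
                    seen.add(callee)
                    queue.append(path + [callee])
    return flows


if __name__ == "__main__":
    for m, apis in api_profile(CALL_GRAPH, SOURCES | SINKS).items():
        print(f"{m}: {', '.join(apis)}")
    for flow in tainted_flows(CALL_GRAPH, SOURCES, SINKS):
        print("LEAK", " -> ".join(flow["path"]))
```

Run as-is, the script reports one leak, `Collector.readIds -> Collector.encode -> Net.upload -> HttpURLConnection.getOutputStream`, while `Analytics.ping`, which uses the same network sink without touching a source, is not flagged. That difference is the point of taint analysis over a plain API-presence check: the same sink is benign or suspicious depending on what reaches it.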


The new malware variants use genetic programming (GP) to evaluate how the existing analysis tools perform in order to mimic them. Antimalware systems should be strengthened not only by updating signature databases (which happens when they encounter unknown malware) but also by improving automatically through evolution-based detection systems.

Figure 5: GP based Coevolution - Please see end of document.

This leads to a cyclical race between malware writers and antimalware solutions, so automated coevolutionary techniques are required to build a robust antimalware system [Figure 6].

Figure 6: Malware analysis and detection using coevolution - Please see end of document.

Malware creators are using an automated system for developing new malware. This automation applies genetic operators, in addition to genetic programming, to the code of existing malware. Studies have revealed that robust malware uses this genetic programming method, which circumvents even the best and most successful antimalware systems. Nothing in the literature suggests that a genetic programming based malware detection system exists. In light of these findings, antimalware companies began integrating coevolutionary computation by creating more robust detection systems based on automatic models and the static features of mobile applications.

Malware authors love the mobile market because smartphones are sophisticated and complex handheld computers that contain massive amounts of personal information and financial details. Throughout the years, malware has evolved different techniques to become undetectable by antimalware; cybercriminals are always working on techniques that can bypass current antimalware procedures. This has created the need for protective measures against malicious code.

Mobile malware, which specifically targets the operating systems of mobile devices, is fast becoming a growing concern. Malware spreading techniques, evasion techniques, and the techniques used by antimalware to detect malicious code have changed dramatically in recent years. We will discuss some of the latest techniques below.

Spreading Techniques include the following:

- Repackaging: Popular mobile applications are repackaged and distributed through other, less monitored third-party markets. Popular benign apps are disassembled, appended with malicious content, and finally reassembled. This process relies on reverse-engineering techniques; according to a Trend Micro report, 77% of the top 50 free apps available in Google Play have been rebranded in this way.
- Drive-by download: This happens when a user visits a website that contains malicious content and unintentionally downloads malware onto the device.
- Dynamic payloads: An encrypted resource embedded in an application is fetched as a dynamic payload. After installation, the application decrypts the malicious payload and executes the malicious code.
- Stealth malware techniques: exploit hardware vulnerabilities to obfuscate the malicious code and easily bypass antimalware.

III. Malware Evasion Techniques

Malware creators need to continually monitor mobile security techniques in order to develop new methods that bypass mobile protection mechanisms. These methods are called evasion techniques and are listed below [Figure 7].

- Anti-security techniques: avoid detection by security products such as antimalware, firewalls, and other tools that protect the environment.
- Anti-sandbox techniques: detect automated analysis in order to avoid reports on the malware's behavior.
- Anti-analyst techniques: defeat monitoring tools in order to avoid reverse engineering.

Figure 7: Evasion Techniques used by Cybercriminals - Please see end of document.

It is easy to believe that a single security product can provide protection from all the threats in cyberspace; however, most of the time, highly dynamic attacks are modified to avoid detection by antimalware products. Some traditional security solutions lack features that need to be taken into consideration when protecting against new threats.

Issue #1: Looking at only files:

When traditional antimalware looks only at data on disk and at malware files, it sees only half of the problem. Modern and future security software should not only look through files and process memory but also monitor network traffic. Network traffic has proven to be a valuable indicator of compromise and a useful tool for attributing activity to hacker groups and malware developers.
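One concrete way network traffic serves as an indicator of compromise is the regularity of a malicious app's check-ins: a user's browsing is bursty, while a periodic check-in lands at nearly fixed intervals with nearly fixed sizes. The script below is an added example, not from the paper: it parses a constructed connection log (the log format, addresses and timestamps are all invented for the example), groups connections by source, destination and port, and flags any group whose inter-connection intervals and payload sizes barely vary. The thresholds are assumptions chosen for the sample data, not values from any product.

```python
import re
import statistics
from datetime import datetime

# Constructed connection log (not captured from a real device): timestamp,
# source, destination:port and bytes sent. One destination is contacted every
# five minutes with near-identical payload sizes; the other is ordinary browsing.
# One deliberately truncated line shows that the parser skips what it cannot read.
LOG_LINES = """\
2020-06-17T10:00:00 10.0.0.5 -> 203.0.113.7:443 bytes=512
2020-06-17T10:01:37 10.0.0.5 -> 198.51.100.20:443 bytes=14231
2020-06-17T10:05:01 10.0.0.5 -> 203.0.113.7:443 bytes=498
2020-06-17T10:07:12 10.0.0.5 -> 198.51.100.20:443 bytes=2031
2020-06-17T10:09:59 10.0.0.5 -> 203.0.113.7:443 bytes=530
2020-06-17T10:15:00 10.0.0.5 -> 203.0.113.7:443 bytes=505
2020-06-17T10:16:44 10.0.0.5 -> 198.51.100.20:443 bytes=88012
2020-06-17T10:20:02 10.0.0.5 -> 203.0.113.7:443 bytes=511
2020-06-17T10:24:58 10.0.0.5 -> 203.0.113.7:443 bytes=502
2020-06-17T10:30:00 10.0.0.5 -> (truncated line)
2020-06-17T10:42:10 10.0.0.5 -> 198.51.100.20:443 bytes=4040
2020-06-17T10:43:05 10.0.0.5 -> 198.51.100.20:443 bytes=1200
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) bytes=(\d+)$")


def parse_log(lines):
    """Parse log lines into records, skipping anything that does not match the format."""
    records = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, size = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "port": int(port), "bytes": int(size)})
    return records


def find_beacons(records, min_conns=5, max_interval_cv=0.05, max_size_cv=0.25):
    """Flag (src, dst, port) tuples whose connections are evenly spaced and
    similarly sized: the shape of a periodic check-in rather than a user."""
    by_pair = {}
    for r in records:
        by_pair.setdefault((r["src"], r["dst"], r["port"]), []).append(r)
    hits = []
    for pair, rs in by_pair.items():
        if len(rs) < min_conns:
            continue
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        sizes = [r["bytes"] for r in rs]
        mean_gap, mean_size = statistics.mean(gaps), statistics.mean(sizes)
        if mean_gap == 0 or mean_size == 0:
            continue
        # Coefficient of variation: standard deviation relative to the mean,
        # so the test works for a 30-second beacon as well as a 5-minute one.
        interval_cv = statistics.pstdev(gaps) / mean_gap
        size_cv = statistics.pstdev(sizes) / mean_size
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            hits.append({"pair": pair, "connections": len(rs),
                         "period_s": round(mean_gap), "interval_cv": round(interval_cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(LOG_LINES)):
        print(f"beacon candidate {hit['pair']}: {hit['connections']} connections, "
              f"every ~{hit['period_s']}s (interval CV {hit['interval_cv']})")
```

On the sample log the only flagged tuple is the one contacting 203.0.113.7 every five minutes; the browsing traffic to 198.51.100.20 has five connections too, but its intervals vary far too much to pass. A real deployment would feed this from flow records rather than an inline string and would tune the thresholds against known-good traffic to keep false positives down.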

Issue #2: Signatures:

Signatures are probably the most common and traditional security measure. They rely heavily on human-created signatures, which are written to help the product's detection engine identify cyber threats using rules established by observing the code of previous malware. Although beneficial in some instances, a solution that uses signature-based detection as its only method of detection would not be able to survive the cybercrime war. With the evolution in malware development methodology, it would be hard for a signature-only approach to be prepared for the next generation of threats.

Issue #3: Not checking process memory:

One of the most basic differences between traditional antimalware and "next-generation" antimalware is the capacity to monitor process memory. Every program that runs on a system is assigned a certain amount of dynamic memory space, where it stores the data its processes need. Modern malware uses process memory to hijack legitimate processes in order to hide its network traffic or its own code. In some cases, malicious code is introduced directly into a process from a script, such as PowerShell, without touching a file. This is how fileless malware gets its name.

IV. Performance of Evolved Malware

To generate new GP-based malware, evolutionary computation was applied not only to specific attacks (such as overflow attacks) but also to obfuscation techniques. The GP algorithm is a population-based search modeled on natural evolution. In one study, "Mystique," the evasive and attack features of Android malware were extracted and a meta-model of malware was created. A more evasive, aggressive, and undetectable malware variant was then created using a multi-objective evolutionary algorithm. Antimalware companies, in turn, made effective use of the coevolution of antimalware techniques. Two central studies analyzed these coevolved techniques.

The first study, ADAM, proposed by Zheng et al., evaluated how effective these systems were against malware created using automatic obfuscation techniques while keeping the original malicious function. The second study, "DroidChameleon," proposed by Rastogi et al., evaluated the performance of antimalware systems against metamorphic and polymorphic, automatically mutating Android apps.

The coevolution of antimalware techniques proved effective, as reflected in a constant decrease in malicious package installations on the Android platform from 2015 to 2019 [Figure 8].

Figure 8: Mobile malware installation packages for Android in 2015-2019 - Please see end of document

The findings of Christodorescu and Jha sparked further research. Later, Morales evaluated the resilience of antimalware platforms to malware obfuscation techniques, and four of them produced high false-negative rates because of the elementary signature detection algorithm they used. Malware evolution was further explored by Wu et al., who suggested a more sophisticated model based on an Immune Genetic Algorithm, and by Noreen et al., who applied genetic operators to the Beagle malware.

When GP is applied to Android, the apk files are transformed into their source code, which is essential for properly evaluating the generated malware on mobile emulators. Smali files are produced with an open-source tool (Apktool), and their call graphs (CGs) are extracted [Figure 1]. The call graphs (flow graphs) are of different sizes, use nodes, and show the flow of each method. Mutation operations are applied to the call graphs, which are then present in each application and are characterized by a variable number of functions.

The GP algorithm creates a population of random subjects, which are potential solutions to a specific problem. The program then evaluates each subject and assigns it a value corresponding to how well it solves the problem. Until a termination criterion is satisfied, new populations of subjects are created using mutation operators, crossover, and selection. In genetic programming, each subject is an Android application, and the initial population is random malware. Each generation creates more evasive malware by applying genetic operators first to the CGs, then to the Smali code, and finally to the apk files.
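The same population, fitness, selection, crossover, mutation and termination loop is what the paper's earlier sections call evolution-based detection on the antimalware side. The script below is an added example, not from the paper or the studies it cites, and it runs the loop from the defender's seat: instead of evolving applications, it evolves a weighted detection rule over static features (permission names and API call sites, a constructed list) against a small constructed, labelled sample set, keeping the best rule of each generation unchanged (elitism) so that the best fitness can never go down. Feature names, samples, population size and mutation rate are all assumptions chosen for the example.

```python
import random

# Static features a scanner can extract from an APK without running it
# (permission names and API call sites). Constructed list for illustration.
FEATURES = ["SEND_SMS", "READ_PHONE_STATE", "INTERNET", "DexClassLoader",
            "Runtime.exec", "ACCESS_FINE_LOCATION", "Cipher.getInstance", "READ_CONTACTS"]

# Constructed training set: (features present, label) with 1 = malicious.
# INTERNET, READ_PHONE_STATE and Cipher appear on both sides, so a useful rule
# has to weight features rather than just test for the presence of one of them.
SAMPLES = [
    (frozenset({"SEND_SMS", "READ_PHONE_STATE", "INTERNET"}), 1),
    (frozenset({"DexClassLoader", "INTERNET", "READ_CONTACTS"}), 1),
    (frozenset({"Runtime.exec", "INTERNET", "Cipher.getInstance"}), 1),
    (frozenset({"SEND_SMS", "DexClassLoader"}), 1),
    (frozenset({"READ_PHONE_STATE", "INTERNET", "ACCESS_FINE_LOCATION", "DexClassLoader"}), 1),
    (frozenset({"Runtime.exec", "READ_CONTACTS", "SEND_SMS"}), 1),
    (frozenset({"INTERNET"}), 0),
    (frozenset({"INTERNET", "ACCESS_FINE_LOCATION"}), 0),
    (frozenset({"Cipher.getInstance", "INTERNET"}), 0),
    (frozenset({"READ_CONTACTS", "INTERNET"}), 0),
    (frozenset({"ACCESS_FINE_LOCATION", "Cipher.getInstance"}), 0),
    (frozenset({"READ_PHONE_STATE", "INTERNET"}), 0),
]


def classify(rule, feats):
    """A rule is (weights, threshold): flag when the weighted feature sum reaches the threshold."""
    weights, threshold = rule
    score = sum(w for f, w in zip(FEATURES, weights) if f in feats)
    return int(score >= threshold)


def fitness(rule, samples=SAMPLES):
    """Fraction of samples the rule labels correctly (1.0 = perfect)."""
    return sum(classify(rule, f) == y for f, y in samples) / len(samples)


def random_rule(rng):
    return ([rng.randint(-2, 2) for _ in FEATURES], rng.randint(0, 4))


def mutate(rule, rng, rate=0.15):
    """Re-draw each weight with probability `rate`; nudge the threshold likewise."""
    weights, threshold = rule
    weights = [rng.randint(-2, 2) if rng.random() < rate else w for w in weights]
    if rng.random() < rate:
        threshold = max(0, min(4, threshold + rng.choice((-1, 1))))
    return (weights, threshold)


def crossover(a, b, rng):
    """One-point crossover of the weight vectors; threshold taken from either parent."""
    cut = rng.randint(1, len(FEATURES) - 1)
    return (a[0][:cut] + b[0][cut:], rng.choice((a[1], b[1])))


def tournament(scored, rng, k=3):
    """Selection: the fittest of k randomly drawn (rule, fitness) pairs."""
    return max(rng.sample(scored, k), key=lambda s: s[1])[0]


def evolve(samples=SAMPLES, pop_size=30, generations=40, seed=0):
    """Return (best_rule, its fitness, best fitness seen at each generation)."""
    rng = random.Random(seed)
    scored = [(r, fitness(r, samples)) for r in (random_rule(rng) for _ in range(pop_size))]
    history = []
    for _ in range(generations):
        scored.sort(key=lambda s: s[1], reverse=True)
        history.append(scored[0][1])
        if scored[0][1] == 1.0:          # termination criterion: perfect on the training set
            break
        children = [scored[0]]           # elitism: the best rule survives unchanged
        while len(children) < pop_size:
            child = mutate(crossover(tournament(scored, rng), tournament(scored, rng), rng), rng)
            children.append((child, fitness(child, samples)))
        scored = children
    best = max(scored, key=lambda s: s[1])
    return best[0], best[1], history


def explain(rule):
    """Human-readable form of a rule, for the analyst who reviews what evolved."""
    weights, threshold = rule
    terms = [f"{w:+d}*{f}" for f, w in zip(FEATURES, weights) if w]
    return " ".join(terms) + f" >= {threshold}"


if __name__ == "__main__":
    rule, fit, history = evolve()
    print(f"best fitness {fit:.2f} after {len(history)} generations: {explain(rule)}")
```

The `explain` step matters in practice: an evolved rule is only deployable once a person has checked that the weights it settled on make sense (for instance, that it did not simply learn "INTERNET means benign" from a skewed sample set), which is the human-in-the-loop requirement the paper describes for GP in its next section.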

V. Performance of Coevolved Anti-Malware

To counteract genetic programming (GP) evolved malware, many companies answer the threat by introducing security solutions based on static analysis and machine learning techniques. Some of them compare genetic programming with other machine learning methods such as artificial neural networks, decision trees, support vector machines, and Bayesian networks. The outcome shows that genetic programming surpasses all other methods; therefore, it is suggested as the solution for proper malware detection [1].

The performance of antimalware systems is not equal across products: some show good results, while others do not. In a study published by Kaspersky, the best antimalware systems proved to be Defense Wall, Emsisoft, and Kaspersky, and the worst were Microsoft and McAfee.

As GP-based malware evolves, the percentage of detection failures will increase; therefore, the coevolution of antimalware alongside malware is generally proposed as useful for an effective security scheme [Figure 8].

A fully automated GP has not yet been achieved. A security expert is required to analyze the code and extract the various frameworks and design guidelines that will change the various aspects of the malware. In the study in reference [1], the malware was created using mutation and crossover operators, or only the mutation operator, to create properly evasive malware, which proved influential. There is also not enough malware available to create enough samples for machine learning; however, using iterative methods instead of recursive ones can help overcome this problem.

Figure 9: Malware passed/fail percentage of major anti-malware platforms - Please see end of document.

In general, GP is considered a machine learning algorithm used in malware analysis. The artificial intelligence decides how harmful the malware is and analyzes code based on a series of characteristics. Some characteristics rank higher than others in terms of impact, allowing the AI to determine the severity of the malware.

Antimalware software cannot be client-driven, because an individual mobile device is exposed to only a small sample of malware. Proper machine learning requires cloud-based systems and big data processing to provide protection on a larger scale. As for cost, the prices of cloud-based servers are falling, so proper antimalware is becoming more accessible [4].

There is also a controversy regarding the claim that some antimalware vendors are using heuristic technology that is superior to machine learning techniques, especially against signature-evading malware. This claim has not been proven, since many years of research will be required before a declaration can be made as to which method is superior.

VI. Conclusion

The fight between malware and antimalware is a repetitive cycle. Mobile malware is evolving rapidly and stealthily and has, in the last few years, become even more malicious, expanding its capabilities in obfuscation and encryption. Machine learning techniques have evolved in a way that helps hackers achieve their purposes, since the work is done automatically with less effort required on their end.

Newly evolved malware is created by using known malware as a basis and applying genetic programming to develop it. This advanced malware has had positive results in beating known antimalware systems that are available on the mass market. The purpose is to create malware that is automated and has the potential for future evolution using renaming techniques and dynamic code loading.

To counteract these attacks, new antimalware techniques have coevolved. These protection methods are mostly based on static analysis techniques, showing higher performance on new data sets and producing more robust systems.

It must be emphasized that, to achieve proper coevolution, numerous issues have yet to be resolved. Training sets do not currently exist in sufficient numbers to allow an algorithm to learn and produce the results needed to decrease the false positive rate. Further research must continue on these topics to maintain an edge against the ever-growing number of attackers who strive to benefit from the corruption of mobile device security.

References

1. Sevil Sen, Emre Aydogan, Ahmet I. Aysan, "Coevolution of Mobile Malware and Anti-Malware," https://ieeexplore.ieee.org/document/8332973

2. Brian Witten (January 2007), "Malware Evolution: A Snapshot of Threats and Countermeasures in 2005," https://www.researchgate.net/publication/22601

3. Srikanth Ramu (April 2012), "Mobile Malware Evolution, Detection, and Defense," The Institute for Computing, Information and Cognitive Systems (ICICS), University of British Columbia, Vancouver, BC V6T 1Z4, Canada, sramu@mss.icics.ubc.ca

4. Kim Crawley, "What You Must Know About Machine Learning Malware Analysis," https://www.ccsinet.com/blog/machine-learning-malware-analysis/

5. Kaspersky, W. (2019, November 08), "Mobile Malware." Retrieved June 17, 2020, from https://usa.kaspersky.com/resource-center/threats/mobile

6. Enterprise, C. (2018, November 30), "What is Anti Malware? How Anti Malware Software Works." Retrieved June 17, 2020, from https://enterprise.comodo.com/what-is-anti-malware.php

7. "What is Mobile Malware?" (2020, March 25). Retrieved June 17, 2020, from https://www.forcepoint.com/cyber-edu/mobile-malware

8. Touchette, F. (2015, October 02), "The Evolution Of Malware." Retrieved June 17, 2020, from https://www.darkreading.com/risk/the-evolution-of-malware/a/d-id/1322461

9. Srikanth Ramu (April 2012), "Mobile Malware Evolution, Detection and Defense," from https://pdfslide.net/documents/mobile-malware-evolution-detection-and-malware-evolution-detection-and-defense.html

Table 1: Malware detection techniques (table not included in this excerpt)

Figure 1: Typical Mobile threat model (figure not included in this excerpt)

Figure 2: Source Code Analysis (figure not included in this excerpt)

Figure 3: Static Code Analysis (figure not included in this excerpt)

Figure 4: System Call Based (figure not included in this excerpt)

Figure 5: GP based Coevolution (figure not included in this excerpt)

Figure 6: Malware analysis and detection using coevolution (figure not included in this excerpt)

Figure 7: Evasion Techniques used by Cybercriminals (figure not included in this excerpt)

Figure 8: Mobile malware installation packages for Android in 2015-2019 (figure not included in this excerpt)

Figure 9: Malware passed/fail percentage of major antimalware platforms (figure not included in this excerpt)

[...]


Details

Title: Mobile Malware Anti-malware Coevolution
College: Fordham University
Grade: 4.0
Author: Alexios Iosif Kotsis
Year: 2020
Pages: 10
Catalog Number: V1138718
ISBN (eBook): 9783346510921
Language: English
Keywords: mobile, malware, anti-malware, coevolution
Quote paper: Alexios Iosif Kotsis (Author), 2020, Mobile Malware Anti-malware Coevolution, Munich, GRIN Verlag, https://www.grin.com/document/1138718
