Evasion Is Not Enough: A Case Study of Android Malware

Harel Berger; Chen Hajaj; Amit Dvir

doi:10.1007/978-3-030-49785-9_11

Evasion Is Not Enough: A Case Study of Android Malware

Harel Berger, Chen Hajaj, Amit Dvir

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

9 Scopus citations

Abstract

A growing number of Android malware detection systems are based on Machine Learning (ML) methods. However, ML methods are often vulnerable to evasion attacks, in which an adversary manipulates malicious instances so they are classified as benign. Here, we present a novel evaluation scheme for evasion attack generation that exploits the weak spots of known Android malware detection systems. We implement an innovative evasion attack on Drebin [3]. After our novel evasion attack, Drebin’s detection rate decreased by 12%. However, when inspecting the functionality and maliciousness of the manipulated instances, the maliciousness rate increased, whereas the functionality rate decreased by 72%. We show that non-functional apps, do not constitute a threat to users and are thus useless from an attacker’s point of view. Hence, future evaluations of attacks against Android malware detection systems should also address functionality and maliciousness tests.

Original language	English
Title of host publication	Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings
Editors	Shlomi Dolev, Gera Weiss, Vladimir Kolesnikov, Sachin Lodha
Publisher	Springer
Pages	167-174
Number of pages	8
ISBN (Print)	9783030497842
DOIs	https://doi.org/10.1007/978-3-030-49785-9_11
State	Published - 1 Jan 2020
Externally published	Yes
Event	4th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2020 - Beersheba, Israel Duration: 2 Jul 2020 → 3 Jul 2020

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	12161 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	4th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2020
Country/Territory	Israel
City	Beersheba
Period	2/07/20 → 3/07/20

Keywords

Android security
Cyber security
Malware detection

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-030-49785-9_11

Cite this

Berger, H., Hajaj, C., & Dvir, A. (2020). Evasion Is Not Enough: A Case Study of Android Malware. In S. Dolev, G. Weiss, V. Kolesnikov, & S. Lodha (Eds.), Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings (pp. 167-174). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12161 LNCS). Springer. https://doi.org/10.1007/978-3-030-49785-9_11

Berger, Harel ; Hajaj, Chen ; Dvir, Amit. / Evasion Is Not Enough : A Case Study of Android Malware. Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings. editor / Shlomi Dolev ; Gera Weiss ; Vladimir Kolesnikov ; Sachin Lodha. Springer, 2020. pp. 167-174 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{01428c0ce4c04736aa1a96451ca288aa,

title = "Evasion Is Not Enough: A Case Study of Android Malware",

abstract = "A growing number of Android malware detection systems are based on Machine Learning (ML) methods. However, ML methods are often vulnerable to evasion attacks, in which an adversary manipulates malicious instances so they are classified as benign. Here, we present a novel evaluation scheme for evasion attack generation that exploits the weak spots of known Android malware detection systems. We implement an innovative evasion attack on Drebin [3]. After our novel evasion attack, Drebin{\textquoteright}s detection rate decreased by 12%. However, when inspecting the functionality and maliciousness of the manipulated instances, the maliciousness rate increased, whereas the functionality rate decreased by 72%. We show that non-functional apps, do not constitute a threat to users and are thus useless from an attacker{\textquoteright}s point of view. Hence, future evaluations of attacks against Android malware detection systems should also address functionality and maliciousness tests.",

keywords = "Android security, Cyber security, Malware detection",

author = "Harel Berger and Chen Hajaj and Amit Dvir",

note = "Publisher Copyright: {\textcopyright} 2020, Springer Nature Switzerland AG.; 4th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2020 ; Conference date: 02-07-2020 Through 03-07-2020",

year = "2020",

month = jan,

day = "1",

doi = "10.1007/978-3-030-49785-9_11",

language = "English",

isbn = "9783030497842",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "167--174",

editor = "Shlomi Dolev and Gera Weiss and Vladimir Kolesnikov and Sachin Lodha",

booktitle = "Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings",

address = "Germany",

}

Berger, H, Hajaj, C & Dvir, A 2020, Evasion Is Not Enough: A Case Study of Android Malware. in S Dolev, G Weiss, V Kolesnikov & S Lodha (eds), Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12161 LNCS, Springer, pp. 167-174, 4th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2020, Beersheba, Israel, 2/07/20. https://doi.org/10.1007/978-3-030-49785-9_11

Evasion Is Not Enough: A Case Study of Android Malware. / Berger, Harel; Hajaj, Chen; Dvir, Amit.
Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings. ed. / Shlomi Dolev; Gera Weiss; Vladimir Kolesnikov; Sachin Lodha. Springer, 2020. p. 167-174 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12161 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Evasion Is Not Enough

T2 - 4th International Symposium on Cyber Security Cryptography and Machine Learning, CSCML 2020

AU - Berger, Harel

AU - Hajaj, Chen

AU - Dvir, Amit

PY - 2020/1/1

Y1 - 2020/1/1

N2 - A growing number of Android malware detection systems are based on Machine Learning (ML) methods. However, ML methods are often vulnerable to evasion attacks, in which an adversary manipulates malicious instances so they are classified as benign. Here, we present a novel evaluation scheme for evasion attack generation that exploits the weak spots of known Android malware detection systems. We implement an innovative evasion attack on Drebin [3]. After our novel evasion attack, Drebin’s detection rate decreased by 12%. However, when inspecting the functionality and maliciousness of the manipulated instances, the maliciousness rate increased, whereas the functionality rate decreased by 72%. We show that non-functional apps, do not constitute a threat to users and are thus useless from an attacker’s point of view. Hence, future evaluations of attacks against Android malware detection systems should also address functionality and maliciousness tests.

AB - A growing number of Android malware detection systems are based on Machine Learning (ML) methods. However, ML methods are often vulnerable to evasion attacks, in which an adversary manipulates malicious instances so they are classified as benign. Here, we present a novel evaluation scheme for evasion attack generation that exploits the weak spots of known Android malware detection systems. We implement an innovative evasion attack on Drebin [3]. After our novel evasion attack, Drebin’s detection rate decreased by 12%. However, when inspecting the functionality and maliciousness of the manipulated instances, the maliciousness rate increased, whereas the functionality rate decreased by 72%. We show that non-functional apps, do not constitute a threat to users and are thus useless from an attacker’s point of view. Hence, future evaluations of attacks against Android malware detection systems should also address functionality and maliciousness tests.

KW - Android security

KW - Cyber security

KW - Malware detection

UR - http://www.scopus.com/inward/record.url?scp=85087785958&partnerID=8YFLogxK

U2 - 10.1007/978-3-030-49785-9_11

DO - 10.1007/978-3-030-49785-9_11

M3 - Conference contribution

AN - SCOPUS:85087785958

SN - 9783030497842

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 167

EP - 174

BT - Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings

A2 - Dolev, Shlomi

A2 - Weiss, Gera

A2 - Kolesnikov, Vladimir

A2 - Lodha, Sachin

PB - Springer

Y2 - 2 July 2020 through 3 July 2020

ER -

Berger H, Hajaj C, Dvir A. Evasion Is Not Enough: A Case Study of Android Malware. In Dolev S, Weiss G, Kolesnikov V, Lodha S, editors, Cyber Security Cryptography and Machine Learning - 4th International Symposium, CSCML 2020, Proceedings. Springer. 2020. p. 167-174. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-49785-9_11