Signature-Based Detection

A method that is commonly used in current anti-virus and anti-malware solutions is based on generating representative signatures for existing malware samples and maintaining a database of them. Once a signature is recognised, the malware is detected with high confidence. Although the number of false positives with such systems is low, they rely heavily on maintenance of the signature database, which has to be updated frequently as new malware appears. In a mobile environment this can be difficult, because the device is not constantly connected to the Internet, is sometimes connected only over mobile data that is charged for, or does not have enough memory to store all available malware signatures.

Static Detection

These methods analyse the static features of applications (e.g. granted permissions, API calls, source code debugging) and discriminate between malware and trusted applications based on them.

One approach to static malware detection is proposed in [8], where high detection accuracy is achieved by using features from the manifest file and feature sets from the disassembled code. The reported overhead is sub-linear: its running time grows as O(√m), where m is the number of analysed bytes. The mechanism presented in [35] also uses static features, including permissions, Intent message passing and API calls, to detect malicious Android applications.

Apple, Google, and Nokia use application permissions and review to protect users from malware. The effectiveness of these mechanisms against the malware in a given data set is evaluated in [16]. In [16], sending SMS messages without confirmation and accessing unique phone identifiers such as the IMEI are identified as promising features for malware detection, as legitimate applications ask for these permissions less often [17]. For example, nearly one third of applications request access to user location, but far fewer request both access to user location and the ability to launch at boot time. The authors concluded that although the number of permissions alone is not sufficient to identify malware, permissions could be used as part of a set of classification features, provided that all permissions common to the malware set are infrequent among non-malicious applications.
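As an added illustration of the manifest-based feature extraction in [8] and the permission-selection criterion described in [16] (this is example code, not from the surveyed papers), the Python below reads the permissions declared in a decoded AndroidManifest.xml, keeps those that are frequent in a malware set but rare among benign apps, and scores an app by how many of them it requests. The training sets, the sample manifest and the frequency thresholds are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def permissions_from_manifest(manifest_xml):
    """Permissions declared in a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = (n.get(f"{{{ANDROID_NS}}}name", "") for n in root.iter("uses-permission"))
    return {n.rsplit(".", 1)[-1] for n in names if n}  # android.permission.X -> X

def permission_frequency(apps):
    """Fraction of apps in a set that request each permission."""
    counts = Counter(p for perms in apps for p in perms)
    return {p: c / len(apps) for p, c in counts.items()}

def select_features(malware, benign, min_mal=0.75, max_ben=0.25):
    """Criterion from [16]: keep permissions that are common in the malware
    set but infrequent among benign apps (thresholds are assumed here)."""
    mal, ben = permission_frequency(malware), permission_frequency(benign)
    return sorted(p for p, f in mal.items()
                  if f >= min_mal and ben.get(p, 0.0) <= max_ben)

def risk_score(app_perms, features):
    """How many of the selected discriminative permissions an app requests."""
    return len(set(app_perms) & set(features))

# Constructed training sets (not data from the cited papers).
MALWARE_PERMS = [
    {"INTERNET", "SEND_SMS", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"},
    {"INTERNET", "SEND_SMS", "READ_PHONE_STATE", "ACCESS_FINE_LOCATION"},
    {"INTERNET", "SEND_SMS", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"},
    {"INTERNET", "SEND_SMS", "READ_PHONE_STATE"},
]
BENIGN_PERMS = [
    {"INTERNET", "ACCESS_FINE_LOCATION"}, {"INTERNET"}, {"INTERNET", "VIBRATE"},
    {"INTERNET", "READ_PHONE_STATE"}, {"INTERNET", "ACCESS_FINE_LOCATION", "CAMERA"},
    {"INTERNET", "SEND_SMS"},
]
# Constructed manifest of an app to score, in apktool-style decoded text form.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    features = select_features(MALWARE_PERMS, BENIGN_PERMS)
    print(features, risk_score(permissions_from_manifest(SAMPLE_MANIFEST), features))
```

A benign app that requests the same number of permissions as a malicious one (e.g. INTERNET, ACCESS_FINE_LOCATION and CAMERA) scores zero here, which is the point that the permission count alone does not separate the classes.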

In [34], the set of identifiers representing the applications installed on a device is used as a feature for detecting the susceptibility of the device to malware infection. The assumption is that the set of applications used on a device may predict the likelihood of the device being classified as infected in the future. Nevertheless, observing just this feature is not enough to give a precise answer about whether a device is being attacked, due to low precision and recall [34].

In a nutshell, static detection is an effective approach in terms of resource consumption. However, because it analyses applications only on the basis of their static features, it cannot detect malicious behaviour that appears only at run time, it is vulnerable to obfuscation [26], and it cannot detect variations of existing malware samples, which are easy to create and distribute.
