ACE Seminar: CopperDroid: Automatic Android Malware Analysis and Classification

Speaker: Dr Lorenzo Cavallaro

Date/Time: 07-Dec-2016, 14:00 UTC

Venue: Anatomy G29 - JZ Young LT



Rapid advent of Android platforms has dawned an era of sophisticated malware that attack these systems. Static approaches developed to detect malware are often left wanting as malware writers take to increasingly obfuscated code that bypass static detection. This has triggered research into Android sandboxes that derive meaningful semantic information about malware by running them.
To better understand this slew of threats, in this talk I will first introduce CopperDroid, an automatic VMI-based dynamic analysis system to reconstruct the behaviors of Android malware, developed within the Systems Security Research Lab at Royal Holloway, University of London. The novelty of CopperDroid lies in its agnostic approach to identify interesting OS- and high-level Android-specific behaviors. It reconstructs these behaviors by observing and dissecting system calls and, therefore, is resistant to the multitude of alterations the Android runtime is subjected to over its life-cycle. CopperDroid automatically and accurately reconstructs events of interest that describe not only well-known process-OS interactions (e.g., file and process creations), but also complex intra- and inter-process communications (e.g., sending and receiving text messages, accessing GPS coordinates, camera, and contacts list), whose semantics are typically contextualized through complex Android objects. Because CopperDroid's reconstruction mechanisms are agnostic to the underlying action invocation methods, it is able to capture actions initiated both from Java and native code execution. CopperDroid's analysis generates detailed behavioral profiles that abstract a large stream of low-level---often uninteresting---events into concise, high-level semantics, which are well-suited to provide insightful behavioral traits and open the possibility to further research directions. To this end, I will then show our current research efforts to investigate the efficacy of behavioral profiles of different abstractions to differentiate between families of malware. Our experiments report an accuracy, precision and recall of 94.5%, 99.2% and 97.8%, respectively, in a multi-class Android malware family classification setting. In addition, in a significant departure from traditional classification techniques, we further apply a statistical classification approach to include samples showing poor behavior counts and depict a means to achieve near-perfect accuracy by considering a prediction set of top few matches than a singular choice.


Lorenzo "Gigi Sullivan" Cavallaro was raised in a fantastic epoch where information and knowledge was meant for those who were just curious enough. He grew up on pizza, spaghetti, Phrack (do "smashing the stack for fun and profit" and "IP spoofing demystified" ring a bell to you?), and W. Richard Stevens' TCP/IP illustrated masterpieces. Underground and academic research interests followed shortly thereafter and he has never stopped wondering and having fun ever since.
Lorenzo is a Reader (Associate Professor) of Information Security in the Information Security Group (ISG) at Royal Holloway, University of London. Prior joining the ISG, Lorenzoproudly spent time at Stony Brook University (Prof. R. Sekar), as a visiting PhD scholar from University of Milan, and UC Santa Barbara (Profs Giovanni Vigna and Christopher Kruegel) and Vrije Universiteit Amsterdam (Prof.  Andrew S. Tanenbaum) as a PostDoc Researcher---amazing and intense years he still remembers vividly.  Lorenzo's research focuses largely on systems security. To this end, he has founded and is leading the recently-established Systems Security Research Lab (S2Lab) within the ISG, which focuses on devising novel techniques built around program analysis and machine learning to protect systems from a broad range of threats, including those perpetrated by malicious software. In particular, Lorenzo's lab aims ultimately at building practical tools and providing security services to the community at large. He is Principal Investigator and co-Investigator on a number of UK EPSRC- and EU-funded research projects, sits in technical program committee of top and well-established information security academic conferences and workshops, and has published in top and well-known venues. Lorenzo's Coursera MOOC on "Malicious Software and its Underground Economy: Two Sides to Every Story" attracted more than 100,000 students since its pilot in 2013, which makes him shamelessly bragging on his pizza, spaghetti, and Phrack heritage furthermore.

Add to Calendar

This page was last modified on 27 Mar 2014.