A Fuzzy-based Process Mining Approach for Dynamic Malware Detection

F Martinelli; F Mercaldo
2017

Abstract

Mobile systems have become essential for communication and productivity but are also becoming a target of continuous malware attacks. New malware is often obtained as a variant of existing malicious code. This work describes an approach for dynamic malware detection based on the combination of Process Mining (PM) and Fuzzy Logic (FL) techniques. The former are used to characterize the behavior of an application by identifying recurring executions expressed as a set of declarative constraints between the system calls. Fuzzy logic is used to classify the analyzed malware applications and verify their relations with the existing malware variants. The combination of the two techniques makes it possible to obtain a fingerprint of an application that is used to verify its maliciousness/trustworthiness, establish whether it belongs to a known malware family, and identify the differences between the detected malware behavior and the other variants of the same malware family. The approach is applied to a dataset of 3000 trusted and malicious applications across twelve malware families and has shown a very good discrimination ability that can be exploited for malware detection and family identification.
2017
Istituto di informatica e telematica - IIT
English
IEEE International Conference on Fuzzy Systems
8
Yes, but type not specified
09-12/07/2017
Napoli, Italia
android
fuzzy
Malware
process mining
4
none
Martinelli, F; Mercaldo, F; L Bernardi, M; Cimitile, M
273
info:eu-repo/semantics/conferenceObject
04 Conference contribution::04.01 Contribution in conference proceedings
Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/356974