CISPA
Browse

Improving Logic Bomb Identification in Android Apps via Context-Aware Anomaly Detection

Download (809.83 kB)
journal contribution
posted on 2024-03-19, 12:31 authored by Marco Alecci, Jordan Samhi, Li Li, Tegawendé Bissyandé, Jacques Klein
One prominent tactic used to keep malicious behavior from being detected during dynamic test campaigns is logic bombs, where malicious operations are triggered only when specific conditions are satisfied. Defusing logic bombs remains an unsolved problem in the literature. In this work, we propose to investigate Suspicious Hidden Sensitive Operations (SHSOs) as a step toward triaging logic bombs. To that end, we develop a novel hybrid approach that combines static analysis and context-aware anomaly detection techniques to uncover SHSOs, which we predict as likely implementations of logic bombs. Concretely, DIFUZER++ identifies SHSO entry-points using an instrumentation engine and conducting an inter-procedural data-flow analysis. Subsequently, it extracts trigger-specific features to characterize SHSOs. To detect abnormal triggers, we utilize multiple One-Class SVM models, each trained on distinct sets of similar apps to more effectively capture normal behavior patterns. To assess the added value of the context-aware analysis, we compare DIFUZER++ against a baseline approach with no context (that we name DIFUZER). We show that the context-aware analysis leads to a significant improvement in both the precision and F1 score. Furthermore, the probability of successfully triaging logic bombs among HSOs increases from 29.7% to 58.8%. All our artifacts are released to the community.

History

Primary Research Area

  • Secure Connected and Mobile Systems

Journal

IEEE Transactions on Dependable and Secure Computing

Publisher

IEEE

Sub Type

  • Article

BibTeX

@article{Alecci:Samhi:Li:Bissyandé:Klein:2024, title = "Improving Logic Bomb Identification in Android Apps via Context-Aware Anomaly Detection", author = "Alecci, Marco" AND "Samhi, Jordan" AND "Li, Li" AND "Bissyandé, Tegawendé" AND "Klein, Jacques", year = 2024, month = 1, journal = "IEEE Transactions on Dependable and Secure Computing", publisher = "IEEE", issn = "1545-5971" }