Clustering and Visualization of Mobile Application Permissions for End Users and Malware Analysts
Gürol Canbek, Nazife Baykal, and Seref Sagiroglu
5th International Symposium on Digital Forensic and Security
“Petru Maior” University of Tîrgu Mureș, Romania
April 26-28, 2017
Full text available online: http://bit.ly/clustervisualize
Abstract
› Mobile application permissions
  – At the core of the Android security mechanism
› The first leading transparent feature
  – for end users
    › to assess any mobile application before download or installation
  – for experts
    › to analyse any malware.
› Representing
  – vast and dispersed permissions and
  – achieving clarity
› is not a trivial matter.
(…Abstract) In this study, we
› Examined Android permissions, their groups and formal representations with the limitations;
› Surveyed the limited studies on clustering/visualization of permissions;
› Grouped 251 Android permissions into 12 clusters semantically; and
› Proposed a new visualization approach
  – that looks more conventional to both end users and experts
  – that helps in comprehending permissions easily and quickly;
› Applied the proposed clustering and visualization to the calculated discriminative malign permissions concept for malware analysis;
› Demonstrated the potential effectiveness of the approach.
› Our approach
  – Improves the expression and understanding of a large number of mobile application permissions in a better context,
  – Provides more understanding and insight, and
  – Helps in interpreting or inferring interesting patterns related to permissions for malware classification.
Introduction
Android application permission mechanism
› As a Discretionary Access Control (DAC),
  – limits the specific operations performed by applications and/or
  – provides ad hoc access to specific pieces of data at the end user’s discretion.
› Users have total control over the access via permissions.
› Least-privilege principle
› Easy to use and implement
What is behind a permission request?
To give a permission? ACCESS_FINE_LOCATION
Or not to give a permission?
› Any permission request is a signal to indicate the adverse impact on user experience or any data on device.
› Reviewing the permissions is very critical in this regard.
Refer to the article for more information about
› the Android permission mechanism,
› user issues regarding
  – difficulties in understanding the meaning of a large number of permissions,
  – app permissions dialog limitations,
  – user behaviours on accepting the permissions, and
› using permissions as a primary feature category for static malware analysis.
Existing Permission Representations
Existing (Formal) and Proposed Permission Representations
Permission Representation in GUI scope
[Figure: permission dialogs at download time (Google Play on the web) and at install time (on device).]
Visual Elements for Android Permission Groups
Review of Permission Visualization Studies
Self-Organizing Map (SOM)
D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji, “A methodology for empirical analysis of permission-based security models and its application to Android,” in ACM conference on Computer and communications security. New York, New York, USA: ACM, 2010, pp. 73–84.
Modularized Network Diagram
I. Rassameeroj and Y. Tanahashi, “Various approaches in analyzing Android applications with its permission-based security models,” in IEEE International Conference on Electro/Information Technology (EIT). Mankato, MN: IEEE, 2011, pp. 1–6.
Papilio visualization tool
M. H. Loorak, P. W. L. Fong, and S. Carpendale, “Papilio: Visualizing Android application permissions,” in Eurographics Conference on Visualization (EuroVis), vol. 33, no. 3, 2014.
The Proposed Permission Clustering and Visualization Application at first glance!
PROPOSED PERMISSION CLUSTERS
We semantically and spatially combine the permission sets into a narrowed set of 12 clusters:
• hardware,
• system,
• configuration,
• visual,
• data,
• personal,
• sensory,
• communicative,
• social,
• network,
• cloud, and
• ungrouped
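Tabular Form
[Figure: the 12 clusters laid out as a table along a 1st and a 2nd dimension, with regions labelled Device, Medium and User. Permission counts per cluster: Data 5, Cloud 8, Social 8, Personal 4, Network 15, Communicative 20, Sensory 6, System 63, Hardware 12, Ungrouped 99; the remaining two values, 0 and 11, belong to Visual and Configuration. PII (Personally Identifiable Information): 50.]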
Demonstration of Proposed Clustering and Visualization Approach on Static Malware Analysis
The Top Discriminative Malign Permissions
› The highest inter-class deviation (from malign to benign)
› obtained by subtracting the benign frequency from the corresponding malign frequency for each permission in the malign and benign datasets.
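[Figure: the top discriminative malign permissions shown on the tabular layout (Device, Medium, User), with a count and a percentage per cluster. Values as they appear in the figure: Data (20%), Cloud (13%) 1, Social (38%) 3, Visual (25%), Network (33%) 5, Communicative (40%) 8, Personal 1, Configuration 0, Sensory 0, System (22%) 14, Hardware (17%) 2, Ungrouped (5%) 5, PII (Personally Identifiable Information) (24%) 12.]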
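The calculation described on this slide, carried from per-app permission sets to per-cluster counts, as an added example that is not from the slides or the paper. The app sets are constructed, the permission-to-cluster mapping is a hypothetical assignment, and the cluster sizes are the counts from the Tabular Form slide.

```python
from collections import Counter

# Constructed sample data: each app is the set of permissions it requests.
MALIGN_APPS = [
    {"SEND_SMS", "READ_CONTACTS", "INTERNET", "READ_PHONE_STATE"},
    {"SEND_SMS", "RECEIVE_SMS", "INTERNET", "READ_PHONE_STATE"},
    {"READ_CONTACTS", "INTERNET", "RECEIVE_BOOT_COMPLETED"},
    {"SEND_SMS", "INTERNET", "ACCESS_FINE_LOCATION"},
]
BENIGN_APPS = [
    {"INTERNET", "ACCESS_FINE_LOCATION"},
    {"INTERNET", "CAMERA"},
    {"INTERNET", "READ_CONTACTS"},
    {"INTERNET", "ACCESS_FINE_LOCATION", "CAMERA"},
]
# Hypothetical permission-to-cluster assignment (the slides do not list it).
CLUSTER_OF = {
    "SEND_SMS": "communicative", "RECEIVE_SMS": "communicative",
    "READ_CONTACTS": "personal", "READ_PHONE_STATE": "system",
    "RECEIVE_BOOT_COMPLETED": "system", "INTERNET": "network",
    "ACCESS_FINE_LOCATION": "sensory", "CAMERA": "hardware",
}
# Cluster sizes as given on the Tabular Form slide.
CLUSTER_SIZE = {"communicative": 20, "personal": 4, "system": 63,
                "network": 15, "sensory": 6, "hardware": 12}

def frequencies(apps):
    """Fraction of apps in the dataset that request each permission."""
    counts = Counter(p for app in apps for p in app)
    return {p: c / len(apps) for p, c in counts.items()}

def discriminative_malign(malign, benign, top_n):
    """Rank permissions by malign frequency minus benign frequency."""
    fm, fb = frequencies(malign), frequencies(benign)
    dev = {p: fm.get(p, 0.0) - fb.get(p, 0.0) for p in set(fm) | set(fb)}
    ranked = sorted(dev.items(), key=lambda kv: (-kv[1], kv[0]))
    # Keep only permissions that lean malign (positive deviation).
    return [(p, d) for p, d in ranked[:top_n] if d > 0]

def per_cluster(top):
    """Cluster -> (count of top permissions, rounded % of the cluster)."""
    counts = Counter(CLUSTER_OF.get(p, "ungrouped") for p, _ in top)
    return {c: (n, round(100 * n / CLUSTER_SIZE[c])) for c, n in counts.items()}

if __name__ == "__main__":
    top = discriminative_malign(MALIGN_APPS, BENIGN_APPS, top_n=4)
    for perm, dev in top:
        print(f"{perm:24s} {dev:+.2f}")
    print(per_cluster(top))
```

INTERNET is requested by every app in both constructed sets, so its deviation is zero and it never ranks, which is why frequency differences rather than raw malign frequencies are used.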
Still valuable on new Permission Model
Thank You › Questions?
G. Canbek, N. Baykal and S. Sagiroglu, "Clustering and visualization of mobile application permissions for end users and malware analysts," 2017 5th International Symposium on Digital Forensic and Security (ISDFS), Tirgu Mures, Romania, 2017, pp. 1-10. doi: 10.1109/ISDFS.2017.7916512 keywords: {Android; Google; Malware; Mobile applications; Security; Visualization}, URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7916512&isnumber=7916489