Clustering and Visualization of Mobile Application ...

Clustering and Visualization of Mobile Application Permissions for End Users and Malware Analysts

Gürol Canbek, Nazife Baykal, and Seref Sagiroglu

5th International Symposium on Digital Forensic and Security, “Petru Maior” University of Tîrgu Mureș, Romania, April 26-28, 2017

Full text available online: http://bit.ly/clustervisualize

Abstract

› Mobile application permissions
– At the core of Android security mechanism
› The first leading transparent feature
– for end users to assess any mobile application before download or installation
– for experts to analyse any malware.
› Representing vast and dispersed permissions and achieving clarity is not a trivial matter.

In this study, we
› Examined Android permissions, their groups and formal representations with the limitations;
› Surveyed limited studies on clustering/visualization of permissions;
› Grouped 251 Android permissions into 12 clusters semantically; and
› Proposed a new visualization approach
– that looks more conventional to both end users and experts
– that helps in comprehending permissions easily and quickly
› Applied the proposed clustering and visualization to the calculated discriminative malign permissions concept for malware analysis;
› Demonstrated potential effectiveness of the approach.

› Our approach
– Improves expressing and understanding of a large number of mobile application permissions in a better context,
– Provides more understanding and insight, and
– Helps in interpreting or inferring interesting patterns related to permissions for malware classification.

Introduction

Android application permission mechanism
› As a Discretionary Access Control (DAC),
– Limits the specific operations performed by applications and/or
– provides ad hoc access to specific pieces of data at end user’s discretion.
› Users have total control over the access via permissions.
› Least-privilege principle
› Easy to use and implement

What is behind a permission request? To give a permission? ACCESS_FINE_LOCATION

Or not to give a permission?

› Any permission request is a signal to indicate the adverse impact on user experience or any data on device.

› Reviewing the permissions is very critical in this regard.

Refer to the article for more information about
› Android permission mechanism,
› User issues regarding
– Difficulties in understanding the meaning of a large number of permissions,
– App permissions dialog limitations,
– User behaviours on accepting the permissions
› Using permission as a primary feature category for static malware analysis

Existing Permission Representations

Existing (Formal) and Proposed Permission Representations

[Figure: Permission representation in GUI scope. Panels: download time at Google Play on the web; install time on device.]

Visual Elements for Android Permission Groups

Review of Permission Visualization Studies

Self-Organizing Map (SOM)

D. Barrera, H. G. Kayacik, P. C. van Oorschot, and A. Somayaji, “A methodology for empirical analysis of permission-based security models and its application to Android,” in ACM conference on Computer and communications security. New York, New York, USA: ACM, 2010, pp. 73–84.

Modularized Network Diagram

I. Rassameeroj and Y. Tanahashi, “Various approaches in analyzing Android applications with its permission-based security models,” in IEEE International Conference on Electro/Information Technology (EIT). Mankato, MN: IEEE, 2011, pp. 1–6.

Papilio visualization tool

M. H. Loorak, P. W. L. Fong, and S. Carpendale, “Papilio: Visualizing Android application permissions,” in Eurographics Conference on Visualization (EuroVis), vol. 33, no. 3, 2014.

The Proposed Permission Clustering and Visualization Application at first glance!

PROPOSED PERMISSION CLUSTERS

We semantically and spatially combine the permission sets into a narrowed 12 clusters:
• hardware,
• system,
• configuration,
• visual,
• data,
• personal,
• sensory,
• communicative,
• social,
• network,
• cloud, and
• ungrouped

Tabular Form

[Figure: the proposed clusters in tabular form, arranged along a 1st dimension and a 2nd dimension under the headings Device, User and Medium. Cluster labels and counts shown: Data 5, Cloud, Social, Visual, Personal 4, Network 15, Communicative 20, Configuration 0, Sensory 6, System 63, Hardware 12, PII (Personally Identifiable Information) 50, Ungrouped 99.]

Demonstration of Proposed Clustering and Visualization Approach on Static Malware Analysis

The Top Discriminative Malign Permissions
› The highest inter-class deviation (from malign to benign)
› Calculated by subtracting benign frequencies from the corresponding malign frequencies per permission in the malign and benign datasets.

[Figure: top discriminative malign permissions in the tabular cluster form, under the headings Medium, Device and User. Labels and values shown: Data (20%), Cloud (13%), Social, Visual (25%), Network (33%) 5, Communicative (40%) 8, Personal 1, Configuration 0, Sensory 0, System (22%) 14, Hardware (17%), PII (Personally Identifiable Information) (24%), Ungrouped (5%).]
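The subtraction described above, as an added example that is not code from the paper: per-permission request frequencies are computed in a malign and a benign dataset, subtracted, ranked, and rolled up by cluster. The app permission sets, the permission-to-cluster mapping, the `top_n` cut-off and the per-cluster share are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data: one set of requested permissions per app,
# as read from each manifest (not the paper's datasets).
MALIGN = [
    {"INTERNET", "SEND_SMS", "READ_SMS", "READ_PHONE_STATE"},
    {"INTERNET", "SEND_SMS", "RECEIVE_BOOT_COMPLETED", "READ_CONTACTS"},
    {"INTERNET", "READ_SMS", "READ_PHONE_STATE", "RECEIVE_BOOT_COMPLETED"},
    {"INTERNET", "SEND_SMS", "READ_PHONE_STATE", "ACCESS_FINE_LOCATION"},
]
BENIGN = [
    {"INTERNET", "CAMERA"},
    {"INTERNET", "ACCESS_FINE_LOCATION", "VIBRATE"},
    {"INTERNET", "READ_CONTACTS", "CAMERA"},
    {"VIBRATE", "READ_PHONE_STATE"},
]

# Hypothetical permission-to-cluster mapping, for illustration only;
# the paper's assignment of its 251 permissions is not on this page.
CLUSTER = {
    "INTERNET": "network", "SEND_SMS": "communicative",
    "READ_SMS": "communicative", "READ_CONTACTS": "personal",
    "READ_PHONE_STATE": "system", "RECEIVE_BOOT_COMPLETED": "system",
    "ACCESS_FINE_LOCATION": "sensory", "CAMERA": "hardware",
    "VIBRATE": "hardware",
}

def frequencies(apps):
    """Fraction of apps in the dataset that request each permission."""
    counts = Counter(p for app in apps for p in app)
    return {p: c / len(apps) for p, c in counts.items()}

def deviations(malign, benign):
    """Malign frequency minus benign frequency, per permission."""
    fm, fb = frequencies(malign), frequencies(benign)
    return {p: fm.get(p, 0.0) - fb.get(p, 0.0) for p in set(fm) | set(fb)}

def top_malign(malign, benign, top_n):
    """Permissions with the highest positive deviation, best first."""
    dev = deviations(malign, benign)
    ranked = sorted(dev.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(p, d) for p, d in ranked if d > 0][:top_n]

def cluster_share(top, cluster_of):
    """Per cluster: (number of top permissions, share of the cluster)."""
    size = Counter(cluster_of.values())
    hits = Counter(cluster_of[p] for p, _ in top)
    return {c: (hits[c], hits[c] / size[c]) for c in size}
```

With the constructed data, `top_malign(MALIGN, BENIGN, top_n=4)` ranks SEND_SMS first, while INTERNET, requested by every malign sample, falls below the cut because benign apps request it almost as often.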

Still valuable on new Permission Model

Thank You › Questions?

G. Canbek, N. Baykal and S. Sagiroglu, "Clustering and visualization of mobile application permissions for end users and malware analysts," 2017 5th International Symposium on Digital Forensic and Security (ISDFS), Tirgu Mures, Romania, 2017, pp. 1-10. doi: 10.1109/ISDFS.2017.7916512 keywords: {Android; Google; Malware; Mobile applications; Security; Visualization}, URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7916512&isnumber=7916489