Hayan Salman-Hasan has been a Ph.D. candidate in the Department of Computer Engineering at the University of Isfahan (UI) since 2017, under the supervision of Dr. Behrouz Tork Ladani and Dr. Bahman Zamani. He received his B.Sc. in Automatic Control and Computer Engineering from Al-Baath University, Syria, in August 2011 and his M.Sc. in Software Engineering from Imam-Khomeini International University (IKIU) in September 2016. His Ph.D. research focuses on Model-Driven Development and Android malware. He is a member of the Model-Driven Software Engineering Research Group (MDSERG) at the University of Isfahan.
Dynamic analysis is a prominent approach for understanding the real behavior of Android malware. However, malware frequently uses evasion techniques to prevent dynamic analysis and to hide its real malicious behavior. Although different approaches have been proposed to tackle evasive malware, they suffer from a number of limitations in practice. For example, most of the existing work relies on static analysis to detect the evasions, which is easily defeated when the malware also employs anti-static-analysis techniques. On the other hand, although dynamic analysis approaches provide some techniques for resisting evasion, those techniques may not be sufficient against complex evasions and can cause crashes in some cases.
In this research, we propose novel solutions to the problem of detecting and defeating malware evasion techniques, particularly when dealing with complex evasive malware. For this purpose, we first handle event-triggering evasions. We propose MEGDroid, a framework based on advanced compiler techniques, Model-Driven Engineering (MDE) transformations in particular. Using MEGDroid, malware-related information is automatically extracted and represented as a domain-specific model, which in turn is used to generate appropriate events for malware analysis. We then use and extend MEGDroid as an underlying component to develop Maaker, which addresses the problem of detecting and defeating evasion techniques comprehensively. Maaker again takes advantage of MDE transformations and utilizes both static and dynamic analysis together with a human-in-the-loop approach to tackle the evasions. Specifically, MDE artifacts are used in Maaker to facilitate putting the human in the loop so that his/her knowledge and expertise can be applied to effectively extract the real malicious behavior of the malware.
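To make the "extract a model, then generate events from it" step concrete, the following is an added illustration written for this page; it is not MEGDroid's or Maaker's code and does not reproduce their model or transformation rules. It assumes a simplified domain-specific model holding only the broadcast receivers an app declares and the intent actions they filter on, parsed from a constructed AndroidManifest.xml fragment, and it emits the `adb shell am broadcast` commands an analyst's sandbox would run to trigger each receiver. The manifest content, package name and component names are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import List
import xml.etree.ElementTree as ET

# Attribute namespace used by every android:* attribute in a manifest.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not from any real app): two broadcast
# receivers with intent filters and one service without any filter.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.sample.SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <service android:name=".WorkService"/>
  </application>
</manifest>
"""


@dataclass
class ReceiverModel:
    """One declared receiver: a hypothetical, simplified model element."""
    component: str                       # fully qualified class name
    actions: List[str] = field(default_factory=list)


@dataclass
class AppModel:
    """Hypothetical domain-specific model: package plus its receivers."""
    package: str
    receivers: List[ReceiverModel] = field(default_factory=list)


def qualify(package: str, name: str) -> str:
    """Expand a manifest short name such as '.BootReceiver' to its FQCN."""
    return package + name if name.startswith(".") else name


def extract_model(manifest_xml: str) -> AppModel:
    """Model extraction: read receivers and their intent actions from the manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    model = AppModel(package=package)
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name")
        actions = [a.get(ANDROID_NS + "name") for a in receiver.iter("action")]
        model.receivers.append(ReceiverModel(qualify(package, name), actions))
    return model


def generate_events(model: AppModel) -> List[str]:
    """Model-to-text step: one explicit broadcast per (receiver, action) pair.

    Targeting the component with -n means the event reaches this app's
    receiver even when the action is normally system-protected, which is
    acceptable inside an isolated analysis sandbox.
    """
    commands = []
    for receiver in model.receivers:
        for action in receiver.actions:
            commands.append(
                f"adb shell am broadcast -a {action} "
                f"-n {model.package}/{receiver.component}"
            )
    return commands


if __name__ == "__main__":
    for cmd in generate_events(extract_model(SAMPLE_MANIFEST)):
        print(cmd)
```

The point of the split into `extract_model` and `generate_events` is the one the abstract makes: once the relevant facts are in an explicit model, the event generator can target exactly the triggers the sample declares instead of replaying a generic event stream, which is why a model-driven generator can reach more code with fewer events.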
Both tools have been implemented as Eclipse plugins. For MEGDroid, we performed an extensive practical analysis on a set of malware samples selected from the AMD dataset. MEGDroid was compared with Monkey and DroidBot, two state-of-the-art event generators (general-purpose and malware-specific, respectively). The experimental results showed that MEGDroid considerably increases the executed code coverage with fewer events, which reflects both the effectiveness and the efficiency of MEGDroid. Furthermore, we experimentally evaluated and compared Maaker with two main rival tools, Ares and IntelliDroid, using malware samples from the EvaDroid benchmark and the AMD dataset. The evaluation results show that Maaker outperforms both rival tools in effectiveness, efficiency, and scalability.
Papers in English
- A machine learning approach for detecting and categorizing evasion sources in Android malware
- Curious-Monkey: Evolved Monkey for triggering malicious payloads in Android malware
- MEGDroid: A Model-Driven Event Generation Framework for Dynamic Android Malware Analysis
- Enhancing Monkey to trigger malicious payloads in Android malware