"Mining sandboxes: Are we there yet?" by Lingfeng BAO

Article

Mining sandboxes: Are we there yet?

2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER): Campobasso, Italy, March 20-23: Proceedings

Lingfeng BAO, Singapore Management University
Tien Duy B. LE, Singapore Management University
David LO, Singapore Management University

Download Find in your library

Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

3-2018

Abstract

The popularity of Android platform on mobile devices has attracted much attention from many developers and researchers, as well as malware writers. Recently, Jamrozik et al. proposed a technique to secure Android applications referred to as mining sandboxes. They used an automated test case generation technique to explore the behavior of the app under test and then extracted a set of sensitive APIs that were called. Based on the extracted sensitive APIs, they built a sandbox that can block access to APIs not used during testing. However, they only evaluated the proposed technique with benign apps but not investigated whether it was effective in detecting malicious behavior of malware that infects benign apps. Furthermore, they only investigated one test case generation tool (i.e., Droidmate) to build the sandbox, while many others have been proposed in the literature. In this work, we complement Jamrozik et al.'s work in two ways: (1) we evaluate the effectiveness of mining sandboxes on detecting malicious behaviors; (2) we investigate the effectiveness of multiple automated test case generation tools to mine sandboxes. To investigate effectiveness of mining sandboxes in detecting malicious behaviors, we make use of pairs of malware and benign app it infects. We build a sandbox based on sensitive APIs called by the benign app and check if it can identify malicious behaviors in the corresponding malware. To generate inputs to apps, we investigate five popular test case generation tools: Monkey, Droidmate, Droidbot, GUIRipper, and PUMA. We conduct two experiments to evaluate the effectiveness and efficiency of these test case generation tools on detecting malicious behavior. In the first experiment, we select 10 apps and allow test case generation tools to run for one hour; while in the second experiment, we select 102 pairs of apps and allow the test case generation tools to run for one minute. Our experiments highlight that 75.5%-77.2% of malware in our dataset can be uncovered by mining sandboxes - showing its power to protect Android apps. We also find that Droidbot performs best in generating test cases for mining sandboxes, and its effectiveness can be further boosted when coupled with other test case generation tools.

Keywords

Android Malware,
Automated Test Case Generation,
Mining Sandboxing

Discipline

ISBN

9781538649695

Identifier

10.1109/SANER.2018.8330231

Publisher

IEEE Computer Society

City or Country

Los Alamitos, CA

Authors

Creative Commons License

Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International

Additional URL

https://doi.org/10.1109/SANER.2018.8330231

Citation Information

Lingfeng BAO, Tien Duy B. LE and David LO. "Mining sandboxes: Are we there yet?" 2018 IEEE 25th International Conference on Software Analysis, Evolution and Reengineering (SANER): Campobasso, Italy, March 20-23: Proceedings (2018) p. 445 - 455
Available at: http://works.bepress.com/david_lo/291/