QUICK REVIEW

[Paper Review] The Company You Keep: Mobile Malware Infection Rates and Inexpensive Risk Indicators

Hien Thi Thu Truong, Eemil Lagerspetz|arXiv (Cornell University)|Dec 11, 2013
Advanced Malware Detection Techniques | References: 21 | Cited by: 48
One-sentence summary

Using real-world data from over 55,000 devices, this paper is the first to measure Android malware infection rates directly, finding rates of 0.26% and 0.28%, significantly higher than earlier indirect estimates. The paper proposes using inexpensive device-level indicators (such as installed applications and battery usage) to identify devices susceptible to infection, so that malware analysis can be targeted; this achieves precision up to five times that of random selection.

ABSTRACT

There is little information from independent sources in the public domain about mobile malware infection rates. The only previous independent estimate (0.0009%) [12], was based on indirect measurements obtained from domain name resolution traces. In this paper, we present the first independent study of malware infection rates and associated risk factors using data collected directly from over 55,000 Android devices. We find that the malware infection rates in Android devices estimated using two malware datasets (0.28% and 0.26%), though small, are significantly higher than the previous independent estimate. Using our datasets, we investigate how indicators extracted inexpensively from the devices correlate with malware infection. Based on the hypothesis that some application stores have a greater density of malicious applications and that advertising within applications and cross-promotional deals may act as infection vectors, we investigate whether the set of applications used on a device can serve as an indicator for infection of that device. Our analysis indicates that this alone is not an accurate indicator for pinpointing infection. However, it is a very inexpensive but surprisingly useful way for significantly narrowing down the pool of devices on which expensive monitoring and analysis mechanisms must be deployed. Using our two malware datasets we show that this indicator performs 4.8 and 4.6 times (respectively) better at identifying infected devices than the baseline of random checks. Such indicators can be used, for example, in the search for new or previously undetected malware. It is therefore a technique that can complement standard malware scanning by anti-malware tools. Our analysis also demonstrates a marginally significant difference in battery use between infected and clean devices.

Motivation and Goals

  • Provide the first independent, directly measured estimate of mobile malware infection rates, addressing the lack of empirical data from public sources.
  • Investigate whether inexpensive, device-level indicators (such as installed applications and battery consumption) can predict susceptibility to malware infection.
  • Provide a more efficient approach to malware detection by identifying a small subset of high-risk devices on which expensive monitoring tools should be deployed.
  • Support anti-malware vendors and enterprise IT departments in focusing resources on vulnerable users, particularly under BYOD policies.

Proposed Method

  • Integrate code into the Carat application to collect installed-application data in real time from over 55,000 Android devices in the field.
  • Match each device's set of applications against two independent malware datasets (McAfee and Mobile Sandbox) to identify infected devices.
  • Use statistical modelling to compare estimated battery life between infected and clean devices, evaluating energy consumption as a proxy indicator for the presence of malware.
  • Evaluate, using precision and recall, the effectiveness of the installed-application set as a lightweight predictor of future infection.
  • Compare the model's performance against a random baseline to quantify its improvement in identifying susceptible devices.
  • Adopt a device-centric approach, in contrast to traditional software-centric malware detection, aiming to estimate susceptibility to infection rather than to classify individual applications.
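As an added worked example (not code from the paper or from the Carat project), the matching-and-evaluation steps above in Python on constructed data: a device counts as infected if its installed set intersects a constructed malware list; packages that co-occur with infected devices in a training split become risk signals; devices in a held-out split that carry such a package are flagged, and the flagged set is scored by precision, recall and lift over the random-check baseline, whose precision equals the base infection rate. The scoring rule, thresholds, package names and device data are all assumptions for illustration; the paper's actual model is not reproduced here.

```python
"""
Added example (not the paper's code): a toy device-centric infection indicator.
Devices are represented by their installed package sets. All package names and
device records below are constructed placeholders, not real applications or IoCs.
"""
from collections import defaultdict

# Constructed malware list (placeholder package names).
MALWARE = {"com.example.mal.flashlightpro", "com.example.mal.freewallpaper"}

# Constructed training split: devices observed earlier (the "known" population).
TRAIN_DEVICES = {
    "d1": ["com.example.mal.flashlightpro", "com.example.thirdparty.store", "com.example.social"],
    "d2": ["com.example.mal.freewallpaper", "com.example.thirdparty.store", "com.example.game"],
    "d3": ["com.example.thirdparty.store", "com.example.browser"],
    "d4": ["com.example.social", "com.example.browser"],
    "d5": ["com.example.game", "com.example.social", "com.example.browser"],
    "d6": ["com.example.browser", "com.example.maps", "com.example.game"],
}

# Constructed held-out split: devices we want to prioritise for deeper analysis.
TEST_DEVICES = {
    "t1": ["com.example.thirdparty.store", "com.example.mal.flashlightpro"],
    "t2": ["com.example.thirdparty.store", "com.example.browser"],
    "t3": ["com.example.browser", "com.example.social"],
    "t4": ["com.example.game", "com.example.maps"],
    "t5": ["com.example.browser"],
    "t6": ["com.example.social", "com.example.game"],
    "t7": ["com.example.browser", "com.example.maps"],
    "t8": ["com.example.mal.freewallpaper", "com.example.social"],
    "t9": ["com.example.thirdparty.store", "com.example.game"],
    "t10": ["com.example.maps"],
}


def is_infected(apps, malware=MALWARE):
    """A device counts as infected if any installed package is on the malware list."""
    return bool(set(apps) & malware)


def train_risk_apps(devices, malware=MALWARE, min_rate=0.5, min_support=2):
    """Return non-malware packages whose installed base among the training devices
    shows an infection rate >= min_rate. min_support discards packages seen on too
    few devices to say anything. This scoring rule is an assumption of the example."""
    seen = defaultdict(int)
    with_inf = defaultdict(int)
    for apps in devices.values():
        inf = is_infected(apps, malware)
        for app in set(apps) - malware:
            seen[app] += 1
            if inf:
                with_inf[app] += 1
    return {a for a, n in seen.items()
            if n >= min_support and with_inf[a] / n >= min_rate}


def flag_devices(devices, risk_apps):
    """Flag every device that carries at least one risk-associated package."""
    return {d for d, apps in devices.items() if set(apps) & risk_apps}


def evaluate(devices, flagged, malware=MALWARE):
    """Precision and recall of the flagged set, plus lift over random checks.
    Random checks hit infected devices at exactly the base infection rate,
    so lift = precision / base_rate (the paper's 4.8x / 4.6x is this ratio)."""
    infected = {d for d, apps in devices.items() if is_infected(apps, malware)}
    tp = len(flagged & infected)
    precision = tp / len(flagged) if flagged else 0.0
    recall = tp / len(infected) if infected else 0.0
    base_rate = len(infected) / len(devices)
    lift = precision / base_rate if base_rate else 0.0
    return {"precision": precision, "recall": recall,
            "base_rate": base_rate, "lift": lift}


def run_example():
    """Train on TRAIN_DEVICES, flag TEST_DEVICES, and score the result."""
    risk_apps = train_risk_apps(TRAIN_DEVICES)
    flagged = flag_devices(TEST_DEVICES, risk_apps)
    return evaluate(TEST_DEVICES, flagged)


if __name__ == "__main__":
    print(run_example())
```

On this toy data only `com.example.thirdparty.store` qualifies as a risk signal; three test devices carry it, one of which is infected, so precision is 1/3 against a base rate of 0.2, a lift of about 1.67. The point to take from the code is the shape of the evaluation rather than the numbers: an indicator like this is judged by how much it concentrates infected devices in the flagged pool relative to random sampling, not by whether it pinpoints infection on its own.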

Experimental Results

Research Questions

  • RQ1: Based on direct measurement of real devices, what is the true mobile malware infection rate on Android devices?
  • RQ2: Can the set of applications installed on a device serve as an inexpensive proxy indicator for identifying devices at high risk of infection?
  • RQ3: Does malware infection have a measurable effect on device battery life, and can that effect be used as a detection signal?
  • RQ4: How much does the application-set-based indicator improve on random selection in identifying infected devices?

Key Findings

  • Direct measurement on over 55,000 Android devices yields malware infection rate estimates of 0.26% (Mobile Sandbox) and 0.28% (McAfee), significantly higher than the previous indirect estimate of 0.0009%.
  • The set of applications installed on a device is an effective and inexpensive indicator of susceptibility to infection, with detection precision up to five times that of random selection.
  • There is a slight but significant difference in battery life between infected and clean devices, suggesting energy consumption as a potential proxy indicator for the presence of malware.
  • The proposed approach can efficiently locate high-risk devices for in-depth analysis, supporting anti-malware vendors and enterprise IT in resource-constrained settings.
  • The device-centric approach complements traditional malware scanning by focusing on susceptibility to infection rather than analysis of individual applications.


This review was generated by AI and reviewed by a human editor.