Malware Phylogeny Analysis using Data-Aware Declarative Process Mining

Ardimento P.; Cimitile M.
2020-01-01

Abstract

Mobile phones are currently the main targets of continuous malware attacks. New malicious code is usually produced by conveniently modifying existing code, which makes new approaches to the analysis of malware phylogeny very useful. This paper proposes a data-aware process mining approach applied to the dynamic analysis of malware. Process mining is performed with a multi-perspective declarative approach that models a malware family as a set of constraints (together with their data attributes) over the system call traces gathered from infected applications. The models are used to detect execution patterns and other relationships among families. The obtained models can be used to verify whether a checked malware sample is a potential member of a known malware family and how it differs from the other variants of that family. The approach is implemented and applied to a dataset of 5648 trusted and malicious applications across 39 malware families. The obtained results show great performance in malware phylogeny generation.
2020
978-1-7281-4384-2
Files in this record:
There are no files associated with this record.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11586/310612

Warning! The displayed data have not been validated by the university.

Citations
  • PMC: not available
  • Scopus: 4
  • ISI: 1