This content will become publicly available on December 5, 2025

Title: Multimedia-Based Testbot for Detecting Malware-Hiding Behaviors
Abstract—Less attention has been paid to the deceptive mechanisms of malware on smart devices. Smart device malware uses various techniques to conceal itself, e.g., hiding activity, muting the phone, and deleting call logs. In this work, we developed a novel approach to semi-automatically detect malware hiding behaviors. To detect such behaviors more effectively and thoroughly, our prototype checks multiple media, including vision, sound, vibration, phone calls, messages, and system logs. Our experiments show that the approach can detect malware hiding behaviors. The F-measure is 87.7%, indicating that our approach is quite effective.
Award ID(s):
2154483
PAR ID:
10590834
Author(s) / Creator(s):
Publisher / Repository:
Publisher IEEE, 28th ACIS International Winter Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing (SNPD-Winter 2024)
Date Published:
ISBN:
979-8-3315-3930-6
Format(s):
Medium: X
Location:
Taiwan
Sponsoring Org:
National Science Foundation
More Like this
  1. Security research on smart devices mostly focuses on malware installation and activation, privilege escalation, remote control, financial charges, personal information stealing, and permission use. Less attention has been paid to the deceptive mechanisms, which are critical for the success of malware on smart devices. Generally, malware first gets installed and then continues operating on the device without attracting suspicion from users. To do so, smart device malware uses various techniques to conceal itself, e.g., hiding activity, muting the phone, and deleting call logs. In this work, we developed an approach to semi-automatically reveal unknown malware hiding techniques. First, it extracts SMH behaviors from malware descriptions using natural language processing techniques. Second, it maps SMH behaviors to SMH-related APIs based on an analysis of API documentation. Third, it performs static analysis on the malware apps that contain unknown SMH behaviors to extract the code segments related to the SMH API calls. For the verified SMH code segments, we describe the techniques used for the unknown SMH behaviors based on those segments. Our experiment tested 119 malware apps with hiding behaviors. The F-measure is 85.58%, indicating that our approach is quite effective.
  2. Certain Android applications, such as but not limited to malware, conceal their presence from the user, exhibiting a self-hiding behavior. Consequently, these apps put the user's security and privacy at risk by performing tasks without the user's awareness. Static analysis has been used to analyze apps for self-hiding behavior, but this approach is prone to false positives and suffers from code obfuscation. This research proposes a set of three tools that use a dynamic analysis method to detect self-hiding behavior of an app in the home, installed, and running application lists on an Android emulator. Our approach proves both highly accurate and efficient, providing tools usable by the Android marketplace for enhanced security screening.
  3. Detecting OS-level malware (e.g., rootkits) is an especially challenging problem, as this type of malware can compromise the OS and then easily hide its intrusion behaviors or directly subvert the traditional malware detectors running in either user or kernel space. In this work, we propose mobiDOM to solve this problem for mobile computing devices. The key idea of mobiDOM is to securely detect OS-level malware by fully utilizing the existing secure hardware features of a mobile device. Specifically, we integrate a malware detector in the flash translation layer (FTL), a firmware layer embedded in the external flash storage that is inaccessible to the OS; in addition, we build a trusted application in the Arm TrustZone secure world, which acts as a user-level controller of the malware detector. The FTL-based malware detector and the TrustZone-based controller communicate with each other stealthily via steganography. Security analysis and experimental evaluation confirm that mobiDOM can securely and effectively detect OS-level malware.
  4. Malware authors make use of several techniques to obfuscate code from reverse engineering tools such as IdaPro. Typically, these techniques are effective for about three to six instructions, after which the tools resynchronize with the operation codes and disassemble the remaining code correctly. This loss of synchronization, however, can be used to hide information within the instructions, i.e., steganography. Our research explores an approach to this by presenting "Weaver", a framework for executable steganography. "Weaver" differs from other techniques in how it hides malicious instructions: the hiding instructions are prepared by generating an assembly listing of the program and finding candidate hiding locations, the steganography instructions are prepared by creating an assembly listing of the program to obtain the operation codes to be hidden, and the "weaving" process merges the two. This "weaving" attempts to place all the steganography instructions into the candidate locations found in the hiding instructions.
  5. Logging is a significant programming practice. Due to the highly transactional nature of modern software applications, massive amounts of logs are generated every day, which may overwhelm developers. Logging information overload can be dangerous to software applications. Using log levels, developers can print useful information while hiding verbose logs at runtime. As software evolves, the log levels of logging statements associated with the surrounding feature implementation may also need to be altered. Maintaining log levels requires a significant amount of manual effort. In this paper, we demonstrate an automated approach that rejuvenates feature log levels by matching the level of developer interest in the surrounding features. The approach is implemented as an open-source Eclipse plugin, using two external plug-ins (JGit and Mylyn). It was tested on 18 open-source Java projects consisting of ~3 million lines of code and ~4K log statements. Our tool successfully analyzes 99.22% of logging statements, increases log level distributions by ~20%, and increases the focus of logs in bug fix contexts ~83% of the time. For further details, interested readers can watch our demonstration video (https://www.youtube.com/watch?v=qIULoAXoDv4).