MEGDroid: A model-driven event generation framework for dynamic android malware analysis
Information and Software Technology (IF 3.9), Pub Date: 2021-03-08, DOI: 10.1016/j.infsof.2021.106569
Hayyan Hasan , Behrouz Tork Ladani , Bahman Zamani

Context

The tremendous growth of Android malware in recent years is a strong motivation for the vast effort spent on detecting and analyzing malware apps. A prominent approach for this purpose is dynamic analysis, which requires providing complex interactions with the samples under analysis. Event generation tools are commonly used to provide such interactions, but they have deficiencies for effective malware analysis. For example, the anti-static and anti-dynamic analysis techniques employed by malware prevent event generators from extracting sufficient information to generate appropriate events. As a result, in most cases they fail to trigger malicious payloads or to obtain high code coverage.

Objective

In this paper, we aim to present a new framework to improve the event generation process for dynamic analysis of Android malware.

Method

We propose MEGDroid, a Model Driven Engineering (MDE) framework in which malware-related information is automatically extracted and represented as a domain-specific model. This model is then used to generate appropriate events for malware analysis through model-to-model and model-to-code transformations. The proposed model-driven artifacts also provide the facilities required to put the human in the loop, so that the analyst's knowledge is properly taken into account.
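The Method paragraph describes a pipeline of extraction, domain-specific model, and model-to-code transformation into analysis events, with an analyst able to enrich the model. The following is an added illustration of that pipeline shape, written for this page; it is not MEGDroid's code and does not reproduce its metamodel or transformations. It assumes a hypothetical minimal model (`AppModel`/`Component`) built from a constructed AndroidManifest.xml, and renders events as `adb shell am` commands, which is one plausible target of a model-to-code step.

```python
"""Sketch of a model-driven event generation pipeline (added example, not MEGDroid's code).

Pipeline: manifest XML -> domain model -> (analyst enrichment) -> event commands.
"""
from dataclasses import dataclass, field
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for demonstration; it does not describe any real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>
"""


@dataclass
class Component:
    """One app component (hypothetical model element): kind, class name, filtered actions."""
    kind: str
    name: str
    actions: list = field(default_factory=list)


@dataclass
class AppModel:
    """Hypothetical domain-specific model of the sample under analysis."""
    package: str
    components: list = field(default_factory=list)


def extract_model(manifest_xml: str) -> AppModel:
    """Extraction step: statically read components and their intent actions from the manifest."""
    root = ET.fromstring(manifest_xml)
    model = AppModel(package=root.get("package"))
    app = root.find("application")
    for elem in app:
        if elem.tag not in ("activity", "receiver", "service"):
            continue
        name = elem.get(ANDROID_NS + "name")
        if name.startswith("."):          # expand the relative class name
            name = model.package + name
        actions = [a.get(ANDROID_NS + "name") for a in elem.iter("action")]
        model.components.append(Component(elem.tag, name, actions))
    return model


def add_analyst_actions(model: AppModel, component_name: str, actions: list) -> AppModel:
    """Human-in-the-loop step: the analyst adds actions that static extraction could not see
    (for example a receiver registered at runtime or hidden behind obfuscation)."""
    for c in model.components:
        if c.name == component_name:
            c.actions.extend(a for a in actions if a not in c.actions)
    return model


def generate_events(model: AppModel) -> list:
    """Model-to-code step: render each model element as an adb activity-manager command."""
    cmds = []
    for c in model.components:
        target = f"{model.package}/{c.name}"
        if c.kind == "activity":
            cmds.append(f"adb shell am start -n {target}")
        elif c.kind == "receiver":
            for a in c.actions:
                cmds.append(f"adb shell am broadcast -a {a} -n {target}")
        elif c.kind == "service":
            cmds.append(f"adb shell am startservice -n {target}")
    return cmds


if __name__ == "__main__":
    m = extract_model(SAMPLE_MANIFEST)
    # Analyst-supplied custom action; "com.example.sample.WAKE" is a constructed value.
    add_analyst_actions(m, "com.example.sample.BootReceiver", ["com.example.sample.WAKE"])
    for cmd in generate_events(m):
        print(cmd)
```

The point of separating the three functions is that the model, not the manifest, is the unit the analyst edits and the generator consumes: enrichment added by hand flows through the same transformation as the automatically extracted facts.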

Results

The proposed framework has been realized as an Eclipse plugin, and we performed extensive practical analysis on a set of malware samples selected from the AMD dataset. The experimental results showed that MEGDroid considerably increases the number of triggered malicious payloads as well as the execution code coverage compared with Monkey and DroidBot, two state-of-the-art general-purpose and malware-specific event generators, respectively.

Conclusion

The proposed MDE approach enhances the event generation process through both automatic event generation and the involvement of the analyst, who can efficiently direct the process to increase the effectiveness of the generated events despite the small amount of information that is extractable from the malware code.

Updated: 2021-03-21