WEBVTT 1 00:00:00.040 --> 00:00:03.600 Hey, everyone, welcome to another deep dive. This time we're 2 00:00:03.600 --> 00:00:08.400 tackling intelligent Mobile malware detection. Okay, you sent over some 3 00:00:08.480 --> 00:00:13.160 really interesting excerpts from the book Intelligent Mobile Malware Detection. Yes, 4 00:00:13.400 --> 00:00:16.239 and we're ready to unpack those, correct. But before we 5 00:00:16.359 --> 00:00:18.920 jump in, yeah, we should probably mention that we'll be 6 00:00:18.920 --> 00:00:23.079 focusing specifically on Android malware, right, and that makes sense, right, 7 00:00:23.519 --> 00:00:27.600 I mean, Android is like the dominant mobile platform globally. Shoot, 8 00:00:27.960 --> 00:00:30.519 so this is a topic that affects a ton of people. 9 00:00:30.640 --> 00:00:31.079 Totally. 10 00:00:31.079 --> 00:00:33.799 We're gonna look at how malware has made that jump 11 00:00:33.880 --> 00:00:37.799 from PCs to our smartphones. Yeah, we're even going to 12 00:00:37.880 --> 00:00:41.039 try to get inside the heads of these malware developers 13 00:00:41.079 --> 00:00:44.240 and figure out the tricks they use to bypass security. 14 00:00:44.479 --> 00:00:45.280 That's a good one. 15 00:00:45.320 --> 00:00:48.039 I'm pretty excited to dig into this me too. One 16 00:00:48.039 --> 00:00:49.520 thing that really stood out to me when I was 17 00:00:49.560 --> 00:00:52.679 reading the book excerpts you sent over was how the 18 00:00:52.719 --> 00:00:58.000 author emphasizes the unique challenges posed by Android's open source nature. 19 00:00:58.200 --> 00:00:59.320 That's a huge factor. 20 00:00:59.439 --> 00:01:03.200 It's that openness that makes Android so versatile. Absolutely, yeah, 21 00:01:03.240 --> 00:01:08.840 but it also creates these opportunities for uh, well, for exploitation. Yeah, exactly, 22 00:01:09.359 --> 00:01:12.159 So how do we even start wrapping our heads around 23 00:01:12.159 --> 00:01:14.439 this complex world of mobile malware. 24 00:01:15.079 --> 00:01:17.959 Well, the book starts with a pretty good overview of 25 00:01:18.120 --> 00:01:21.200 Android's architecture. Okay, it's kind of like a layered cake. 26 00:01:21.239 --> 00:01:22.560 Right, I like cake analogies. 27 00:01:22.760 --> 00:01:25.719 Each layer has a specific purpose, gotcha. And we're going 28 00:01:25.799 --> 00:01:29.200 to be zeroing in on the application layer because that's 29 00:01:29.200 --> 00:01:31.680 where all those apps you download and use actually live. 30 00:01:31.920 --> 00:01:34.560 So that's where all the action happens pretty much. Yeah, Now, 31 00:01:34.599 --> 00:01:36.480 remind me how are those acts created? 32 00:01:37.000 --> 00:01:39.120 So it all begins with the source code, which is 33 00:01:39.239 --> 00:01:42.079 like the recipe for the app. Okay, developers use that 34 00:01:42.200 --> 00:01:46.079 code to build the app's functionality, and then it gets 35 00:01:46.079 --> 00:01:48.920 packaged up into a nice, neat little file. Okay, call 36 00:01:48.959 --> 00:01:51.480 it dot appk file, right, that's what you download from 37 00:01:51.480 --> 00:01:52.000 the app store. 38 00:01:52.079 --> 00:01:54.799 Oh, the dot app k file. That's what brings us 39 00:01:54.840 --> 00:01:58.519 all those games, productivity tools, all this social media stuff. 40 00:01:58.640 --> 00:01:59.280 It does it all. 41 00:01:59.480 --> 00:02:02.280 It's like a little bundle of digital joy, you know. 42 00:02:03.000 --> 00:02:05.040 But those files, I mean they can also be used 43 00:02:05.040 --> 00:02:05.959 to carry malware. 44 00:02:06.040 --> 00:02:07.319 Right, it's the donside. Yeah. 45 00:02:07.760 --> 00:02:10.360 Even though Google play Store has things like what is 46 00:02:10.400 --> 00:02:13.800 it the bouncer system, it's not like one hundred percent 47 00:02:13.840 --> 00:02:17.240 fool proof. These malware developers, they're finding new ways to 48 00:02:17.280 --> 00:02:19.759 slip through the cracks all the time. Oh yeah, it 49 00:02:19.840 --> 00:02:22.719 really makes you think twice about downloading apps from those 50 00:02:22.759 --> 00:02:25.599 third party app stores, for sure. You know, one thing 51 00:02:25.639 --> 00:02:28.000 that really stuck with me from the reading was how 52 00:02:28.080 --> 00:02:33.360 much those malware infection methods have changed since the PC 53 00:02:33.560 --> 00:02:36.680 virus days. Oh yeah, remember those spam emails with the 54 00:02:36.719 --> 00:02:40.919 attachments like you've won a million dollars click here? Yeah, totally, 55 00:02:41.080 --> 00:02:44.199 but those seem almost quaint compared to what's going on 56 00:02:44.319 --> 00:02:48.360 now right. Definitely, malware has gotten way more sophisticated on Android, 57 00:02:48.439 --> 00:02:50.919 oh for sure, And it seems like it's taking advantage 58 00:02:50.919 --> 00:02:54.479 of those unique features of mobile devices. So it's not 59 00:02:54.879 --> 00:02:56.840 just about downloading a bad app anymore. 60 00:02:57.159 --> 00:02:58.560 No, No, it's way more than that. 61 00:02:58.680 --> 00:02:59.879 So like, what else is there? 62 00:03:00.120 --> 00:03:01.960 Okay, So the book talks about these drive. 63 00:03:01.879 --> 00:03:03.520 By download drive by download. 64 00:03:03.599 --> 00:03:06.520 Yeah, basically, you visit a malicious website and bam, okay, 65 00:03:06.759 --> 00:03:09.199 malware gets downloaded without you even knowing it. 66 00:03:09.560 --> 00:03:10.960 Wow, that's scary. 67 00:03:11.039 --> 00:03:11.960 It is pretty sneaky. 68 00:03:12.080 --> 00:03:13.680 Like, are there any examples of that? 69 00:03:14.319 --> 00:03:17.520 Um, you know, off the top of my head, I 70 00:03:17.560 --> 00:03:20.240 can't think of a specific one, no worries, but it's 71 00:03:20.240 --> 00:03:21.360 definitely a common tactic. 72 00:03:21.439 --> 00:03:25.479 And then there's malvertising, right where those ads online are 73 00:03:25.520 --> 00:03:26.560 actually infected. 74 00:03:26.800 --> 00:03:27.719 Yeah, exactly. 75 00:03:27.840 --> 00:03:31.360 It's like, can you trust anything you see online anymore? 76 00:03:32.360 --> 00:03:32.919 It's tough. 77 00:03:33.000 --> 00:03:35.400 I mean even those app updates. The book talked. 78 00:03:35.120 --> 00:03:37.280 About that too, Yeah, the update attacks. 79 00:03:37.319 --> 00:03:39.520 An app might start out totally fine and then. 80 00:03:39.599 --> 00:03:41.000 Boom, it turns malicious. 81 00:03:41.280 --> 00:03:44.879 Yeah, after an update, talk about a betrayal. It's rough, 82 00:03:45.159 --> 00:03:46.960 you know, it makes you think twice about just hitting 83 00:03:47.120 --> 00:03:49.360 accept on those update permissions. 84 00:03:49.439 --> 00:03:51.240 Definitely, you gotta read those carefully. 85 00:03:51.319 --> 00:03:53.479 Yeah, even for apps you've been using for a while, exactly. 86 00:03:53.560 --> 00:03:56.039 And then remember it talked about repacking attacks. 87 00:03:56.120 --> 00:03:57.800 Well, yeah, those are sneaky where. 88 00:03:57.639 --> 00:04:00.719 They take a good app and in it with some 89 00:04:00.840 --> 00:04:01.639 bad code. 90 00:04:01.800 --> 00:04:03.439 It's like a wolf in sheep's clothing. 91 00:04:03.759 --> 00:04:07.240 It's like someone taking your favorite recipe and adding a secret, 92 00:04:07.319 --> 00:04:08.360 harmful ingredient. 93 00:04:08.560 --> 00:04:10.599 Right, you'd never know until it's too late. 94 00:04:10.840 --> 00:04:13.319 And it seems like malware has gotten sneakier in other 95 00:04:13.360 --> 00:04:16.600 ways too. It's not just these broad attacks anymore. They're 96 00:04:16.639 --> 00:04:19.279 going after specific organizations. 97 00:04:18.519 --> 00:04:21.160 Now, right, targeted attacks, Yeah. 98 00:04:20.920 --> 00:04:23.560 Like businesses or even government agencies. 99 00:04:23.800 --> 00:04:26.160 Exactly. They're getting more strategic. 100 00:04:25.680 --> 00:04:28.519 And they're using all these advanced techniques to stay hidden. 101 00:04:28.680 --> 00:04:30.240 They're getting smarter, for sure. 102 00:04:30.319 --> 00:04:33.680 The book mentioned polymorphic malware. Oh yeah, I thought that 103 00:04:33.800 --> 00:04:35.399 was fascinating. 104 00:04:34.720 --> 00:04:38.000 To change their appearance, you know, like chameleons. 105 00:04:38.120 --> 00:04:40.759 Exactly. They're constantly changing to avoid detection. 106 00:04:40.839 --> 00:04:42.720 It makes it much harder to catch them, like. 107 00:04:42.639 --> 00:04:44.920 Trying to hit a moving target exactly. And then there 108 00:04:44.959 --> 00:04:48.120 was that plug x malware. Oh yeah, with those plug 109 00:04:48.120 --> 00:04:48.600 in interface. 110 00:04:48.680 --> 00:04:53.399 Yeah, like add ons, right, but for bad stuff. 111 00:04:53.279 --> 00:04:56.000 Yeah, like for a web browser. But they're constantly updating. 112 00:04:56.800 --> 00:04:58.240 It's like they're always one step ahead. 113 00:04:58.399 --> 00:05:00.839 It's like they have this whole tool box of ways 114 00:05:00.879 --> 00:05:02.920 to make their malware even more powerful. 115 00:05:03.120 --> 00:05:04.800 Exactly. They're very adaptable. 116 00:05:04.879 --> 00:05:06.600 It's not just Android either, right. 117 00:05:06.680 --> 00:05:07.519 Nope, not at all. 118 00:05:07.680 --> 00:05:10.399 The book even mentioned how Windows malware has gotten pretty 119 00:05:10.399 --> 00:05:11.279 sophisticated too. 120 00:05:12.160 --> 00:05:12.519 Definitely. 121 00:05:12.600 --> 00:05:15.000 They talked about fileless malware. 122 00:05:15.360 --> 00:05:16.959 That's a tricky one, yeah. 123 00:05:16.680 --> 00:05:20.839 Which uses legitimate programs on your computer to do bad things. 124 00:05:21.199 --> 00:05:22.639 It's like they're hiding in plain sight. 125 00:05:22.839 --> 00:05:24.959 So it's not enough to just scan for the bad 126 00:05:25.000 --> 00:05:26.480 files anymore, right. 127 00:05:26.399 --> 00:05:29.120 We need to look deeper at the behavior of programs. 128 00:05:29.399 --> 00:05:31.759 You have to be like a detective exactly, look for 129 00:05:31.879 --> 00:05:33.279 anything that seems out of place. 130 00:05:33.319 --> 00:05:34.680 And then, of course there's ransomware. 131 00:05:35.000 --> 00:05:36.639 Ugh, don't even get me started. 132 00:05:36.720 --> 00:05:38.839 It seems like everyone's talking about it these days. 133 00:05:38.920 --> 00:05:40.040 It's a huge problem. 134 00:05:40.120 --> 00:05:41.319 It's scary stuff. 135 00:05:41.360 --> 00:05:43.959 It's really impacting both individuals and organizations. 136 00:05:44.319 --> 00:05:47.480 And the book even mentioned how academic institutions were hit 137 00:05:47.600 --> 00:05:48.680 hard during the pandemic. 138 00:05:48.759 --> 00:05:50.600 Oh yeah, especially when everyone went online for. 139 00:05:50.560 --> 00:05:53.040 Classes, because they were probably more vulnerable. 140 00:05:53.160 --> 00:05:54.480 Exactly, they weren't prepared. 141 00:05:54.720 --> 00:05:56.800 It's almost like they wait for us to be at 142 00:05:56.839 --> 00:05:57.920 our weakest. 143 00:05:58.360 --> 00:05:59.319 It's pretty ruthless. 144 00:05:59.560 --> 00:06:03.639 What's more unsettling is that these ransomware kits are popping 145 00:06:03.720 --> 00:06:06.000 up on the dark web, right, the dark web? Yeah, 146 00:06:06.040 --> 00:06:07.439 like ransomware is a service. 147 00:06:07.600 --> 00:06:10.120 Yeah, it's like they're making it easier for anyone to 148 00:06:10.199 --> 00:06:11.439 launch attacks. 149 00:06:11.079 --> 00:06:13.120 So you don't even need to be a tech genius 150 00:06:13.120 --> 00:06:13.920 to do it anymore. 151 00:06:14.079 --> 00:06:15.040 That's the scary part. 152 00:06:15.120 --> 00:06:18.480 Okay, so we've got this whole army of malware threats 153 00:06:18.480 --> 00:06:18.920 out there. 154 00:06:19.079 --> 00:06:20.480 It's like a digital battlefield. 155 00:06:20.480 --> 00:06:22.920 But how do we actually detect these sneaky apps before 156 00:06:22.959 --> 00:06:24.079 they can do any damage? 157 00:06:24.199 --> 00:06:25.720 That's the million dollar question. 158 00:06:25.800 --> 00:06:28.319 Well, that's exactly what we're going to tackle next. Stay 159 00:06:28.360 --> 00:06:32.040 tuned as we continue our deep dive into intelligent mobile 160 00:06:32.079 --> 00:06:33.000 malware detection. 161 00:06:33.759 --> 00:06:36.199 All right, so now that we've met some of those 162 00:06:36.480 --> 00:06:40.040 bad guys in the world of Android malware, Yeah, let's 163 00:06:40.079 --> 00:06:41.399 look at how we can fight back. 164 00:06:41.680 --> 00:06:42.360 Let's do it. 165 00:06:42.759 --> 00:06:46.759 The book dives into something called static malware detection. 166 00:06:47.160 --> 00:06:50.240 Okay, static malware detection, what is that? 167 00:06:50.759 --> 00:06:53.920 It's basically analyzing the source code of an app without 168 00:06:53.959 --> 00:06:54.759 actually running it. 169 00:06:54.800 --> 00:06:55.120 Gotcha. 170 00:06:55.240 --> 00:06:58.160 It's like you're checking the blueprints of a building for weaknesses. 171 00:06:58.399 --> 00:07:00.720 Interesting before you even start construt So. 172 00:07:00.600 --> 00:07:04.360 You're looking for those red flags early on. Exactly proactive. 173 00:07:04.439 --> 00:07:05.000 I like it. 174 00:07:05.120 --> 00:07:07.720 But to do that, we need the source. 175 00:07:07.439 --> 00:07:09.000 Code, right, how do we get that? 176 00:07:09.519 --> 00:07:13.160 Well, there are tools like app tool and dex two jar. 177 00:07:14.000 --> 00:07:18.079 They let security researchers reverse engineer the app and get 178 00:07:18.079 --> 00:07:18.800 that source code. 179 00:07:18.839 --> 00:07:21.600 Sounds pretty high tech it is, So what exactly were 180 00:07:21.600 --> 00:07:22.759 they looking for in that code? 181 00:07:22.800 --> 00:07:26.240 They're examining various parts of the app, like detectives at 182 00:07:26.240 --> 00:07:28.839 a crime scene. I like that analogy. They might look 183 00:07:28.879 --> 00:07:31.839 at the java files, the core logic of the app, 184 00:07:32.600 --> 00:07:35.480 or the resource files, things like images, and text okay, 185 00:07:35.639 --> 00:07:38.720 But one of the most important things is the Android 186 00:07:38.720 --> 00:07:40.279 manifest dot XML file. 187 00:07:40.480 --> 00:07:45.120 Android Manifest dot xml. Yeah, that sounds familiar, But it's. 188 00:07:44.759 --> 00:07:45.959 Like the app sid card. 189 00:07:46.199 --> 00:07:46.480 Okay. 190 00:07:46.639 --> 00:07:49.399 It tells you the permissions the app wants, right, the 191 00:07:49.399 --> 00:07:52.839 intense it uses intense. Yeah, we'll get to those, and 192 00:07:53.399 --> 00:07:54.759 the different parts of the app itself. 193 00:07:55.000 --> 00:07:57.800 So it's basically a roadmap of what the app can 194 00:07:57.879 --> 00:08:00.720 potentially do. Exactly, and I bet you can find some 195 00:08:00.800 --> 00:08:04.199 clues about malicious intent in there. Absolutely, you mentioned intents. 196 00:08:04.279 --> 00:08:04.920 What are those? 197 00:08:05.120 --> 00:08:09.120 Intents? Are messages that allow apps to talk to each other, okay, 198 00:08:09.240 --> 00:08:13.600 and to the Android system itself. Gotcha, like messengers carrying instructions? 199 00:08:13.720 --> 00:08:14.279 Interesting. 200 00:08:14.439 --> 00:08:16.759 For example, an intent might be used to open a 201 00:08:16.800 --> 00:08:20.079 web page okay, or send an email, or even launch 202 00:08:20.120 --> 00:08:20.759 another app. 203 00:08:20.839 --> 00:08:23.120 So they're kind of like the glue that holds everything 204 00:08:23.160 --> 00:08:26.319 together in a way. Yeah, but I'm guessing malware can 205 00:08:26.319 --> 00:08:29.120 take advantage of these intents too, unfortunately. 206 00:08:29.240 --> 00:08:32.600 Yes, how so they can trigger malicious actions or try 207 00:08:32.600 --> 00:08:33.840 to get sensitive information. 208 00:08:34.080 --> 00:08:34.480 Oh no. 209 00:08:35.120 --> 00:08:38.399 For example, there's an intent called action power Connected. 210 00:08:38.720 --> 00:08:39.320 What does that do? 211 00:08:39.559 --> 00:08:42.960 It gets triggered when your device is plugged into charge. Okay, 212 00:08:43.240 --> 00:08:45.759 Some malware will use that to launch updates or steal 213 00:08:45.799 --> 00:08:46.879 data while you're not looking. 214 00:08:47.120 --> 00:08:50.159 Sneaky Rrey, that's like when burglars wait for you to 215 00:08:50.200 --> 00:08:53.720 go on vacation, right to break into your house. What 216 00:08:53.840 --> 00:08:55.000 other examples are there? 217 00:08:55.080 --> 00:08:57.039 There's the SMPS received intent. 218 00:08:57.279 --> 00:08:58.039 What's that one for? 219 00:08:58.559 --> 00:09:01.240 Triggered when you get a text message? Okay. Malware can 220 00:09:01.320 --> 00:09:04.559 use it to intercept your messages. Oh no, and steal 221 00:09:04.600 --> 00:09:05.559 things like bank codes. 222 00:09:05.799 --> 00:09:09.080 So it's like they're spying on your conversations essentially. Yes, 223 00:09:09.120 --> 00:09:10.759 And there's more, right, there's. 224 00:09:10.720 --> 00:09:14.240 User present What does that mean? Triggered when you unlock 225 00:09:14.279 --> 00:09:17.559 your device. Oh, malware might use it to launch bad 226 00:09:17.600 --> 00:09:20.120 stuff when you're actively using your phone. 227 00:09:19.799 --> 00:09:22.559 So you're less likely to notice exactly. It's like they're 228 00:09:22.559 --> 00:09:23.519 watching our every move. 229 00:09:23.639 --> 00:09:25.399 They're trying to be as sneaky as possible. 230 00:09:25.519 --> 00:09:28.639 This is all pretty scary stuff. It is so understanding 231 00:09:28.720 --> 00:09:33.840 these permissions and intense is really important, absolutely protecting ourselves. 232 00:09:34.840 --> 00:09:38.240 But static analysis that's not the only way to detect malware, 233 00:09:38.360 --> 00:09:40.120 right right, What else is there? 234 00:09:40.240 --> 00:09:42.519 There's dynamic analysis. 235 00:09:41.919 --> 00:09:43.000 Okay, tell me about that. 236 00:09:43.120 --> 00:09:47.080 It involves actually running the app ah okay, but in 237 00:09:47.120 --> 00:09:50.120 a controlled environment like a sandbox. A sandbox, yeah, so 238 00:09:50.159 --> 00:09:53.360 it can't actually harm your device, gotcha, And then you 239 00:09:53.399 --> 00:09:54.320 watch how it behaves. 240 00:09:54.399 --> 00:09:56.919 But it's like a controlled experiment to see what the 241 00:09:57.000 --> 00:09:57.759 malware does. 242 00:09:57.840 --> 00:09:58.919 That's the ideas, and this is. 243 00:09:58.919 --> 00:10:01.480 Good for catching stuff that hides its true nature. 244 00:10:01.879 --> 00:10:04.120 Yes, things like dynamic code loading. 245 00:10:04.399 --> 00:10:06.559 Dynamic code loading. 246 00:10:06.240 --> 00:10:08.200 It's where the bad code is hidden until the app 247 00:10:08.240 --> 00:10:08.720 is running. 248 00:10:08.960 --> 00:10:13.240 A tricky but I bet those malware developers have some 249 00:10:13.320 --> 00:10:14.600 tricks up their sleeves. 250 00:10:14.600 --> 00:10:18.879 Oh they always do, like what things like anti emulation. 251 00:10:18.480 --> 00:10:20.240 Methods anti emulation. 252 00:10:20.519 --> 00:10:22.759 Yeah, they try to detect if they're in a sandbox. 253 00:10:22.960 --> 00:10:25.759 Oh wow, and then they change your behavior. 254 00:10:25.360 --> 00:10:27.720 So they're like, oh, we're being watched, let's act nice. 255 00:10:28.039 --> 00:10:29.360 That's so sneaky. 256 00:10:29.480 --> 00:10:31.279 It is a constant cat and mouse game, so. 257 00:10:31.279 --> 00:10:32.799 What can we do to stay ahead. 258 00:10:33.080 --> 00:10:35.039 That's where hybrid analysis comes in. 259 00:10:35.279 --> 00:10:36.600 Hybrid analysis it. 260 00:10:36.519 --> 00:10:39.320 Combined static and dynamic analysis. 261 00:10:38.720 --> 00:10:40.840 So the best of both worlds. You get a much 262 00:10:40.879 --> 00:10:44.720 more complete picture. There's something else, right, system call monitoring, 263 00:10:44.759 --> 00:10:45.759 System call monitoring? 264 00:10:45.799 --> 00:10:49.279 What's that? System calls are low level requests and app 265 00:10:49.320 --> 00:10:52.759 makes to the operating system, things like accessing a file, 266 00:10:53.200 --> 00:10:56.360 setting data over the network, or allocating memory. 267 00:10:56.639 --> 00:10:59.039 So it's like the app is asking permission from the 268 00:10:59.080 --> 00:11:01.600 operating system exactly to do certain things. 269 00:11:01.639 --> 00:11:04.440 And by monitoring those calls, yeah, we can get a 270 00:11:04.480 --> 00:11:06.200 better idea of what the app is really doing. 271 00:11:06.279 --> 00:11:09.279 It's like eavesdropping on their conversation exactly to see if 272 00:11:09.279 --> 00:11:10.159 they're up to no good. 273 00:11:10.320 --> 00:11:12.559 And there are a few ways to analyze those calls, 274 00:11:12.600 --> 00:11:16.799 like what there's frequency analysis okay, looking at how often 275 00:11:16.840 --> 00:11:19.519 certain calls are made. Right, If an app makes a 276 00:11:19.519 --> 00:11:22.960 lot of calls related to sensitive data, that's a red flag. 277 00:11:23.000 --> 00:11:25.039 It's like someone making way too many trips to the 278 00:11:25.080 --> 00:11:27.519 bank vault exactly. What else? 279 00:11:27.679 --> 00:11:30.639 Sequence analysis, what's that? It looks at the order of 280 00:11:30.679 --> 00:11:36.080 the system calls. Okay, Certain sequences can point to bad behavior, even. 281 00:11:35.919 --> 00:11:38.440 If the individual calls seem normal. 282 00:11:38.639 --> 00:11:38.879 Right. 283 00:11:39.039 --> 00:11:42.120 It's like noticing someone always enters the same code on 284 00:11:42.159 --> 00:11:45.000 a keypad. Good analogy makes you think they're trying to 285 00:11:45.000 --> 00:11:45.519 break in. 286 00:11:45.840 --> 00:11:49.919 And then there's graph based analysis, Okay. Graphs we represent 287 00:11:50.000 --> 00:11:52.960 the system calls as a graph, okay, to see the 288 00:11:53.000 --> 00:11:54.360 relationships between them. 289 00:11:54.440 --> 00:11:57.519 So like dots and lines showing connections, and that helps 290 00:11:57.559 --> 00:11:59.320 you spot patterns, right. 291 00:11:59.200 --> 00:12:01.440 Patterns in a nonmas that you wouldn't see otherwise. 292 00:12:01.480 --> 00:12:03.919 It's like mapping out the app's network, yeah, to see 293 00:12:03.960 --> 00:12:05.360 if there are any suspicious links. 294 00:12:05.720 --> 00:12:08.440 And this brings us to some of the more advanced 295 00:12:08.440 --> 00:12:09.360 techniques in the book. 296 00:12:09.480 --> 00:12:10.480 Ooh, like what. 297 00:12:10.919 --> 00:12:12.799 Things like graph centrality measures. 298 00:12:13.000 --> 00:12:14.639 Graph centrality measures. 299 00:12:14.720 --> 00:12:18.480 Yeah, it sounds complicated, it does, but it's basically math 300 00:12:18.879 --> 00:12:21.519 that helps us find the most important calls. 301 00:12:21.240 --> 00:12:24.279 The most important system calls right within that graph. Okay, 302 00:12:24.279 --> 00:12:27.799 so you're ranking them based on how influential they are, exactly, 303 00:12:27.840 --> 00:12:29.759 like the key players and a network. 304 00:12:29.960 --> 00:12:32.320 And the book talks about a few different types of 305 00:12:32.360 --> 00:12:38.000 centrality measures, like what there's eigenvector centrality. Eigenvector centrality it 306 00:12:38.039 --> 00:12:42.039 measures influence based on connections to other influential calls. 307 00:12:42.399 --> 00:12:47.200 So if a system call has a high eigenvector centrality score, 308 00:12:47.600 --> 00:12:50.600 it means it's a big deal in that network exactly, 309 00:12:50.639 --> 00:12:54.799 and if it's doing something suspicious, that's a huge red flag. 310 00:12:54.559 --> 00:12:55.200 Big problem. 311 00:12:55.240 --> 00:12:56.320 What other types are there? 312 00:12:56.960 --> 00:13:02.720 There's between maldness central Okay, what's that one? It measures 313 00:13:02.720 --> 00:13:05.919 how often a call lies on the shortest path between 314 00:13:05.960 --> 00:13:06.559 two other. 315 00:13:06.399 --> 00:13:09.159 Calls, so it's like a busy interception. 316 00:13:08.759 --> 00:13:10.480 Yeah, connecting different parts of the network. 317 00:13:10.519 --> 00:13:12.679 If that call is malicious, it can cause. 318 00:13:12.480 --> 00:13:14.440 A lot of disruption, a lot of damage. 319 00:13:14.480 --> 00:13:15.600 And what's the last one? 320 00:13:15.879 --> 00:13:17.120 Closeness centrality. 321 00:13:17.320 --> 00:13:18.720 Closeness centrality, What's that? 322 00:13:19.200 --> 00:13:21.159 It measures how close a call is to all the 323 00:13:21.200 --> 00:13:25.000 other calls. Okay, like a central hub ah, gotcha, easy 324 00:13:25.039 --> 00:13:26.240 access to the whole network. 325 00:13:26.360 --> 00:13:29.440 So if it's malicious, it can spread quickly. And these 326 00:13:29.519 --> 00:13:32.919 centrality measures, yeah, they become even more powerful when you 327 00:13:32.919 --> 00:13:36.240 combine them with machine learning. That's right, Okay, machine learning, 328 00:13:36.679 --> 00:13:38.639 that's where things get really futuristic. 329 00:13:38.759 --> 00:13:40.159 It's definitely changing the game. 330 00:13:40.440 --> 00:13:42.399 But how does it work for malware detection? 331 00:13:42.960 --> 00:13:46.639 We feed a machine learning algorithm tons of data system 332 00:13:46.720 --> 00:13:51.080 called graphs from both malware and good apps, gotcha, and 333 00:13:51.120 --> 00:13:52.519 it learns to recognize patterns. 334 00:13:52.559 --> 00:13:55.720 It's like showing a detective thousands of crime scene. 335 00:13:55.399 --> 00:13:58.240 Photos, right, so they can spot the clues exactly. And 336 00:13:58.279 --> 00:14:00.320 the more data it sees, the better it gets it 337 00:14:00.440 --> 00:14:01.919 recognizing those patterns like. 338 00:14:01.840 --> 00:14:04.200 A digital detective, getting better with experience. 339 00:14:04.519 --> 00:14:07.759 And there are some cutting edge techniques using machine learning, 340 00:14:08.159 --> 00:14:13.960 like what graph convolutional networks GCNS for shorts and graph 341 00:14:14.120 --> 00:14:16.639 signal processing GSP GSP. 342 00:14:16.799 --> 00:14:18.639 Okay, those sounds super high tech. 343 00:14:18.919 --> 00:14:20.879 They are but they're also really effective. 344 00:14:21.080 --> 00:14:22.039 Break those down for me. 345 00:14:22.159 --> 00:14:27.679 Okay, so imagine a huge system called graph hundreds maybe 346 00:14:27.679 --> 00:14:31.639 thousands of nodes. A GCN can look at that whole graph, 347 00:14:32.120 --> 00:14:34.679 not just individual calls, but the relationships between them. 348 00:14:34.720 --> 00:14:37.840 So it's like a superpowered version of those centrality measures. 349 00:14:38.080 --> 00:14:39.440 You could say that it's. 350 00:14:39.279 --> 00:14:41.200 Finding those hidden connections and. 351 00:14:41.080 --> 00:14:43.840 That helps it spot even the sneakiest malware. 352 00:14:44.120 --> 00:14:45.039 What about GSP. 353 00:14:45.399 --> 00:14:49.000 GSP transforms the data. It's like turning that graph into 354 00:14:49.039 --> 00:14:50.440 a series of signals. 355 00:14:50.240 --> 00:14:51.600 Signals like what like an. 356 00:14:51.559 --> 00:14:54.360 Audio wave form, and then we can use signal processing 357 00:14:54.399 --> 00:14:58.399 techniques to analyze those signals in and find hidden patterns. 358 00:14:58.440 --> 00:15:00.440 It's like using a special lens to see things we. 359 00:15:00.399 --> 00:15:01.919 Couldn't before exactly. 360 00:15:02.120 --> 00:15:04.799 And you can combine GSP with machine learning too. 361 00:15:04.720 --> 00:15:07.000 Yeah, to create even more powerful systems. 362 00:15:07.039 --> 00:15:10.080 So we've got all these high tech ways to find malware. 363 00:15:10.320 --> 00:15:10.720 We do. 364 00:15:11.120 --> 00:15:15.159 But the book also mentioned something called system call pattern detection, oh, 365 00:15:15.200 --> 00:15:16.679 which sounds a bit simpler. 366 00:15:16.879 --> 00:15:19.919 It's based on the idea that malware often uses specific 367 00:15:20.000 --> 00:15:23.240 patterns of system calls, okay, when it's trying to do 368 00:15:23.360 --> 00:15:24.399 bad stuff. 369 00:15:24.120 --> 00:15:25.799 So it's like those telltale signs. 370 00:15:25.919 --> 00:15:28.399 Yeah, like a fingerpres give away a criminal exactly. 371 00:15:28.480 --> 00:15:30.120 But how do you compare those patterns? 372 00:15:30.279 --> 00:15:32.960 We use something called the Jerro Winkler. 373 00:15:32.600 --> 00:15:34.759 Similarity Narrowinkler similarity. 374 00:15:34.840 --> 00:15:38.080 It measures how similar two sequences of characters are. 375 00:15:38.559 --> 00:15:42.639 So you're comparing the patterns of an unknown app to 376 00:15:43.039 --> 00:15:46.639 a database of known malware patterns exactly, and if the 377 00:15:46.679 --> 00:15:48.039 score is high enough. 378 00:15:48.080 --> 00:15:49.840 Yeah, red flag, big red flag. 379 00:15:50.000 --> 00:15:53.039 It's amazing how all these different techniques are being used 380 00:15:53.360 --> 00:15:54.759 to fight malware. 381 00:15:54.919 --> 00:15:56.679 It's a fascinating field, it really is. 382 00:15:56.720 --> 00:15:59.480 It's like a constant battle between good and evil, and 383 00:15:59.519 --> 00:16:02.080 the stakes are higher than ever, especially with how much 384 00:16:02.120 --> 00:16:04.759 we rely on our smartphones these days. It's our connection 385 00:16:04.799 --> 00:16:07.399 to the world, and that's why this whole topic of 386 00:16:07.559 --> 00:16:11.159 intelligent mobile malware detection is so important. 387 00:16:11.200 --> 00:16:14.519 Absolutely, we need to be aware of the threats and 388 00:16:14.519 --> 00:16:16.440 the ways to protect ourselves, and that's. 389 00:16:16.240 --> 00:16:19.799 What we're trying to do here today. Knowledge is power, right, 390 00:16:19.919 --> 00:16:22.720 and the more we know, yeah, the better equipped we 391 00:16:22.759 --> 00:16:24.799 are to stay safe in this digital world. 392 00:16:24.960 --> 00:16:26.320 Couldn't have said it better myself. 393 00:16:26.559 --> 00:16:29.000 It's a wild world out there in the digital frontier, 394 00:16:29.120 --> 00:16:32.159 it really is. As we wrap up our deep dive here, 395 00:16:32.559 --> 00:16:34.039 any final thoughts for our. 396 00:16:33.919 --> 00:16:36.799 Listener, I think the biggest thing is just awareness. 397 00:16:36.919 --> 00:16:37.480 Awareness. 398 00:16:37.759 --> 00:16:41.559 The more you know about how this malware works and 399 00:16:41.600 --> 00:16:44.200 how it gets on your phone, the better you'll be 400 00:16:44.200 --> 00:16:45.120 able to protect yourself. 401 00:16:45.159 --> 00:16:48.879