›› 2015, Vol. 30 ›› Issue (6): 1318-1343.doi: 10.1007/s11390-015-1601-7

Special Issue: Software Systems; Theory and Algorithms

• Theory and Algorithms • Previous Articles     Next Articles

Privacy Petri Net and Privacy Leak Software

Le-Jun Fan1(范乐君), Member, IEEE, Yuan-Zhuo Wang2,*(王元卓), Senior Member, CCF, ACM, IEEE, Jing-Yuan Li2(李静远), Xue-Qi Cheng2(程学旗), Distinguished Member, CCF, Chuang Lin3(林闯), Fellow, CCF, Senior Member, IEEE   

  1. 1 National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029, China;
    2 Institute of Computing Technology, Chinese Academy of Sciences, Beijing 100190, China;
    3 Department of Computer Science and Technology, Tsinghua University, Beijing 100083, China
  • Received:2014-03-27 Revised:2015-06-02 Online:2015-11-05 Published:2015-11-05
  • About author:Le-Jun Fan received his B.S. and M.S. degrees in circuit and system from the University of Science and Technology of China, Hefei, in 2004 and 2007 respectively. He received his Ph.D. degree in information security in 2013 from the Research Center of Web Data Science & Engineering of the Institute of Computing Technology, Chinese Academy of Sciences, Beijing. His research interests include software malicious behavior analysis, data privacy and Petri nets. He is a member of IEEE. He is now working at National Computer Network Emergency Response Technical Team/Coordination Center of China.
  • Supported by:

    This work is supported by the National Natural Science Foundation of China under Grant Nos. 61402124, 61402022, 61173008, 60933005, and 61572469, the National Key Technology Research and Development Program of China under Grant No. 2012BAH39B02, the 242 Projects of China under Grant No. 2011F45, and Beijing Nova Program under Grant No. Z121101002512063.

Private information leak behavior has been widely discovered in malware and suspicious applications. We refer to such software as privacy leak software (PLS). Nowadays, PLS has become a serious and challenging problem to cyber security. Previous methodologies are of two categories: one focuses on the outbound network traffic of the applications; the other dives into the inside information flow of the applications. We present an abstract model called Privacy Petri Net (PPN) which is more applicable to various applications and more intuitive and vivid to users. We apply our approach to both malware and suspicious applications in real world. The experimental result shows that our approach can effectively find categories, content, procedure, destination and severity of the private information leaks for the target software.

[1] Backes M, Kopf B, Rybalchenko A. Automatic discovery and quantification of information leaks. In Proc. the 30th IEEE Symposium on Security and Privacy, May 2009, pp.141-153.

[2] Borders K, Prakash A. Quantifying information leaks in outbound Web traffic. In Proc. the 30th IEEE Symposium on Security and Privacy, May 2009, pp.129-140.

[3] Jung J, Sheth A, Greenstein B, Wetherall D, Maganis G, Kohno T. Privacy oracle: A system for finding application leaks with black box differential testing. In Proc. the 15th ACM Conference on Computer and Communications Security, Oct. 2008, pp.279-288.

[4] Egele M, Kruegel C, Kirda E, Vigna G. PiOS: Detecting privacy leaks in IOS applications. In Proc. the 18th Annual Network & Distributed System Security Symposium, Feb. 2011.

[5] Enck W, Gilbert P, Chun B G, Cox L P, Jung J, McDaniel P, Sheth A. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proc. the 9th USENIX Symposium on Operating Systems Design and Implementation, Oct. 2010, pp.393-407.

[6] Kirda E, Kruegel C. Behavior-based spyware detection. In Proc. the 15th USENIX Security Symposium, July 31- August 4, 2006.

[7] Egele M, Kruegel C, Kirda E, Yin H, Song D. Dynamic spyware analysis. In Proc. the 2007 USENIX Annual Technical Conference, June 2007, pp.233-246.

[8] Kruegel C, Kirda E, Mutz D, Robertson W, Vigna G. Polymorphic worm detection using structural information of executables. In Proc. the 8th International Symposium on Recent Advances in Intrusion Detection, Sept. 2005, pp.207- 226.

[9] Kinder J, Katzenbeisser S, Schallhart C, Veith H. Detecting malicious code by model checking. In Proc. the 2nd International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, July 2005, pp.174-187.

[10] Kruegel C, Robertson W, Vigna G. Detecting kernel-level rootkits through binary analysis. In Proc. the 20th Annual Computer Security Applications Conference, Dec. 2004, pp.91-100.

[11] Christodorescu M, Jha S. Static analysis of executables to detect malicious patterns. In Proc. the 12th USENIX Security Symposium, Aug. 2003.

[12] Moser A, Kruegel C, Kirda E. Limits of static analysis for malware detection. In Proc. the 23rd Annual Computer Security Applications Conference, Dec. 2007, pp.421-430.

[13] Sharif M, Lanzi A, Giffin J, Lee W. Impeding malware analysis using conditional code obfuscation. In Proc. the 15th Annual Network and Distributed System Security Symposium, Feb. 2008.

[14] Sharif M, Lanzi A, Giffin J, Lee W. Automatic reverse engineering of malware emulators. In Proc. the 30th IEEE Symposium on Security and Privacy, May 2009, pp.94-109.

[15] Rhee J, Riley R, Xu D, Jiang X. Kernel malware analysis with un-tampered and temporal views of dynamic kernel memory. In Proc. the 13th International Symposium on Recent Advances in Intrusion Detection, Sept. 2010, pp.178- 197.

[16] Lanzi A, Sharif M, Lee W. K-tracer: A system for extracting kernel malware behavior. In Proc. the 16th Annual Network & Distributed System Security Symposium, Feb. 2009.

[17] Yin H, Liang Z, Song D. HookFinder: Identifying and understanding malware hooking behaviors. In Proc. the 15th Annual Network & Distributed System Security Symposium, Feb. 2008.

[18] Moser A, Kruegel C, Kirda E. Exploring multiple execution paths for malware analysis. In Proc. the 28th IEEE Symposium on Security and Privacy, May 2007, pp.231-245.

[19] Comparetti P M, Salvaneschi G, Kirda E, Kolbitsch C, Kruegel C, Zanero S. Identifying dormant functionality in malware programs. In Proc. the 31st IEEE Symposium on Security and Privacy, May 2010, pp.61-76.

[20] Christodorescu M, Jha S, Seshia S A, Song D, Bryant R E. Semantics-aware malware detection. In Proc. the 26th IEEE Symposium on Security and Privacy, May 2005, pp.32-46.

[21] Bruschi D, Martignoni L, Monga M. Detecting selfmutating malware using control-flow graph matching. In Proc. the 3rd International Conference on Detection of Intrusions and Malware & Vulnerability Assessment, July 2006, pp.129-143.

[22] Christodorescu M, Jha S, Kruegel C. Mining specifications of malicious behavior. In Proc. the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT Symposium on the Foundations of Software Engineering, Sept. 2007, pp.5-14.

[23] Martignoni L, Stinson E, Fredrikson M, Jha S, Mitchell J. A layered architecture for detecting malicious behaviors. In Proc. the 11th International Symposium on Recent Advances in Intrusion Detection, Sept. 2008, pp.78-97.

[24] Fredrikson M, Jha S, Christodorescu M, Sailer R, Yan X. Synthesizing near-optimal malware specifications from suspicious behaviors. In Proc. the 31st IEEE Symposium on Security and Privacy, May 2010, pp.45-60.

[25] Wang Y, Lin C, Ungsunan P D, Huang X. Modeling and survivability analysis of service composition using Stochastic Petri Nets. The Journal of Supercomputing, 2011, 56(1): 79-105.

[26] Yu M, Wang Y, Liu L, Cheng X. Modeling and analysis of email worm propagation based on stochastic game nets. In Proc. the 12th International Conference on Parallel and Distributed Computing, Applications and Technologies, Oct. 2011, pp.381-386.

[27] Fan L,Wang Y, Jin X, Li J, Cheng X, Jin S. Comprehensive quantitative analysis on privacy leak behavior. PloS One, 2013, 8(9): e73410.

[28] Fan L,Wang Y, Cheng X, Li J, Jin S. Privacy theft malware multi-process collaboration analysis. Security and Communication Networks, 2015, 8(1): 51-67.

[29] Wang Y, Lin C, Meng K, Yang H, Lv J. Security analysis for online banking system using hierarchical stochastic game nets model. In Proc. IEEE Global Communications Conference, Nov. 30-Dec. 4, 2009.

[30] Wang Y, Lin C, Wang Y, Meng K. Security analysis of enterprise network based on stochastic game nets model. In Proc. IEEE International Conference on Communications, June 2009.

[31] Wang Y, Lin C, Meng K, Lv J. Analysis of attack actions for e-commerce based on stochastic game nets model. Journal of Computers, 2009, 4(6): 461-468.

[32] Wang Y, Yu M, Li J, Meng K, Lin C, Cheng X. Stochastic game net and applications in security analysis for enterprise network. International Journal of Information Security, 2012, 11(1): 41-52.

[33] Gao H, Wang Y, Wang L, Liu L, Li J, Cheng X. Trojan characteristics analysis based on Stochastic Petri Nets. In Proc. IEEE International Conference on Intelligence and Security Informatics, July 2011, pp.213-215.

[34] Tokhtabayev A, Skormin V, Dolgikh A. Dynamic, resilient detection of complex malicious functionalities in the system call domain. In Proc. Military Communications Conference, Oct. 31-Nov. 3, 2010, pp.1349-1356.

[35] Tokhtabayev A, Skormin V, Dolgikh A. Expressive, efficient and obfuscation resilient behavior based IDs. In Proc. the 15th European Symposium on Research in Computer Security, Sept. 2010, pp.698-715.

[36] Liu P, Wang J, He D. Worm detection using CPN. In Proc. IEEE International Conference on Systems, Man and Cybernetics, Oct. 2004, pp.4941-4946.

[37] Ho Y, Frincke D, Tobin D. Planning, Petri nets, and intrusion detection. In Proc. the 21st National Information Systems Security Conference, Oct. 1998.

[38] Johnson N M, Caballero J, Chen K Z, McCamant S, Poosankam P, Reynaud D, Song D. Differential slicing: Identifying causal execution differences for security applications. In Proc. the 32nd IEEE Symposium on Security and Privacy, May 2011, pp.347-362.

[39] Jacob G, Debar H, Filiol E. Malware behavioral detection by attribute-automata using abstraction from platform and language. In Proc. the 12th International Symposium on Recent Advances in Intrusion Detection, Sept. 2009, pp.81- 100.

[40] Lanzi A, Balzarotti D, Kruegel C, Christodorescu M, Kirda E. AccessMiner: Using system-centric models for malware protection. In Proc. the 17th ACM Conference on Computer and Communications Security, Oct. 2010, pp.399- 412.

[41] Lou W, Ren K. Security, privacy, and accountability in wireless access networks. IEEE Wireless Communications, 2009, 16(4): 80-87.

[42] Liu X, Zhao H, Pan M, Yue H, Li X, Fang Y. Traffic-aware multiple mix zone placement for protecting location privacy. In Proc. INFOCOM, Mar. 2012, pp.972-980.

[43] Lin X, Lu R, Liang X, Shen X. STAP: A social-tier-assisted packet forwarding protocol for achieving receiver-location privacy preservation in VANETs. In Proc. INFOCOM, Apr. 2011, pp.2147-2155.

[44] Gilbert P, Chun B G, Cox L P, Jung J. Automating privacy testing of smartphone applications. Technical Report, TR-CS-2011-02, Duke University, 2011.

[45] Enck W, Ongtang M, McDaniel P. Understanding Android security. IEEE Security & Privacy, 2009, 7(1): 50-57.
No related articles found!
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
[1] Liu Mingye; Hong Enyu;. Some Covering Problems and Their Solutions in Automatic Logic Synthesis Systems[J]. , 1986, 1(2): 83 -92 .
[2] Chen Shihua;. On the Structure of (Weak) Inverses of an (Weakly) Invertible Finite Automaton[J]. , 1986, 1(3): 92 -100 .
[3] Gao Qingshi; Zhang Xiang; Yang Shufan; Chen Shuqing;. Vector Computer 757[J]. , 1986, 1(3): 1 -14 .
[4] Chen Zhaoxiong; Gao Qingshi;. A Substitution Based Model for the Implementation of PROLOG——The Design and Implementation of LPROLOG[J]. , 1986, 1(4): 17 -26 .
[5] Huang Heyan;. A Parallel Implementation Model of HPARLOG[J]. , 1986, 1(4): 27 -38 .
[6] Min Yinghua; Han Zhide;. A Built-in Test Pattern Generator[J]. , 1986, 1(4): 62 -74 .
[7] Tang Tonggao; Zhao Zhaokeng;. Stack Method in Program Semantics[J]. , 1987, 2(1): 51 -63 .
[8] Min Yinghua;. Easy Test Generation PLAs[J]. , 1987, 2(1): 72 -80 .
[9] Zhu Hong;. Some Mathematical Properties of the Functional Programming Language FP[J]. , 1987, 2(3): 202 -216 .
[10] Li Minghui;. CAD System of Microprogrammed Digital Systems[J]. , 1987, 2(3): 226 -235 .

ISSN 1000-9000(Print)

         1860-4749(Online)
CN 11-2296/TP

Home
Editorial Board
Author Guidelines
Subscription
Journal of Computer Science and Technology
Institute of Computing Technology, Chinese Academy of Sciences
P.O. Box 2704, Beijing 100190 P.R. China
Tel.:86-10-62610746
E-mail: jcst@ict.ac.cn
 
  Copyright ©2015 JCST, All Rights Reserved