
Generating Lightweight Behavioral Signature for Malware Detection in People-Centric Sensing

Published in Wireless Personal Communications

Abstract

People-centric sensing (PCS) is an emerging sensor-network paradigm that turns everyday mobile devices (such as smartphones and PDAs) into sensors. It is promising but faces severe security problems. Smartphones are already attractive targets for attackers and will remain so; with strong connectivity and homogeneous applications, the mobile devices in a PCS deployment risk being infected by malware even more rapidly. Worse, attackers usually obfuscate their malware to evade simple, syntactic-signature-based detection, so more intelligent, behavioral-signature-based detection is needed. In network security, however, the state-of-the-art behavioral signature, the behavior graph, is too complex to be used on mobile devices. This paper proposes SimBehavior, a novel behavioral signature generation system that produces lightweight behavioral signatures for malware detection in PCS. A generated signature resembles a regular-expression (regex) rule. Whereas malware detection with behavior graphs is NP-complete, detection with our lightweight signatures is efficient and therefore well suited to PCS. Our experimental results show that SimBehavior extracts behavioral signatures effectively, and that the generated lightweight signatures detect new malware samples in PCS efficiently and effectively.
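The abstract describes signatures that read like regex rules and are cheap to match. The following is an added illustration of that idea, not the paper's SimBehavior code: two system-call traces (constructed sample data, not from the paper) are globally aligned with Needleman-Wunsch, conserved calls become literals, divergent regions become wildcards, and the result is compiled to a regex that a new trace is searched against. The choice of alignment as the generation step, the scoring constants, the ';'-delimited trace encoding and the call names in the sample traces are all assumptions made for this example.

```python
"""Added example: a regex-like behavioral signature built from two
system-call traces. Illustrates the idea in the abstract; it is not the
paper's SimBehavior implementation."""
import re

WILDCARD = "*"

# Constructed sample traces (not from the paper): the ordered system-call
# names recorded from two sandbox runs of related malware samples.
TRACE_A = ["NtOpenFile", "NtReadFile", "NtCreateKey", "NtSetValueKey",
           "NtCreateUserProcess", "NtDeviceIoControlFile", "NtWriteFile"]
TRACE_B = ["NtOpenFile", "NtReadFile", "NtQueryValueKey", "NtCreateKey",
           "NtSetValueKey", "NtCreateThread", "NtDeviceIoControlFile",
           "NtWriteFile"]


def align(a, b, match=2, mismatch=-1, gap=-1):
    """Global (Needleman-Wunsch) alignment of two call sequences.
    Returns a list of (x, y) pairs; None marks a gap on that side.
    Scoring constants are an assumption of this example."""
    n, m = len(a), len(b)
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            diag = score[i - 1][j - 1] + (match if a[i - 1] == b[j - 1] else mismatch)
            score[i][j] = max(diag, score[i - 1][j] + gap, score[i][j - 1] + gap)
    # Trace back along one optimal path from the bottom-right cell.
    pairs = []
    i, j = n, m
    while i > 0 or j > 0:
        if i > 0 and j > 0 and score[i][j] == score[i - 1][j - 1] + (
                match if a[i - 1] == b[j - 1] else mismatch):
            pairs.append((a[i - 1], b[j - 1]))
            i, j = i - 1, j - 1
        elif i > 0 and score[i][j] == score[i - 1][j] + gap:
            pairs.append((a[i - 1], None))
            i -= 1
        else:
            pairs.append((None, b[j - 1]))
            j -= 1
    pairs.reverse()
    return pairs


def build_signature(trace_a, trace_b):
    """Conserved calls become literals; every run of gaps or mismatches
    collapses into one wildcard that may stand for zero or more calls."""
    tokens = []
    for x, y in align(trace_a, trace_b):
        if x is not None and x == y:
            tokens.append(x)
        elif not tokens or tokens[-1] != WILDCARD:
            tokens.append(WILDCARD)
    return tokens


def compile_signature(tokens):
    """Render the token list as a regex over a ';'-delimited call string."""
    parts = []
    for tok in tokens:
        if tok == WILDCARD:
            parts.append(r"(?:[^;]+;)*")        # any number of whole calls
        else:
            parts.append(re.escape(tok) + ";")  # exactly this call, here
    return re.compile("".join(parts))


def detect(tokens, trace):
    """Check a new trace against the signature with a single regex search."""
    text = ";".join(trace) + ";"
    return compile_signature(tokens).search(text) is not None


# Constructed test traces: a new variant with extra calls at both ends,
# a benign program, and the same calls in a different order.
NEW_VARIANT = ["NtCreateFile", "NtOpenFile", "NtReadFile", "NtCreateKey",
               "NtSetValueKey", "NtDeviceIoControlFile", "NtWriteFile", "NtClose"]
BENIGN = ["NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose"]
REORDERED = ["NtCreateKey", "NtSetValueKey", "NtOpenFile", "NtReadFile",
             "NtDeviceIoControlFile", "NtWriteFile"]

if __name__ == "__main__":
    sig = build_signature(TRACE_A, TRACE_B)
    print("signature:", " ".join(sig))
    for name, t in [("variant", NEW_VARIANT), ("benign", BENIGN), ("reordered", REORDERED)]:
        print(name, detect(sig, t))
```

The literals that stay adjacent in the signature (for instance NtOpenFile followed directly by NtReadFile) are what keep matching cheap, but they are also the brittle part: a sample that inserts a harmless extra call between two adjacent literals will no longer match. A practitioner using this style of signature should decide, per literal pair, whether adjacency is a real property of the behavior or an accident of the two traces aligned, and relax it to a wildcard where it is the latter.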


Figs. 1–4 (figure images not included on this page)



Acknowledgments

This work is supported by Program No. IRT 1012, the NSF of China Program No. 61202488, the Research Fund for the Doctoral Program of Higher Education of China No. 20124307120032, the NSF of China Program No. 61103194, the 863 Program of China Nos. 2009AA01A346 and 2011AA01A103, and the NSF of China Program No. 61003303. We thank the anonymous reviewers for their valuable suggestions and comments.

Corresponding author

Correspondence to Baokang Zhao.

About this article

Cite this article

Lu, H., Zhao, B., Su, J. et al. Generating Lightweight Behavioral Signature for Malware Detection in People-Centric Sensing. Wireless Pers Commun 75, 1591–1609 (2014). https://doi.org/10.1007/s11277-013-1400-9
