ABSTRACT
Mobile users of computation and communication services have been rapidly adopting battery-powered mobile handhelds, such as PocketPCs and SmartPhones, for their work. However, the limited battery lifetime of these devices restricts their portability and applicability, and this weakness can be exacerbated by mobile malware that targets the depletion of battery energy. Such malware is usually difficult to detect and prevent, and frequent outbreaks of new malware variants also reduce the effectiveness of commonly used signature-based detection. To alleviate these problems, we propose a power-aware malware-detection framework that monitors, detects, and analyzes previously unknown energy-depletion threats. The framework is composed of (1) a power monitor that collects power samples and builds a power-consumption history from the collected samples, and (2) a data analyzer that generates a power signature from the constructed history. To generate a power signature, simple and effective noise filtering and data compression are applied, thus reducing the detection overhead. Similarities between power signatures are measured by the χ²-distance, reducing both false-positive and false-negative detection rates. According to our experimental results on an HP iPAQ running a Windows Mobile OS, the proposed framework achieves significant (up to 95%) storage savings without losing detection accuracy, and a 99% true-positive rate in classifying mobile malware.
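The pipeline the abstract describes (power samples, noise filtering, compression into a power signature, χ²-distance comparison, classification) can be illustrated end to end with a small program. The following is an added example, not code from the paper or its authors: the trailing moving-average filter, the normalised power-level histogram used as the compressed signature, the bin layout, the sample traces (constructed, in mW) and the anomaly threshold are all assumptions made here so that the arithmetic is reproducible; the paper's own filter, compression scheme and thresholds are not given on this page.

```python
"""Added example (not from the paper): a toy power-signature pipeline.

Pipeline: raw power samples -> noise filter (moving average) -> compressed
signature (normalised histogram of power levels) -> chi-square distance ->
nearest-signature classification with an anomaly threshold.  The filter,
compression scheme, bin layout, threshold and sample traces are assumptions.
"""
from typing import Dict, List, Sequence, Tuple

# Constructed sample traces (mW), one sample per polling interval.
IDLE_TRACE: List[int] = [100, 100, 100, 100, 300] * 4         # idle with a periodic wake-up burst
BENIGN_TEST_TRACE: List[int] = [100, 100, 100, 300, 100] * 4  # same workload, burst phase shifted
GREEDY_TRACE: List[int] = [300] * 20                          # sustained drain, e.g. radio kept busy
GREEDY_TEST_TRACE: List[int] = [290, 310] * 10                # same drain plus measurement jitter
NOVEL_TRACE: List[int] = [200] * 20                           # a load seen in neither reference set

BINS, LO_MW, HI_MW = 4, 50, 450   # histogram layout (assumed)
WINDOW = 3                        # moving-average width (assumed)
THRESHOLD = 0.1                   # max chi-square distance to still count as "known" (assumed)


def moving_average(samples: Sequence[float], window: int = WINDOW) -> List[float]:
    """Trailing moving average; suppresses single-sample measurement noise."""
    if window < 1:
        raise ValueError("window must be >= 1")
    out: List[float] = []
    for i in range(len(samples)):
        chunk = samples[max(0, i - window + 1): i + 1]
        out.append(sum(chunk) / len(chunk))
    return out


def power_signature(samples: Sequence[float], bins: int = BINS, lo: float = LO_MW,
                    hi: float = HI_MW, window: int = WINDOW) -> List[float]:
    """Compress a filtered trace into a normalised histogram of power levels.

    The histogram keeps how much time was spent at each power level and drops
    the timing, so its size is fixed (bins) regardless of the trace length:
    that is where the storage saving comes from.
    """
    filtered = moving_average(samples, window)
    width = (hi - lo) / bins
    counts = [0] * bins
    for v in filtered:
        idx = int((v - lo) // width)
        counts[min(max(idx, 0), bins - 1)] += 1   # clamp out-of-range samples to the edge bins
    return [c / len(filtered) for c in counts]


def chi2_distance(p: Sequence[float], q: Sequence[float]) -> float:
    """Chi-square distance between two normalised histograms:
    1/2 * sum_i (p_i - q_i)^2 / (p_i + q_i).  Bins empty in both histograms
    contribute 0 instead of dividing by zero."""
    if len(p) != len(q):
        raise ValueError("signatures must have the same number of bins")
    total = 0.0
    for a, b in zip(p, q):
        if a + b > 0:
            total += (a - b) ** 2 / (a + b)
    return total / 2


def classify(signature: Sequence[float], known: Dict[str, List[float]],
             threshold: float = THRESHOLD) -> Tuple[str, float]:
    """Return (label, distance) of the nearest known signature, or
    ("unknown", distance) when even the nearest one is farther than the
    threshold, i.e. a previously unseen consumption pattern worth analysing."""
    if not known:
        raise ValueError("no reference signatures")
    label, dist = min(
        ((name, chi2_distance(signature, sig)) for name, sig in known.items()),
        key=lambda item: item[1],
    )
    return (label, dist) if dist <= threshold else ("unknown", dist)


def build_reference_set() -> Dict[str, List[float]]:
    """Reference signatures learned from the constructed benign and greedy traces."""
    return {
        "idle": power_signature(IDLE_TRACE),
        "energy-greedy": power_signature(GREEDY_TRACE),
    }


if __name__ == "__main__":
    refs = build_reference_set()
    for name, trace in [("benign test", BENIGN_TEST_TRACE),
                        ("greedy test", GREEDY_TEST_TRACE),
                        ("novel load", NOVEL_TRACE)]:
        label, dist = classify(power_signature(trace), refs)
        print(f"{name:12s} -> {label:14s} chi2={dist:.4f}  "
              f"({len(trace)} samples stored as {BINS} bins)")
```

Two points the numbers make visible: the moving average absorbs the ±10 mW jitter, so the jittered greedy trace maps to exactly the same signature as the clean one, while the phase-shifted benign trace lands within a χ²-distance of about 0.0025 of the idle reference and is still classified as idle. The 200 mW trace matches nothing within the threshold and is reported as unknown, which is the case the abstract cares about: an energy-depletion pattern that no existing signature describes.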
Index Terms
- Detecting energy-greedy anomalies and mobile malware variants