ABSTRACT
Computing environments on cellphones, especially smartphones, are becoming more open and general-purpose, and thus also become attractive targets of malware. Cellphone malware not only causes privacy leakage, extra charges, and depletion of battery power, but also generates malicious traffic and drains mobile network and service capacity. In this work we devise a novel behavior-based malware detection system named pBMDS, which adopts a probabilistic approach that correlates user inputs with system calls to detect anomalous activities in cellphones. pBMDS observes the unique behaviors of mobile phone applications and their users on input- and output-constrained devices, and leverages a Hidden Markov Model (HMM) to learn application and user behaviors from two major aspects: process state transitions and user operational patterns. Built on these, pBMDS identifies behavioral differences between malware and human users. Through extensive experiments on major smartphone platforms, we show that pBMDS can be easily deployed to existing smartphone hardware and that it achieves high detection accuracy and low false positive rates in protecting major applications in smartphones.
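As an added illustration (not code from the pBMDS paper or its authors), the following Python sketch shows the kind of model the abstract describes: an HMM whose hidden states are process states and whose observations interleave user inputs with system calls, estimated from labelled benign traces and used to score a trace by its per-event likelihood, so that a process emitting network calls without any preceding user input scores as anomalous. The state labels, event names, training traces and the 0.3 margin are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

def benign_trace(n_reads, n_keys):
    # Constructed benign session as (hidden process state, observed event) pairs:
    # idle reads, the user types, taps send, the app opens a socket and sends.
    tail = [("send", "touch"), ("send", "sc:socket"), ("send", "sc:sendto"), ("idle", "sc:read")]
    return [("idle", "sc:read")] * n_reads + [("compose", "key")] * n_keys + tail
BENIGN_TRACES = [benign_trace(r, k) for r in (1, 2) for k in (2, 3, 4)]

class SyscallHMM:
    # HMM over interleaved user-input and syscall events; transition and emission
    # tables are counted from labelled benign traces with add-one smoothing.
    def __init__(self, traces):
        self.states = sorted({s for t in traces for s, _ in t})
        vocab = sorted({o for t in traces for _, o in t})
        init, trans, emit = Counter(), defaultdict(Counter), defaultdict(Counter)
        for t in traces:
            init[t[0][0]] += 1
            for (s, _), (s2, _) in zip(t, t[1:]):
                trans[s][s2] += 1
            for s, o in t:
                emit[s][o] += 1
        n, v = len(self.states), len(vocab)
        self.pi = {s: (init[s] + 1) / (len(traces) + n) for s in self.states}
        self.A = {s: {s2: (trans[s][s2] + 1) / (sum(trans[s].values()) + n)
                      for s2 in self.states} for s in self.states}
        self.B = {s: {o: (emit[s][o] + 1) / (sum(emit[s].values()) + v)
                      for o in vocab} for s in self.states}
        # An event never seen in training keeps one pseudo-count of emission mass.
        self.floor = {s: 1 / (sum(emit[s].values()) + v) for s in self.states}
    def score(self, obs):
        # Per-event log-likelihood via the scaled forward algorithm (no underflow).
        alpha = {s: self.pi[s] * self.B[s].get(obs[0], self.floor[s]) for s in self.states}
        loglik = 0.0
        for i, o in enumerate(obs):
            if i:  # propagate alpha one step for every event after the first
                alpha = {s2: sum(alpha[s] * self.A[s][s2] for s in self.states)
                         * self.B[s2].get(o, self.floor[s2]) for s2 in self.states}
            c = sum(alpha.values())  # scale factor; the product of all c is P(obs)
            loglik += math.log(c)
            alpha = {s: a / c for s, a in alpha.items()}
        return loglik / len(obs)

def build_detector(traces, margin=0.3):
    # Anomaly threshold: worst per-event score on the benign training traces, minus a margin.
    hmm = SyscallHMM(traces)
    return hmm, min(hmm.score([o for _, o in t]) for t in traces) - margin

# Constructed test traces: a normal session typing a longer message, and a process
# that repeatedly pushes data to the network with no user input at all.
BENIGN_TEST = ["sc:read"] + ["key"] * 5 + ["touch", "sc:socket", "sc:sendto", "sc:read"]
MALWARE_TEST = ["sc:read", "sc:socket", "sc:sendto"] * 4
```

A trace is flagged when `hmm.score(trace)` falls below the returned threshold; on real devices the hidden states and event vocabulary would come from the monitored application rather than from these constructed labels.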