DOI: 10.1145/1999995.2000017

Security versus energy tradeoffs in host-based mobile malware detection

Published: 28 June 2011

Abstract

The rapid growth of mobile malware necessitates the presence of robust malware detectors on mobile devices. However, running malware detectors on mobile devices may drain their battery, causing users to disable these protection mechanisms to save power. This paper studies the security versus energy tradeoffs for a particularly challenging class of malware detectors, namely rootkit detectors. We investigate the security versus energy tradeoffs along two axes, attack surface and malware scanning frequency, for both code-based and data-based rootkit detectors. Our findings, based on a real implementation on a mobile handheld device, reveal that protecting against code-driven attacks is relatively cheap, while protecting against all data-driven attacks is prohibitively expensive. Based on our findings, we determine a sweet spot in the security versus energy tradeoff, called the balanced profile, which protects a mobile device against the vast majority of known attacks while consuming a limited amount of extra battery power.


Published In

MobiSys '11: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services
June 2011, 430 pages
ISBN: 9781450306430
DOI: 10.1145/1999995
Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. energy
  2. mobile malware
  3. rootkits
  4. security

Qualifiers

  • Research-article

Conference

MobiSys'11

Acceptance Rates

Overall Acceptance Rate 274 of 1,679 submissions, 16%


Cited By

  • Green Security: A Framework for Measurement and Optimization of Energy Consumption of Cybersecurity Solutions. 2024 IEEE 9th European Symposium on Security and Privacy (EuroS&P), pp. 676-696, 8 Jul 2024. DOI: 10.1109/EuroSP60621.2024.00043
  • SHARKS: Smart Hacking Approaches for RisK Scanning in Internet-of-Things and Cyber-Physical Systems based on Machine learning. IEEE Transactions on Emerging Topics in Computing, 2021. DOI: 10.1109/TETC.2021.3050733
  • Detection under Privileged Information. Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 199-206, 29 May 2018. DOI: 10.1145/3196494.3196502
  • Extending Detection with Privileged Information via Generalized Distillation. 2018 IEEE Security and Privacy Workshops (SPW), pp. 83-88, May 2018. DOI: 10.1109/SPW.2018.00021
  • A Machine Learning Approach to the Detection and Analysis of Android Malicious Apps. 2018 International Conference on Computer Communication and Informatics (ICCCI), pp. 1-4, Jan 2018. DOI: 10.1109/ICCCI.2018.8441472
  • Identifying cyber threats to mobile-IoT applications in edge computing paradigm. Future Generation Computer Systems, vol. 89, pp. 525-538, Dec 2018. DOI: 10.1016/j.future.2018.06.053
  • Feature Cultivation in Privileged Information-augmented Detection. Proceedings of the 3rd ACM on International Workshop on Security And Privacy Analytics, pp. 73-80, 24 Mar 2017. DOI: 10.1145/3041008.3041018
  • On-Device Mobile Phone Security Exploits Machine Learning. IEEE Pervasive Computing, 16(2), pp. 92-96, 1 Mar 2017. DOI: 10.1109/MPRV.2017.26
  • Security threat identification using energy points. 2017 2nd International Conference on Anti-Cyber Crimes (ICACC), pp. 52-54, Mar 2017. DOI: 10.1109/Anti-Cybercrime.2017.7905262
  • DADE: a fast data anomaly detection engine for kernel integrity monitoring. The Journal of Supercomputing, 1 Sep 2017. DOI: 10.1007/s11227-017-2131-6
