Conference PaperPDF Available

DAIDS: An Architecture for Modular Mobile IDS

Authors:

Abstract and Figures

The popularity of mobile devices and the enormous number of third party mobile applications in the market have naturally lead to several vulnerabilities being identified and abused. This is coupled with the immaturity of intrusion detection system (IDS) technology targeting mobile devices. In this paper we propose a modular host-based IDS framework for mobile devices that uses behavior analysis to profile applications on the Android platform. Anomaly detection can then be used to categorize malicious behavior and alert users. The proposed system accommodates different detection algorithms, and is being tested at a major telecom operator in North America. This paper highlights the architecture, findings, and lessons learned.
Content may be subject to copyright.
DAIDS: An Architecture for Modular Mobile IDS
Alaa Salman Imad H. Elhajj Ali Chehab Ayman Kayssi
Electrical and Computer Engineering
American University of Beirut
Beirut, Lebanon
alaa@codedemigod.com, {ie05, chehab, ayman}@aub.edu.lb
Abstract— The popularity of mobile devices and the
enormous number of third party mobile applications in the
market have naturally lead to several vulnerabilities being
identified and abused. This is coupled with the immaturity of
intrusion detection system (IDS) technology targeting mobile
devices. In this paper we propose a modular host-based IDS
framework for mobile devices that uses behavior analysis to
profile applications on the Android platform. Anomaly detection
can then be used to categorize malicious behavior and alert users.
The proposed system accommodates different detection
algorithms, and is being tested at a major telecom operator in
North America. This paper highlights the architecture, findings,
and lessons learned.
Keywords—intrusion detection; dynamic analysis; behavior
profiling
I. INTRODUCTION
Android's popularity as a mobile operating system has
increased in recent years to occupy the number one spot in
terms of worldwide market share [1]. This increase in
popularity, along with the open nature of the official Google
Play store and the existence of third-party marketplaces has
made Android an attractive target for malware writers [2].
According to Halilovic et. al [3], malware on Android can
be categorized into three different groups: 1) malicious
applications that cause a threat to user experience, 2)
applications that generate extra costs, 3) applications that steal
private information. Some applications in these categories have
used kernel exploits to gain elevated privileges on the device
and in turn use these privileges to overcome the system’s
sandboxing and other security mechanisms. As devices get
more powerful, botnets targeting these platforms have also
started showing up [4].
Current approaches for detecting malware include static
analysis, dynamic analysis, or a mix of both with no clear
winner emerging as the ultimate detection method. Static
analysis mainly uses signature databases or pattern matching of
decompiled sources or disassembled byte code to match
against known malicious patterns. This type of analysis is very
similar to the analysis done by traditional anti-virus software
used on personal computers, and hence shares its weaknesses.
Namely, the databases of signatures and patterns need to be
constantly updated and the increase of sophistication of
malware, such as polymorphic payloads [5], is helping in
circumventing this approach. The byte code or decompiled
source code can hide malicious activities through slight
modification of the malicious code. Anti-virus scanners are
getting smarter, mostly through the addition of heuristic pattern
matching, but the race continues between anti-virus vendors
and malware writers.
Dynamic analysis is mostly based on application behavior.
The approaches use either heuristics or profiling data to
classify irregular or malicious behavior. This type of analysis is
inaccurate by nature and heavily depends on the classification
algorithms used. Weaknesses in the design of earlier versions
of the framework and the lack of automation tools often add to
this inaccuracy.
Thus far, neither approach is sufficient to stop malicious
applications which seem to be getting more sophisticated. The
current approach used by Google for its Play store is a mix of
both static analysis of the byte code and dynamic analysis of
the behavior of each submitted application [6]. However, even
the official Google-curated market place cannot escape
sophisticated malware [7]. The existence of centralized
marketplaces have contributed to the popularity of Android and
helped to streamline the installation and update of applications.
But it also provided malware writers with the same advantages.
Finding better approaches to detect and prevent malware on
Android mobile devices is currently a popular research topic.
In this paper, we propose an architecture for a modular host-
based intrusion detection system (IDS). The system monitors in
real-time the behavior of applications on the device and allows
for the use of dynamic analysis to detect bad or malicious
behavior.
This paper is organized as follows. Section II explores
related work in the field of host-based intrusion detection
systems with a focus on the ones targeting mobile devices.
Section III describes the current architecture of the proposed
system. Section IV presents the testing setup and results.
Section V describes the lessons learned, and Section VI
concludes with highlights for future work.
II. RELATED WORK
The use of host-based intrusion detection techniques has
been attempted by many researchers to detect and prevent
malware on Android devices.
2014 28th International Conference on Advanced Information Networking and Applications Workshops
978-1-4799-2652-7/14 $31.00 © 2014 IEEE
DOI 10.1109/WAINA.2014.54
328
2014 28th International Conference on Advanced Information Networking and Applications Workshops
978-1-4799-2652-7/14 $31.00 © 2014 IEEE
DOI 10.1109/WAINA.2014.54
328
Berthomé et al. [8] proposed the static injection of bytecode
into applications to monitor private data access and SMS
sending functionality. The monitoring aspect was used in the
development of an IDS/IPS called AndroSpywareMonitor
which attempts to report or block these activities.
Alazab et al. [9] used DroidBox, the Android application
sandbox, to generate behavioral graphs to help analyze run-
time activities and establish functional patterns. The patterns
were then used in cross-examining naming classification of
malware families by known antivirus vendors.
Halilovic et al. [3] suggested the design of a host-based IDS
that uses a support vector machine with features such as
number of calls to people in or out of a contact list in order to
classify malicious applications.
A. Shabtai et al. [10] described a framework, dubbed
KBTA for knowledge-based temporal abstraction, for
continuously monitoring a device to identify malicious
behavior. The framework relies on a lightweight agent that
continuously samples various features on the device such as
CPU, memory, and battery consumption, and analyzes the
collected data. The device state is inferred based on behavioral
temporal patterns and context-sensitive interpretation of
accumulated data.
Our work is most inspired by the KBTA approach and uses
similar continuous monitoring of time stamped data and uses
triggers that affect the context-sensitive interpretation of it.
However, our work is more general and differs in our focus to
offer a pluggable modular platform that can use different
algorithms for the interpretation of the data.
III. DESIGN OF IDS ARCHITECTURE
This section describes the architecture of our proposed
intrusion detection system. Subsection A describes the overall
architecture of the IDS while subsection B describes the
collected data. Subsection C describes how the data is analyzed
and profiled. Subsection D describes one sample algorithm for
detecting anomalies in application behavior. Finally,
subsection E concludes with some implementation notes.
A. IDS Architecture
The Dynamic Android Intrusion Detection System
(DAIDS) is a modular host-based intrusion detection system
that tries to identify malicious or misbehaving applications by
profiling their behavior. It is composed of several semi-
independent components and it uses most traditional host-
based intrusion detection methods but combines those with
mobile-specific attributes for increased accuracy and
efficiency.
The intrusion detection system consists of data collectors,
profilers, and threat detectors. As a user-facing application, it
also includes an alert manager and associated user interface
components. Out-of-the-box, the system monitors and logs
resource usage of applications and it has built-in profilers and
detectors that make use of the collected data. This will be
detailed in its own section.
Since energy consumption is a major factor to account for
while designing any host-based system running on a
smartphone, several optimizations had to be developed to
ensure the efficiency of the whole system. Figure 1 shows an
overview of the architecture while details are described in their
respective sections.
Fig. 1. Diagram showing the IDS architecture
B. Data Collected
Data collectors acquire and store information such as timed
snapshots of application resources and system events. The
collectors use different timers depending on the variability of
the collected resource. Special care was taken to write
optimized code to minimize the amount of processing and
memory use in these frequently-run tasks. An example of this
was aiming to use efficient memory structures and performing
the database inserts in bulk and within a single transaction
whenever possible.
The types of data that are collected include:
Installed packages on the device along with their
metadata that includes time of installation, time of
update, requested permissions, requested features, and
the first time the application was launched.
Timed snapshots for running processes.
CPU consumption per process in snapshot.
Memory levels per process in snapshot.
Bandwidth consumption per package. It collects bytes
sent and received as well as number of packets sent and
received.
Currently open connections per package. It collects IP
addresses and TCP ports that are open.
329329
System events as indicators for sc
r
package installation.
Content events as indicators for SMS s
e
File system events to indicate access t
o
media folder.
Network activity events indicating net
w
Optional logging of network packets i
and data.
The IDS uses the PackageManager class t
o
installed applications on the device. For ea
c
also records metadata for its correspondi
n
metadata collected are time of installation,
requested permissions and features. The met
a
to date when the application is updated.
Using the ActivityManager class, a
applications is periodically collected. Then,
application, different collectors are responsi
b
resource-usage such as CPU consumption b
y
[11] utility and memory usage using the
M
The process ID and user ID are used to pa
i
their corresponding application.
Two network-related components colle
c
consumption and open connections for run
n
The bandwidth consumed is collected usin
g
class and retrieves the amount of bytes se
n
with number of packets, while the open conn
e
for local and remote IP address/port combin
a
/proc/net/tcp.
The event collector implements a Broa
listen to screen on/off intents and package i
n
The package installation intent triggers the I
D
the new package to our monitored packages
l
updated metadata for an existing application.
The SMS sent/received event is gener
a
ContentObserver on the SMS data store. It
w
store for any activity and then issues an S
M
when noticed. Even though this is not an o
ff
monitoring SMS activity, we found that it w
o
to include in our system.
The IDS also includes utilities that requir
to function. Two such utilities are the file s
y
the network packet inspection utility. Both
Android NDK platform [12] to facilitate devel
The file system access utility uses
t
functionality in the Linux kernel to listen t
o
monitored files or directories. The utility mo
n
and media database for read events and report
s
b
y issuing a READ_CONTACTS and R
E
event. A NETWORK_ACCESS event is simil
a utility that uses libpcap [14] for deep p
a
These utilities function at a lower level than
t
API and so cannot specify which application
i
the events.
r
een on/off and
e
nt/received.
o
the contacts and
w
ork access.
i
ncluding headers
o
retrieve a list of
c
h application, it
n
g package. The
l
ast update time,
a
data are kept up
list of running
for each running
b
le for recording
y
parsing the top
M
emoryInfo class.
i
r resources with
c
t the bandwidth
n
ing applications.
g
the TrafficStats
n
t/received along
e
ctions are parsed
a
tions by reading
dcastReciever to
n
stallation intents.
D
S to either add
l
ist or to look for
a
ted by using a
w
atches the data
M
S-related event
ff
icial method for
o
rks well enough
r
e a rooted phone
y
stem access and
utilities use the
l
opment.
t
he inotify [13]
o
read events on
n
itors the contacts
s
them to the IDS
E
AD_GALLERY
arly generated by
a
cket inspection.
t
he Android Java
i
s responsible for
All this collected data is stored
i
depicted by Figure 2.
Fig. 2. Database schema used to store colle
c
C. Profilers and Detectors
A different set of workers, call
e
for using the collected data and
e
p
rofiles that will be used for a
n
involves intensive
p
rocessing but
i
frequently than collectors. A profil
e
characterizes normal system behavi
o
data mentioned earlier, one possibl
e
of IP addresses/ports opened duri
n
Another example could be the amo
u
specific application during a speci
f
can be any combination of parame
t
normal behavior of the monitored t
a
The last set of components, ca
l
use of the profile to detect an ano
m
used by multiple threat detectors
event that each detector is monito
r
threat detector can make use of
dependent on the profile model u
s
that combines a list of IP addresse
s
can be used by two threat detectors
.
bandwidth per IP address and the
listed IP addresses. Necessarily, t
h
have a different periodicity since
detector needs to monitor every ou
t
bandwidth abuse detector only need
i
n a database with a schema
c
ted data.
e
d profilers, are responsible
e
vents to build and update
n
omaly detection. This set
t usually needs to run less
e
is a list of parameters that
o
r [15]. Using the collected
e
profile could be the range
n
g a specified time period.
u
nt of bandwidth used by a
f
ied time period. A profile
t
ers collected to signify the
a
rget.
l
led threat detectors, makes
m
aly. A single profile can be
depending on the security
r
ing. But each profiler and
a different timer that is
s
ed. For example, a profile
s
with consumed bandwidth
.
One monitors for abuse of
other monitors for blac
k
-
h
e two threat detectors will
the IP address black-list
t
going connection while the
s to collect aggregates.
330330
The modular approach in the design of th
e
to implement multiple algorithms to detect m
a
These algorithms can collaborate or work
i
generate alerts. One such example algorithm i
s
testing section.
The resource-usage profiles and threat
d
schema depicted in Figure 3.
Fig. 3. Database schema used to store resource-usage pr
D. Implementation Notes
DAIDS stores all the generated data in
S
the default storage mechanism in Android. O
store the data generated by the collectors, pr
o
detectors. The second file is used for event
Java-
b
ased application and the rest of the data
b
the native utilities. A separate file is use
d
configuration data. The data was split into
d
files after experimentation showed increasin
g
caused by a high number of collectors which
to function at a high frequency and to gen
e
smartphone undergoing regular use.
Additional features were added in order
t
collection process easier:
Application starts collecting data at de
v
Ability to reset the collected data to
s
from getting too large.
A
b
ility to stop scanning and reset
t
locked to avoid user error.
Ability to export the collected data to
a device-specific UUID.
Integration with the crash notification
s
[17].
Timer periodicity for each componen
t
via an accessible database.
e
IDS can be used
a
licious behavior.
independently to
s
described in the
d
etectors use the
ofiles
S
QLite databases,
ne file is used to
o
filers, and threat
storage from the
b
ases a
r
e used by
d
for storage of
d
ifferent database
g
lock contention
necessarily need
e
rate events on a
t
o make the data
v
ice boo
t
-up.
s
top the database
t
he data is PIN-
SD storage using
s
ervice BugSense
t
can be tweaked
The application needs the
f
function:
ACCESS_NETWORK_ST
A
existence of network co
m
collection.
WRITE_EXTERNAL_STO
R
exported data to SD storage.
INTERNET: Used to send
c
crash notification service.
RECEIVE_BOOT_COMPL
E
application to start data coll
e
READ_SMS: Needed to
activity.
IV. TES
T
Testing of the platform was
Galaxy S II and S III phones runn
i
later on stock Samsung ROM imag
e
to run on any Android platform ha
v
showed excellent performance and
r
phone models.
The crash notification service
r
crashes that were mostly the result
due to ungraceful native process sh
crashes were out of memory erro
r
from on excessively busy devices.
were transient in nature and mostly
when the phone is rebooting, so t
h
collection process.
One problem that did affect the
due to instability while exporting t
h
The export function copies the d
a
storage and empties the origin
a
operations resulted in corrupt datab
a
back to a problem in the size o
f
believe that these issues stem fro
m
badly with larger files and the An
d
the process mid-copy. An auto
m
implemented as a workaround for t
h
Resource usage of the IDS was
so as not to interfere with the reg
u
Figures 4 and 5 show CPU and m
one hour of operation.
f
ollowing permissions to
A
TE: Needed to check for
m
munication to optimize
R
AGE: Needed for writing
c
rash reports to third-party
E
TED: Needed to allow the
e
ction at device boot-up.
monitor SMS store for
T
ING
m
ostly done on Samsung
i
ng Android version 4.0 or
e
s. The platform is designed
v
ing the minimum specs but
r
eliability on the above two
r
eported a small number of
of database locking issues
u
tdown. The other types of
r
s that are hard to recover
However, these problems
due to edge cases; such as
h
ey did not affect the data
data collection process was
h
e databases to SD storage.
a
tabases to the internal SD
a
l database. Some copy
a
ses but could not be traced
f
the source database. We
m
the file system behaving
d
roid system or user killing
m
ated timed backup was
h
is issue.
designed to be ligh
t
weight
u
lar function of the device.
e
mory consumption during
331331
Fig. 4. CPU consumption during one hour of operation
The CPU consumption heavily depends
o
of the timers set and device activity at time
maintains an overall low average of usa
g
defaults of 5 seconds for each collector. For t
h
in Figure 4, the average CPU usage was 9.9%.
Fig. 5. Memory usage during one hour of operation
The memory usage depends on the impl
e
different running components. To conserv
e
testing showed that it is preferable to re-use
m
components to avoid invoking the garbage col
l
The power consumed by the default s
e
average of 163 mW according to PowerT
u
testing device.
To test the capabilities of the system, an e
x
that monitors resource usage was implement
e
assigns installed packages an initial threat v
a
p
ermissions that are requested. Most applicati
p
ermissions than they need [16]. While the n
u
p
ermissions provides an indication of the cap
of the behavior of the application, there is a l
i
p
ermissions and features that should be give
n
in the Android security system. In differe
n
these permissions and features provide
a
o
n the periodicity
of sampling but
g
e using the set
h
e test run shown
e
mentation of the
e
battery power,
m
emory within the
l
ector.
e
t timers had an
u
tor [18] on one
x
ample algorith
m
e
d. The algorithm
a
lue based on the
ons request more
u
mber and type of
abilities and thus
i
mited number of
n
greater attention
n
t combinations,
a
pplications with
dangerous capabilities such as acce
s
to use services that cost money.
The threat level changes dyna
m
b
ehavior and resource usage but it i
s
level assigned to it at installation-ti
m
it. So primarily, the threat level has
application’s requested permissions
Two resource-usage profiles ar
e
anomalies. The first one measures
week of activity per application
resource usage for the lifetime of
p
rofiles are then used by their corre
s
report misbehaving applications
resource-usage to profiled ones.
Similar to the KBTA method
algorithm uses the captured syst
e
b
eing turned off, to modify the cal
c
the resultant threat level. Using th
e
Halilovic et al [3], this resource u
s
useful in detecting misbehaving
a
threat to the overall user experie
n
implementing a sample malicious
CPU cycles after the screen turns
o
consumption from the user.
Figure 6 shows a screenshot of
showcasing the platform’s functio
n
one of the PIN-locked actions.
Fig. 6. Screenshot showing the main menu
Fig. 7. Screenshot showing one of the pin-l
o
s
s to personal da
t
a or ability
m
ically based on application
s
seeded by the initial threat
m
e and it does not go below
a tight correlation with the
and features.
e
built and used in detecting
resource usage for the first
and the second measures
the application. These two
s
ponding threat detectors to
by comparing current
[10], the threat detection
e
m events, such as screen
c
ulation of usage trends and
e
classification proposed by
s
age algorithm was mostly
a
pplications that caused a
n
ce. This was verified by
application that consumes
o
ff and thus tries to hide its
the main men
u
of the IDS
n
ality while figure 7 shows
of the IDS
o
cked actions
332332
V. LESSONS LEARNED
The scanner uses regular Java timers, which fire only when
the device is awake. So we experimented with changing the
timers to use a wake lock to keep the device partially awake
and perform continuous scanning. The increase in precision in
the captured readings did not warrant the increase in energy
consumption.
Heavy activity on busy test devices made some high
frequency collectors encounter database locking issues when
the scanner was using a single SQLite database to log all
activity. The use of several databases to split up the
information made this a rare occurrence.
Some other busy devices suffered from low memory
conditions which affected the functionality of the IDS along
with other applications. This made us suspect that any
continuous scanning behavior will perform poorly on Android
unless specific optimizations are made to address this issue.
VI. CONCLUSIONS AND FUTURE WORK
This paper provided an overview of detection methods used
for detecting malware on Android systems. We then proposed
and designed DAIDS, a modular host-based mobile intrusion
detection framework that monitors application behavior
looking for malicious patterns. An example algorithm that uses
resource usage to detect malicious behavior was described and
used to test the capabilities of the system. The proposed system
can be used as a framework for further testing and discovery of
detection techniques. The source code will be made available
at https://github.com/alaasalman/aids.
Our future work using this platform will consist of offline
analysis of data collected from a larger sample of devices in
real-use. The sampling test was run by TELUS Corporation
and used 15 Samsung Galaxy S III devices given to recruited
power users for the collection of data. The data was exported
and collected bi-weekly over a period of around 6 months. The
analysis will help in tweaking existing algorithms and
discovering new ones to be incorporated and distributed with
the system. A subset of the data will also be used for targeting
specific malware to observe system response and detection
rates of different algorithms. We also aim at refining the
integration points of our IDS with the operating system to
allow for deeper integration and better data collection to be
used in the detection of malicious applications.
ACKNOWLEDGEMENT
This research was funded by TELUS Corporation, Canada.
REFERENCES
[1] “Android and iOS Combine for 92.3% of All Smartphone Operating
System Shipments in the First Quarter While Windows Phone Leapfrogs
BlackBerry, According to IDC - prUS24108913.” [Online]. Available:
http://www.idc.com/getdoc.jsp?containerId=prUS24108913. [Accessed:
13-Nov-2013].
[2] “NQ mobile’s 2012 security report.” [Online]. Available:
http://www.nq.com/2012_NQ_Mobile_Security_Report.pdf. [Accessed:
13-Nov-2013].
[3] M. Halilovic and A. Subasi, “Intrusion Detection on Smartphones,”
arXiv e-print 1211.6610, Nov. 2012.
[4] Pieterse, H.; Olivier, M.S., "Android botnets on the rise: Trends and
characteristics," Information Security for South Africa (ISSA), 2012 ,
vol., no., pp.1,5, 15-17 Aug. 2012
[5] “Server-side Polymorphic Android Applications | Symantec Connect
Community.” [Online]. Available:
http://www.symantec.com/connect/blogs/server-side-polymorphic-
android-applications. [Accessed: 13-Nov-2013].
[6] “jon.oberheide.org - blog - dissecting the android bouncer.” [Online].
Available: http://jon.oberheide.org/blog/2012/06/21/dissecting-the-
android-bouncer/. [Accessed: 13-Nov-2013]
[7] “The Bearer of BadNews | The Official Lookout Blog.” [Online].
Available: https://blog.lookout.com/blog/2013/04/19/the-bearer-of-
badnews-malware-google-play/. [Accessed: 13-Nov-2013]
[8] P. Berthome, T. Fecherolle, N. Guilloteau, and J.-F. Lalande,
“Repackaging Android Applications for Auditing Access to Private
Data,” in Availability, Reliability and Security (ARES), 2012 Seventh
International Conference on, 2012, pp. 388–396.
[9] M. Alazab, V. Monsamy, L. Batten, P. Lantz, and R. Tian, “Analysis of
malicious and benign Android applications,” in Distributed Computing
Systems Workshops (ICDCSW), 2012 32nd International Conference
on, 2012, pp. 608–616.
[10] Asaf Shabtai, Uri Kanonov, Yuval Elovici, Intrusion detection for
mobile devices using the knowledge-based, temporal abstraction
method, Journal of Systems and Software, Volume 83, Issue 8, August
2010, Pages 1524-1537
[11] “top (software),” Wikipedia, the free encyclopedia. 11-Nov-2013
[Online]. Available:
http://en.wikipedia.org/w/index.php?title=Top_(software)&oldid=57696
3680. [Accessed: 13-Nov-2013]
[12] “Android NDK | Android Developers.” [Online]. Available:
http://developer.android.com/tools/sdk/ndk/index.html. [Accessed: 13-
Nov-2013]
[13] “inotify - Wikipedia, the free encyclopedia.” [Online]. Available:
http://en.wikipedia.org/wiki/Inotify. [Accessed: 13-Nov-2013]
[14] “TCPDUMP/LIBPCAP public repository.” [Online]. Available:
http://www.tcpdump.org/. [Accessed: 13-Nov-2013]
[15] “Deciphering detection techniques: Part ii anomaly-based intrusion
detection.” [Online]. Available:
https://secure.mcafee.com/japan/products/pdf/Deciphering_Detection_T
echniques-Anomaly-Based_Detection_WP_en.pdf
[16] A. Porter Felt, E. Chin, S. Hanna, D. Song, D. Wagner, “Android
permissions demystified”, in 18th ACM Conference on Computer and
Communications Security, Chicago, IL, 2011, pp. 627-638
[17] “BugSense | Crash Reports and Operational Intelligence for Android,
iOS, Windows Phone & Windows 8 apps.” [Online]. Available:
https://www.bugsense.com/. [Accessed: 13-Nov-2013]
[18] “PowerTutor.” [Online]. Available:
http://ziyang.eecs.umich.edu/projects/powertutor/. [Accessed: 13-Nov-
2013]
333333
... The main contribution of this paper is "DFeeder", an Xposed [9] module that allows us to examine an application's behavior at runtime within the context of the Android framework. Paired with DAIDS, our previously proposed intrusion detection system (IDS) [5], we are able to extend the analysis of application behavior to look for malicious activities. To the best of our knowledge, the Xposed framework, which is meant to facilitate behavior modification of running applications, has not been previously used to detect malicious applications. ...
... We have extended our host-based modular dynamic intrusion detection system (DAIDS) [5] to integrate information generated by DFeeder. The platform collects and analyzes system-wide and application-based information. ...
... However, obfuscation techniques can be used to avoid detection. In dynamic techniques [25][26][27][28][29][30][31][32][33], the program behavior is monitored during its execution to detect whether there are any inconsistencies with the normal behavior. The problem with this approach is its cost and the possibility of detection evasion. ...
Article
Full-text available
n this paper, we propose MinDroid, a user-centric preventive policy enforcement system against SMS malware in Android devices. The design of MinDroid takes into consideration the user’s little understanding of the Android permission system. This can be done by deriving the policy rules from the behavioral model of the malicious SMS applications rather than adopting user-defined rules. MinDroid requires user intervention only during the first T time units from the application installation time. The user during this time period is notified to accept or reject the SMS-sending operations. MinDroid execution is specified as a finite state machine, and its security properties are formally proven using Metric Temporal Logic. We also show that MinDroid is resilient against threats trying to compromise its correct functionality. In addition, an analytical study demonstrates that MinDroid offers good performance in terms of detection time and execution cost in comparison with intrusion detection systems based on static and dynamic analysis. The detection efficiency of MinDroid is also studied in terms of detection rate, false positive rate, and ROC distance. A prototype implementation of MinDroid is tested under Android emulator.
Article
The next industrial revolution commonly known as Industry 4.0 represents the idea of interconnected manufacturing, where intelligent devices, systems and processes exchange information, resources and artifacts to optimize the complete value-added chain and to reduce costs and time-to- market. Industrial software ecosystems are a good example how the latest digitalization trends are applied in the industry domain and how with the help of industrial IoT applications the production process can be optimized. However, the use of third- party applications exposes to a risk the systems and devices part of the manufacturing process. To address these risks a set of quality measures must be carried out in the ecosystem. This paper presents the results of a systematic mapping study carried out in the area of verification and validation of industrial IoT third-party applications. The goal of the study is to structure the scientific landscape and to provide an up-to-date snapshot of the current state of the research field.
Article
Full-text available
With the popularization of smartphones, they have become the main target of malicious applications. In recent years, malware has become a major threat to Android smartphones. Detection for malicious applications in smartphone has become a research hotspot. There are many studies that were mainly based on host mode. Although this kind of approach has the advantage of an effective collection of client features, it can interfere with the original environment for detection and only applies to certain versions of phones. In this paper, we combine network traffic analysis with data mining to identify malicious network behavior. We improve Apriori algorithm to extract network traffic features from network data, and overall exposes malware functionalities through operational behavioral triggers. Then, it adopts a density-based local outlier factor (LOF) clustering algorithm to form a detection model. ADMDM model can effectively detect an anomaly, and it has good results in unknown anomaly detection. The proposed model can be used for daily smartphone security checking and evaluation. Moreover, ADMDM enriches techniques for dynamic smartphone behavior analysis.
Article
Full-text available
In this paper, we propose OnDroid, a prevention system to defend against outgoing malicious SMSs in Android devices. OnDroid is user-friendly as it considers the user's little understanding of the Android system. It also considers multiple threat scenarios and requires less interaction with the user. For each SMS-sending operation, OnDroid first checks if the mobile device state mismatches the user's behavior. If so, the operation is blocked. Otherwise, it is delayed for a while and the user is notified to confirm or reject the operation. If the SMS is considered normal, the user does not need to take any action and the SMS is sent when the delay expires. Efficiency analysis shows that malicious SMS operations might be missed when the user is unavailable. To deal with this issue, we propose a method by which the user behavior can be adjusted to achieve of malicious SMS prevention. Formal analysis as well as comparative study show that OnDroid offers a good tradeoff between security efficiency and usability.
Conference Paper
Full-text available
Smartphones are the latest technology trend of the 21st century. Today's social expectation of always staying connected and the need for an increase in productivity are the reasons for the increase in smartphone usage. One of the leaders of the smartphone evolution is Google's Android Operating System (OS). The openness of the design and the ease of customizing are the aspects that are placing Android ahead of the other smartphone OSs. Such popularity has not only led to an increase in Android usage but also to the rise of Android malware. Although such malware is not having a significant impact on the popularity of Android smartphones, it is however creating new possibilities for threats. One such threat is the impact of botnets on Android smartphones. Recently, malware has surfaced that revealed specific characteristics relating to traditional botnet activities. Malware such as Geinimi, Pjapps, DroidDream, and RootSmart all display traditional botnet functionalities. These malicious applications show that Android botnets is a reality. From a security perspective it is important to understand the underlying structure of an Android botnet. This paper evaluates Android malware with the purpose of identifying specific trends and characteristics relating to botnet behaviour. The botnet trends and characteristics are detected by a comprehensive literature study of well-known Android malware applications. The identified characteristics are then further explored in terms of the Android Botnet Development Model and the Android Botnet Discovery Process. The common identified trends and characteristics aid the understanding of Android botnet activities as well as the possible discovery of an Android bot.
Article
Full-text available
Smartphone technology is more and more becoming the predominant communication tool for people across the world. People use their smartphones to keep their contact data, to browse the internet, to exchange messages, to keep notes, carry their personal files and documents, etc. Users while browsing are also capable of shopping online, thus provoking a need to type their credit card numbers and security codes. As the smartphones are becoming widespread so do the security threats and vulnerabilities facing this technology. Recent news and articles indicate huge increase in malware and viruses for operating systems employed on smartphones (primarily Android and iOS). Major limitations of smartphone technology are its processing power and its scarce energy source since smartphones rely on battery usage. Since smartphones are devices which change their network location as the user moves between different places, intrusion detection systems for smartphone technology are most often classified as IDSs designed for mobile ad-hoc networks. The aim of this research is to give a brief overview of IDS technology, give an overview of major machine learning and pattern recognition algorithms used in IDS technologies, give an overview of security models of iOS and Android and propose a new host-based IDS model for smartphones and create proof-of-concept application for Android platform for the newly proposed model. Keywords: IDS, SVM, Android, iOS;
Conference Paper
Full-text available
Android provides third-party applications with an extensive API that includes access to phone hardware, settings, and user data. Access to privacy- and security-relevant parts of the API is controlled with an install-time application permission system. We study Android applications to determine whether Android developers follow least privilege with their permission requests. We built Stowaway, a tool that detects overprivilege in compiled Android applications. Stowaway determines the set of API calls that an application uses and then maps those API calls to permissions. We used automated testing tools on the Android API in order to build the permission map that is necessary for detecting overprivilege. We apply Stowaway to a set of 940 applications and find that about one-third are overprivileged. We investigate the causes of overprivilege and find evidence that developers are trying to follow least privilege but sometimes fail due to insufficient API documentation.
Conference Paper
Since its establishment, the Android applications market has been infected by a proliferation of malicious applications. Recent studies show that rogue developers are injecting malware into legitimate market applications which are then installed on open source sites for consumer uptake. Often, applications are infected several times. In this paper, we investigate the behavior of malicious Android applications, we present a simple and effective way to safely execute and analyze them. As part of this analysis, we use the Android application sandbox Droidbox to generate behavioral graphs for each sample and these provide the basis of the development of patterns to aid in identifying it. As a result, we are able to determine if family names have been correctly assigned by current anti-virus vendors. Our results indicate that the traditional anti-virus mechanisms are not able to correctly identify malicious Android applications.
Conference Paper
One of the most important threats for Android users is the collection of private data by malware put on the market. Most of the proposed approaches that help to guarantee the user's privacy rely on modified versions of the Android operating system. In this paper, we propose to automatically detect when an application accesses private data and to log this access in a third-party application. This detection should be performed without any modification to the operating system. The proposed methodology relies on the repackaging of a compiled application and the injection of a reporter at bytecode level. Thus, such a methodology enables the user to audit suspicious applications that ask permissions to access private data and to know if such an access has occurred. We show that the proposed methodology can also be implemented as an IPS, in order to prevent such accesses. Experimental results show the efficiency of the methodology on a set of 18 regular applications of the Android market that deal with contacts. Our prototype detected 66% of the accesses to the user's contacts. We also experimented the detection of privacy violations with 5 known malware that send premium-rate SMS.
Article
In this paper, a new approach for detecting previously unencountered malware targeting mobile device is proposed. In the proposed approach, time-stamped security data is continuously monitored within the target mobile device (i.e., smartphones, PDAs) and then processed by the knowledge-based temporal abstraction (KBTA) methodology. Using KBTA, continuously measured data (e.g., the number of sent SMSs) and events (e.g., software installation) are integrated with a mobile device security domain knowledge-base (i.e., an ontology for abstracting meaningful patterns from raw, time-oriented security data), to create higher level, time-oriented concepts and patterns, also known as temporal abstractions. Automatically-generated temporal abstractions are then monitored to detect suspicious temporal patterns and to issue an alert. These patterns are compatible with a set of predefined classes of malware as defined by a security expert (or the owner) employing a set of time and value constraints. The goal is to identify malicious behavior that other defensive technologies (e.g., antivirus or firewall) failed to detect. Since the abstraction derivation process is complex, the KBTA method was adapted for mobile devices that are limited in resources (i.e., CPU, memory, battery). To evaluate the proposed modified KBTA method a lightweight host-based intrusion detection system (HIDS), combined with central management capabilities for Android-based mobile phones, was developed. Evaluation results demonstrated the effectiveness of the new approach in detecting malicious applications on mobile devices (detection rate above 94% in most scenarios) and the feasibility of running such a system on mobile devices (CPU consumption was 3% on average).
Android botnets on the rise: Trends and characteristics
  • H Pieterse
  • M S Olivier
Pieterse, H.; Olivier, M.S., "Android botnets on the rise: Trends and characteristics," Information Security for South Africa (ISSA), 2012, vol., no., pp.1,5, 15-17 Aug. 2012