ABSTRACT
A novel behavioral detection framework is proposed to detect mobile worms, viruses and Trojans, instead of the signature-based solutions currently available for use in mobile devices. First, we propose an efficient representation of malware behaviors based on a key observation that the logical ordering of an application's actions over time often reveals the malicious intent even when each action alone may appear harmless. Then, we generate a database of malicious behavior signatures by studying more than 25 distinct families of mobile viruses and worms targeting the Symbian OS - the most widely-deployed handset OS - and their variants. Next, we propose a two-stage mapping technique that constructs these signatures at run-time from the monitored system events and API calls in Symbian OS. We discriminate the malicious behavior of malware from the normal behavior of applications by training a classifier based on Support Vector Machines (SVMs). Our evaluation on both simulated and real-world malware samples indicates that behavioral detection can identify current mobile viruses and worms with more than 96% accuracy. We also find that the time and resource overheads of constructing the behavior signatures from low-level API calls are acceptably low for their deployment in mobile devices.
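The two-stage construction and the ordering observation described in the abstract can be illustrated with a small worked example. The code below is added here for illustration and is not the paper's framework; the API names, the two behavior signatures, the two traces and the threshold rule standing in for the trained SVM are all constructed for this example. Stage 1 maps monitored low-level calls to high-level actions, stage 2 matches the action stream against signatures expressed as ordering constraints, and the resulting per-signature match fractions form the feature vector a classifier would consume. The two traces contain exactly the same four actions; only their order differs, which is what separates the worm-like trace from the benign one.

```python
"""Two-stage mapping from an API-call trace to behavior signatures.

Constructed example written for this page, not the paper's code.  The call
names in API_TO_ACTION, the signatures and the traces are hypothetical
stand-ins for the Symbian OS events the paper monitors.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Stage 1 table: hypothetical low-level call name -> high-level action.
API_TO_ACTION: Dict[str, str] = {
    "BtDeviceDiscovery": "DISCOVER_DEVICES",
    "BtConnect":         "CONNECT_PEER",
    "ObexPut":           "SEND_FILE",
    "FsCopy":            "COPY_FILE",
    "MsgCreate":         "COMPOSE_MSG",
    "MsgSend":           "SEND_MSG",
}


@dataclass(frozen=True)
class Event:
    ts: int                        # logical timestamp of the monitored call
    api: str                       # monitored API / system call name
    args: Tuple[str, ...] = ()


@dataclass(frozen=True)
class Signature:
    name: str
    steps: Tuple[str, ...]         # actions that must occur in this order


Action = Tuple[str, Tuple[str, ...]]


def stage1_actions(trace: Sequence[Event]) -> List[Action]:
    """Stage 1: translate each monitored call into a high-level action,
    in timestamp order.  Calls with no mapping are irrelevant to every
    signature and are dropped."""
    actions: List[Action] = []
    for ev in sorted(trace, key=lambda e: e.ts):
        action = API_TO_ACTION.get(ev.api)
        if action is not None:
            actions.append((action, ev.args))
    return actions


def matched_prefix(sig: Signature, actions: Sequence[Action]) -> int:
    """Stage 2: number of leading signature steps that appear, in order,
    as a subsequence of the action stream (steps need not be adjacent)."""
    i = 0
    for action, _ in actions:
        if i < len(sig.steps) and action == sig.steps[i]:
            i += 1
    return i


def feature_vector(actions: Sequence[Action],
                   signatures: Sequence[Signature]) -> List[float]:
    """One feature per signature: fraction of its ordered steps matched.
    Partial matches are kept so that a classifier (the paper trains an
    SVM) can weight incomplete but suspicious orderings."""
    return [matched_prefix(s, actions) / len(s.steps) for s in signatures]


def classify(actions: Sequence[Action], signatures: Sequence[Signature],
             threshold: float = 1.0) -> List[str]:
    """Constructed stand-in for the trained classifier: report every
    signature whose match fraction reaches the threshold."""
    feats = feature_vector(actions, signatures)
    return [s.name for s, f in zip(signatures, feats) if f >= threshold]


# Constructed signatures: self-replication over Bluetooth and over messaging.
SIGNATURES = (
    Signature("bt_self_replication",
              ("COPY_FILE", "DISCOVER_DEVICES", "CONNECT_PEER", "SEND_FILE")),
    Signature("msg_self_replication",
              ("COPY_FILE", "COMPOSE_MSG", "SEND_MSG")),
)

# Constructed trace: copy own package, then discover, connect and push it.
WORM_TRACE = [
    Event(1, "FsCopy", ("self.sis", "c:\\tmp\\self.sis")),
    Event(2, "BtDeviceDiscovery"),
    Event(3, "BtConnect", ("00:11:22:33:44:55",)),
    Event(4, "ObexPut", ("c:\\tmp\\self.sis",)),
]
# Constructed trace with the same four actions in the order a user-driven
# photo-sharing app would produce: share a picture, then back it up.
BENIGN_TRACE = [
    Event(1, "BtDeviceDiscovery"),
    Event(2, "BtConnect", ("00:11:22:33:44:55",)),
    Event(3, "ObexPut", ("c:\\photos\\img.jpg",)),
    Event(4, "FsCopy", ("c:\\photos\\img.jpg", "e:\\backup\\img.jpg")),
]


def verdict(trace: Sequence[Event]) -> List[str]:
    """Run both stages and the stand-in classifier over one trace."""
    return classify(stage1_actions(trace), SIGNATURES)


if __name__ == "__main__":
    print(verdict(WORM_TRACE))     # ['bt_self_replication']
    print(verdict(BENIGN_TRACE))   # []
```

A bag-of-actions representation would give both traces the identical feature set, so the ordering constraint in `matched_prefix` is what carries the signal; keeping the partial-match fraction rather than a boolean is what lets a downstream classifier learn from signatures that are only partly exercised in a trace.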
Index Terms
- Behavioral detection of malware on mobile handsets