Presentation is loading. Please wait.

Presentation is loading. Please wait.

UT DALLAS Erik Jonsson School of Engineering & Computer Science FEARLESS engineering Randomizing Smartphone Malware Profiles against Statistical Mining.

Published byJodie Stafford Modified over 8 years ago

Similar presentations

Presentation on theme: "UT DALLAS Erik Jonsson School of Engineering & Computer Science FEARLESS engineering Randomizing Smartphone Malware Profiles against Statistical Mining."— Presentation transcript:

1 UT DALLAS Erik Jonsson School of Engineering & Computer Science FEARLESS engineering Randomizing Smartphone Malware Profiles against Statistical Mining Techniques Abhijith Shastry Murat Kantarcioglu Yan Zhou Bhavani Thuraisingham

2 FEARLESS engineering Outline Introduction Related Work Smartphone Malware Development Attacking Statistical Data Mining Tools Experimental Results Conclusions

3 FEARLESS engineering Introduction Smartphone usage: –Calling –Web browsing –Social networking –Online banking

4 FEARLESS engineering Introduction (cont.) Smartphone OS: –iOS –Android –Symbian –Microsoft windows phone OS

5 FEARLESS engineering Introduction (cont.) Common malicious activities on smartphones –Collecting user information (61%) –Sending premium-rate SMS messages (52%) –Amusement –Credential theft –SMS spam –Search engine optimization –Ransom

6 FEARLESS engineering Introduction (cont.) Smartphone Defense Mechanisims –Application permission (Android) –Review (iOS) –Review and sign (Symbian)

7 FEARLESS engineering Introduction (cont.) Smartphone application market –Apple app store Applications are reviewed by Apple for security Disallow personal spyware –Android market Users can install applications from unofficial markets Google does not review applications prior their listing Google can remotely uninstall known malware from users’ devices –Nokia Ovi Symbian does not prevent or discourage users from installing applications from other sources. Symbian provides application signing services; only signed applications have permission to access dangerous privileges

8 FEARLESS engineering Introduction (cont.) User-approved permissions –Android: user-approved install-time permissions control access to the phone’s number, contact lists, camera, blue tooth, etc. –iOS: requires user approval to access location and send notifications at runtime rather than installation time –Symbian: user permission is needed to install unsigned apps.

9 FEARLESS engineering Introduction (cont.) Smartphone malware incentives –Amusement –Selling user informaiton Applications query mobile APIs for user’s location, lists of contacts, browser and download history, list of installed apps, IMEI (unique device id), inter-application data theft –Steal user credentials Bank account credentials ($1000), credit card number ($25), e- mail account password ($30) Intercepting SMS messages, phishing, keylogging and document scanning –Premium rate calls and SMS Android and Symbian, premium SMS can be sent completely unnoticed –SMS spam, search engine optimization, blackmail

10 FEARLESS engineering Introduction (cont.) Root exploit –Available 74% lifetime of a smartphone –Become available on average 5.2 days after a firmware version –Prior to or on the official release date

11 FEARLESS engineering Introduction (cont.) Incentives for root exploits –Restricted app distributions –Users cannot perform complete system backup –Restrictions on sharing internet connetions with computers –Users cannot remove pre-installed apps –Users cannot install custom versions of the OS

12 FEARLESS engineering Introduction (cont.) Smartphone malware activities –eavesdropping on phone calls –reading e-mail and call-logs –tracking callers’ locations Malware detection techniques –Static analysis –Dynamic analysis

13 FEARLESS engineering Related Work Permission-based behavioral foot-printing (Zhou et al.) Behavior checker (Yap and Ewe) Power signature (Kim et al.) Association rules and frequent episodes (Lee and Stolfo)

14 FEARLESS engineering Smartphone Malware Development Android platform (Samsung Captivate) –We assume that either through a direct installation or an indirect installation (through the payload of a benign application), the victim’s mobile phone is infected with the developed malware Six parameterized malware programs –Privacy intrusion –Information theft –Denial-of-service

15 FEARLESS engineering Smartphone Malware Development (cont.) Call recorder –Eavesdropping on incoming and outgoing calls –Recorded files stored locally or uploaded to a remote server –Parameters: max_duration, max_filesize, num_skipped_calls, interval_record, interval_sleep, _upload, delete_local

16 FEARLESS engineering Smartphone Malware Development (cont.) Smart recorder –Eavesdropping on specific phone numbers on both incoming and outgoing calls –Specific phone numbers can be changed at runtime –Phone numbers are stored on a remote server and the recorded phone calls are uploaded to the server –Parameters: max_duration, max_filesize, num_skipped_calls, interval_record, interval_sleep

17 FEARLESS engineering Smartphone Malware Development (cont.) Mass Uploader –Upload contents of memory to the server –Also download contents from a remote server –Parameters: upload/download_BW, upload/download_interval, upload/download_inter_lim

18 FEARLESS engineering Smartphone Malware Development (cont.) DoS –Spawn a large number of threads, each performing expensive multiplications –Freeze smartphone with 200 threads –Parameters: max_threads, num_multiplications, interval_restart, interval_sleep

19 FEARLESS engineering Smartphone Malware Development (cont.) Spy recorder –Remotely turn on the microphone and start recording any voice input –Initiated and terminated by a phone call from a specific number –Microphone is turned on when a call comes from the number and the call is automatically rejected afterwards –User is not notified –Parameters: max_duration, max_filesize, inverval_record, interval_sleep, _upload, delete_local

20 FEARLESS engineering Smartphone Malware Development (cont.) Spy camera –Taking snap shots from the camera –Pictures uploaded to a remote server –User is not notified when pictures are taken –Parameters: snap_interval, pic_dsample_ratio, pic_comp_quality, _upload, delete_local

21 FEARLESS engineering Attacking Statistical Data Mining Tools Data mining tools –Decision Tree –Logistic Regression –Naïve Bayes –Artificial neural network –Support vector machine Common assumption –training data and test data are identically independently distributed (iid).

22 FEARLESS engineering Attacking Statistical Data Mining Tools (cont.) Randomizing malware profiles –Malware parameters are randomized with an expected mean value. –Each randomized malware profile varies from the other with respect to the amount of deviation from the mean value of a parameter. For example, Rand x refers to a profile in which the variance from the mean value of the parameters is x. –Randomized profiles violate the iid assumption.

23 FEARLESS engineering Experimental Results Data collection –Recording run-time behavior of applications –Features including CPU consumption, network traffic, memory usage, power, etc. –Features are recorded every five seconds and stored in a database on the mobile phone. Data sets –20 benign apps 10 tools, 10 games –6 malware programs plus their randomized profiles

24 FEARLESS engineering Experimental Results (cont.) Evaluation metrics –True positive rate –False positive rate –Accuracy –Area Under Curve (AUC)

25 FEARLESS engineering Experimental Results (cont.) Experiment I: no randomized profiles –20 benign programs, 6 malware programs –10-fold cross-validation ClassifierAccuracyTPRFPRAUC DT99.6150.9880.0010.992 LR99.2310.9880.0060.995 NB82.6920.3030.0160.788 ANN99.8080.9960.0010.999 SVM95.4160.8320.0090.911

26 FEARLESS engineering Experimental Results (cont.) Experiment I (cont.): no randomized profiles –Training on games (right) has higher accuracy than training on tools(left) ClassifierAccuracyTPRFPRAUC DT99.5310.9930.0030.996 LR99.1670.9890.0070.996 NB71.5630.2920.0300.849 ANN99.7920.9970.0021.000 SVM98.6980.9860.01250.987 ClassifierAccuracyTPRFPRAUC DT99.9480.9990.0000.999 LR99.2710.9940.0080.995 NB74.6880.3390.0080.829 ANN99.9481.0000.0001.000 SVM93.4900.8400.0080.916

27 FEARLESS engineering Experimental Results (cont.) Experiment II: with randomized profiles

28 FEARLESS engineering Experimental Results (cont.) Experiment II: with randomized profiles

29 FEARLESS engineering Experimental Results (cont.) Experiment II: with randomized profiles

30 FEARLESS engineering Experimental Results (cont.) Experiment II: with randomized profiles

31 FEARLESS engineering Experimental Results (cont.) Experiment II: with randomized profiles

32 FEARLESS engineering Experimental Results (cont.) Experiment II: observations –No consistent winner –When training set does not contain randomized malware profiles, accuracy is limited to below 70%. –When training set contains Rand x and test set contains Rand y, good accuracy is obtained only when x ≈ y. –Averaging samples in 25-sec durations helps improve predictive accuracy. Longer durations do not result in further improvement.

33 FEARLESS engineering Conclusions We developed six custom parameterized malware programs on the Android platform. We demonstrate that data mining algorithms are vulnerable to attacks with randomized malware profiles. We also demonstrate that simple consolidation may effectively improve classification performance.

Download ppt "UT DALLAS Erik Jonsson School of Engineering & Computer Science FEARLESS engineering Randomizing Smartphone Malware Profiles against Statistical Mining."

Similar presentations

Kadra Alvaro April,2010. Introduction: The Android Platform Threats to Smartphones Android-Specific Threats How to Secure Your Android Device The Future.

Kadra Alvaro April,2010. Introduction: The Android Platform Threats to Smartphones Android-Specific Threats How to Secure Your Android Device The Future.
Dissecting Android Malware : Characterization and Evolution

Dissecting Android Malware : Characterization and Evolution
How Secure Are Your On-Line Payments? Brad Rand V.P. Information Technology Infrastructure Manager Information Security Officer.

How Secure Are Your On-Line Payments? Brad Rand V.P. Information Technology Infrastructure Manager Information Security Officer.
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
On the Feasibility of Large-Scale Infections of iOS Devices

On the Feasibility of Large-Scale Infections of iOS Devices
Designed By: Technical Training Department

Designed By: Technical Training Department
MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.

MOBILE MALWARE TOPIC #5 – INFORMATION ASSURANCE AND SECURITY Michael Fine 1.
William Enck, Machigar Ongtang, and Patrick McDaniel.

William Enck, Machigar Ongtang, and Patrick McDaniel.
Mobile Malware in the Wild Acknowledgement: Hiromu Enoki.

Mobile Malware in the Wild Acknowledgement: Hiromu Enoki.
Android Security What is out there? Waqar Aziz. Android Market Share - I 2.

Android Security What is out there? Waqar Aziz. Android Market Share - I 2.
CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.

CS 153 Design of Operating Systems Spring 2015 Lecture 24: Android OS.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.
Presentation By Deepak Katta

Presentation By Deepak Katta
Internet Safety By Megan Wilkinson. Viruses If your computer haves a viruses on it, it will show one of them or a different one. All commuters have different.

Internet Safety By Megan Wilkinson. Viruses If your computer haves a viruses on it, it will show one of them or a different one. All commuters have different.
Automatic Gender Identification using Cell Phone Calling Behavior Presented by David.

Automatic Gender Identification using Cell Phone Calling Behavior Presented by David.
A Hybrid Model to Detect Malicious Executables Mohammad M. Masud Latifur Khan Bhavani Thuraisingham Department of Computer Science The University of Texas.

A Hybrid Model to Detect Malicious Executables Mohammad M. Masud Latifur Khan Bhavani Thuraisingham Department of Computer Science The University of Texas.
eScan Total Security Suite with Cloud Security

eScan Total Security Suite with Cloud Security
Introduction to Mobile Malware

Introduction to Mobile Malware
A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.

A METHODOLOGY FOR EMPIRICAL ANALYSIS OF PERMISSION-BASED SECURITY MODELS AND ITS APPLICATION TO ANDROID.
VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

VMM Based Rootkit Detection on Android Class Presentation Pete Bohman, Adam Kunk, Erik Shaw.

Similar presentations

Ads by Google