
Behavioral Detection of Malware on Mobile Handsets Abhijit Bose IBM TJ Watson Research Xin Hu University of Michigan Kang G. Shin University of Michigan.




1 Behavioral Detection of Malware on Mobile Handsets
Abhijit Bose, IBM TJ Watson Research
Xin Hu, University of Michigan
Kang G. Shin, University of Michigan
Taejoon Park, Samsung Electronics
MobiSys 2008

2 Outline
Introduction
System Overview
Malicious Behavior Signatures
Run-time Construction of Behavior Signatures
Behavior Classification by Machine Learning Algorithm
Limitations
Evaluation
Conclusions

3 Introduction
0.5-1.5% of MMS traffic in a Russian mobile network is made up of infected messages (close to the proportion of malicious email traffic).
By the end of 2006, the known number of mobile malware families and their variants had increased by 69% and 75%, respectively.

4 Introduction
Payload signature-based detection isn't suitable for mobile devices:
Limited resources (power, CPU, memory)
Crossover worms, obfuscation, polymorphism

5 System Overview

6 Malicious Behavior Signatures: Temporal Logic
⊙t: true at time t
♦t: true at some instant before t
□t: true at all instants before t
(bounded past operator; symbol not recovered from the slide): true at some instant in the interval [t−k, t]

7 Malicious Behavior Signatures
Example: Commwarrior worm
Target: Symbian S60
Spread via Bluetooth and MMS

8 Malicious Behavior Signatures: Atomic propositional variables
ReceiveFile(f, mode, type)
InstallApp(f, files, dir)
LaunchProcess(p, parent)
MakeSIS(f, files)
BTFindDevice(d)
OBEXSendFile(f, d)
MMSFindAddress(a)
MMSSendMessage(f, a)
SetDevice(act, )
VerifyDayofMonth(date, )

9 Malicious Behavior Signatures: Signature
⊙t(bt−transfer) = ♦t(BTFindDevice(d)) ∧ (⊙t(OBEXSendFile(f,d)))
⊙t(mms−transfer) = ♦t(MMSFindAddress(a)) ∧ (⊙t(MMSSendMessage(f,a)))
⊙t(init−worm) = t(ReceiveFile(mode = Bluetooth)) ∨ (⊙t(ReceiveFile(mode = MMS)))
⊙t(activate−worm) = ♦t(init−worm) ∧ (⊙t(InstallApp) ∧ ⊙t(LaunchProcess))
⊙t(run−worm−1) = ♦t(activate−worm) ∧ (⊙t(MakeSIS) ∧ ⊙t(VerifyDayofMonth) ∧ ((SetDevice)))
⊙t(run−worm−2) = ♦t(activate−worm) ∧ (⊙t(MakeSIS) ∧ ((bt−transfer)))
⊙t(run−worm−3) = ♦t(activate−worm) ∧ (⊙t(MakeSIS) ∧ ((mms−transfer)))
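The signature above is a composition of the slide's temporal operators over a stream of monitored API calls. The following is an added Python example, not code from the paper or its authors, that evaluates the Commwarrior bt-transfer, init-worm, activate-worm and run-worm-2 propositions over a constructed event trace. The Event record, its argument names, and the window size k are assumptions; where an operator symbol was lost on the slide (the first disjunct of init-worm, and the operator on bt-transfer inside run-worm-2) the code assumes ⊙t and the bounded past operator respectively, as noted in the comments.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One logged API call (constructed record layout, not the paper's log format)."""
    t: int            # logical timestamp assigned by the monitor
    name: str         # monitored API, e.g. "BTFindDevice"
    args: tuple = ()  # (argument name, value) pairs


def arg(e, key):
    return dict(e.args).get(key)


def at(trace, t, name, **wanted):
    """Operator ⊙t: events `name` with the wanted argument values logged exactly at t."""
    return [e for e in trace if e.t == t and e.name == name
            and all(arg(e, k) == v for k, v in wanted.items())]


def before(trace, t, name, **wanted):
    """Operator ♦t: such events logged at some instant strictly before t."""
    return [e for e in trace if e.t < t and e.name == name
            and all(arg(e, k) == v for k, v in wanted.items())]


def times(trace):
    return sorted({e.t for e in trace})


def before_prop(trace, t, prop):
    """♦t applied to a derived proposition: prop held at some instant before t."""
    return any(prop(trace, u) for u in times(trace) if u < t)


def within_prop(trace, t, k, prop):
    """Bounded past operator: prop held at some instant in [t-k, t]."""
    return any(prop(trace, u) for u in times(trace) if t - k <= u <= t)


# Derived propositions from the Commwarrior slide. The variables d and a are bound by
# matching argument values across events: the device found is the device sent to.
def bt_transfer(trace, t):
    return any(before(trace, t, "BTFindDevice", d=arg(send, "d"))
               for send in at(trace, t, "OBEXSendFile"))


def mms_transfer(trace, t):
    return any(before(trace, t, "MMSFindAddress", a=arg(send, "a"))
               for send in at(trace, t, "MMSSendMessage"))


def init_worm(trace, t):
    # Assumption: the operator on the first disjunct (lost on the slide) is ⊙t.
    return bool(at(trace, t, "ReceiveFile", mode="Bluetooth")
                or at(trace, t, "ReceiveFile", mode="MMS"))


def activate_worm(trace, t):
    return (before_prop(trace, t, init_worm)
            and bool(at(trace, t, "InstallApp"))
            and bool(at(trace, t, "LaunchProcess")))


def run_worm_2(trace, t, k=5):
    # Assumption: bt-transfer is under the bounded past operator; k=5 is an arbitrary window.
    return (before_prop(trace, t, activate_worm)
            and bool(at(trace, t, "MakeSIS"))
            and within_prop(trace, t, k, bt_transfer))


def first_match(trace, prop):
    """Earliest instant at which a signature holds, or None if it never does."""
    for t in times(trace):
        if prop(trace, t):
            return t
    return None


# Constructed traces, not real monitor output. InstallApp and LaunchProcess share a
# timestamp because the slide conjoins both under ⊙t at the same instant.
WORM_TRACE = [
    Event(1, "ReceiveFile", (("f", "w.sis"), ("mode", "Bluetooth"))),
    Event(2, "InstallApp", (("f", "w.sis"),)),
    Event(2, "LaunchProcess", (("p", "w.exe"),)),
    Event(3, "BTFindDevice", (("d", "00:11:22"),)),
    Event(4, "OBEXSendFile", (("f", "w.sis"), ("d", "00:11:22"))),
    Event(5, "MakeSIS", (("f", "w.sis"),)),
]

# A legitimate Bluetooth transfer: find a device and send a photo, nothing installed.
BENIGN_TRACE = [
    Event(1, "BTFindDevice", (("d", "00:11:22"),)),
    Event(2, "OBEXSendFile", (("f", "photo.jpg"), ("d", "00:11:22"))),
]

if __name__ == "__main__":
    print("worm run-worm-2 at t =", first_match(WORM_TRACE, run_worm_2))
    print("benign run-worm-2 at t =", first_match(BENIGN_TRACE, run_worm_2))
```

The benign trace satisfies bt-transfer on its own, which is exactly why the slide composes it with init-worm and activate-worm: a single transfer is normal behaviour, and only the full sequence (receive, install, launch, build a SIS, then transfer) classifies as the worm.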

10 Malicious Behavior Signatures: Generalized Behavior Signatures
User Data Integrity
System Data Integrity
Trojan-like Actions

11 Run-time Construction of Behavior Signatures
Proxy DLL technique
log(timestamp, ret, obj, istatus);

12 Run-time Construction of Behavior Signatures
Generation of Dependency Graph
Graph Pruning and Aggregation
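Slides 11 and 12 only name the steps: the proxy DLL records each call as log(timestamp, ret, obj, istatus), and a dependency graph is built, pruned and aggregated before signature matching. The following is an added Python example, not the authors' code, that carries those steps through on constructed log records. The linking rule (an edge from a call to a later call whose object is that call's return value), the pruning rules (drop failed calls and calls outside the monitored API set) and the aggregation rule (collapse consecutive calls to the same API) are assumptions chosen for illustration, as is the api field added to each record.

```python
from collections import defaultdict

# APIs that matter to the signatures; anything else is dropped during pruning (assumption).
MONITORED = {"ReceiveFile", "InstallApp", "LaunchProcess", "MakeSIS",
             "BTFindDevice", "OBEXSendFile", "MMSFindAddress", "MMSSendMessage"}

# Constructed log records in the slide's field order, plus the hooked API name.
# istatus == 0 is treated as success (assumption).
LOG = [
    # (timestamp, api, ret, obj, istatus)
    (10, "BTFindDevice", "dev:7", None, 0),
    (11, "BTFindDevice", "dev:8", None, 0),
    (12, "GetTime", "t0", None, 0),          # not a monitored API: pruned
    (13, "OBEXSendFile", "err", "dev:9", -1),  # failed call: pruned
    (14, "MakeSIS", "w.sis", None, 0),
    (15, "OBEXSendFile", "ok", "dev:7", 0),
    (16, "OBEXSendFile", "ok", "dev:8", 0),
]


def prune(log):
    """Keep successful calls to monitored APIs, in timestamp order."""
    return sorted((r for r in log if r[4] == 0 and r[1] in MONITORED),
                  key=lambda r: r[0])


def dependency_edges(records):
    """Edge (i, j) when call j operates on an object that earlier call i returned.

    Return values are keyed by value; a later producer of the same value shadows
    an earlier one, so each consumer links to its most recent producer.
    """
    edges = set()
    producer = {}
    for ts, api, ret, obj, status in records:
        if obj is not None and obj in producer:
            edges.add((producer[obj], ts))
        if ret is not None:
            producer[ret] = ts
    return sorted(edges)


def aggregate(records):
    """Collapse consecutive calls to the same API into (api, count) nodes."""
    out = []
    for ts, api, ret, obj, status in records:
        if out and out[-1][0] == api:
            out[-1][1] += 1
        else:
            out.append([api, 1])
    return [tuple(node) for node in out]


def behaviour_graph(log):
    """Pruned records, data-dependency edges, and the aggregated call sequence."""
    kept = prune(log)
    return kept, dependency_edges(kept), aggregate(kept)


if __name__ == "__main__":
    kept, edges, nodes = behaviour_graph(LOG)
    print("kept timestamps:", [r[0] for r in kept])
    print("edges:", edges)
    print("aggregated:", nodes)
```

The aggregated sequence (BTFindDevice x2, MakeSIS, OBEXSendFile x2) together with the edges linking each found device to the transfer that used it is the compact structure the temporal-logic signatures are matched against; pruning first keeps failed probes and unrelated calls from inflating it.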

13 Behavior Classification by Machine Learning Algorithm
Use SVM as Support Vector Classification (SVC)
A key step in SVM is the mapping of the vectors x from their original input space to a higher-dimensional dot-product space

14 Limitations
Obfuscation?
Novel malware
Some malware may bypass the API monitoring (rootkit)

15 Evaluation
Malware: Cabir, Mabir, Lasco, Commwarrior, and a generic worm
Legitimate: Bluetooth file transfer, MMS client, MakeSIS utility
905 distinct signatures for the test data set

16 Evaluation

17

18 Real-world worms
Cabir has 32 variants
Cabir.H: bug fix
Cabir.AF: compression
New Cabir: obfuscation

19 Evaluation
Performance of Proxy DLL: 3%

20 Conclusions
Behavioral detection framework
Behavior signature
Use SVM to train a classifier from normal and malicious data

