Behavioral Detection of Malware on Mobile Handsets Abhijit Bose IBM TJ Watson Research Xin Hu University of Michigan Kang G. Shin University of Michigan Taejoon Park Samsung Electronics MobiSys 2008

Outline Introduction System Overview Malicious Behavior Signatures Run-time Construction of Behavior Signatures Behavior Classification by Machine Learning Algorithm Limitations Evaluation Conclusions

Introduction % of MMS traffic in a Russian mobile network is made up of infected message (close to malicious traffic) By the end of 2006, the known number of mobile malware families and their variants increased by 69% and 75%

Introduction Payload signature-based detection isn’t suitable for mobile devices Limited resources (power, CPU, memory) Crossover worms, obfuscation, polymorphism

System Overview

Malicious Behavior Signatures Temporal Logic ⊙ t true at time t ♦t true at some instant before t □ t true at all instants before t true at some instant in the interval [t −k, t].

Malicious Behavior Signatures Example: Commwarrior Worm Target: Symbian S60 Spread via Bluetooth and MMS

Malicious Behavior Signatures Atomic propositional variables ReceviceFile(f,mode,type) InstallApp(f,files,dir) LaunchProcess(p,parent) MakeSIS(f,files) BTFindDevice(d) OBEXSendFile(f,d) MMSFindAddress(a) MMSSendMessage(f,a) SetDevice(act, ) VerifyDayofMonth(date, )

Malicious Behavior Signatures Signature: ⊙ t (bt −transfer) = ♦t(BTFindDevice(d)) ∧ ( ⊙ t (OBEXSendFile(f,d))) ⊙ t (mms−transfer) = ♦t (MMSFindAddress(a)) ∧ ( ⊙ t (MMSSendMessage(f,a))) ⊙ t (init −worm) = t (ReceiveFile(mode = Bluetooth)) ∨ ( ⊙ t (ReceiveFile(mode = MMS))) ⊙ t (activate−worm) = ♦t (init −worm) ∧ ( ⊙ t (InstallApp) ∧ ⊙ t(LaunchProcess)) ⊙ t (run−worm−1) = ♦t (activate−worm) ∧ ( ⊙ t (MakeSIS) ∧ ⊙ t (VerifyDayofMonth) ∧ ( (SetDevice))) ⊙ t (run−worm−2) = ♦t (activate−worm) ∧ ( ⊙ t (MakeSIS) ∧ (( bt −transfer))) ⊙ t (run−worm−3) = ♦t (activate−worm) ∧ ( ⊙ t (MakeSIS) ∧ ( (mms−transfer)))

Malicious Behavior Signatures Generalized Behavior Signatures User Data Integrity System Data Integrity Trojan-like Actions

Run-time Construction of Behavior Signatures Proxy DLL technique log(timestamp,ret,obj,istatus);

Run-time Construction of Behavior Signatures Generation of Dependency Graph Graph Pruning and Aggregation

Behavior Classification by Machine Learning Algorithm Use SVM as Support Vector Classification (SVC)SVM A key step in SVM is mapping of the vectors x from their original input space to a higher- dimensional dot-product space

Limitations Obfuscation? Novel malware Some malware may bypass the API monitoring rootkit

Evaluation Malware Cabir, Mabir, Lasco, Commwarrior, and a generic worm Legitimate Bluetooth file transfer, MMS client, MakeSIS utility 905 distinct signatures for test data set

Evaluation

Real-world worms Cabir has 32 variants Cabir.H : fix bug Cabir.AF : compression New Cabir : obfuscation

Evaluation Performance of Proxy DLL 3%

Conclusions Behavioral detection framework Behavior signature Use SVM to train a classifier from normal and malicious data