Behavioral Detection of Malware on Mobile Handsets
Abhijit Bose (IBM TJ Watson Research), Xin Hu (University of Michigan), Kang G. Shin (University of Michigan), Taejoon Park (Samsung Electronics)
MobiSys 2008
Outline
- Introduction
- System Overview
- Malicious Behavior Signatures
- Run-time Construction of Behavior Signatures
- Behavior Classification by Machine Learning Algorithm
- Limitations
- Evaluation
- Conclusions
Introduction
- % of MMS traffic in a Russian mobile network is made up of infected messages (close to malicious traffic)
- By the end of 2006, the known number of mobile malware families and their variants had increased by 69% and 75%, respectively
Introduction
- Payload signature-based detection isn't suitable for mobile devices
  - Limited resources (power, CPU, memory)
  - Crossover worms, obfuscation, polymorphism
System Overview
Malicious Behavior Signatures: Temporal Logic
- ⊙_t : true at time t
- ♦_t : true at some instant before t
- □_t : true at all instants before t
- true at some instant in the interval [t − k, t]
Malicious Behavior Signatures: Example, the Commwarrior Worm
- Target: Symbian S60
- Spreads via Bluetooth and MMS
Malicious Behavior Signatures: Atomic propositional variables
- ReceiveFile(f, mode, type)
- InstallApp(f, files, dir)
- LaunchProcess(p, parent)
- MakeSIS(f, files)
- BTFindDevice(d)
- OBEXSendFile(f, d)
- MMSFindAddress(a)
- MMSSendMessage(f, a)
- SetDevice(act, )
- VerifyDayofMonth(date, )
Malicious Behavior Signatures: Commwarrior signature
⊙_t(bt-transfer) = ♦_t(BTFindDevice(d)) ∧ ⊙_t(OBEXSendFile(f,d))
⊙_t(mms-transfer) = ♦_t(MMSFindAddress(a)) ∧ ⊙_t(MMSSendMessage(f,a))
⊙_t(init-worm) = t(ReceiveFile(mode = Bluetooth)) ∨ ⊙_t(ReceiveFile(mode = MMS))
⊙_t(activate-worm) = ♦_t(init-worm) ∧ (⊙_t(InstallApp) ∧ ⊙_t(LaunchProcess))
⊙_t(run-worm-1) = ♦_t(activate-worm) ∧ (⊙_t(MakeSIS) ∧ ⊙_t(VerifyDayofMonth) ∧ ( (SetDevice)))
⊙_t(run-worm-2) = ♦_t(activate-worm) ∧ (⊙_t(MakeSIS) ∧ ( (bt-transfer)))
⊙_t(run-worm-3) = ♦_t(activate-worm) ∧ (⊙_t(MakeSIS) ∧ ( (mms-transfer)))
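The signatures above are a mechanical check over a logged API trace. As an added example (not code from the paper), the following Python evaluator implements the ⊙_t and ♦_t operators with ∧/∨, including the shared-variable constraint (the device d found by BTFindDevice must be the one passed to OBEXSendFile), and runs the first four Commwarrior signatures against a constructed trace. Trace entries, variable names prefixed with "?", and the sample values are assumptions of this example.

```python
def call(name, **pattern):
    """⊙_t: API `name` is invoked at exactly instant t. Pattern values that start
    with '?' are variables bound from the call's arguments; others must match literally."""
    def prop(trace, t):
        matches = []
        for ts, api, args in trace:          # trace entries: (timestamp, API name, {arg: value})
            if ts != t or api != name:
                continue
            binding = {}
            for key, want in pattern.items():
                if key not in args:
                    break
                if isinstance(want, str) and want.startswith("?"):
                    binding[want] = args[key]
                elif args[key] != want:
                    break
            else:
                matches.append(binding)     # one binding per matching call at t
        return matches
    return prop

def before(p):
    """♦_t: p held at some instant s < t; bindings are collected from every such s."""
    return lambda trace, t: [b for s in range(t) for b in p(trace, s)]

def conj(p, q):
    """p ∧ q, keeping only binding pairs that agree on shared variables (e.g. device d)."""
    return lambda trace, t: [{**a, **b} for a in p(trace, t) for b in q(trace, t)
                             if all(a[k] == b[k] for k in a.keys() & b.keys())]

def disj(p, q):  # p ∨ q
    return lambda trace, t: p(trace, t) + q(trace, t)

def holds(sig, trace, t):  # True when signature `sig` is satisfied at instant t
    return bool(sig(trace, t))

# The first four Commwarrior signatures from the slide
bt_transfer   = conj(before(call("BTFindDevice", d="?d")), call("OBEXSendFile", d="?d"))
mms_transfer  = conj(before(call("MMSFindAddress", a="?a")), call("MMSSendMessage", a="?a"))
init_worm     = disj(call("ReceiveFile", mode="Bluetooth"), call("ReceiveFile", mode="MMS"))
activate_worm = conj(before(init_worm), conj(call("InstallApp"), call("LaunchProcess")))

TRACE = [  # constructed sample API trace (not from the paper); times are logical instants
    (0, "ReceiveFile",   {"f": "worm.sis", "mode": "Bluetooth"}),
    (1, "InstallApp",    {"f": "worm.sis"}),
    (1, "LaunchProcess", {"p": "worm.exe"}),
    (3, "BTFindDevice",  {"d": "00:11:22:33:44:55"}),
    (4, "OBEXSendFile",  {"f": "copy.sis", "d": "00:11:22:33:44:55"}),
    (5, "OBEXSendFile",  {"f": "photo.jpg", "d": "AA:BB:CC:DD:EE:FF"}),  # device never scanned
]
```

On this trace activate-worm holds at instant 1 and bt-transfer at instant 4, while the send at instant 5 does not match because its device address was never returned by a preceding BTFindDevice.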
Malicious Behavior Signatures: Generalized Behavior Signatures
- User Data Integrity
- System Data Integrity
- Trojan-like Actions
Run-time Construction of Behavior Signatures
- Proxy DLL technique
- log(timestamp, ret, obj, istatus);
Run-time Construction of Behavior Signatures
- Generation of Dependency Graph
- Graph Pruning and Aggregation
Behavior Classification by Machine Learning Algorithm
- Use SVM as Support Vector Classification (SVC)
- A key step in SVM is the mapping of the vectors x from their original input space to a higher-dimensional dot-product space
Limitations
- Obfuscation?
- Novel malware
- Some malware may bypass the API monitoring (rootkit)
Evaluation
- Malware: Cabir, Mabir, Lasco, Commwarrior, and a generic worm
- Legitimate: Bluetooth file transfer, MMS client, MakeSIS utility
- 905 distinct signatures for the test data set
Evaluation
Real-world worms
- Cabir has 32 variants
  - Cabir.H: bug fix
  - Cabir.AF: compression
  - New Cabir: obfuscation
Evaluation
- Performance of Proxy DLL: 3%
Conclusions
- Behavioral detection framework
- Behavior signatures
- Use SVM to train a classifier from normal and malicious data