KAIST Internet Security Lab. CS710 Behavioral Detection of Malware on Mobile Handsets MobiSys 2008, Abhijit Bose et al. 2008.12.11. 이 승 민.

Presentation transcript:

KAIST Internet Security Lab. CS710 Behavioral Detection of Malware on Mobile Handsets MobiSys 2008, Abhijit Bose et al 이 승 민

“Behavioral Detection of Malware…” -2/18- CS710 IS Lab
Contents
1. Introduction
2. System Overview
3. Malicious Behavior Signatures
4. Run-time Construction
5. Evaluation
6. Conclusion

Slide 3/18 - 1. Introduction
Behavior?

Slide 4/18 - 1. Introduction
Malware on mobile handsets
- The first mobile worm, Cabir, appeared in June 2004
- By the end of 2006, the number of known mobile malware families and variants had increased by 59% and 75%, respectively, over 2005
Differences in the mobile environment
- Limited resources such as CPU, memory and battery
- Difficulty of constructing network signatures
- Spreading via non-traditional vectors (SMS, Bluetooth)
- Differences in the OS (file permissions, modification)

Slide 5/18 - 1. Introduction
Related work
- Network-based anomaly detection
- Host-based anomaly detection: using consecutive system calls from normal applications (rule learning, finite-state automata, Hidden Markov Models); but it can be evaded by simple obfuscation
This paper
- Monitors a program's run-time behavior at a higher level
- Run-time analysis
- Uses both normal and malware behaviors

Slide 6/18 - 2. System Overview
- The monitoring agent collects application behavior in the form of system events/API calls
- Aggregated behavior signatures are reported to the detection agent

Slide 7/18 - 3. Malicious Behavior Signatures
Temporal patterns
- A logical ordering of the steps over time often clearly reveals the malicious intent
- Example:
  - Bluetooth OBEX system call (CObexClient::Put()) -> harmless
  - Received file is of type .SIS & that file is later executed & the installer process seeks to overwrite files in the system directory -> Mabir, Commwarrior
- Behavior signatures are best specified using temporal logic instead of classical propositional logic
- TLCK (temporal logic of causal knowledge) language

Slide 8/18 - 3. Malicious Behavior Signatures
Temporal logic
- Specify malicious behavior in terms of system events, combined by temporal and logical operators
- Operators (the operator symbols did not survive in the transcript):
  - true at time t
  - true at some instant before t
  - true at all instants before t
  - true at some instant in the interval [t-k, t]

Slide 9/18 - 3. Malicious Behavior Signatures
Example: Commwarrior worm (Symbian OS)
- Atomic variables are combined into seven higher-level signatures
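As an added illustration of slides 7 to 9 (this is example code written for this transcript, not the paper's implementation or the presenter's), the four temporal operators listed on slide 8 are evaluated over a constructed log of intercepted API calls, and combined into the "received .SIS, later executed, installer writes the system directory" pattern from slide 7. The log is a list indexed by time instant, each entry holding the (API, argument) pairs recorded at that instant; apart from CObexClient::Put, the API names, file paths and the window k are assumptions made for the example.

```python
# Added example: TLCK-style operators over a constructed API-call log (not the paper's code).
def holds(prop, trace, t):
    """Atomic proposition prop is true at instant t if any call logged at t satisfies it."""
    return any(prop(api, arg) for api, arg in trace[t])

# Temporal operators from the slide (instants are the integers 0..t).
def at(prop, trace, t):                   # true at time t
    return holds(prop, trace, t)

def sometime_before(prop, trace, t):      # true at some instant before t
    return any(holds(prop, trace, s) for s in range(t))

def always_before(prop, trace, t):        # true at all instants before t
    return all(holds(prop, trace, s) for s in range(t))

def within(prop, trace, t, k):            # true at some instant in [t-k, t]
    return any(holds(prop, trace, s) for s in range(max(0, t - k), t + 1))

# Atomic propositions for the signature (API names other than CObexClient::Put are assumptions).
def recv_sis(api, arg):     # an installer package arrives over Bluetooth OBEX
    return api == "CObexClient::Put" and arg.lower().endswith(".sis")

def exec_sis(api, arg):     # the received package is executed
    return api == "RProcess::Create" and arg.lower().endswith(".sis")

def sys_write(api, arg):    # the installer overwrites a file under the system directory
    return api == "RFile::Replace" and arg.lower().startswith("c:\\system\\")

def worm_like(trace, t, k=5):
    """Signature at instant t: a system-directory write now, a .SIS executed within
    the last k instants, and a .SIS received at some earlier instant."""
    return (at(sys_write, trace, t) and within(exec_sis, trace, t, k)
            and sometime_before(recv_sis, trace, t))

def first_match(trace, k=5):
    """Earliest instant at which the signature fires, or None if it never does."""
    return next((t for t in range(len(trace)) if worm_like(trace, t, k)), None)

# Constructed logs, indexed by instant. A lone OBEX transfer of a picture is harmless.
benign = [[("CObexClient::Put", "photo.jpg")]]
# Worm-like ordering: .SIS received at 0, executed at 4, system directory written at 6.
wormy = [[("CObexClient::Put", "commw.sis")], [], [("RFile::Read", "cfg")], [],
         [("RProcess::Create", "commw.sis")], [],
         [("RFile::Replace", "C:\\System\\Apps\\a.exe")]]

if __name__ == "__main__":
    print(first_match(benign), first_match(wormy))   # None 6
```

Shrinking the window k to 1 makes the same log no longer match, which is the ordering-in-time constraint that a propositional signature over the same API set cannot express.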

Slide 10/18 - 4. Run-Time Signature Construction
Monitoring API calls using a proxy DLL
- The proxy DLL intercepts and records details about the API call events from the application (with the Symbian OS emulator)

Slide 11/18 - 4. Run-Time Signature Construction
Stage I: Generation of the dependency graph
- The dependency graph is constructed from the logged API calls

Slide 12/18 - 4. Run-Time Signature Construction
Stage II: Graph pruning and aggregation
- The dependency graph grows over time
- Pruning
  - The process did not have inter-process dependency relationships with any other process
  - Its graph does not partially match any malicious behavior signature
  - It did not create or modify any file or directory
  - It is a helper process that takes input from a process and returns data to the main process
- Aggregation: each API call is aggregated to reduce the size of the overall storage
- Construction of a behavior signature (TLCK)

Slide 13/18 - 5. Evaluation
SVM classification
- Which of the separators is optimal?

Slide 14/18 - 5. Evaluation
- The margin of the separator is the width of separation between the classes
- Maximizing the margin is good according to intuition
- Examples closest to the hyperplane are the support vectors

Slide 15/18 - 5. Evaluation
Methodology
- Monitoring agent is implemented in the Symbian OS emulator (OS dependent)
- 8 applications: 5 worms (Cabir, Mabir, Lasco, Commwarrior, generic worm) and 3 legitimate (OBEX file transfer, MMS client, MakeSIS)
- Detection agent uses an SVM classifier (OS independent)

Slide 16/18 - 5. Evaluation
Accuracy of SVM detection for known worms
- The SVM almost never falsely classifies a legitimate application signature as malicious

Slide 17/18 - 5. Evaluation
Detection of unknown worms
- When the training set contains 3 malware samples, detection is relatively high

Slide 18/18 - 6. Conclusion
Contribution
- First attempt to construct a behavioral detection model for mobile environments
- Defines malicious behaviors with TLCK (temporal logic)
Discussion
- What is the difference compared to wired networks?
- How about using an HMM (Hidden Markov Model) in behavior detection?
- Suitable as a future research topic?