
KAIST Internet Security Lab. CS710 Behavioral Detection of Malware on Mobile Handsets MobiSys 2008, Abhijit Bose et al. 2008.12.11. 이 승 민.





2 “Behavioral Detection of Malware…” CS710 IS Lab
Contents
1. Introduction
2. System Overview
3. Malicious Behavior Signatures
4. Run-time Construction
5. Evaluation
6. Conclusion

3 1. Introduction
Behavior?

4 1. Introduction: Malware on mobile handsets
- The first mobile worm, Cabir, appeared in June 2004.
- By the end of 2006, the known number of mobile malware families and variants had increased by 59% and 75% respectively over 2005.
Differences in the mobile setting:
- Limited resources (CPU, memory, battery)
- Difficulty of constructing network signatures
- Spreading via non-traditional vectors (SMS, Bluetooth)
- Differences in the OS (file permissions, modification)

5 1. Introduction: Related work
- Network-based anomaly detection
- Host-based anomaly detection: uses sequences of consecutive system calls from normal applications (rule learning, finite-state automata, Hidden Markov Models), but can be evaded by simple obfuscation
This paper:
- Monitors a program's run-time behavior at a higher level
- Run-time analysis
- Uses both normal and malware behaviors

6 2. System Overview
- The monitoring agent collects application behavior in the form of system events / API calls
- Aggregated behavior signatures are reported to the detection agent

7 3. Malicious Behavior Signatures: Temporal patterns
- A logical ordering of the steps over time often clearly reveals the malicious intent
- Example:
  - A Bluetooth OBEX system call (CObexClient::Put()) on its own → harmless
  - The received file is of type .SIS, that file is later executed, and the installer process then seeks to overwrite files in the system directory → Mabir, Commwarrior
- Behavior signatures are best specified in temporal logic rather than classical propositional logic: the TLCK (temporal logic of causal knowledge) language

8 3. Malicious Behavior Signatures: Temporal logic
Malicious behavior is specified in terms of system events combined by temporal and logical operators. The four temporal operators state that a proposition is:
- true at time t
- true at some instant before t
- true at all instants before t
- true at some instant in the interval [t-k, t]
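The four operators on this slide and the .SIS pattern on the previous slide, as an added example that is not part of the slides or the paper; the event names other than CObexClient::Put and the two traces are assumed/constructed:

```python
# Added example (not from the paper or slides): a TLCK-style evaluator for the four
# slide-8 operators, run over a constructed API-call trace to check the slide-7
# pattern (OBEX Put of a .SIS file that is later executed, after which the installer
# writes into the system directory). Event names other than CObexClient::Put and
# the trace contents are assumed/constructed, not Symbian APIs or real logs.
from typing import Callable, Dict, List, Tuple

Event = Tuple[int, str, Dict[str, str]]  # (time, api_name, arguments)
Pred = Callable[[Event], bool]

class Trace:
    """Timestamped API-call log of one application, as the monitoring agent collects it."""
    def __init__(self, events: List[Event]) -> None:
        self.events = sorted(events, key=lambda e: e[0])
        self.times = sorted({e[0] for e in self.events})

    def at(self, t: int, p: Pred) -> bool:  # p holds at time t
        return any(e[0] == t and p(e) for e in self.events)

    def sometime_before(self, t: int, p: Pred) -> bool:  # p holds at some instant before t
        return any(e[0] < t and p(e) for e in self.events)

    def always_before(self, t: int, p: Pred) -> bool:  # p holds at all instants before t
        earlier = [u for u in self.times if u < t]
        return bool(earlier) and all(self.at(u, p) for u in earlier)

    def within(self, t: int, k: int, p: Pred) -> bool:  # p holds at some instant in [t-k, t]
        return any(t - k <= e[0] <= t and p(e) for e in self.events)

def is_sis(e: Event) -> bool:
    return e[2].get("file", "").lower().endswith(".sis")

def worm_like(trace: Trace) -> bool:
    """Slide-7 signature: a write into C:\\System at t, preceded by execution of a
    .SIS file that itself arrived earlier via CObexClient::Put."""
    put_sis = lambda e: e[1] == "CObexClient::Put" and is_sis(e)
    exec_sis = lambda e: e[1] == "ExecuteFile" and is_sis(e)
    sys_write = lambda e: e[1] == "WriteFile" and e[2].get("path", "").lower().startswith("c:\\system\\")
    for t in (t for t in trace.times if trace.at(t, sys_write)):
        for ex in (e for e in trace.events if e[0] < t and exec_sis(e)):
            name = ex[2]["file"]  # the executed file must be the one received over OBEX
            if trace.sometime_before(ex[0], lambda e: put_sis(e) and e[2]["file"] == name):
                return True
    return False

# Constructed traces: a benign photo transfer and a worm-like install chain.
BENIGN = Trace([(1, "CObexClient::Put", {"file": "photo.jpg"}), (2, "ExecuteFile", {"file": "viewer.exe"}),
                (3, "WriteFile", {"path": "C:\\Data\\photo.jpg"})])
WORM = Trace([(1, "CObexClient::Put", {"file": "payload.sis"}), (2, "ExecuteFile", {"file": "payload.sis"}),
              (3, "WriteFile", {"path": "C:\\System\\Apps\\payload.app"})])
```

`worm_like(WORM)` returns True and `worm_like(BENIGN)` returns False, which is the propositional-versus-temporal distinction the slide makes: the same OBEX Put is harmless until the later steps follow it.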

9 3. Malicious Behavior Signatures: Example, the Commwarrior worm (Symbian OS)
- Atomic variables are combined into seven higher-level signatures

10 4. Run-Time Signature Construction: Monitoring API calls using a proxy DLL
- The proxy DLL intercepts and records details of the API call events made by the application (in the Symbian OS emulator)

11 4. Run-Time Signature Construction: Stage I, generation of the dependency graph
- The dependency graph is constructed from the logged API calls

12 4. Run-Time Signature Construction: Stage II, graph pruning and aggregation
- The dependency graph grows over time
- Pruning criteria for a process:
  - it had no inter-process dependency relationships with any other process
  - its graph does not partially match any malicious behavioral signature
  - it did not create or modify any file or directory
  - it is a helper process that takes input from a process and returns data to the main process
- Aggregation: each API call is aggregated to reduce the overall storage size
- Construction of a behavior signature (TLCK)

13 5. Evaluation: SVM classification
- Which of the separators is optimal?

14 5. Evaluation: SVM classification (continued)
- The margin of the separator is the width of separation between the classes
- Intuitively, maximizing the margin is good
- The examples closest to the hyperplane are the support vectors

15 5. Evaluation: Methodology
- The monitoring agent is implemented in the Symbian OS emulator (OS dependent)
- 8 applications: 5 worms (Cabir, Mabir, Lasco, Commwarrior, a generic worm) and 3 legitimate applications (OBEX file transfer, MMS client, MakeSIS)
- The detection agent uses an SVM classifier (OS independent)

16 5. Evaluation: Accuracy of SVM detection for known worms
- The SVM almost never falsely classifies a legitimate application's signature as malicious

17 5. Evaluation: Detection of unknown worms
- When the training set contains 3 malware samples, detection is relatively high

18 6. Conclusion
Contribution:
- First attempt to construct a behavioral detection model for mobile environments
- Malicious behaviors defined with TLCK (temporal logic)
Discussion:
- What is the difference compared to a wired network?
- How about using an HMM (Hidden Markov Model) for behavior detection?
- Suitable as a future research topic?

