Presented by: Suparna Manjunath - PowerPoint PPT Presentation

About This Presentation
Title:

Presented by: Suparna Manjunath

Description:

Title: John Cavazos Institute for Computing Systems Architecture Schoo Author: Suparna Last modified by: Suparna Document presentation format: Custom – PowerPoint PPT presentation

Number of Views:71
Avg rating:3.0/5.0
Slides: 29
Provided by: supa48
Category:

less

Transcript and Presenter's Notes

Title: Presented by: Suparna Manjunath


1
Behavioral Detection of Malware on Mobile
Handsets Abhijit Bose, Xin Hu, Kang G. Shin,
Taejoon Park
  • Presented by Suparna Manjunath
  • Dept of Computer Information Sciences
  • University of Delaware

2
Malware on Mobile Handsets
  • Like PCs Mobile Handsets are becoming more
    intelligent and complex in functionality
  • Exposure to malicious programs and risks increase
    with the new capabilities of handsets
  • Cabir, the first mobile worm appeared in June
    2004
  • WinCE.Duts, the Windows CE virus was the first
    file injector on mobile handsets capable of
    infecting all the executables in the devices
    root directory

3
Limitations of current anti-virus solutions for
mobile devices
  • Rely primarily on signature-based detection
  • Useful mostly for post-infection cleanup
  • Example
  • Scan the system directory for the presence of
    files with specific extension
  • .APP, .RSC and .MLD in Symbian-based devices
  • Due to differences between mobile and traditional
    desktop environments

4
Why conventional anti-virus solutions are less
efficient for mobile devices?
  • Mobile devices generally have limited resources
    such as CPU, memory, and battery power
  • Most published studies on the detection of
    internet malware focus on their network
    signatures
  • Mobile OSes have important differences in the way
    file permissions and modifications to the OS are
    handled

5
Goal
  • Develop a detection framework that
  • Overcomes the limitations of signature based
    detection
  • Address the unique features and constraints of
    mobile handsets

6
Approach
Behavioral detection approach is used to detect
malware on mobile handsets
7
Behavioral Detection
  • Run-time behavior of an application is monitored
    and compared against malicious and/or normal
    behavior profiles
  • More resilient to polymorphic worms and code
    obfuscation
  • Database of behavior profiles is much smaller
    than that needed for storing signature-based
    profiles
  • Suitable for resource limited handsets
  • Has potential for detecting new malware

8
System Overview
9
Malicious Behavior Signatures
  • Behavior Signature Manifestation of a
    specification of resource accesses and events
    generated by applications
  • It is not sufficient to monitor a single event of
    a process in isolation in order to classify an
    activity to be malicious
  • Temporal Pattern The precedence order of the
    events and resource accesses, is the key to
    detect malicious intent

10
Temporal Patterns - Example
  • Consider a simple file transfer by calling the
    Bluetooth OBEX system call in Symbian OS
  • On their own, any such call will appear harmless
  • Temporal Pattern
  • (received file is of type .SIS) and (that
    file is executed later) and (installer process
    seeks to overwrite files in the system directory)

11
Representation of Malicious Behavior
  • Simple Behavior ordering the corresponding
    actions using a vector clock and applying the
    and operator to the actions
  • Complex Behavior specified using temporal logic
    instead of classical propositional logic
  • Specification language of TLCK(Temporal Logic of
    Causal Knowledge) is used to represent malicious
    behaviors within the context of a handset
    environment

12
Behavior Signature
  • A finite set of propositional variables
    interposed using TLCK
  • Each variable (when true) confirms the execution
    of either
  • - A single or an aggregation of system
    calls
  • - An event such as read/write access to a
    given file descriptor, directory structure or
    memory location
  • PS p1, p2, , pm U ii ? N

13
Operators used to define Malicious Behavior
Logical Operators Temporal Operators
14
Example Commwarrior Worm Behavior Signature
15
Atomic Propositional Variables
16
Higher Level Signatures
Harmless Signatures Harmful Signatures
17
Generalized Behavior Signatures
  • Studied more than 25 distinct families of mobile
    viruses and worms targeting the Symbian OS
  • Extracted most common signature elements and a
    database was created
  • Malware actions were placed were placed into 3
    categories
  • - User Data Integrity
  • - System Data Integrity
  • - Trojan-like Actions

18
Run-Time Construction of Behavior Signatures
Proxy DLL to capture API call arguments
19
Major Components of Monitoring System
20
Behavior Classification By Machine Learning
Algorithm
  • Behavior signatures for the complete life cycle
    of malware are placed in the behavior database
    for run-time classification
  • To activate early response mechanisms, malicious
    behavior database must also contain partial
    signatures that have a high probability of
    eventually manifesting as malicious behavior
  • Behavior detection system can detect even new
    malware or variants of existing malware, whose
    behavior is only partially matched with the
    signatures in the database
  • SVM is used to classify partial behavior
    signatures from the training data of both normal
    and malicious applications

21
Possible Evasions
  • Program behavior can be obfuscated by
  • Behavior reordering
  • File or directory renaming
  • Normal behavior insertion
  • Equivalent behavior replacement

22
Limitations
  • The detection might fail if most behaviors of a
    mobile malware are completely new or the same as
    normal programs
  • The system can be circumvented by malware that
    can bypass the API monitoring or modify the
    framework configuration

23
Evaluation
  • Monitor agent (platform dependent) and Behavior
    detection agent (platform independent) is
    evaluated
  • Program behavior is emulated and then tested
    against real-world worms
  • 5 malware applications (Cabir, Mabir, Lasco,
    Commwarrior, and a generic worm that spreads by
    sending messages via MMS and Bluetooth) and 3
    legitimate applications (Bluetooth OBEX file
    transfer, MMS client, and the MakeSIS utility in
    Symbian OS) were built

Training Dataset
Applications (Malwre Legitimate)
Set of Behavior Signatures
Obtain Partial/ Full Signatures
Remove Redundant Signatures
Testing Dataset
24
Classification Accuracy of Known Worms
25
Detection Accuracy () of Unknown Worms
26
Evaluation with Real-world Mobile Worms
  • Two Symbian worms, Cabir and Lasco are considered
  • Behavior signatures are collected by compiling
    and running them on Symbian emulator
  • - SVC achieved 100 detection of all worm
    instances
  • Frameworks resilience to the variations and
    obfuscation is tested by considering the variants
    of Cabir
  • - The variants are easily detectable as the
    behavioral detection abstracts away the name
    details

27
Conclusions
  • Due to fewer signatures, the malware database is
    compact and can be place on a handset
  • Can potentially detect new malware and their
    variants
  • Behavioral detection results in high detection
    rates

28
Thank You
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Presented by: Suparna Manjunath" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!