
Behavioral Detection of Malware on Mobile Handsets MobiSys 2008, Abhijit Bose et al.



  1. Behavioral Detection of Malware on Mobile Handsets MobiSys 2008, Abhijit Bose et al. 2008.12.11. 이 승 민

  2. Contents
     1 Introduction
     2 System Overview
     3 Malicious Behavior Signatures
     4 Run-time Construction
     5 Evaluation
     6 Conclusion

  3. 1. Introduction
     • Behavior?

  4. 1. Introduction
     • Malware on mobile handsets
       • The first mobile worm, Cabir, appeared in June 2004
       • By the end of 2006, the known number of mobile malware families and variants had increased by 59% and 75% respectively over 2005
     • Differences in mobile
       • Limited resources such as CPU, memory and battery
       • Difficulty of constructing network signatures
       • Spreading via non-traditional vectors (SMS, Bluetooth)
       • Differences in OS (file permissions, modification)

  5. 1. Introduction
     • Related work
       • Network-based anomaly detection
       • Host-based anomaly detection
         • Using sequences of consecutive system calls from normal applications
         • Rule learning, finite-state automata, Hidden Markov Model
         • But these can be evaded by simple obfuscation
     • This paper
       • Monitoring a program's run-time behavior at a higher level
       • Run-time analysis
       • Using both normal and malware behaviors

  6. 2. System Overview
     • System
       • Monitor agent collects the application behavior in the form of system events/API calls
       • Aggregated behavior signatures are reported to the detection agent

  7. 3. Malicious Behavior Signatures
     • Temporal patterns
       • A logical ordering of the steps over time often clearly reveals the malicious intent
     • Example
       • Bluetooth OBEX system call (CObexClient::Put()) → harmless
       • Received file is of type .SIS & that file is later executed & the installer process seeks to overwrite files in the system directory → Mabir, Commwarrior
     • Behavior signatures are best specified using temporal logic instead of classical propositional logic
       • TLCK (temporal logic of causal knowledge) language

  8. 3. Malicious Behavior Signatures
     • Temporal logic
       • Specify malicious behavior in terms of system events, by temporal and logical operators
       • : true at time t
       • : true at some instant before t
       • : true at all instants before t
       • : true at some instant in the interval [t-k, t]
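Added here as a worked example (not the paper's or the presenter's code): a small Python evaluator for the four TLCK-style operators above, applied to constructed API-call logs for the .SIS signature of slide 7. CObexClient::Put comes from the slides; RProcess::Create and RFile::Replace are assumed stand-ins for the "file is executed" and "installer overwrites a system file" events, and all instants, pids and paths are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    """One intercepted API call from the monitor agent's log (constructed)."""
    t: int      # logical instant
    pid: int
    api: str
    arg: str

# TLCK-style operators over a list of events; p is an atomic proposition
def at(p, events, t):
    """p holds at instant t."""
    return any(e.t == t and p(e) for e in events)

def some_before(p, events, t):
    """p holds at some instant before t."""
    return any(e.t < t and p(e) for e in events)

def all_before(p, events, t):
    """p holds at all logged instants before t."""
    return all(at(p, events, s) for s in {e.t for e in events if e.t < t})

def some_within(p, events, t, k):
    """p holds at some instant in the interval [t-k, t]."""
    return any(t - k <= e.t <= t and p(e) for e in events)

# Atomic propositions; RProcess::Create / RFile::Replace are assumed stand-ins
# for the installer events the paper logs, CObexClient::Put is from the slides.
def obex_sis(e):     return e.api == "CObexClient::Put" and e.arg.lower().endswith(".sis")
def exec_sis(e):     return e.api == "RProcess::Create" and e.arg.lower().endswith(".sis")
def sysdir_write(e): return e.api == "RFile::Replace" and e.arg.startswith("C:/System/")

def sis_install_signature(events, k=60):
    """A .SIS arrived over OBEX, was later executed, and within k instants of
    that execution a system-directory file was overwritten."""
    for w in filter(sysdir_write, events):
        executed = lambda e: exec_sis(e) and some_before(obex_sis, events, e.t)
        if some_within(executed, events, w.t, k):
            return True
    return False

# Constructed logs: an OBEX transfer that is only saved, and a worm-like install
BENIGN = [Event(1, 7, "CObexClient::Put", "photo.jpg"),
          Event(2, 7, "CObexClient::Put", "Game.SIS"),
          Event(3, 7, "RFile::Replace", "C:/Data/Game.SIS")]
WORM = [Event(1, 7, "CObexClient::Put", "Game.SIS"),
        Event(5, 9, "RProcess::Create", "C:/Data/Game.SIS"),
        Event(6, 9, "RFile::Replace", "C:/System/Apps/Game.app")]
```

The benign log receives the same .SIS but never executes it, so the signature stays silent; only the ordered receive, execute, overwrite chain fires.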

  9. 3. Malicious Behavior Signatures
     • Example: Commwarrior Worm
       • Symbian OS
       • Atomic variables are combined into seven higher-level signatures

  10. 4. Run-Time Signature Construction
     • Monitoring API calls using a proxy DLL
       • The proxy DLL intercepts and records details about the API call events from the application (in the Symbian OS emulator)

  11. 4. Run-Time Signature Construction
     • Stage I: Generation of dependency graph
       • Dependency graph is constructed from logged API calls

  12. 4. Run-Time Signature Construction
     • Stage II: Graph pruning and aggregation
       • Dependency graph grows over time
     • Pruning
       • The process did not have inter-process dependency relationships with any other process
       • Its graph does not partially match any malicious behavior signature
       • It did not create or modify any file or directory
       • It is a helper process that takes input from a process and returns data to the main process
     • Aggregation
       • Each API call is aggregated to reduce the size of the overall storage
       • Construction of a behavior signature (TLCK)
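An added Python illustration (not from the paper) of Stage I and Stage II: a dependency graph is built from a constructed API-call log, then the four pruning rules are applied to each process. The API names and paths are stand-ins, and the reading that rules 1 to 3 must hold together while rule 4 alone suffices is my assumption, not something the slides state.

```python
from collections import defaultdict
# Constructed monitor-agent log of (pid, api, arg); stand-in API names, not the paper's data
WRITE_APIS = {"RFile::Replace", "RFile::Write", "RFs::MkDir"}
READ_APIS = {"RFile::Open", "RFile::Read"}
LOG = [
    (7, "CObexClient::Put", "Game.SIS"),            # OBEX receiver
    (7, "RFile::Replace", "C:/Data/Game.SIS"),
    (9, "RFile::Open", "C:/Data/Game.SIS"),         # installer reads pid 7's file
    (9, "RFile::Replace", "C:/System/Apps/x.app"),  # and overwrites a system file
    (11, "RFile::Open", "C:/Data/clock.cfg"),       # isolated read-only app
    (9, "RFile::Write", "C:/Data/req9"),            # pid 12: helper of pid 9
    (12, "RFile::Open", "C:/Data/req9"),
    (12, "RFile::Write", "C:/Data/ans9"),
    (9, "RFile::Read", "C:/Data/ans9"),
]
# Atomic propositions of one behavior signature; any hit is a partial match
SIGNATURE_ATOMS = [
    lambda e: e[1] == "CObexClient::Put" and e[2].lower().endswith(".sis"),
    lambda e: e[1] in WRITE_APIS and e[2].startswith("C:/System/"),
]

def dependency_graph(log):
    """Stage I: edge (a, b) when process b reads a path process a wrote."""
    writers = defaultdict(set)
    for pid, api, arg in log:
        if api in WRITE_APIS:
            writers[arg].add(pid)
    edges = set()
    for pid, api, arg in log:
        if api in READ_APIS:
            edges.update((w, pid) for w in writers[arg] if w != pid)
    return edges

def is_helper(pid, edges):
    """Pruning rule 4: takes input from exactly one process and returns data to it."""
    came_from = {a for a, b in edges if b == pid}
    went_to = {b for a, b in edges if a == pid}
    return len(came_from) == 1 and came_from == went_to

def prunable(pid, log, edges):
    """Stage II: prune a helper, or an isolated process with no file change and no signature atom hit (conjunction assumed)."""
    own = [e for e in log if e[0] == pid]
    isolated = not any(pid in edge for edge in edges)
    no_match = not any(atom(e) for e in own for atom in SIGNATURE_ATOMS)
    no_fs_change = not any(e[1] in WRITE_APIS for e in own)
    return is_helper(pid, edges) or (isolated and no_match and no_fs_change)

def prune(log):
    """Processes whose graphs are kept for signature construction."""
    edges = dependency_graph(log)
    return {p for p in {e[0] for e in log} if not prunable(p, log, edges)}
```

On this log only the OBEX receiver (pid 7) and the installer (pid 9) survive pruning; the isolated clock app and the helper are dropped before aggregation.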

  13. 5. Evaluation
     • SVM classification
       • Which of the separators is optimal?

  14. 5. Evaluation
     • The margin of the separator is the width of separation between the classes
     • Intuitively, maximizing the margin is good
     • The examples closest to the hyperplane are the support vectors

  15. 5. Evaluation
     • Methodology
       • Monitoring agent is implemented in the Symbian OS Emulator
         • OS dependent
       • 8 applications
         • 5 worms: Cabir, Mabir, Lasco, Commwarrior, generic worm
         • 3 legitimate: OBEX file transfer, MMS client, MakeSIS
       • Detection agent uses SVM classifier
         • OS independent

  16. 5. Evaluation
     • Accuracy of SVM
       • Detection for known worms
       • SVM almost never falsely classifies a legitimate application's signature as malicious

  17. 5. Evaluation
     • Detection for unknown worms
       • When the training set contains 3 malware, detection of the unknown worms is relatively high

  18. 6. Conclusion
     • Contribution
       • First attempt to construct a behavioral detection model for mobile environments
       • Defines malicious behaviors with TLCK (temporal logic)
     • Discussion
       • What is the difference compared to a wired network?
       • How about using an HMM (Hidden Markov Model) in behavior detection?
       • Is this suitable as a future research topic?
