Presentation is loading. Please wait.

Presentation is loading. Please wait.

CISC 879 - Machine Learning for Solving Systems Problems Presented by: Suparna Manjunath Dept of Computer & Information Sciences University of Delaware.

Published byLeslie Hood Modified over 9 years ago

Similar presentations

Presentation on theme: "CISC 879 - Machine Learning for Solving Systems Problems Presented by: Suparna Manjunath Dept of Computer & Information Sciences University of Delaware."— Presentation transcript:

1 CISC 879 - Machine Learning for Solving Systems Problems Presented by: Suparna Manjunath Dept of Computer & Information Sciences University of Delaware Behavioral Detection of Malware on Mobile Handsets Abhijit Bose, Xin Hu, Kang G. Shin, Taejoon Park

2 CISC 879 - Machine Learning for Solving Systems Problems Malware on Mobile Handsets  Like PC’s Mobile Handsets are becoming more intelligent and complex in functionality  Exposure to malicious programs and risks increase with the new capabilities of handsets  Cabir, the first mobile worm appeared in June 2004  WinCE.Duts, the Windows CE virus was the first file injector on mobile handsets capable of infecting all the executables in the device’s root directory

3 CISC 879 - Machine Learning for Solving Systems Problems  Rely primarily on signature-based detection  Useful mostly for post-infection cleanup  Example: Scan the system directory for the presence of files with specific extension.APP,.RSC and.MLD in Symbian-based devices  Due to differences between mobile and traditional desktop environments Limitations of current anti-virus solutions for mobile devices

4 CISC 879 - Machine Learning for Solving Systems Problems Why conventional anti-virus solutions are less efficient for mobile devices?  Mobile devices generally have limited resources such as CPU, memory, and battery power  Most published studies on the detection of internet malware focus on their network signatures  Mobile OSes have important differences in the way file permissions and modifications to the OS are handled

5 CISC 879 - Machine Learning for Solving Systems Problems Goal Develop a detection framework that  Overcomes the limitations of signature based detection  Address the unique features and constraints of mobile handsets

6 CISC 879 - Machine Learning for Solving Systems Problems Approach Behavioral detection approach is used to detect malware on mobile handsets

7 CISC 879 - Machine Learning for Solving Systems Problems Behavioral Detection  Run-time behavior of an application is monitored and compared against malicious and/or normal behavior profiles  More resilient to polymorphic worms and code obfuscation  Database of behavior profiles is much smaller than that needed for storing signature-based profiles  Suitable for resource limited handsets  Has potential for detecting new malware

8 CISC 879 - Machine Learning for Solving Systems Problems System Overview

9 CISC 879 - Machine Learning for Solving Systems Problems Malicious Behavior Signatures  Behavior Signature: Manifestation of a specification of resource accesses and events generated by applications  It is not sufficient to monitor a single event of a process in isolation in order to classify an activity to be malicious  Temporal Pattern: The precedence order of the events and resource accesses, is the key to detect malicious intent

10 CISC 879 - Machine Learning for Solving Systems Problems Temporal Patterns - Example  Consider a simple file transfer by calling the Bluetooth OBEX system call in Symbian OS  On their own, any such call will appear harmless  Temporal Pattern: (received file is of type.SIS) and (that file is executed later) and (installer process seeks to overwrite files in the system directory)

11 CISC 879 - Machine Learning for Solving Systems Problems Representation of Malicious Behavior  Simple Behavior: ordering the corresponding actions using a vector clock and applying the “and” operator to the actions  Complex Behavior: specified using temporal logic instead of classical propositional logic  Specification language of TLCK(Temporal Logic of Causal Knowledge) is used to represent malicious behaviors within the context of a handset environment

12 CISC 879 - Machine Learning for Solving Systems Problems Behavior Signature  A finite set of propositional variables interposed using TLCK  Each variable (when true) confirms the execution of either - A single or an aggregation of system calls - An event such as read/write access to a given file descriptor, directory structure or memory location  PS = {p1, p2, ・ ・ ・, pm} U {i|i ∈ N}

13 CISC 879 - Machine Learning for Solving Systems Problems Operators used to define Malicious Behavior Logical Operators: Temporal Operators:

14 CISC 879 - Machine Learning for Solving Systems Problems Example: Commwarrior Worm – Behavior Signature

15 CISC 879 - Machine Learning for Solving Systems Problems Atomic Propositional Variables

16 CISC 879 - Machine Learning for Solving Systems Problems Higher Level Signatures Harmless Signatures: Harmful Signatures:

17 CISC 879 - Machine Learning for Solving Systems Problems Generalized Behavior Signatures  Studied more than 25 distinct families of mobile viruses and worms targeting the Symbian OS  Extracted most common signature elements and a database was created  Malware actions were placed were placed into 3 categories: - User Data Integrity - System Data Integrity - Trojan-like Actions

18 CISC 879 - Machine Learning for Solving Systems Problems Run-Time Construction of Behavior Signatures Proxy DLL to capture API call arguments

19 CISC 879 - Machine Learning for Solving Systems Problems Major Components of Monitoring System

20 CISC 879 - Machine Learning for Solving Systems Problems Behavior Classification By Machine Learning Algorithm  Behavior signatures for the complete life cycle of malware are placed in the behavior database for run-time classification  To activate early response mechanisms, malicious behavior database must also contain partial signatures that have a high probability of eventually manifesting as malicious behavior  Behavior detection system can detect even new malware or variants of existing malware, whose behavior is only partially matched with the signatures in the database  SVM is used to classify partial behavior signatures from the training data of both normal and malicious applications

21 CISC 879 - Machine Learning for Solving Systems Problems Possible Evasions Program behavior can be obfuscated by:  Behavior reordering  File or directory renaming  Normal behavior insertion  Equivalent behavior replacement

22 CISC 879 - Machine Learning for Solving Systems Problems Limitations  The detection might fail if most behaviors of a mobile malware are completely new or the same as normal programs  The system can be circumvented by malware that can bypass the API monitoring or modify the framework configuration

23 CISC 879 - Machine Learning for Solving Systems Problems Evaluation  Monitor agent (platform dependent) and Behavior detection agent (platform independent) is evaluated  Program behavior is emulated and then tested against real-world worms  5 malware applications (Cabir, Mabir, Lasco, Commwarrior, and a generic worm that spreads by sending messages via MMS and Bluetooth) and 3 legitimate applications (Bluetooth OBEX file transfer, MMS client, and the MakeSIS utility in Symbian OS) were built Applications (Malwre + Legitimate) Set of Behavior Signatures Obtain Partial/ Full Signatures Remove Redundant Signatures Training Dataset Testing Dataset

24 CISC 879 - Machine Learning for Solving Systems Problems Classification Accuracy of Known Worms

25 CISC 879 - Machine Learning for Solving Systems Problems Detection Accuracy (%) of Unknown Worms

26 CISC 879 - Machine Learning for Solving Systems Problems Evaluation with Real-world Mobile Worms  Two Symbian worms, Cabir and Lasco are considered  Behavior signatures are collected by compiling and running them on Symbian emulator - SVC achieved 100% detection of all worm instances  Framework’s resilience to the variations and obfuscation is tested by considering the variants of Cabir - The variants are easily detectable as the behavioral detection abstracts away the name details

27 CISC 879 - Machine Learning for Solving Systems Problems Conclusions  Due to fewer signatures, the malware database is compact and can be place on a handset  Can potentially detect new malware and their variants  Behavioral detection results in high detection rates

28 CISC 879 - Machine Learning for Solving Systems Problems Thank You

Download ppt "CISC 879 - Machine Learning for Solving Systems Problems Presented by: Suparna Manjunath Dept of Computer & Information Sciences University of Delaware."

Similar presentations

Mobile Viruses and Worms (Project Group 6) Amit Kumar Jain Amogh Asgekar Jeevan Chalke Manoj Kumar Ramdas Rao.

Mobile Viruses and Worms (Project Group 6) Amit Kumar Jain Amogh Asgekar Jeevan Chalke Manoj Kumar Ramdas Rao.
Operating System Structures

Operating System Structures
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.

1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.

Security strategy. What is security strategy? How an organisation plans to protect and respond to security attacks on their information technology assets.
NaLIX: A Generic Natural Language Search Environment for XML Data Presented by: Erik Mathisen 02/12/2008.

NaLIX: A Generic Natural Language Search Environment for XML Data Presented by: Erik Mathisen 02/12/2008.
Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.

Security in By: Abdulelah Algosaibi Supervised by: Prof. Michael Rothstein Summer II 2010: CS 6/79995 Operating System Security.
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.

Learning Classifier Systems to Intrusion Detection Monu Bambroo 12/01/03.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.

S EC (4.5): S ECURITY 1. F ORMS OF ATTACK There are numerous way that a computer system and its contents can be attacked via network connections. Many.
1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.

1 Software Testing and Quality Assurance Lecture 30 – Testing Systems.
William Enck, Machigar Ongtang, and Patrick McDaniel.

William Enck, Machigar Ongtang, and Patrick McDaniel.
Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)

Efficient Privilege De-Escalation for Ad Libraries in Mobile Apps Bin Liu (SRA), Bin Liu (CMU), Hongxia Jin (SRA), Ramesh Govindan (USC)
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.

Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden

Henric Johnson1 Chapter 10 Malicious Software Henric Johnson Blekinge Institute of Technology, Sweden
A Hybrid Model to Detect Malicious Executables Mohammad M. Masud Latifur Khan Bhavani Thuraisingham Department of Computer Science The University of Texas.

A Hybrid Model to Detect Malicious Executables Mohammad M. Masud Latifur Khan Bhavani Thuraisingham Department of Computer Science The University of Texas.
CISC 879 - Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:

CISC Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

Similar presentations

Ads by Google