
Knowledge-based Temporal Abstraction Host-based Intrusion Detection System for Android






Presentation Transcript


  1. Knowledge-based Temporal Abstraction Host-based Intrusion Detection System for Android KB-IDS

  2. Academic Advisor: Dr. Yuval Elovici. Technical Advisor: Asaf Shabtai. Team Members: Eliya Rahamim, Elad Ankry, Uri Kanonov

  3. Background
  • An IDS is used to detect malicious behaviors that indicate a breach in the security of a computer system.
  • The Knowledge-based Temporal Abstraction (KBTA) method is one in which a computational mechanism extracts meaningful conclusions from raw time-stamped data and domain knowledge.
  • Android is an operating system for mobile devices, based on the Linux kernel and developed by Google. It allows development of applications in Java, controlling the phone via Google-developed Java libraries.

  4. Problem Domain
  • In the modern age, smartphones, as well as the threats they are susceptible to, are a growing trend.
  • This strengthens the need for sophisticated defense mechanisms to protect them.

  5. Current Situation
  • Mobile devices lack the computational strength needed to support PC-like security solutions.
  • Android, being an open source and open platform, introduces new potential risks and types of attacks.
  • Android has some inherent security mechanisms, but they cannot cope with all possible threats.
  • Due to application sandboxing, conventional methods such as antivirus are futile. There is a need for a different solution…

  6. Proposed Solution - HIDS

  7. Knowledge-based Temporal Abstraction
  • Developed by Prof. Yuval Shahar, 1997
  • Time-stamped raw data:
    - Primitive parameters
    - Events
  • Higher-level meaningful temporal information:
    - Contexts
    - Abstractions
    - Temporal patterns
  • Knowledge (KBTA security ontology)
  • Four inference mechanisms:
    - Temporal context forming
    - Contemporaneous abstraction
    - Temporal interpolation
    - Temporal pattern matching

  8. KBTA – cont. (diagram) Layers from bottom to top over time T0–T3: events (Wi-Fi connection events), primitives (TCP packets sent), abstractions (TCP packets sent state Low/Medium/High, e.g. "TCP Packets Sent State = HIGH"), contexts (Internet Connection Mode context) and patterns (intervals I1 and I2 matched against a Worm pattern).
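The four inference mechanisms of slide 7 applied to the scenario sketched on slide 8, as an added example that is not the KB-IDS project's code. The raw data (Wi-Fi events, TCP packets sent per sample) is constructed, and the state thresholds, the interpolation gap and the minimum pattern length are assumptions.

```python
# Added illustration of the KBTA inference steps on constructed data.
# Not the KB-IDS project's code; all thresholds and names are assumptions.

# Constructed time-stamped raw data (seconds since monitoring started).
WIFI_EVENTS = [(0, "connected"), (60, "disconnected")]       # events
TCP_SENT = [(5, 3), (10, 4), (15, 55), (20, 60), (25, 70),   # primitive parameter:
            (30, 80), (35, 2), (40, 4)]                      # (time, packets/sec)

def form_contexts(events, on="connected", off="disconnected"):
    """Temporal context forming: pair on/off events into context intervals
    (the 'Internet Connection Mode' context of the diagram)."""
    ctx, start = [], None
    for t, kind in events:
        if kind == on and start is None:
            start = t
        elif kind == off and start is not None:
            ctx.append((start, t))
            start = None
    if start is not None:                   # still connected at end of data
        ctx.append((start, float("inf")))
    return ctx

def abstract_state(value, low=10, high=50):
    """Contemporaneous abstraction: map one raw value to LOW/MEDIUM/HIGH."""
    return "LOW" if value < low else "MEDIUM" if value < high else "HIGH"

def interpolate(samples, max_gap=10):
    """Temporal interpolation: join consecutive same-state samples that are
    at most max_gap seconds apart into intervals (start, end, state)."""
    intervals = []
    for t, v in samples:
        s = abstract_state(v)
        if intervals and intervals[-1][2] == s and t - intervals[-1][1] <= max_gap:
            intervals[-1] = (intervals[-1][0], t, s)
        else:
            intervals.append((t, t, s))
    return intervals

def match_worm_pattern(intervals, contexts, min_len=15):
    """Temporal pattern matching: a HIGH 'TCP packets sent' state lasting at
    least min_len seconds entirely inside a connection context."""
    return [(s, e) for s, e, state in intervals if state == "HIGH"
            and e - s >= min_len
            and any(c0 <= s and e <= c1 for c0, c1 in contexts)]

def detect(events=WIFI_EVENTS, samples=TCP_SENT):
    """Run the whole pipeline; returns the matched (start, end) intervals."""
    return match_worm_pattern(interpolate(samples), form_contexts(events))
```

On the constructed data, `detect()` reports the HIGH interval from second 15 to 30, which lies inside the 0–60 connection context; the same burst while disconnected would not match.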

  9. Func. Requirements - Agent

  10. Func. Requirements – Analysis Servers

  11. Func. Requirements – KBTA Server

  12. Func. Requirements – Threat Weighting Unit

  13. Non-Func. Requirements
  • Gathering a feature batch (maximum 40) by the agent should take less than 10 seconds.
  • CPU usage by the HIDS should be under 10%.
  • The HIDS should take at most 10MB on the data partition of the device.
  • The HIDS will be developed in Java using the Android SDK.
  • For demo and testing purposes, a real device will be supplied by DT Labs.

  14. Collect Features, Analyze Data and Weight Assessments
  • Primary actors: Android
  • Description: After a time trigger, the agent collects the monitored feature values and sends them to all of the local analysis servers. Each server analyzes the data and outputs a threat assessment. The assessments are weighted by the TWU (Threat Weighting Unit) and, if a threat is found, an alert along with any associated data is dispatched to the agent and the Control Center.
  • Trigger: A time trigger from Android
  • Pre-conditions: The agent is installed on the device and is running
  • Post-conditions: If a threat is found, an alert along with any associated data has been dispatched

  15. Risks
  • Risk: The HIDS consumes too much CPU
    - Solution: Reduce the quantity of features collected by the agent and/or decrease the collection rate
  • Risk: The HIDS consumes too much memory
    - Solution: Reduce the time frame for keeping raw data in the KBTA's memory
  • Risk: The HIDS consumes too much bandwidth
    - Solution: Lessen the amount of data transmitted to and from the Control Center

  16. The End. And so Android lived happily ever after…
