Andromaly. Introduction.
Asaf Shabtai, Uri Kanonov, Yuval Elovici, Chanan Glezer, and Yael Weiss. 2012. "Andromaly": a behavioral malware detection framework for android devices. J. Intell. Inf. Syst. 38, 1 (February 2012)
AVEEK KARMAKAR, KSHITIJKUMAR PATIL, DOIPAYAN BHOWMICK
Introduction
• Smartphones are susceptible to various malware threats such as viruses, Trojan horses, and worms, all of which are well known from desktop platforms.
• Malware on a smartphone can make the phone partially or fully unusable; cause unwanted billing; steal private information; or infect every name in a user’s phonebook.
• Common desktop security solutions have been analyzed and evaluated for their applicability to mobile devices and have been found to be inadequate for use on smartphones.
Introduction (contd.)
• The paper describes a generic and modular framework for detecting malware on Android mobile devices.
• The system continuously monitors the mobile device to detect suspicious and abnormal activities using a supervised anomaly detection technique.
• The framework relies on a lightweight application, installed on the mobile device, that samples various system metrics (CPU consumption, number of packets sent over Wi-Fi, number of running processes, battery level) and analyzes them in order to infer the well-being state of the device.
• The main assumption is that these system metrics can be used to detect previously unencountered malware, by examining similarities with the patterns of system metrics induced by known malware.
Related Work
• Analysis techniques for detecting malware are of two types:
  • Dynamic analysis
  • Static analysis
• Most analysis techniques for detecting malware on mobile devices focus on dynamic analysis approaches.
• In the majority of cases, Host-based Intrusion Detection Systems (HIDS) have been used. Only a handful of systems employ static analysis for detecting malware on mobile devices.
• Artificial Neural Networks (ANN) have been used to detect anomalous behavior.
• SmartSiren: a collaborative, proxy-based SMS virus detection and alert system for smartphones.
Related Work (contd.)
• Intrusion Detection Architecture for Mobile devices (IDAMN), which used both rule-based and anomaly detection methods.
• Battery-Sensing Intrusion Protection System (B-SIPS) for mobile computers, which alerts when abnormal current changes are detected.
• Battery-Based Intrusion Detection System (B-BID), a means of improving mobile device security that monitors the device’s electrical current and evaluates its correlation with known signatures and patterns.
• The aforementioned frameworks and systems proved valuable in protecting mobile devices in general; however, they do not leverage Android’s capabilities to their full extent.
• Since Android is an open source and extensible platform, it allows one to extract as many features as desired. This enables richer detection capabilities that do not rely merely on standard call records or power consumption patterns.
The Andromaly Framework
• Android’s security model is “system centric”: apps specify permissions at installation time but have no control afterwards.
• Andromaly is a lightweight malware detection system.
• Real-time monitoring, collection, preprocessing, and analysis of various system metrics.
• After collection and preprocessing, the system metrics are sent for analysis to detection units called processors.
• Each processor generates a threat assessment (TA).
• The TAs are weighted to produce an integrated alert.
• A smoothing phase is included to avoid false alarms.
• A notification is displayed to the user and automatic or manual actions are taken.
Detection Method
• Using machine learning
  • Evaluated classifiers: k-Means, Logistic Regression, Histograms, Decision Tree, Bayesian Networks, Naïve Bayes
  • Two phases: training (generate a classifier) and testing (test the classifier)
• Feature selection
  • Too many features cause problems (misleading features, over-fitting, increased complexity and runtime)
  • Filter approach: an objective function evaluates each feature by its content and estimates its contribution.
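Added example, not code from the paper or the slides: a filter-style feature-selection step of the kind described above, run over a constructed set of sampled system metrics labelled benign or malicious. The objective function used here is the Fisher score (between-class spread over within-class spread); the slides do not name Andromaly's objective function, so that choice, the feature names and the sample values are assumptions of this example.

```python
# Added example: filter-based feature selection over constructed system-metric
# samples. The Fisher score is assumed as the objective; the slides do not
# say which objective Andromaly uses.
from statistics import mean, pvariance

# Constructed samples: (cpu_pct, wifi_tx_packets, running_procs, battery_pct)
# with label 0 = benign app running, 1 = malicious app running.
FEATURES = ["cpu_pct", "wifi_tx_packets", "running_procs", "battery_pct"]
SAMPLES = [
    ([12.0,  40, 31, 96], 0), ([15.0,  55, 32, 95], 0), ([10.0,  38, 30, 97], 0),
    ([14.0,  45, 31, 94], 0), ([11.0,  42, 33, 96], 0),
    ([88.0, 900, 34, 90], 1), ([92.0, 950, 35, 89], 1), ([85.0, 870, 33, 91], 1),
    ([90.0, 910, 34, 88], 1), ([87.0, 930, 36, 90], 1),
]

def fisher_score(values, labels):
    """Fisher score of one feature: sum over classes of n_c * (mean_c - mean)^2
    divided by sum over classes of n_c * var_c. Larger means the feature
    separates the classes better; a useless feature scores close to 0."""
    overall = mean(values)
    num = den = 0.0
    for c in sorted(set(labels)):
        vals = [v for v, l in zip(values, labels) if l == c]
        num += len(vals) * (mean(vals) - overall) ** 2
        den += len(vals) * pvariance(vals)
    # Zero within-class variance with separated means is perfect separation.
    return num / den if den > 0 else float("inf")

def rank_features(samples, names):
    """Score every feature independently (the filter approach) and rank them."""
    labels = [y for _, y in samples]
    scored = []
    for i, name in enumerate(names):
        column = [x[i] for x, _ in samples]
        scored.append((name, fisher_score(column, labels)))
    return sorted(scored, key=lambda t: t[1], reverse=True)

def top_k(samples, names, k):
    """Keep only the k highest-scoring features for the classifier."""
    return [name for name, _ in rank_features(samples, names)[:k]]

if __name__ == "__main__":
    for name, score in rank_features(SAMPLES, FEATURES):
        print(f"{name:16s} {score:10.2f}")
    print("top 2:", top_k(SAMPLES, FEATURES, 2))
```

On this constructed data the network and CPU metrics dominate, while battery level and process count barely separate the classes, which is the kind of ranking the "number of top features" parameter in the experiments selects from.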
The Questions
• Is it possible to detect unknown malicious applications on Android devices using the Android framework?
• Is it possible to learn the behavior of applications on a set of Android devices and perform the detection on other devices?
• Which classifier is the most accurate?
Metrics of Comparison
• True Positive Rate (TPR) = proportion of positive instances correctly classified.
• False Positive Rate (FPR) = proportion of negative instances incorrectly classified.
• Total Accuracy = proportion of all instances (positive or negative) correctly classified.
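Added example, not code from the paper or the slides, covering both the alert path of the framework slide (processors produce threat assessments, the TAs are weighted into an integrated alert, and a smoothing phase suppresses one-off spikes) and the three metrics above, computed over a constructed trace of sampled metrics. The two threshold processors, their weights, the smoothing window and the alert threshold are assumptions standing in for the paper's trained classifiers.

```python
# Added example: processors -> weighted TA -> smoothing -> alert, then
# TPR / FPR / accuracy. Processor rules, weights, window and threshold are
# assumptions; the trace is constructed.
from collections import deque

# Constructed trace of samples with ground truth (1 = malicious app active).
# Sample index 2 is an isolated benign spike that a smoothed alert should ignore.
TRACE = [
    ({"cpu": 10, "tx": 40}, 0), ({"cpu": 12, "tx": 45}, 0), ({"cpu": 95, "tx": 620}, 0),
    ({"cpu": 11, "tx": 42}, 0), ({"cpu": 90, "tx": 900}, 1), ({"cpu": 92, "tx": 950}, 1),
    ({"cpu": 88, "tx": 910}, 1), ({"cpu": 91, "tx": 930}, 1), ({"cpu": 13, "tx": 41}, 0),
    ({"cpu": 12, "tx": 44}, 0),
]

# Each processor maps one sample to a threat assessment (TA) in [0, 1].
PROCESSORS = {
    "cpu_proc": lambda s: 1.0 if s["cpu"] > 80 else 0.0,
    "net_proc": lambda s: 1.0 if s["tx"] > 500 else 0.0,
}
WEIGHTS = {"cpu_proc": 0.4, "net_proc": 0.6}  # assumed processor weights

def integrated_ta(sample):
    """Weighted combination of the processors' threat assessments."""
    return sum(WEIGHTS[name] * proc(sample) for name, proc in PROCESSORS.items())

def smoothed_alerts(trace, window=3, threshold=0.5):
    """Raise an alert only when the mean integrated TA over the last `window`
    samples exceeds `threshold`; window=1 disables smoothing."""
    recent = deque(maxlen=window)
    alerts = []
    for sample, _ in trace:
        recent.append(integrated_ta(sample))
        alerts.append(1 if sum(recent) / len(recent) > threshold else 0)
    return alerts

def evaluate(alerts, labels):
    """TPR, FPR and total accuracy exactly as defined on the metrics slide."""
    pairs = list(zip(alerts, labels))
    tp = sum(1 for a, y in pairs if a == 1 and y == 1)
    fp = sum(1 for a, y in pairs if a == 1 and y == 0)
    acc = sum(1 for a, y in pairs if a == y) / len(pairs)
    return {"TPR": tp / labels.count(1), "FPR": fp / labels.count(0), "accuracy": acc}

if __name__ == "__main__":
    labels = [y for _, y in TRACE]
    for w in (1, 3):
        alerts = smoothed_alerts(TRACE, window=w)
        print(f"window={w} alerts={alerts} metrics={evaluate(alerts, labels)}")
```

With window=3 the spike at sample 2 no longer produces a false alarm, but the same smoothing delays the alert by one sample at the start of the malicious run and keeps it up one sample after the run ends, so the false positive moves rather than disappears.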
The Four Applications
• Tip Calculator: DoS
• Snake and Lunar Lander: Information theft
• HTTP Upload: Information theft
Experiments
• The purpose of the experiments is to evaluate the ability of the proposed detection methods to distinguish between benign and malicious applications.
• 10 data sets (generated by selecting five times four different benign applications of tools and games)
Experiment 1
• The purpose of this experiment is to evaluate the ability of each combination of detection algorithm, feature selection method, and number of top features to differentiate between benign and malicious applications when the training set includes all benign/malicious applications and training/testing are performed on the same device.
Experiment 2
• The purpose of this experiment is to evaluate the ability of each combination of detection algorithm, feature selection method, and number of top features to differentiate between benign and malicious applications not included in the training set, when training and testing are performed on the same device.
Experiment 3
• The purpose of this experiment is to compare the ability of each combination of detection algorithm, feature selection method, and number of top features to differentiate between benign and malicious applications when the training set includes all benign/malicious applications but training/testing are performed on different devices.
Experiment 4
• The purpose of this experiment is to compare the ability of each combination of detection algorithm, feature selection method, and number of top features to differentiate between benign and malicious applications not included in the training set, when training and testing are performed on different devices.
Discussion and Conclusions
• Across all sub-experiments, Naïve Bayes (NB) and Logistic Regression were superior to the other classifiers in the majority of the configurations.
• In all experiments it was easier to distinguish between malicious and benign applications when the benign application was a game, as opposed to a tool application.
• The proposed detection approach is recommended for detecting continuous attacks (e.g., DoS, worm infection) and needs to be trained on a broad range of examples.
References
• Asaf Shabtai, Uri Kanonov, Yuval Elovici, Chanan Glezer, and Yael Weiss. 2012. "Andromaly": a behavioral malware detection framework for android devices. J. Intell. Inf. Syst. 38, 1 (February 2012)