Multi-Level Anomaly Detector for Android Malware
Gianluca Dini, Daniele Sgandurra

Currently, in the smartphone market, Android is the platform with the highest share.

Due to this popularity and also to its open source nature, Android-based smartphones are now an ideal target for attackers.

Since the number of malware designed for Android devices is increasing fast, Android users are looking for security solutions aimed at preventing malicious actions from damaging their smartphones. MADAM (Multi-Level Anomaly Detector for Android Malware) concurrently monitors Android at the kernel level and at the user level to detect real malware infections, using machine learning techniques to distinguish between standard behaviors and malicious ones. Device usability is not affected by MADAM, because of the low number of false positives generated after the learning phase.

Keywords: Intrusion detection, Android, Security, Classification

1 Introduction

In the last years, mobile devices, such as smartphones, tablets and PDAs, have changed drastically, increasing the number and complexity of their capabilities. Current mobile devices offer a larger amount of services and applications than those offered by personal computers. At the same time, an increasing number of security threats targeting mobile devices has emerged. In , malware attacks increased by percent across all platforms [1]: in particular, Android is the platform with the highest malware growth rate by the end of . To mitigate these security threats, various mobile-specific Intrusion Detection Systems (IDSes) have recently been proposed.

Most of these IDSes are behavior-based. A behavior-based (or anomaly-based) IDS is a system that attempts to learn the normal behavior of a device. To this end, the system is first trained by receiving as input a set of parameters that describes the way the user normally behaves. Then, during normal usage, the IDS is able to recognize as suspicious any behavior that strongly differs from the known ones.

MADAM exploits machine learning techniques to distinguish between standard behaviors and malicious ones. A first prototype of MADAM has been implemented for Android smartphones, but its theoretical approach can be extended to other mobile operating systems (OS) as well.

The first set of results shows that this approach works well with real malware and that it is usable, since it has a very low false positive rate.

The main contributions of the paper are the following:

— We describe the design and implementation of MADAM, a host-based real-time anomaly detector that exploits a multi-level view of the monitored smartphone, which considers both OS events, namely the issued system calls, and smartphone parameters.
— The tests have been performed with more than 50 popular applications and several user behaviors to measure the false positives; on average, a user receives less than 5 false positives per day, and the overall performance overhead is acceptable.

The rest of the paper is organized as follows. Section 2 lists some related work. Section 4 reports some preliminary tests and results. In Sect. Finally, Sect.

A genuine application differs from its trojanized version, since it issues different types and a different number of system calls. Crowdroid builds a vector of m features (the Android system calls). Differently from this approach, MADAM uses a global-monitoring approach that is able to detect malware contained in unknown applications.

Furthermore, on Crowdroid only two trojanized applications have been tested, whereas on MADAM we tested ten real malware. A similar approach is presented in [3], which also considers the system call parameters to discern between normal system calls and malicious ones. The authors developed four malicious applications to evaluate the ability to detect anomalies. Compared to Andromaly, MADAM uses a smaller number of features (13), has been tested on real malware found in the wild, and shows better performance in terms of detection and, especially, of false positive rate.

RADS is a web service that receives the monitored features from the monitoring client and exploits this information, stored in a database, to implement a machine learning algorithm. MADAM is more general, since it considers all the activities on a smartphone.

Hence, these calls are compared with malware executables for classification. Finally, [15] surveys some security solutions for mobile devices. Some behavior-based IDSes rely on computational intelligence and machine learning techniques, such as clustering [2], probability-based classifiers [4, 5], decision trees [5] and others. Classifiers automatically learn how to classify a set of items.

A classifier learns how to correctly classify elements during a training phase. This phase is critical, since it determines the accuracy of the classifier. Hence, it is fundamental to provide the classifier with a good training set. To build a good dataset for smartphones, the training set must describe the user's normal behaviors. Moreover, our training set also contains some malicious behaviors, which strongly differ from the standard ones.

Usually, the collected features come from several sources of events [4]: choosing the right features to best represent the smartphone behaviors is a critical task, since their number and correlation determine the quality of the training set [16]. As discussed in Sect. Table 1 provides a list of features that can be monitored at the kernel and user level.

Table 1: Features at Distinct Levels

At the first level, the features are selected upon the assumption that an attacker has to execute one or several system calls to harm the system.

At the second level, the extracted features consider whether the user is idle or not, and the number of sent SMSes. To extract features from these two levels, the framework includes two monitors. The first one is a kernel-level monitor that intercepts all the critical system calls and records the number of their occurrences during a period T.

Hence, if m is the number of monitored system calls, this monitor returns a vector of dimension m at each period T.

Figure: Functional Blocks of MADAM

The second monitor is at the application level, and it can be split into two sub-monitors that handle two different tasks: (i) periodically measuring the number of SMS sent in a time interval; (ii) monitoring the user idleness.

Since after a very short period of user inactivity the smartphone screen is turned off by the OS, the user can be considered active either if the screen is on or a voice call is active [17]. A collector receives these features from all the monitors and then builds the vectors.

These vectors are stored in local files using a logger module so that they can be used to build a training set, which is composed of t/T vectors, where t is the total time spent collecting data and T is the logging interval (an input parameter of the framework).

A training set is then used to obtain a trained classifier. This phase of data gathering, preprocessing and classifier training is called the Training Phase. In the Operative Phase, which is the phase where the user actually uses the smartphone, each monitored vector is given as input to the trained classifier and, if it is classified as suspicious, a notification is immediately shown to the user.
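The collector and classifier pipeline described above, as an added example that is not MADAM's own code: the kernel-level counters and the two application-level readings for one period T are folded into one vector of m + 2 features, the vectors logged during the Training Phase (including a few labelled malicious ones, as the text says the training set contains) train a classifier, and in the Operative Phase each new vector is classified as good or suspicious. The set of monitored system calls, every counter value, and the choice of a k-nearest-neighbour classifier on z-scored features are assumptions made here; the page does not name the prototype's learner or its exact feature list.

```python
# Added example (not MADAM's code): per-period feature vectors from kernel-level
# syscall counters plus user-level features, a small k-NN classifier trained on
# labelled vectors, and classification of new periods as "good" or "suspicious".
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass

# Assumed subset of "critical" system calls; the paper's actual list is not on the page.
MONITORED_SYSCALLS = ["open", "read", "write", "ioctl", "sendto", "recvfrom", "fork", "execve"]


@dataclass
class PeriodSample:
    """Raw readings for one logging period T, as the two monitors hand them to the collector."""
    syscalls: dict[str, int]   # kernel-level counters, reset by the module after each period
    sms_sent: int              # application-level sub-monitor (i): SMS sent in the period
    screen_on: bool            # application-level sub-monitor (ii): inputs for user idleness
    call_active: bool


def user_active(sample: PeriodSample) -> bool:
    """The user counts as active if the screen is on or a voice call is in progress."""
    return sample.screen_on or sample.call_active


def build_vector(sample: PeriodSample) -> list[float]:
    """Collector: m syscall counters + SMS count + idleness flag -> vector of m + 2 features."""
    counts = [float(sample.syscalls.get(name, 0)) for name in MONITORED_SYSCALLS]
    return counts + [float(sample.sms_sent), 1.0 if user_active(sample) else 0.0]


def training_set_size(total_seconds: int, period_seconds: int) -> int:
    """Vectors logged over t seconds with logging interval T: t/T."""
    return total_seconds // period_seconds


class KNNClassifier:
    """Minimal k-NN on z-scored features (assumed learner; the prototype's may differ)."""

    def __init__(self, k: int = 3) -> None:
        self.k = k
        self.means: list[float] = []
        self.stds: list[float] = []
        self.data: list[tuple[list[float], str]] = []

    def fit(self, vectors: list[list[float]], labels: list[str]) -> None:
        n, dim = len(vectors), len(vectors[0])
        self.means = [sum(v[i] for v in vectors) / n for i in range(dim)]
        # a constant feature gets std 1.0 so scaling never divides by zero
        self.stds = [math.sqrt(sum((v[i] - self.means[i]) ** 2 for v in vectors) / n) or 1.0
                     for i in range(dim)]
        self.data = [(self._scale(v), lab) for v, lab in zip(vectors, labels)]

    def _scale(self, v: list[float]) -> list[float]:
        return [(x - m) / s for x, m, s in zip(v, self.means, self.stds)]

    def predict(self, vector: list[float]) -> str:
        q = self._scale(vector)
        nearest = sorted(self.data, key=lambda item: math.dist(item[0], q))[: self.k]
        return Counter(label for _, label in nearest).most_common(1)[0][0]


def _sample(o, r, w, i, s, rv, f, e, sms, screen, call=False) -> PeriodSample:
    names = MONITORED_SYSCALLS
    return PeriodSample(dict(zip(names, [o, r, w, i, s, rv, f, e])), sms, screen, call)


# Constructed training periods (Training Phase). "good" rows mimic ordinary use and
# idle periods; "suspicious" rows mimic bursts of SMS and network sends while idle.
TRAINING_PERIODS: list[tuple[PeriodSample, str]] = [
    (_sample(40, 300, 120, 80, 15, 20, 1, 0, 0, True), "good"),
    (_sample(55, 420, 150, 95, 20, 30, 2, 1, 1, True), "good"),
    (_sample(10, 60, 20, 15, 2, 3, 0, 0, 0, False), "good"),
    (_sample(35, 250, 100, 70, 12, 18, 1, 0, 0, True), "good"),
    (_sample(8, 50, 15, 12, 1, 2, 0, 0, 0, False), "good"),
    (_sample(30, 200, 90, 60, 60, 10, 3, 2, 12, False), "suspicious"),
    (_sample(25, 180, 80, 55, 75, 8, 4, 2, 15, False), "suspicious"),
    (_sample(45, 350, 130, 85, 70, 25, 3, 1, 10, True), "suspicious"),
]

# Constructed periods seen in the Operative Phase.
NORMAL_PERIOD = _sample(38, 280, 110, 75, 14, 19, 1, 0, 0, True)
SUSPICIOUS_PERIOD = _sample(12, 70, 25, 18, 65, 4, 3, 2, 11, False)


def build_trained_classifier() -> KNNClassifier:
    clf = KNNClassifier(k=3)
    clf.fit([build_vector(p) for p, _ in TRAINING_PERIODS], [lab for _, lab in TRAINING_PERIODS])
    return clf


def operative_phase(clf: KNNClassifier, periods: list[PeriodSample]) -> list[int]:
    """Classify each period; return indices of suspicious ones (those a user would be notified about)."""
    return [idx for idx, p in enumerate(periods) if clf.predict(build_vector(p)) == "suspicious"]


if __name__ == "__main__":
    clf = build_trained_classifier()
    print("training vectors over 1h at T=60s:", training_set_size(3600, 60))
    print("suspicious periods:", operative_phase(clf, [NORMAL_PERIOD, SUSPICIOUS_PERIOD]))
```

The z-scoring matters: raw syscall counts are in the hundreds while the SMS count and idleness flag are single digits, so without scaling the few features that best separate the suspicious rows would barely influence the distance. Replacing the k-NN with another learner only changes `KNNClassifier`; the collector and the t/T bookkeeping stay the same.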

The lowest-level component of the MADAM framework is the system call monitor, which has been implemented as a Linux kernel module that hijacks the execution of the monitored system calls: each system call is coupled with a counter that is incremented before its execution. In the current implementation, this module considers only a subset of all the system calls available on Android Linux, those that are rather critical, in terms of security, in the description of the system behavior (see Sect.).

The kernel module contains a task that periodically (with period T) logs the current value of the counters to a buffer shared with the collector and then resets all the counters. Including and executing the hijacking module requires Super User (SU) permissions: since on Android production builds (the OS version installed on the device by manufacturers) SU is disabled, during the tests the devices required rooting, which is a procedure to obtain root permissions.

The highest-level component of the framework is an Android application written in Java, which has been implemented using the Android SDK. The Java application also includes two parallel tasks. The second task is the classifier, which states whether the vectors built by the collector are good or suspicious. In the latter case, the classifier sends a notification to the user and logs the vectors that have been classified as suspicious, for further analysis.

Malware writers are using novel techniques to create malicious Android applications, which severely undermines the capability of traditional malware detectors, which are unable to detect these unknown malicious applications. The features obtained from static and dynamic analysis of Android applications can be used to detect unknown Android malware by using machine learning techniques. This paper presents an analysis of various Android malware detection systems and compares them based on various parameters, such as detection technique, analysis method, and features extracted.

We were able to find research work on all the Android malware detection techniques that employ machine learning, which also highlights the fact that machine learning algorithms are used frequently in this area for detecting Android malware in the wild.
