Risk Assessment for Mobile Systems Through a Multilayered Hierarchical Bayesian Network

Mobile systems face a number of application vulnerabilities that can be combined and used to penetrate systems with devastating impact. When assessing the overall security of a mobile system, it is important to assess the security risks posed by each mobile application (app), thus gaining a stronger understanding of any vulnerabilities present. This paper develops a three-layer framework that assesses the potential risks which apps introduce within Android mobile systems. A Bayesian risk graphical model is proposed to evaluate risk propagation in a layered risk architecture. By integrating static analysis, dynamic analysis, and behavior analysis in a hierarchical framework, the risks and their propagation through each layer are modeled by the Bayesian risk graph, which can quantitatively analyze the risks faced by both apps and mobile systems. The proposed hierarchical Bayesian risk graph model offers a novel way to investigate security risks in mobile environments and enables users and administrators to evaluate the potential risks. This strategy allows both app security and the security of the entire system to be strengthened.
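The abstract describes risk propagating upward through three layers (analysis findings, per-app risk, system risk) in a Bayesian graph but gives no structure or probability tables. The following added example, which is not code from the paper and not the authors' model, shows one way such a layered risk graph can be evaluated. It assumes noisy-OR conditional probability tables, a tree-shaped layering in which each app has its own finding nodes (so app risk nodes are independent and exact marginals have a closed form), and the finding names, weights, leak term and sample apps are all constructed for illustration.

```python
from typing import Dict, List, Tuple

# Layer 1 -> Layer 2: how strongly each analysis finding, on its own, drives
# app risk. Findings are grouped by the analysis that produces them.
# All names and weights are assumptions for this example, not values from the paper.
ANALYSIS_WEIGHTS: Dict[str, Dict[str, float]] = {
    "static":   {"dangerous_permissions": 0.3, "suspicious_api_calls": 0.4},
    "dynamic":  {"unknown_network_endpoint": 0.5},
    "behavior": {"background_sms": 0.7},
}
# Layer 2 -> Layer 3: probability that a risky app compromises the system (assumed).
APP_TO_SYSTEM_WEIGHT = 0.8
# Leak term: residual system risk even when no app is risky (assumed).
SYSTEM_LEAK = 0.05


def noisy_or(weights: List[float], parent_probs: List[float], leak: float = 0.0) -> float:
    """Exact marginal P(child = 1) for a noisy-OR node whose parents are independent.

    For each parent i with P(parent_i = 1) = q_i and link strength w_i, the chance
    that parent i fails to trigger the child, averaged over its two states, is
    (1 - q_i) + q_i * (1 - w_i) = 1 - w_i * q_i. Independence lets the factors multiply.
    """
    prob_all_inhibited = 1.0 - leak
    for w, q in zip(weights, parent_probs):
        prob_all_inhibited *= 1.0 - w * q
    return 1.0 - prob_all_inhibited


def app_risk(findings: Dict[str, object]) -> float:
    """Layer 2: risk of one app given its Layer 1 findings.

    A finding may be a bool (observed present/absent) or a float in [0, 1]
    (e.g. a classifier's confidence that the behaviour occurred).
    """
    weights, probs = [], []
    for table in ANALYSIS_WEIGHTS.values():
        for finding, w in table.items():
            weights.append(w)
            probs.append(float(findings.get(finding, 0.0)))
    return noisy_or(weights, probs)


def system_risk(app_findings: Dict[str, Dict[str, object]]) -> float:
    """Layer 3: system risk propagated from every installed app's risk."""
    app_probs = [app_risk(f) for f in app_findings.values()]
    return noisy_or([APP_TO_SYSTEM_WEIGHT] * len(app_probs), app_probs, SYSTEM_LEAK)


def app_contributions(app_findings: Dict[str, Dict[str, object]]) -> List[Tuple[str, float]]:
    """Rank apps by how much system risk drops if that app is removed.

    This is the kind of per-app view an administrator would use to decide
    which app to uninstall or restrict first.
    """
    total = system_risk(app_findings)
    ranked = []
    for name in app_findings:
        without = {k: v for k, v in app_findings.items() if k != name}
        ranked.append((name, total - system_risk(without)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample: three apps with findings from the three analyses.
SAMPLE_APPS: Dict[str, Dict[str, object]] = {
    "messenger_x": {"dangerous_permissions": True,
                    "unknown_network_endpoint": True,
                    "background_sms": True},
    "notes_app":   {"dangerous_permissions": True},
    "calculator":  {},
}

if __name__ == "__main__":
    for name, findings in SAMPLE_APPS.items():
        print(f"{name:12s} app risk = {app_risk(findings):.3f}")
    print(f"system risk = {system_risk(SAMPLE_APPS):.3f}")
    for name, delta in app_contributions(SAMPLE_APPS):
        print(f"removing {name:12s} lowers system risk by {delta:.3f}")
```

With these assumed weights the app with findings in all three layers dominates the system risk, and the leak term keeps the system risk non-zero even with no findings at all. Replacing `noisy_or` with a learned conditional probability table, or adding cross-app edges (which would break the independence the closed form relies on and call for a general inference engine), is where a real deployment would diverge from this sketch.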
