Intrusion detection for mobile devices using the knowledge-based, temporal abstraction method

In this paper, a new approach for detecting previously unencountered malware targeting mobile devices is proposed. In the proposed approach, time-stamped security data is continuously monitored within the target mobile device (e.g., smartphones, PDAs) and then processed by the knowledge-based temporal abstraction (KBTA) methodology. Using KBTA, continuously measured data (e.g., the number of sent SMSs) and events (e.g., software installation) are integrated with a mobile device security domain knowledge base (i.e., an ontology for abstracting meaningful patterns from raw, time-oriented security data) to create higher-level, time-oriented concepts and patterns, also known as temporal abstractions. Automatically generated temporal abstractions are then monitored to detect suspicious temporal patterns and to issue an alert. These patterns correspond to a set of predefined classes of malware defined by a security expert (or the owner) using a set of time and value constraints. The goal is to identify malicious behavior that other defensive technologies (e.g., antivirus or firewall) failed to detect. Since the abstraction derivation process is complex, the KBTA method was adapted for mobile devices that are limited in resources (i.e., CPU, memory, battery). To evaluate the proposed modified KBTA method, a lightweight host-based intrusion detection system (HIDS), combined with central management capabilities for Android-based mobile phones, was developed. Evaluation results demonstrated the effectiveness of the new approach in detecting malicious applications on mobile devices (detection rate above 94% in most scenarios) and the feasibility of running such a system on mobile devices (CPU consumption was 3% on average).
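As an added illustration (not code from the paper or its Android HIDS), the following Python sketch walks through the KBTA pipeline the abstract describes: raw time-stamped sent-SMS counts are abstracted into qualitative state intervals, and a malware-class pattern that combines a software-installation event with time and value constraints is matched over those intervals. The thresholds, the pattern, the event name and the sample data are all constructed assumptions for the example.

```python
# Constructed sample input: (timestamp_seconds, sent_sms_count) samples and events.
SMS_SAMPLES = [(0, 0), (60, 1), (120, 1), (180, 12), (240, 15), (300, 14), (360, 2), (420, 1)]
EVENTS = [(150, "software_installation")]

# Assumed knowledge-base parameters (constructed for the example, not from the paper).
HIGH_SMS_THRESHOLD = 10    # value constraint: >= 10 SMSs in a sample interval is "HIGH"
MAX_GAP = 90               # seconds; same-state samples this close merge into one interval
MIN_HIGH_DURATION = 120    # seconds; the pattern needs a HIGH interval at least this long
MAX_INSTALL_LAG = 300      # seconds allowed between installation and start of HIGH interval


def abstract_state(count):
    """State abstraction: map a raw sent-SMS count to a qualitative state."""
    return "HIGH" if count >= HIGH_SMS_THRESHOLD else "NORMAL"


def derive_intervals(samples, max_gap=MAX_GAP):
    """Temporal abstraction: turn point samples into (start, end, state) intervals.

    Consecutive samples with the same state are merged when they lie within
    max_gap of each other (a simple persistence / interpolation rule).
    """
    intervals = []
    for t, count in samples:
        state = abstract_state(count)
        if intervals and intervals[-1][2] == state and t - intervals[-1][1] <= max_gap:
            start, _, _ = intervals[-1]
            intervals[-1] = (start, t, state)
        else:
            intervals.append((t, t, state))
    return intervals


def detect_sms_worm_pattern(samples, events):
    """Pattern matching over abstractions: a software installation followed, within
    MAX_INSTALL_LAG seconds, by a HIGH sent-SMS interval lasting >= MIN_HIGH_DURATION.
    Returns one alert dict per matching (event, interval) pair; a burst of SMSs with
    no preceding installation, or a burst that is too short, produces no alert.
    """
    alerts = []
    high = [iv for iv in derive_intervals(samples) if iv[2] == "HIGH"]
    for t_event, name in events:
        if name != "software_installation":
            continue
        for start, end, _ in high:
            if 0 <= start - t_event <= MAX_INSTALL_LAG and end - start >= MIN_HIGH_DURATION:
                alerts.append({"install_at": t_event, "high_sms_interval": (start, end)})
    return alerts
```

With the constructed data, the three HIGH samples at 180, 240 and 300 s merge into one 120 s interval that starts 30 s after the installation event, so exactly one alert is raised; the same samples with no installation event raise none.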
