Seeing the Unseen: Revealing Mobile Malware Hidden Communications via Energy Consumption and Artificial Intelligence

Modern malware uses advanced techniques to hide from static and dynamic analysis tools. To achieve stealth when attacking a mobile device, an effective approach is a covert channel built by two colluding applications to exchange data locally. Since this process is tightly coupled with the hiding method used, detecting it is a challenging task, made harder by the very low transmission rates. As a consequence, it is important to investigate how to reveal the presence of malicious software using general indicators, such as the energy consumed by the device. To this end, this paper aims to spot malware covertly exchanging data using two detection methods based on artificial intelligence tools, such as neural networks and decision trees. To verify their effectiveness, seven covert channels have been implemented and tested over a measurement framework using Android devices. Experimental results show the feasibility and effectiveness of the proposed approach to detect the hidden data exchange between colluding applications.
