pBMDS: a behavior-based malware detection system for cellphone devices

Computing environments on cellphones, especially smartphones, are becoming more open and general-purpose, and so they also become attractive targets for malware. Cellphone malware not only causes privacy leakage, extra charges, and depletion of battery power, but also generates malicious traffic and drains mobile network and service capacity. In this work we devise a novel behavior-based malware detection system named pBMDS, which adopts a probabilistic approach, correlating user inputs with system calls, to detect anomalous activities on cellphones. pBMDS observes the unique behaviors of mobile phone applications and their users on input- and output-constrained devices, and leverages a Hidden Markov Model (HMM) to learn application and user behaviors from two major aspects: process state transitions and user operational patterns. Built on these, pBMDS identifies behavioral differences between malware and human users. Through extensive experiments on major smartphone platforms, we show that pBMDS can be easily deployed on existing smartphone hardware and that it achieves high detection accuracy and low false positive rates in protecting major smartphone applications.
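The idea of correlating user input with system calls through an HMM, shown as an added example that is not the paper's own code: a small model whose hidden states are phases of a messaging application, scored with the forward algorithm, with the anomaly threshold learned from benign traces. The state names, probabilities and event traces are constructed assumptions, not values from pBMDS.

```python
import math

# Added example (not the paper's code): a small hidden Markov model in the
# spirit of pBMDS. Hidden states are phases of a messaging application;
# observations are user-input events and system calls captured by a hook.
# All probabilities below are constructed by hand for illustration; pBMDS
# learns them from traces of benign use.
STATES = ["idle", "composing", "sending"]
START = {"idle": 0.98, "composing": 0.01, "sending": 0.01}
TRANS = {  # sending is normally reached only after the user has been composing
    "idle":      {"idle": 0.70, "composing": 0.29, "sending": 0.01},
    "composing": {"idle": 0.20, "composing": 0.50, "sending": 0.30},
    "sending":   {"idle": 0.60, "composing": 0.30, "sending": 0.10},
}
EMIT = {  # P(observation | state); sys_send is rare outside the sending phase
    "idle":      {"key_press": 0.35, "sys_open": 0.40, "sys_write": 0.24, "sys_send": 0.01},
    "composing": {"key_press": 0.60, "sys_open": 0.10, "sys_write": 0.29, "sys_send": 0.01},
    "sending":   {"key_press": 0.01, "sys_open": 0.04, "sys_write": 0.35, "sys_send": 0.60},
}

def _logsumexp(xs):
    m = max(xs)
    return m + math.log(sum(math.exp(x - m) for x in xs))

def score(trace):
    """Average log-likelihood per event under the HMM (forward algorithm in log space)."""
    alpha = {s: math.log(START[s]) + math.log(EMIT[s][trace[0]]) for s in STATES}
    for obs in trace[1:]:
        alpha = {
            s: _logsumexp([alpha[p] + math.log(TRANS[p][s]) for p in STATES])
               + math.log(EMIT[s][obs])
            for s in STATES
        }
    return _logsumexp(list(alpha.values())) / len(trace)

def learn_threshold(benign_traces, margin=0.7):
    """Anomaly threshold learned from benign behaviour: worst benign score minus a margin."""
    return min(score(t) for t in benign_traces) - margin

def classify(trace, threshold):
    return "benign" if score(trace) >= threshold else "anomalous"

# Constructed traces: a user typing a message and sending it, versus a
# process issuing sends with no preceding user input.
BENIGN = [
    ["key_press", "key_press", "sys_write", "sys_send"],
    ["sys_open", "key_press", "sys_write", "sys_send"],
]
MALWARE = ["sys_send", "sys_send", "sys_send", "sys_send"]

if __name__ == "__main__":
    thr = learn_threshold(BENIGN)
    for t in BENIGN + [MALWARE]:
        print(f"{score(t):6.2f} {classify(t, thr):9s} {t}")
```

The repeated-send trace scores far below both benign traces because every send has to be emitted either from a phase where sends are rare or after an unlikely transition into the sending phase.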