A Specification Based Intrusion Detection Framework for Mobile Phones

With the fast growth of mobile market, we are now seeing more and more malware on mobile phones. One common pattern of many commonly found malware on mobile phones is that: the malware always attempts to access sensitive system services on the mobile phone in an unobtrusive and stealthy fashion. For example, the malware may send messages automatically or stealthily interface with the audio peripherals on the device without the user's awareness and authorization. To detect the unauthorized malicious behavior, we present SBIDF, a Specification Based Intrusion Detection Framework, which utilizes the keypad or touchscreen interrupts to differentiate between malware and human activity. Specifically, in the proposed framework, we use an application independent specification, written in Temporal Logic of Causal Knowledge (TLCK), to describe the normal behavior pattern, and enforce this specification to all third party applications on the mobile phone during runtime by monitoring the inter-component communication pattern among critical components. Our evaluation of simulated behavior of real world malware shows that we are able to detect all forms of malware that attempts to access sensitive services without possessing user's permission. Furthermore, the SBIDF incurs a negligible overhead (20 µ secs) which makes it very feasible for real world deployment.

[1]  Christopher Krügel,et al.  Detecting kernel-level rootkits through binary analysis , 2004, 20th Annual Computer Security Applications Conference.

[2]  R. Sekar,et al.  Specification-based anomaly detection: a new approach for detecting network intrusions , 2002, CCS '02.

[3]  Sencun Zhu,et al.  Designing System-Level Defenses against Cellphone Malware , 2009, 2009 28th IEEE International Symposium on Reliable Distributed Systems.

[4]  Trent Jaeger,et al.  Measuring integrity on mobile phone systems , 2008, SACMAT '08.

[5]  Patrick D. McDaniel,et al.  On lightweight mobile phone application certification , 2009, CCS.

[6]  Jean-Pierre Seifert,et al.  pBMDS: a behavior-based malware detection system for cellphone devices , 2010, WiSec '10.

[7]  Songwu Lu,et al.  SmartSiren: virus detection and alert for smartphones , 2007, MobiSys '07.

[8]  Fan Zhang,et al.  Stealthy video capturer: a new video-based spyware in 3G smartphones , 2009, WiSec '09.

[9]  Kang G. Shin,et al.  Behavioral detection of malware on mobile handsets , 2008, MobiSys '08.

[10]  Bernd Steinke,et al.  Using SELinux security enforcement in Linux-based embedded devices , 2008, MOBILWARE.

[11]  Kang G. Shin,et al.  Detecting energy-greedy anomalies and mobile malware variants , 2008, MobiSys '08.

[12]  Mauro Conti,et al.  CRePE: Context-Related Policy Enforcement for Android , 2010, ISC.

[13]  Wouter Joosen,et al.  A flexible security architecture to support third-party applications on mobile devices , 2007, CSAW '07.

[14]  Patrick D. McDaniel,et al.  Semantically Rich Application-Centric Security in Android , 2009, 2009 Annual Computer Security Applications Conference.

[15]  Deepak Venugopal,et al.  An efficient signature representation and matching method for mobile devices , 2006, WICON '06.

[16]  Giovanni Vigna,et al.  Using Labeling to Prevent Cross-Service Attacks Against Smart Phones , 2006, DIMVA.

[17]  Nicoleta Roman,et al.  Intelligent virus detection on mobile devices , 2006, PST.

[18]  Hao Chen,et al.  Exploiting MMS Vulnerabilities to Stealthily Exhaust Mobile Phone's Battery , 2006, 2006 Securecomm and Workshops.

[19]  Thomas F. La Porta,et al.  Exploiting open functionality in SMS-capable cellular networks , 2005, CCS '05.

[20]  Thomas F. La Porta,et al.  Mitigating Attacks on Open Functionality in SMS-Capable Cellular Networks , 2006, IEEE/ACM Transactions on Networking.