Detecting energy-greedy anomalies and mobile malware variants

Mobile users of computation and communication services have been rapidly adopting battery-powered mobile handhelds, such as PocketPCs and SmartPhones, for their work. However, the limited battery lifetime of these devices restricts their portability and applicability, and this weakness can be exacerbated by mobile malware that targets depletion of battery energy. Such malware is usually difficult to detect and prevent, and frequent outbreaks of new malware variants also reduce the effectiveness of commonly used signature-based detection. To alleviate these problems, we propose a power-aware malware-detection framework that monitors, detects, and analyzes previously unknown energy-depletion threats. The framework is composed of (1) a power monitor, which collects power samples and builds a power-consumption history from the collected samples, and (2) a data analyzer, which generates a power signature from the constructed history. To generate a power signature, simple and effective noise filtering and data compression are applied, thus reducing the detection overhead. Similarities between power signatures are measured by the χ²-distance, reducing both false-positive and false-negative detection rates. According to our experimental results on an HP iPAQ running a Windows Mobile OS, the proposed framework achieves significant (up to 95%) storage savings without losing detection accuracy, and a 99% true-positive rate in classifying mobile malware.
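The pipeline the abstract describes (sample power, filter noise, compress into a signature, compare signatures by χ²-distance), as an added illustration that is not the paper's code. The paper's actual filter, compression scheme and decision threshold are not given on this page, so a moving-average filter, a fixed-bin histogram and a threshold of 0.5 are assumed stand-ins, and all power traces below are constructed.

```python
"""Power-signature anomaly check modelled on the abstract's pipeline.
Assumed stand-ins (not the paper's choices): moving-average noise filter,
fixed-bin histogram as the compressed signature, chi-square threshold 0.5.
All traces are constructed sample data in milliwatts."""

def moving_average(samples, window=3):
    """Noise filter: replace each sample by the mean of the last `window` samples."""
    out = []
    for i in range(len(samples)):
        win = samples[max(0, i - window + 1):i + 1]
        out.append(sum(win) / len(win))
    return out

def power_signature(samples, bins=8, max_mw=400.0, window=3):
    """Compress a filtered power history into a normalised histogram.
    Keeping `bins` frequencies instead of every sample is the storage saving."""
    hist = [0] * bins
    for s in moving_average(samples, window):
        hist[min(bins - 1, int(s / max_mw * bins))] += 1
    n = len(samples)
    return [h / n for h in hist]

def chi2_distance(p, q):
    """Chi-square distance between two histograms: sum (p_i - q_i)^2 / (p_i + q_i)."""
    return sum((a - b) ** 2 / (a + b) for a, b in zip(p, q) if a + b > 0)

def is_anomalous(baseline_sig, samples, threshold=0.5):
    """Flag a trace whose signature is too far from the known-good baseline."""
    return chi2_distance(baseline_sig, power_signature(samples)) > threshold

# Constructed traces: a mostly idle handheld with short activity spikes (two
# independent normal recordings) and a trace where something keeps the device
# busy at a sustained high draw.
BASELINE = [95, 102, 98, 110, 105, 240, 100, 97, 103, 99, 108, 250, 101, 96, 104, 100]
NORMAL_2 = [100, 98, 105, 250, 103, 97, 102, 99, 104, 101, 240, 96, 100, 103, 98, 102]
DRAIN = [330, 345, 360, 352, 338, 365, 371, 349, 355, 342, 368, 359, 347, 361, 353, 340]
BASELINE_SIG = power_signature(BASELINE)

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_2), ("drain", DRAIN)):
        d = chi2_distance(BASELINE_SIG, power_signature(trace))
        print(f"{name}: chi2={d:.4f} anomalous={is_anomalous(BASELINE_SIG, trace)}")
```

With 16 samples per trace the histograms are coarse; the threshold would be tuned on a longer history of known-good signatures before deployment.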