Android forensics: Automated data collection and reporting from a mobile device

As Android smartphones gain popularity, industry and government will face increasing pressure to integrate them into their environments. The implementation of these devices on an enterprise can save on costs and add capabilities previously unavailable; however, the organizations that incorporate this technology must be prepared to mitigate the associated risks. These devices can contain vast amounts of personal and work-related data that can impact internal investigations, including (but not limited to) those of policy violations, intellectual property theft, misuse, embezzlement, sabotage, and espionage. Physical access has been the traditional method for retrieving data useful to these investigations from Android devices, with the exception of some limited collection abilities in commercial mobile device management systems and remote enterprise forensics tools. As part of this thesis, a prototype enterprise monitoring system for Android smartphones was developed to continuously collect many of the data sets of interest to incident responders, security auditors, proactive security monitors, and forensic investigators. Many of the data sets covered were not found in other available enterprise monitoring tools. The prototype system neither requires root access privileges nor exploiting weaknesses in the Android architecture for proper operation, thereby increasing interoperability among Android devices and avoiding a spyware classification for the system. An anti-forensics analysis on the system was performed to identify and further strengthen areas vulnerable to tampering. The results of this research include the release of the first open-source Android enterprise monitoring solution of its kind, a comprehensive guide of data sets available for collection without elevated privileges, and the introduction of a novel design strategy implementing various Android application components useful for monitoring on the Android platform

Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection

Machine learning based solutions have been successfully employed for automatic detection of malware in Android applications. However, machine learning models are known to lack robustness against inputs crafted by an adversary. So far, the adversarial examples can only deceive Android malware detectors that rely on syntactic features, and the perturbations can only be implemented by simply modifying Android manifest. While recent Android malware detectors rely more on semantic features from Dalvik bytecode rather than manifest, existing attacking/defending methods are no longer effective. In this paper, we introduce a new highly-effective attack that generates adversarial examples of Android malware and evades being detected by the current models. To this end, we propose a method of applying optimal perturbations onto Android APK using a substitute model. Based on the transferability concept, the perturbations that successfully deceive the substitute model are likely to deceive the original models as well. We develop an automated tool to generate the adversarial examples without human intervention to apply the attacks. In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as control-flow-graph. The perturbations can also be implemented directly onto APK's Dalvik bytecode rather than Android manifest to evade from recent detectors. We evaluated the proposed manipulation methods for adversarial examples by using the same datasets that Drebin and MaMadroid (5879 malware samples) used. Our results show that, the malware detection rates decreased from 96% to 1% in MaMaDroid, and from 97% to 1% in Drebin, with just a small distortion generated by our adversarial examples manipulation method.Comment: 15 pages, 11 figure

Precognition: Automated Digital Forensic Readiness System for Mobile Computing Devices in Enterprises

Enterprises are facing an unprecedented risk of security incidents due to the influx of emerging technologies, like smartphones and wearables. Most of the current Mobile security systems are not maturing in pace with technological advances. They lack the ability to learn and adapt from the past knowledge base. In the case of a security incident, enterprises find themselves underprepared for the lack of evidence and data. The systems are not designed to be forensic ready. There is a need for automated security analysis and forensically ready solution, which can learn and continuously adapt to new challenges, improve efficiency and productivity of the system. In this research, the authors have designed a security analysis and digital forensic readiness system targeted at smartphones and wearables in an enterprise environment. The proposed system detects applications violating security policies, analyzes Android and iOS applications to identify possible vulnerabilities on the server, apply machine learning algorithms to improve the efficiency and accuracy of vulnerability prediction. The System continuously learns from past incidents, proactively collect required information from the devices which can help in digital forensics. Machine learning techniques are applied to the set of features extracted from the decompiled Mobile applications and applications classified based on consisting of one or more vulnerabilities. The system was evaluated in a real-world enterprise environment with 14151 mobile applications and vulnerabilities was predicted with an accuracy of 94.2%. The system can also work on virtual instances of the mobile devices

Android Malware detection using predictive analytics.

The growth of android applications is causing a threat and a serious issue towards Android’s security. The number of malware targeting the Android operating system is increasing daily. As a result, in recent days the traditional ways that are being used to detect malware are not able to defend alone against the rapid development of hackers attacking techniques and novel malware. This capstone project focuses on using predictive analytics toward detecting malware from the network traffic. In this capstone project, we aim to train and test our data to find the best machine learning model with the highest accuracy of detecting malware in the network traffic. Through a variety of machine learning algorithms and models, we focused on 5 models starting with the logistic regression that was successfully able to predict malware by 67%. Moving to the decision tree that was effectively able to predict malware by 69% which was exactly equal to the random forest prediction ability. The AdaBoost came about 84% exactness, and KNN came with the highest anticipation of 86% between all the models. This shows us the advantage of adopting predictive analytics in malware detection within the traditional approaches to build a strong and defendable Android operating system against malware

LSGAN-AT: enhancing malware detector robustness against adversarial examples

Adversarial Malware Example (AME)-based adversarial training can effectively enhance the robustness of Machine Learning (ML)-based malware detectors against AME. AME quality is a key factor to the robustness enhancement. Generative Adversarial Network (GAN) is a kind of AME generation method, but the existing GAN-based AME generation methods have the issues of inadequate optimization, mode collapse and training instability. In this paper, we propose a novel approach (denote as LSGAN-AT) to enhance ML-based malware detector robustness against Adversarial Examples, which includes LSGAN module and AT module. LSGAN module can generate more effective and smoother AME by utilizing brand-new network structures and Least Square (LS) loss to optimize boundary samples. AT module makes adversarial training using AME generated by LSGAN to generate ML-based Robust Malware Detector (RMD). Extensive experiment results validate the better transferability of AME in terms of attacking 6 ML detectors and the RMD transferability in terms of resisting the MalGAN black-box attack. The results also verify the performance of the generated RMD in the recognition rate of AME. © 2021, The Author(s)

Applications in security and evasions in machine learning : a survey

In recent years, machine learning (ML) has become an important part to yield security and privacy in various applications. ML is used to address serious issues such as real-time attack detection, data leakage vulnerability assessments and many more. ML extensively supports the demanding requirements of the current scenario of security and privacy across a range of areas such as real-time decision-making, big data processing, reduced cycle time for learning, cost-efficiency and error-free processing. Therefore, in this paper, we review the state of the art approaches where ML is applicable more effectively to fulfill current real-world requirements in security. We examine different security applications' perspectives where ML models play an essential role and compare, with different possible dimensions, their accuracy results. By analyzing ML algorithms in security application it provides a blueprint for an interdisciplinary research area. Even with the use of current sophisticated technology and tools, attackers can evade the ML models by committing adversarial attacks. Therefore, requirements rise to assess the vulnerability in the ML models to cope up with the adversarial attacks at the time of development. Accordingly, as a supplement to this point, we also analyze the different types of adversarial attacks on the ML models. To give proper visualization of security properties, we have represented the threat model and defense strategies against adversarial attack methods. Moreover, we illustrate the adversarial attacks based on the attackers' knowledge about the model and addressed the point of the model at which possible attacks may be committed. Finally, we also investigate different types of properties of the adversarial attacks