
    Energy consumption metrics for mobile device dynamic malware detection

    Abstract: The ineffectiveness of signature-based malware detection systems, which fail to detect malware even when it is subject to trivial obfuscation techniques, makes mobile devices vulnerable. In this paper a dynamic technique to detect malware on the Android platform is proposed. We exploit a set of energy-related features, i.e., features that can be symptomatic of abnormal battery consumption. We built different models exploiting four different supervised machine learning classification algorithms, obtaining for all the evaluated models an accuracy greater than 0.91.

    Malware detection at runtime for resource-constrained mobile devices: data-driven approach

    The number of smart and connected mobile devices is increasing, bringing enormous possibilities to users in various domains and making everything we come into contact with smart. Thus, we have smart watches, smart phones, smart homes, and finally even smart cities. The increased smartness of mobile devices means that they contain more valuable information about their users, more decision-making capabilities, and more control over systems that are sometimes even life-critical. Although, on one side, all of these are necessary in order to enable mobile devices to maintain their main purpose of helping and supporting people, on the other side they open new vulnerabilities. Namely, with the increasing number and volume of smart devices, the interest of attackers in abusing them is also rising, making their security one of the main challenges. The main means that attackers use to abuse mobile devices is malicious software, or malware for short. One way to protect against malware is static analysis, which investigates the nature of software by analyzing its static features. However, this technique detects only known malware well, and it is prone to obfuscation, which means that it is relatively easy to create a new malicious sample that passes under the radar. Thus, on its own, it is not powerful enough to protect users against increasing malicious attacks. The other way to cope with malware is dynamic analysis, where the nature of the software is decided based on its behavior during execution on a device. This is a promising solution because, while the code of the software can easily be changed to appear new, the same cannot be done with ease to its behavior when executed. However, in order to achieve high accuracy, dynamic analysis usually requires computational resources beyond what is suitable for battery-operated mobile devices. This is further complicated if, in addition to detecting the presence of malware, we also want to understand which type of malware it is, in order to trigger suitable countermeasures. Finally, decisions on potential infections have to happen early enough to guarantee minimal exposure to the attacks. Fulfilling these requirements in a mobile, battery-operated environment is a challenging task for which, to the best of our knowledge, a suitable solution has not yet been proposed. In this thesis, we pave the way towards such a solution by proposing a dynamic malware detection system that is able to detect early malware that appears at runtime, that provides useful information to discriminate between diverse types of malware, and that takes into account the limited resources of mobile devices. On a mobile device we monitor a set of features representative of the presence of malware and, based on them, trigger an alarm if a software infection is observed. When this happens, we analyze a set of previously stored information relevant to malware classification in order to understand what type of malware is being executed. In order to make detection efficient and suitable for the resource-constrained environments of mobile devices, we minimize the set of observed system parameters to only the most informative ones for both detection and classification. Additionally, since the sampling period of the monitoring infrastructure is directly connected to power consumption, we take it into account as an important parameter in the development of the detection system. In order to make detection effective, we use dynamic features related to memory, CPU, system calls and network, as they reflect the behavior of a system well. Our experiments show that monitoring with a sampling period of eight seconds gives a good trade-off between detection accuracy, detection time and consumed power. Using it, and by monitoring a set of only seven dynamic features (six related to the behavior of memory and one to CPU), we are able to provide a detection solution that satisfies the initial requirements and to detect malware at runtime with an F-measure of 0.85, within 85.52 seconds of its execution, and with an average consumed power of 20 mW. Apart from the observed features containing enough information to discriminate between malicious and benign applications, our results show that they can also be used to discriminate between diverse malware behaviors, reflected in different malware families. Using a small number of features we are able to identify the presence of malicious records from the considered family with a precision of up to 99.8%. In addition to the standalone use of the proposed detection solution, we have also used it in a hybrid scenario where the applications were first analyzed by a static method, and it was able to correctly detect all the malware previously undetected by static analysis, with a false positive rate of 3.81% and an average detection time of 44.72 s. The method we have designed, tested and validated has been applied on a smartphone running the Android Operating System. However, since efficient usage of available computational resources was one of our main design criteria, we are confident that the method as such can also be applied on other battery-operated mobile devices of the Internet of Things, in order to provide an effective and efficient system able to counter the ever-increasing and ever-evolving number and variety of malicious attacks.

    An Enhanced IP Trace Back Mechanism by using Particle Swarm System

    The Internet is the most powerful medium to date, facilitating varied services to numerous users. It has also become the environment for cyber warfare, where attacks of many types (financial, ideological, revenge) are being launched. "Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection." Cloud storage is a service where data is remotely maintained, managed, and backed up. The service is available to users over a network, which is usually the Internet. It allows the user to store files online so that the user can access them from any location via the Internet. The provider company makes them available to the user online by keeping the uploaded files on an external server. In this paper, a novel Digital Network Forensic Investigation Method is proposed. This paper makes changes to the analysis and investigation stages of network forensics. The investigation of the case is based on the previous data collection framework. The spoofed IP addresses are classified by the previous framework, and the enhanced IP traceback mechanism using the Particle Swarm System traces the real victim of the case in the network forensic investigation.

    Algorithms for 5G physical layer

    There is great activity in the research community towards investigating the various aspects of 5G at different protocol layers and parts of the network. Among all of these, physical layer design plays a very important role in satisfying the high demands in terms of data rates, latency, reliability and number of connected devices for 5G deployment. This thesis addresses the latest developments in physical layer algorithms regarding channel coding, signal detection, frame synchronization and multiple access techniques in the light of 5G use cases. These developments are governed by the requirements of the different use case scenarios that are envisioned to be the driving force in 5G. All chapters from chapter 2 to 5 are developed around the need for physical layer algorithms dedicated to 5G use cases. In brief, this thesis focuses on the design, analysis, simulation and advancement of physical layer aspects such as: 1. Reliability-based decoding of short-length Linear Block Codes (LBCs) with very good properties in terms of minimum Hamming distance for applications requiring very small latency. In this context, we enlarge the grid of possible candidates by considering, in particular, short-length LBCs (especially extended BCH codes) with soft-decision decoding; 2. Efficient synchronization of preamble/postamble in a short bursty frame using a modified Massey correlator; 3. Detection of Primary User activity using semi-blind spectrum sensing algorithms and analysis of such algorithms under practical imperfections; 4. Design of an optimal spreading matrix for a Low Density Spreading (LDS) technique in the context of non-orthogonal multiple access. In such a spreading matrix, a small number of elements in each spreading sequence are non-zero, allowing each user to spread its data over a small number of chips (tones), thus simplifying the decoding procedure using the Message Passing Algorithm (MPA).

    Multicriteria evaluation as a tool for decision support in the design of sustainable routes

    Public transport negative externalities have been increasing over the past years and, consequently, concern for eliminating and minimizing them has been growing. One way to contribute to this global objective is to design public transport networks towards sustainability, which requires an assessment of their sustainability performance. Thus, the main goal of this dissertation is to develop a tool able to accomplish a multi-objective evaluation of public transport routes regarding the three main sustainability domains: economic, social, and environmental. The considered structure is based on a hierarchical relation between domains, themes, and indicators. Accordingly, for each domain, a selection of indicators within different chosen themes was performed. The quantification of each indicator was estimated prior to the assignment of the importance of their themes and domains. This assignment was mainly based on the literature and, given the different sources and opinions, sensitivity analyses were performed. The tool was applied to a simulation case consisting of three routes, based on network data from STCP, which provides a public transport service in Porto's metropolitan area.

    Process for Breaking Down the LTE Signal to Extract Key Information

    The increasingly important role of Long Term Evolution (LTE) has increased security concerns among service providers and end users and made the security of the network even more indispensable. The main thrust of this thesis is to investigate whether the LTE signal can be broken down in a methodical way to obtain information that would otherwise be private, e.g., the Global Positioning System (GPS) location of the user equipment/base station or the identity (ID) of the user. The study made use of signal simulators and software to analyze the LTE signal in order to develop a method to remove noise, break down the LTE signal and extract the desired information. From the simulation results, it was possible to extract key information in the downlink such as the Downlink Control Information (DCI), Cell-Radio Network Temporary Identifier (C-RNTI) and Physical Cell Identity (Cell-ID). This information can be modified to cause service disruptions in the network within a reasonable amount of time and with modest computing resources.
    Defence Science and Technology Agency, Singapore
    Approved for public release; distribution is unlimited

    On the Detection of Cyber-Attacks in the Communication Network of IEC 61850 Electrical Substations

    The availability of data within network communication remains one of the most critical requirements when compared to integrity and confidentiality. Several threats, such as Denial of Service (DoS) or flooding attacks caused by Generic Object Oriented Substation Event (GOOSE) poisoning attacks, for instance, might hinder the availability of communication within IEC 61850 substations. To tackle such threats, a novel method for the Early Detection of Attacks for the GOOSE Network Traffic (EDA4GNeT) is developed in the present work. Few of the previously available intrusion detection systems take into account the specific features of IEC 61850 substations and offer a good trade-off between detection performance and detection time. Moreover, to the best of our knowledge, none of the existing works proposes an early anomaly detection method for GOOSE attacks in the network traffic of IEC 61850 substations that accounts for the specific characteristics of the network data in electrical substations. The EDA4GNeT method considers the dynamic behavior of network traffic in electrical substations. The mathematical modeling of the GOOSE network traffic first enables the development of the proposed anomaly detection method. In addition, the developed model can also support the management of the network architecture in IEC 61850 substations based on appropriate performance studies. To test the novel anomaly detection method and compare the obtained results with available techniques, two use cases are used.