Three-Phase Detection and Classification for Android Malware Based on Common Behaviors

Android is one of the most popular operating systems used in mobile devices. Its popularity also renders it a common target for attackers. We propose an efficient and accurate three-phase behavior-based approach for detecting and classifying malicious Android applications. In the proposed approach, the first two phases detect a malicious application and the final phase classifies the detected malware. The first phase quickly filters out benign applications based on requested permissions and the remaining samples are passed to the slower second phase, which detects malicious applications based on system call sequences. The final phase classifies malware into known or unknown types based on behavioral or permission similarities. Our contributions are three-fold: First, we propose a self-contained approach for Android malware identification and classification. Second, we show that permission requests from an Application are beneficial to benign application filtering. Third, we show that system call sequences generated from an application running inside a virtual machine can be used for malware detection. The experiment results indicate that the multi-phase approach is more accurate than the single-phase approach. The proposed approach registered true positive and false positive rates of 97% and 3%, respectively. In addition, more than 98% of the samples were correctly classified into known or unknown types of malware based on permission similarities.We believe that our findings shed some lights on future development of malware detection and classification

Extracting Android Applications Data for Anomaly-based Malware Detection

In order to apply any machine learning algorithm or classifier, it is fundamentally important to first and foremost collect relevant features. This is most important in the field of dynamic analysis approach to anomaly malware detection systems. In this approach, the behaviour patterns of applications while in execution are analysed. The behaviour features that Android as a system allows access permissions to depend on the type of device; either rooted or not. Android is based on the Linux kernel at the bottom layer, all layers on top of the kernel run without privileged mode. Thus, if a behaviour feature vector is created from features of Android (Application Programming Interface) API in unrooted mode, then only system information made available by Android can be used. In this paper, a Device Monitoring system for an unrooted device is developed and used to collect Android application data. The application data is used to build feature vectors that describes the Android application behaviour for Anomaly malware detection. This application is able to collect essential information from Android application such as installed applications and services running within the device before or after the Monitoring application was started, the date/time stamp, calls initiated from the device, calls received by the device, sent short message services (SMSs), SMSs received, and the status of the device as at when the event took place. This information is loggedin a comma separated value (.csv) file format and stored on the SDcard of the device. The .csv file is converted toattribute relation file format (.arff); the format acceptable by WEKA machine learning tool. This.arff file of feature vectors is then used as input to the Classifier in the Android malware detection system

IoT Sentinel: Automated Device-Type Identification for Security Enforcement in IoT

With the rapid growth of the Internet-of-Things (IoT), concerns about the security of IoT devices have become prominent. Several vendors are producing IP-connected devices for home and small office networks that often suffer from flawed security designs and implementations. They also tend to lack mechanisms for firmware updates or patches that can help eliminate security vulnerabilities. Securing networks where the presence of such vulnerable devices is given, requires a brownfield approach: applying necessary protection measures within the network so that potentially vulnerable devices can coexist without endangering the security of other devices in the same network. In this paper, we present IOT SENTINEL, a system capable of automatically identifying the types of devices being connected to an IoT network and enabling enforcement of rules for constraining the communications of vulnerable devices so as to minimize damage resulting from their compromise. We show that IOT SENTINEL is effective in identifying device types and has minimal performance overhead