Android Encrypted Network Traffic to Identify User Actions

Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence. Unlike other areas of digital forensics, network investigations deal with volatile and dynamic information. Network traffic is transmitted and then lost, so network forensics is often a pro-active investigation. Network forensics generally has two uses. The first, relating to security, involves monitoring a network for anomalous traffic and identifying intrusions. The second form relates to law enforcement. In this case analysis of captured network traffic can include tasks such as reassembling transferred files, searching for keywords and parsing human communication such as emails or chat sessions. Nowadays use of mobile apps to communicate with friends. Not only communication purpose it gets information about sensitive topics such as diseases, sexual or religious preferences, etc. Numerous worries have been raised about the capabilities of these portable devices to occupy the privacy of users actually becoming “tracking devices”. Above problem they influence in our work to find solution using machine learning techniques. It is used to protect the content of a packet. Our framework analyzes the network communications and leverages information available in TCP/IP packets like IP addresses and ports, together with other information like the size, the direction, and the timing. Our system, for each app they ?rst pre-process a dataset of network packets labeled with the user actions that originated them, they cluster them in ?ow typologies that represent recurrent network ?ows, and ?nally it analyze them in order to create a training set that will be used to feed a classi?er. The trained classi?er will then be able to classify new traf?c traced. Our approach results shows it accuracy and precision more than 95% for most of the considered actions

Profile Analysis of Mobile Application Security

ABSTRACT This thesis conducts profile analysis on the mobile application security using peer-review articles that were published from 2010 to 2018. From the analysis, we will identify prolific authors, intuitions, and geographic regions as well as the topics addressed by the articles. The profile analysis will reveal most frequently used research methods, research approaches (quantitative, qualitative and mixed), and theories used to study the field. This thesis reveals that none of the researchers have made significant contributions to the field, and researches are not collaborating to solve their research problems. The profile analysis shows that surveys and experiments are the most utilized research methods, and most researchers studied the field at a higher level, i.e., security was the focus of the research but did not go deeper into various aspects of security such as privacy, security vulnerabilities, and mobile application security best practices

SmartDisability: A Smart System of Systems approach to Disability

This paper introduces the SmartDisability Framework; a System of Systems to consider mappings between the Disability Types, Range of Movement and Interaction Mediums to produce Technology and Task recommendations. Each element is seen as a constituent system that relies on interaction between the user and technology. The recommended technologies are viewed as independent and operable constituent systems that are networked together to assist people with disability. The SmartDisability conceptual model (based on the familiar disability symbol) and extracts from the initial development stage of the framework are presented. The framework has been populated through a systematic literature review of disability classification, Range of Movement, interaction mediums, `off-the-shelf' technologies and tasks. The framework was augmented by the results of a previously conducted requirements elicitation process, involving surveys and semi-structured interviews, and a user evaluation with head tracking technology. Quality Function Deployment determined the relationships within the framework to ensure that user requirements were fully analysed. The anticipated validation process involving a focus group utilising fictional personas and routes to exploitation (through the development of an application) are also discussed

Cognitive vs Chronological Age as Barriers to Using Wearable Activity Monitors in Older Adults

Despite widespread availability, the use of smart devices is still very limited among seniors who could benefit from adopting these systems. This research-in-progress study draws on the theory of aging and subjective assessments of health, as well as information systems adoption literature to propose a theoretical model to explore the effects of older adults’ cognitive age on their disability perceptions which can influence their adoption of smart devices. The results will be achieved using a combination of qualitative and quantitative methods. Potential contributions from this research to theory and practice are also outlined

Android HIV: A Study of Repackaging Malware for Evading Machine-Learning Detection

Machine learning based solutions have been successfully employed for automatic detection of malware in Android applications. However, machine learning models are known to lack robustness against inputs crafted by an adversary. So far, the adversarial examples can only deceive Android malware detectors that rely on syntactic features, and the perturbations can only be implemented by simply modifying Android manifest. While recent Android malware detectors rely more on semantic features from Dalvik bytecode rather than manifest, existing attacking/defending methods are no longer effective. In this paper, we introduce a new highly-effective attack that generates adversarial examples of Android malware and evades being detected by the current models. To this end, we propose a method of applying optimal perturbations onto Android APK using a substitute model. Based on the transferability concept, the perturbations that successfully deceive the substitute model are likely to deceive the original models as well. We develop an automated tool to generate the adversarial examples without human intervention to apply the attacks. In contrast to existing works, the adversarial examples crafted by our method can also deceive recent machine learning based detectors that rely on semantic features such as control-flow-graph. The perturbations can also be implemented directly onto APK's Dalvik bytecode rather than Android manifest to evade from recent detectors. We evaluated the proposed manipulation methods for adversarial examples by using the same datasets that Drebin and MaMadroid (5879 malware samples) used. Our results show that, the malware detection rates decreased from 96% to 1% in MaMaDroid, and from 97% to 1% in Drebin, with just a small distortion generated by our adversarial examples manipulation method.Comment: 15 pages, 11 figure

Euphony:Harmonious Unification of Cacophonous Anti-Virus Vendor Labels for Android Malware

Android malware is now pervasive and evolving rapidly. Thousands of malware samples are discovered every day with new models of attacks. The growth of these threats has come hand in hand with the proliferation of collective repositories sharing the latest specimens. Having access to a large number of samples opens new research directions aiming at efficiently vetting apps. However, automatically inferring a reference ground-truth from those repositories is not straightforward and can inadvertently lead to unforeseen misconceptions. On the one hand, samples are often mis-labeled as different parties use distinct naming schemes for the same sample. On the other hand, samples are frequently mis-classified due to conceptual errors made during labeling processes. In this paper, we analyze the associations between all labels given by different vendors and we propose a system called EUPHONY to systematically unify common samples into family groups. The key novelty of our approach is that no a-priori knowledge on malware families is needed. We evaluate our approach using reference datasets and more than 0.4 million additional samples outside of these datasets. Results show that EUPHONY provides competitive performance against the state-of-the-art

A Hybrid Approach for Android Malware Detection and Family Classification

With the increase in the popularity of mobile devices, malicious applications targeting Android platform have greatly increased. Malware is coded so prudently that it has become very complicated to identify. The increase in the large amount of malware every day has made the manual approaches inadequate for detecting the malware. Nowadays, a new malware is characterized by sophisticated and complex obfuscation techniques. Thus, the static malware analysis alone is not enough for detecting it. However, dynamic malware analysis is appropriate to tackle evasion techniques but incapable to investigate all the execution paths and also it is very time consuming. So, for better detection and classification of Android malware, we propose a hybrid approach which integrates the features obtained after performing static and dynamic malware analysis. This approach tackles the problem of analyzing, detecting and classifying the Android malware in a more efficient manner. In this paper, we have used a robust set of features from static and dynamic malware analysis for creating two datasets i.e. binary and multiclass (family) classification datasets. These are made publically available on GitHub and Kaggle with the aim to help researchers and anti-malware tool creators for enhancing or developing new techniques and tools for detecting and classifying Android malware. Various machine learning algorithms are employed to detect and classify malware using the features extracted after performing static and dynamic malware analysis. The experimental outcomes indicate that hybrid approach enhances the accuracy of detection and classification of Android malware as compared to the case when static and dynamic features are considered alone

HIDROID: prototyping a behavioral host-based intrusion detection and prevention system for android

Previous research efforts on developing an Intrusion Detection and Prevention Systems (IDPS) for Android mobile devices rely mostly on centralized data collection and processing on a cloud server. However, this trend is characterized by two major limitations. First, it requires a continuous connection between monitored devices and the server, which might be infeasible, due to mobile network's outage or partial coverage. Second, it increases the risk of sensitive information leakage and the violation of user's privacy. To help alleviate these problems, in this paper, we develop a novel Host-based IDPS for Android (HIDROID), which runs completely on a mobile device, with a minimal computation burden. It collects data in run-time, by periodically sampling features reflecting the utilization of scarce resources on a mobile device (e.g. CPU, memory, battery, bandwidth, etc.). The detection engine exploits statistical and machine learning algorithms to build a data-driven model for the benign behavior. Any observation failing to match this model triggers an alert, and the preventive agent takes proper countermeasure(s) to minimize the risk. HIDROID requires no malicious data for training or tuning, which makes it handy for day-to-day usage. Experimental test results, on a real-life device, show that HIDROID is well able to learn and discriminate normal from malicious behavior, with very promising accuracy of up to 0.9, while maintaining false positive rate by 0.03

DENDROID: A text mining approach to analyzing and classifying code structures in Android malware families

The rapid proliferation of smartphones over the last few years has come hand in hand with and impressive growth in the number and sophistication of malicious apps targetting smartphone users. The availability of reuse-oriented development methodologies and automated malware production tools makes exceedingly easy to produce new specimens. As a result, market operators and malware analysts are increasingly overwhelmed by the amount of newly discovered samples that must be analyzed. This situation has stimulated research in intelligent instruments to automate parts of the malware analysis process. In this paper, we introduce DENDROID, a system based on text mining and information retrieval techniques for this task. Our approach is motivated by a statistical analysis of the code structures found in a dataset of ANDROID OS malware families, which reveals some parallelisms with classical problems in those domains. We then adapt the standard Vector Space Model and reformulate the modelling process followed in text mining applications. This enables us to measure similarity between malware samples, which is then used to automatically classify them into families. We also investigate the application of hierarchical clustering over the feature vectors obtained for each malware family. The resulting dendo-grams resemble the so-called phylogenetic trees for biological species, allowing us to conjecture about evolutionary relationships among families. Our experimental results suggest that the approach is remarkably accurate and deals efficiently with large databases of malware instances.Publicad