Propagation, Detection and Containment of Mobile Malware.

Today's enterprise systems and networks are frequent targets of malicious attacks, such as worms, viruses, spyware and intrusions that can disrupt, or even disable critical services. Recent trends suggest that by combining spyware as a malicious payload with worms as a delivery mechanism, malicious programs can potentially be used for industrial espionage and identity theft. The problem is compounded further by the increasing convergence of wired, wireless and cellular networks, since virus writers can now write malware that can crossover from one network segment to another, exploiting services and vulnerabilities specific to each network. This dissertation makes four primary contributions. First, it builds more accurate malware propagation models for emerging hybrid malware (i.e., malware that use multiple propagation vectors such as Bluetooth, Email, Peer-to-Peer, Instant Messaging, etc.), addressing key propagation factors such as heterogeneity of nodes, services and user mobility within the network. Second, it develops a proactive containment framework based on group-behavior of hosts against such malicious agents in an enterprise setting. The majority of today's anti-virus solutions are reactive, i.e., these are activated only after a malicious activity has been detected at a node in the network. In contrast, proactive containment has the potential of closing the vulnerable services ahead of infection, and thereby halting the spread of the malware. Third, we study (1) the current-generation mobile viruses and worms that target SMS/MMS messaging and Bluetooth on handsets, and the corresponding exploits, and (2) their potential impact in a large SMS provider network using real-life SMS network data. Finally, we propose a new behavioral approach for detecting emerging malware targeting mobile handsets. Our approach is based on the concept of generalized behavioral patterns instead of traditional signature-based detection. The signature-based methods are not scalable for deployment in mobile devices due to limited resources available on today's typical handsets. Further, we demonstrate that the behavioral approach not only has a compact footprint, but also can detect new classes of malware that combine some features from existing classes of malware.Ph.D.Computer Science & EngineeringUniversity of Michigan, Horace H. Rackham School of Graduate Studieshttp://deepblue.lib.umich.edu/bitstream/2027.42/60849/1/abose_1.pd

GekkoFS: A temporary burst buffer file system for HPC applications

Many scientific fields increasingly use high-performance computing (HPC) to process and analyze massive amounts of experimental data while storage systems in today’s HPC environments have to cope with new access patterns. These patterns include many metadata operations, small I/O requests, or randomized file I/O, while general-purpose parallel file systems have been optimized for sequential shared access to large files. Burst buffer file systems create a separate file system that applications can use to store temporary data. They aggregate node-local storage available within the compute nodes or use dedicated SSD clusters and offer a peak bandwidth higher than that of the backend parallel file system without interfering with it. However, burst buffer file systems typically offer many features that a scientific application, running in isolation for a limited amount of time, does not require. We present GekkoFS, a temporary, highly-scalable file system which has been specifically optimized for the aforementioned use cases. GekkoFS provides relaxed POSIX semantics which only offers features which are actually required by most (not all) applications. GekkoFS is, therefore, able to provide scalable I/O performance and reaches millions of metadata operations already for a small number of nodes, significantly outperforming the capabilities of common parallel file systems.Peer ReviewedPostprint (author's final draft

Detection of Anomalous Behavior of Wireless Devices using Power Signal and Changepoint Detection Theory.

Anomaly detection has been applied in different fields of science and engineering over many years to recognize inconsistent behavior, which can affect the regular operation of devices, machines, and even organisms. The main goal of the research described in this thesis is to extract the meaningful features of an object's characteristics that allow researchers recognize such malicious behavior. Specifically, this work is focused on identifying malicious behavior in Android smartphones caused by code running on it. In general, extraneous activities can affect different parameters of such devices such as network traffic, CPU usage, hardware and software resources. Therefore, it is possible to use these parameters to unveil malicious activities. Using only one parameter can not guarantee an accurate model since a parameter may be modified by cybercriminals to act as a benign application. In contrast, using many parameters can produce excessive usage of smartphone's resources, or/and it can affect the time of detection of a proposed methodology. Considering that malicious activities are injected through the software applications that manage the usage of all hardware components, a smartphone's overall power consumption is a better choice for detecting malicious behavior. This metric is considered critical for anomaly analysis because it summarizes the impact of all hardware components' power consumption. Using only one metric is guaranteed to be efficient and accurate methodology for detecting malware on Android smartphones. This thesis analyzes the accuracy of two methodologies that are evaluated with emulated and real malware. It is necessary to highlight that the detection of real malware can be a challenging task because malicious activities can be triggered only if a user executes the correct combination of actions on the application. For this reason, in the present work, this drawback is solved by automating the user inputs with Android Debug Bridge (ADB) commands and Droidbot. With this automation tool, it is highly likely that malicious behavior can act, leaving a fingerprint in the power consumption. It should be noted that power consumption consist of time-series data that can be considered non-stationary signals due to changes in statistical parameters such as mean and variance over time. Therefore, the present work approaches the problem by analyzing each signal as a stochastic, using Changepoint detection theory to extract features from the time series. Finally, these features become the input of different machine learning classifiers used to differentiate non-malicious from malicious applications. Furthermore, the efficiency of each methodology is assessed in terms of the time of detection