
    A Methodology for Reliable Detection of Anomalous Behavior in Smartphones

    Smartphones have become the most preferred computing device for both personal and business use. Different applications in smartphones result in different power consumption patterns. The fact that every application has been coded to perform different tasks leads to the claim that every action onboard (whether software or hardware) will consequently have a trace in the power consumption of the smartphone. When the same sequence of steps is repeated on it, it is observed that the power consumption patterns hold some degree of similarity. A device infected with malware can exhibit increased CPU usage, lower speeds, strange behavior such as e-mails or messages being sent automatically and without the user's knowledge, and programs or malware running intermittently or in cycles in the background. This deviation from the expected behavior of the device is termed anomalous behavior and results in a reduction in the similarity of the power consumption. The anomalous behavior could also be due to gradual degradation of the device or a change in the execution environment, in addition to the presence of malware. The change in similarity can be used to detect the presence of anomalous behavior on smartphones. This thesis focuses on the detection of anomalous behavior from the power signatures of the smartphone. We have conducted experiments to measure and analyze the power consumption pattern of various smartphone apps. The test bench used for the experiments has a Monsoon Power Meter, which supplies power to the smartphone, and an external laptop collects the power samples from the meter. To emulate the presence of anomalous behavior, we developed an app which runs in the background with varying activity windows. Based on our experiments and analysis, we have developed two separate models for reliable detection of anomalous behavior from power signatures of the smartphone. The first model is based on Independent Component Analysis (ICA) and the second model is based on a Similarity Matrix developed using an array of low pass filters. These models detect the presence of anomalies by comparing the current power consumption pattern of the device under test with that of its normal behavior.

    Location based power analysis to detect malicious code in smartphones


    Multimodal Approach for Malware Detection

    Although malware detection is a very active area of research, few works have focused on using physical properties (e.g., power consumption) and multimodal features for malware detection. We designed an experimental testbed that allowed us to run samples of malware and non-malicious software applications and to collect power consumption, network traffic, and system log data, and subsequently to extract dynamic behavior-based features. We also extracted code-based static features of both malware and non-malicious software applications. These features were used for malware detection based on: feature level fusion using power consumption and network traffic data, feature level fusion using network traffic data and system logs, and multimodal feature level and decision level fusion. The contributions when using feature level fusion of power consumption and network traffic data are: (1) We focused on detecting real malware using the extracted dynamic behavioral features (both power-based and network traffic-based) and supervised machine learning algorithms, which has not been done by any of the prior works. (2) We ran a large number of machine learning experiments, which allowed us to identify the best performing learner, the DC voltage rails that led to the best malware detection performance, and the subset of features that are the best predictors for malware detection. (3) The comparison of malware detection performance was done using a comprehensive set of metrics that reflect different aspects of the quality of malware detection. In the case of the feature level fusion using network traffic data and system logs, the contributions are: (1) Most of the previous works that have used network flow-based features have done classification of the network traffic, while our focus was on classifying the software running in a machine as malware or non-malicious software using the extracted dynamic behavioral features. (2) We experimented with different sizes of the training set (i.e., 90%, 75%, 50%, and 25% of the data) and found that smaller training sets produced very good classification results. This aspect of our work has practical value because the manual labeling of the training set is a tedious and time consuming process. In this dissertation we present a multimodal deep learning neural network that integrates different modalities (i.e., power consumption, system logs, network traffic, and code-based static data) using decision level fusion. We evaluated the performance of each modality individually, when using feature level fusion, and when using decision level fusion. The contributions of our multimodal approach are as follows: (1) Collecting data from different modalities allowed us to develop a multimodal approach to malware detection, which has not been widely explored by prior works. Moreover, none of the previous works compared the performance of feature level fusion with decision level fusion, which is explored in this dissertation. (2) We proposed a multimodal decision level fusion malware detection approach using a deep neural network and compared its performance with the performance of feature level fusion approaches based on a deep neural network and standard supervised machine learning algorithms (i.e., Random Forest, J48, JRip, PART, Naive Bayes, and SMO).

    Cyber Security and Critical Infrastructures 2nd Volume

    The second volume of the book contains the manuscripts that were accepted for publication in the MDPI Special Topic "Cyber Security and Critical Infrastructure" after a rigorous peer-review process. Authors from academia, government and industry contributed their innovative solutions, consistent with the interdisciplinary nature of cybersecurity. The book contains 16 articles: an editorial that explains the current challenges, innovative solutions and real-world experiences involving critical infrastructure, and 15 original papers that present state-of-the-art innovative solutions to attacks on critical systems.