Agent‐based modeling of malware dynamics in heterogeneous environments

The increasing convergence of power‐law networks such as social networking and peer‐to‐peer applications, web‐delivered applications, and mobile platforms makes today's users highly vulnerable to entirely new generations of malware that exploit vulnerabilities in web applications and mobile platforms for new infections, while using the power‐law connectivity for finding new victims. The traditional epidemic models based on assumptions of homogeneity, average‐degree distributions, and perfect‐mixing are inadequate to model this type of malware propagation. In this paper, we study four aspects crucial to modeling malware propagation: application‐level interactions among users of such networks , local network structure , user mobility , and network coordination of malware such as botnets . Since closed‐form solutions of malware propagation considering these aspects are difficult to obtain, we describe an open‐source, flexible agent‐based emulation framework that can be used by malware researchers for studying today's complex malware. The framework, called Agent‐Based Malware Modeling (AMM), allows different applications, network structure, network coordination, and user mobility in either a geographic or a logical domain to study various infection and propagation scenarios. In addition to traditional worms and viruses, the framework also allows modeling network coordination of malware such as botnets. The majority of the parameters used in the framework can be derived from real‐life network traces collected from a network, and therefore, represent realistic malware propagation and infection scenarios. As representative examples, we examine two well‐known malware spreading mechanisms: (i) a malicious virus such as Cabir spreading among the subscribers of a cellular network using Bluetooth and (ii) a hybrid worm that exploit email and file‐sharing to infect users of a social network. In both cases, we identify the parameters most important to the spread of the epidemic based upon our extensive simulation results. Copyright © 2011 John Wiley & Sons, Ltd. This paper presents a novel agent‐based framework for realistic modeling of malware propagation in heterogeneous networks, applications and platforms. The majority of the parameters used in the framework can be derived from real‐life network traces collected from a network, and therefore, represent realistic malware propagation and infection scenarios for the given network. Two well‐known malware spreading mechanisms in traditional as well as mobile environments were studied using extensive simulations within the framework and the most important spreading parameters were identified.Peer Reviewedhttp://deepblue.lib.umich.edu/bitstream/2027.42/101832/1/sec298.pd

Discovering Network Control Vulnerabilities and Policies in Evolving Networks

The range and number of new applications and services are growing at an unprecedented rate. Computer networks need to be able to provide connectivity for these services and meet their constantly changing demands. This requires not only support of new network protocols and security requirements, but often architectural redesigns for long-term improvements to efficiency, speed, throughput, cost, and security. Networks are now facing a drastic increase in size and are required to carry a constantly growing amount of heterogeneous traffic. Unfortunately such dynamism greatly complicates security of not only the end nodes in the network, but also of the nodes of the network itself. To make matters worse, just as applications are being developed at faster and faster rates, attacks are becoming more pervasive and complex. Networks need to be able to understand the impact of these attacks and protect against them. Network control devices, such as routers, firewalls, censorship devices, and base stations, are elements of the network that make decisions on how traffic is handled. Although network control devices are expected to act according to specifications, there can be various reasons why they do not in practice. Protocols could be flawed, ambiguous or incomplete, developers could introduce unintended bugs, or attackers may find vulnerabilities in the devices and exploit them. Malfunction could intentionally or unintentionally threaten the confidentiality, integrity, and availability of end nodes and the data that passes through the network. It can also impact the availability and performance of the control devices themselves and the security policies of the network. The fast-paced evolution and scalability of current and future networks create a dynamic environment for which it is difficult to develop automated tools for testing new protocols and components. At the same time, they make the function of such tools vital for discovering implementation flaws and protocol vulnerabilities as networks become larger and more complex, and as new and potentially unrefined architectures become adopted. This thesis will present the design, implementation, and evaluation of a set of tools designed for understanding implementation of network control nodes and how they react to changes in traffic characteristics as networks evolve. We will first introduce Firecycle, a test bed for analyzing the impact of large-scale attacks and Machine-to-Machine (M2M) traffic on the Long Term Evolution (LTE) network. We will then discuss Autosonda, a tool for automatically discovering rule implementation and finding triggering traffic features in censorship devices. This thesis provides the following contributions: 1. The design, implementation, and evaluation of two tools to discover models of network control nodes in two scenarios of evolving networks, mobile network and censored internet 2. First existing test bed for analysis of large-scale attacks and impact of traffic scalability on LTE mobile networks 3. First existing test bed for LTE networks that can be scaled to arbitrary size and that deploys traffic models based on real traffic traces taken from a tier-1 operator 4. An analysis of traffic models of various categories of Internet of Things (IoT) devices 5. First study demonstrating the impact of M2M scalability and signaling overload on the packet core of LTE mobile networks 6. A specification for modeling of censorship device decision models 7. A means for automating the discovery of features utilized in censorship device decision models, comparison of these models, and their rule discover

Design of a hybrid command and control mobile botnet

The increasing popularity and improvement in capabilities offered by smartphones caught the attention of botnet developers. Now the threat of botnets is moving towards the mobile environment. This study presents the design of a hybrid command and control mobile botnet. The hybrid design explores the efficiency of multiple command and control channels against the following objectives: no single point of failure within the topology, low cost for command dissemination, limited network activities and low battery consumption. The objectives are measured with a prototype that is deployed on a small collection of Android-based smartphones. The results indicate that current mobile technology exhibits all the capabilities needed to create a mobile botnet.http://www.jinfowar.comam2017Computer Scienc

Dynamic monitoring of Android malware behavior: a DNS-based approach

The increasing technological revolution of the mobile smart devices fosters their wide use. Since mobile users rely on unofficial or thirdparty repositories in order to freely install paid applications, lots of security and privacy issues are generated. Thus, at the same time that Android phones become very popular and growing rapidly their market share, so it is the number of malicious applications targeting them. Yet, current mobile malware detection and analysis technologies are very limited and ineffective. Due to the particular traits of mobile devices such as the power consumption constraints that make unaffordable to run traditional PC detection engines on the device; therefore mobile security faces new challenges, especially on dynamic runtime malware detection. This approach is import because many instructions or infections could happen after an application is installed or executed. On the one hand, recent studies have shown that the network-based analysis, where applications could be also analyzed by observing the network traffic they generate, enabling us to detect malicious activities occurring on the smart device. On the other hand, the aggressors rely on DNS to provide adjustable and resilient communication between compromised client machines and malicious infrastructure. So, having rich DNS traffic information is very important to identify malevolent behavior, then using DNS for malware detection is a logical step in the dynamic analysis because malicious URLs are common and the present danger for cybersecurity. Therefore, the main goal of this thesis is to combine and correlate two approaches: top-down detection by identifying malware domains using DNS traces at the network level, and bottom-up detection at the device level using the dynamic analysis in order to capture the URLs requested on a number of applications to pinpoint the malware. For malware detection and visualization, we propose a system which is based on dynamic analysis of API calls. Thiscan help Android malware analysts in visually inspecting what the application under study does, easily identifying such malicious functions. Moreover, we have also developed a framework that automates the dynamic DNS analysis of Android malware where the captured URLs at the smartphone under scrutiny are sent to a remote server where they are: collected, identified within the DNS server records, mapped the extracted DNS records into this server in order to classify them either as benign or malicious domain. The classification is done through the usage of machine learning. Besides, the malicious URLs found are used in order to track and pinpoint other infected smart devices, not currently under monitoring

Intersection Features For Android Botnet Classification

The evolution of the Internet of things (IoT) has made a significant impact and availed opportunities for mobile device usage on human life. Many of IoT devices will be supposedly controlled through a mobile, giving application (apps) developers great opportunities in the development of new applications. However, hackers are continuously developing malicious applications especially Android botnet to steal private information, causing financial losses and breach user privacy. This paper proposed an enhancement approach for Android botnet classification based on features selection and classification algorithms. The proposed approach used requested permissions in the Android app and API function as features to differentiate between the Android botnet apps and benign apps. The Chi Square was used to select the most significant permissions, then the classification algorithms like Naïve Bayes and Decision Tree were used to classify the Android apps as botnet or benign apps. The results showed that Decision Tree with Chi-Square feature selection achieved the highest detection accuracy of 98.6% which was higher than other classifiers