Three-Phase Detection and Classification for Android Malware Based on Common Behaviors

Android is one of the most popular operating systems used in mobile devices. Its popularity also renders it a common target for attackers. We propose an efficient and accurate three-phase behavior-based approach for detecting and classifying malicious Android applications. In the proposedapproach, the first two phases detect a malicious application and the final phase classifies the detected malware. The first phase quickly filters out benign applications based on requested permissions and the remaining samples are passed to the slower second phase, which detects malicious applications based on system call sequences. The final phase classifies malware into known or unknown types based on behavioral or permission similarities. Our contributions are three-fold: First, we propose a self-contained approach for Android malware identification and classification. Second, we show that permission requests from an Application are beneficial to benign application filtering. Third, we show that system call sequences generated from an application running inside a virtual machine can be used for malware detection. The experiment results indicate that the multi-phase approach is more accurate than the single-phase approach. The proposed approach registered true positive and false positive rates of 97% and 3%, respectively. In addition, more than 98% of the samples were correctly classified into known or unknown types of malware based on permission similarities.We believe that our findings shed some lights on future development of malware detection and classification

Three-Phase Detection and Classification for Android Malware Based on Common Behaviors

Android is one of the most popular operating systems used in mobile devices. Its popularity also renders it a common target for attackers. We propose an efficient and accurate three-phase behavior-based approach for detecting and classifying malicious Android applications. In the proposed approach, the first two phases detect a malicious application and the final phase classifies the detected malware. The first phase quickly filters out benign applications based on requested permissions and the remaining samples are passed to the slower second phase, which detects malicious applications based on system call sequences. The final phase classifies malware into known or unknown types based on behavioral or permission similarities. Our contributions are three-fold: First, we propose a self-contained approach for Android malware identification and classification. Second, we show that permission requests from an Application are beneficial to benign application filtering. Third, we show that system call sequences generated from an application running inside a virtual machine can be used for malware detection. The experiment results indicate that the multi-phase approach is more accurate than the single-phase approach. The proposed approach registered true positive and false positive rates of 97% and 3%, respectively. In addition, more than 98% of the samples were correctly classified into known or unknown types of malware based on permission similarities.We believe that our findings shed some lights on future development of malware detection and classification

Multi-Operator Fairness in Transparent RAN Sharing by Soft-Partition With Blocking and Dropping Mechanism

Radio access network (RAN) sharing has attracted significant attention from telecom operators as a means of accommodating data surges. However, current mechanisms for RAN sharing ignore the fairness issue among operators, and hence the RAN may be under- or over-utilized. Furthermore, the fairness among different operators cannot be guaranteed, since the RAN resources are distributed on a first come, first served basis. Accordingly, the present study proposes a “soft-partition with blocking and dropping” (SBD) mechanism that offers inter-operator fairness using a “soft-partition” approach. In particular, the operator subscribers are permitted to overuse the resources specified in the predefined service-level-agreement when the shared RAN is under-utilized, but are blocked (or even dropped) when the RAN is over-utilized. The simulation results show that SBD achieves an inter-operator fairness of 0.997, which is higher than that of both a hard-partition approach (0.98) and a no-partition approach (0.6) while maintaining a shared RAN utilization rate of 98%. Furthermore, SBD reduces the blocking rate from 35% (hard partition approach) to almost 0%, whereas controlling the dropping rate at 5%. Notably, the dropping rate can be reduced to almost 0% using a newly proposed bandwidth scale down procedure.This work was supported in part by H2020 collaborative Europe/Taiwan research project 5G-CORAL under Grant 761586, and in part by the Ministry of Science and Technology, Taiwan under Contract MOST 106-2218- E-009-018

Offloading in P4 Switch Integrated with Multiple Virtual Network Function Servers

Software Defined Networking (SDN) and Network Function Virtualization (NFV) are two transformative technologies that offer distinct benefits. SDN virtualizes the control plane by separating it from the data plane, while NFV virtualizes the data plane by moving network functions from hardware and implementing them in software. Therefore, combining SDN and NFV can fully exploit the benefits of both technologies. As Programming Protocol-independent Packet Processors (P4) become popular due to its flexibility, traditional SDN switches are being replaced by P4 switches. In the P4+NFV architecture, network functions can be provided in both P4 switches (PNF) and NFV servers (VNF). However, to minimize packet delay, the offloading problem between P4 switches and NFV needs to be addressed. The novelty of our paper lies in investigating the offloading problem and evaluating the impact of employing multiple VNFs with varying computing capacities within the P4+NFV architecture. We also use M/M/1 queuing theory to derive the average packet delay and propose an optimization solution based on gradient descent to find out the optimal offloading probabilities of various VNF servers. Results show that optimal offloading from P4 switch to multiple VNFs can reduce the average packet delay from 4.76% to 40.02%

Three-Tier Capacity and Traffic Allocation for Core, Edges, and Devices for Mobile Edge Computing

In order to satisfy the 5G requirements of ultra-low latency, mobile edge computing (MEC)-based architecture, composed of three-tier nodes, core, edges, and devices, is proposed. In MEC-based architecture, previous studies focused on the controlplane issue, i.e., how to allocate traffic to be processed at different nodes to meet this ultra-low latency requirement. Also important is how to allocate the capacity to different nodes in the management plane so as to establish a minimal-capacity network. The objectives of this paper is to solve two problems: 1) to allocate the capacity of all nodes in MEC-based architecture so as to provide a minimal-capacity network and 2) to allocate the traffic to satisfy the latency percentage constraint, i.e., at least a percentage of traffic satisfying the latency constraint. In order to achieve these objectives, a two-phase iterative optimization (TPIO) method is proposed to try to optimize capacity and traffic allocation in MEC-based architecture. TPIO iteratively uses two phases to adjust capacity and traffic allocation respectively because they are tightly coupled. In the first phase, using queuing theory calculates the optimal traffic allocation under fixed allocated capacity, while in the second phase, allocated capacity is further reduced under fixed traffic allocation to satisfy the latency percentage constraint. Simulation results show that MEC-based architecture can save about 20.7% of capacity of two-tier architecture. Further, an extra 12.2% capacity must be forfeited when the percentage of satisfying latency is 90%, compared to 50%.This work was supported in part by H2020 collaborative Europe/Taiwan research project 5G-CORAL (grant number 761586), and Ministry of Science and Technology, Taiwan for financially supporting this research under Contract No. MOST 106-2218-E-009-018

Toward Optimal Resource Allocation of Virtualized Network Functions for Hierarchical Datacenters

Telecommunications service providers (TSPs) previously provided network functions to end users with dedicated hardware, but they are resorting to virtualized infrastructure for reducing costs and increasing flexibility in resource allocation. A representative case is the Central Office Re-architected as Datacenter (CORD) project from AT&T, which aims to deploy virtualized network functions (VNFs) to over 4000 central offices (COs) across the U.S. However, there is a wide spectrum of options for deploying VNFs over the COs, varying from highly distributed to highly centralized manners. The former benefits end users with short response time but has its inherent limitation on utilizing geographically dispersed resources, while the latter allows resources to be better utilized at a cost of longer response time. In this work, we model the TSP's virtualized infrastructure as hierarchical datacenters, namely hierarchical CORD, and provide a resource allocation solution to strike the optimal balance between the two extreme options. Our evaluations reveal that in general, the 3-tier architecture incurs the least cost in case of deploying VNFs under moderate or loose delay constraints. Furthermore, the margin of improvement on the resource allocation cost increases inversely with the overall system utilization rate. Our results also suggest that as heavy request load overwhelms the network infrastructure, the relevant VNFs shall be migrated to lower-tier edge datacenters or to some nearby datacenters with superior network capacity. The evaluations also demonstrate that the proposed model allows highly adaptive VNF deployment in the hierarchical architecture under various conditions.This work was supported in part by H2020 Collaborative Europe/Taiwan Research Project 5G-CORAL under Grant 761586, and in part by the Ministry of Science and Technology, Taiwan, under Grant MOST-106-2218-E-009-018 and Grant MOST-106-2221-E-194-021-MY3

Promoter Polymorphism G-6A, which Modulates Angiotensinogen Gene Expression, Is Associated with Non-Familial Sick Sinus Syndrome

Background: It is well known that familial sick sinus syndrome (SSS) is caused by functional alterations of ion channels and gap junction. Limited information is available on the mechanism of age-related non-familial SSS. Although evidence shows a close link between arrhythmia and the renin-angiotensin system (RAS), it remains to be determined whether the RAS is involved in the pathogenesis of non-familial SSS. Methods: In this study, 113 patients with documented non-familial SSS and 125 controls were screened for angiotensinogen (AGT) and gap junction protein-connexin 40 (Cx40) promoter polymorphisms by gene sequencing, followed by an association study. A luciferase assay was used to determine the transcriptional activity of the promoter polymorphism. The interaction between nuclear factors and the promoter polymorphism was characterized by an electrophoretic mobility shift assay (EMSA). Results: Association study showed the Cx40 -44/+71 polymorphisms are not associated with non-familial SSS; however, it indicated that four polymorphic sites at positions -6, -20, -152, and -217 in the AGT promoter are linked to non-familial SSS. Compared to controls, SSS patients had a lower frequency of the G-6A AA genotype (OR 2.88, 95% CI 1.58–5.22, P = 0.001) and a higher frequency of the G allele at -6 position (OR 2.65, 95% CI 1.54–4.57, P = 0.0003). EMSA and luciferase assays confirmed that nucleotide G at position -6 modulates the binding affinity with nuclear factors and yields a lower transcriptional activity than nucleotide A (P,0.01). Conclusion: G-6A polymorphism, which modulates the transcriptional activity of the AGT promoter, may contribute to nonfamilial SSS susceptibility

Mobile Edge Computing Platform Deployment in 4G LTE Networks: A Middlebox Approach

This paper has been presented at : USENIX Workshop on Hot Topics in Edge Computing (Hot Edge '18)Low-latency demands for cellular networks have at-tracted much attention. Mobile edge computing (MEC), which deploys a cloud computing platform at the edge closer to mobile users, has been introduced as an enabler of low-latency performance in 4G and 5G networks. In this paper, we propose an MEC platform deployment so-lution in 4G LTE networks using a middlebox approach. It is standard-compliant and transparent to existing cel-lular network components, so they need not be modified. The MEC middlebox sits on the S1 interface, which con-nects an LTE base station to its core network, and does traffic filtering, manipulation and forwarding. It enables the MEC service for mobile users by hosting application servers. Such middlebox approach can save deployment cost and be easy to install. It is different from other stud-ies that require modifications on base stations or/and core networks. We have confirmed its viability through a pro-totype based on the OpenAirInterface cellular platform.We thank our shepherd Weisong Shi for his help, and also thank the anonymous reviewers for their valuable comments on improving this paper. This work was partially supported by the Ministry of Science and Technology, Taiwan, under grant numbers 106-2622-8-009-017 and 106-2218-E-009-018, and by the H2020 collaborative Europe/Taiwan research project 5G-CORAL (grant number 761586)