DOI: 10.1145/1741866.1741874
Research article

pBMDS: a behavior-based malware detection system for cellphone devices

Published: 22 March 2010

Abstract

Computing environments on cellphones, especially smartphones, are becoming more open and general-purpose, so they also become attractive targets of malware. Cellphone malware not only causes privacy leakage, extra charges, and depletion of battery power, but also generates malicious traffic and drains mobile network and service capacity. In this work we devise a novel behavior-based malware detection system named pBMDS, which adopts a probabilistic approach that correlates user inputs with system calls to detect anomalous activities in cellphones. pBMDS observes the unique behaviors of mobile phone applications and of their users on input- and output-constrained devices, and leverages a Hidden Markov Model (HMM) to learn application and user behaviors from two major aspects: process state transitions and user operational patterns. Built on these, pBMDS identifies behavioral differences between malware and human users. Through extensive experiments on major smartphone platforms, we show that pBMDS can be easily deployed to existing smartphone hardware and achieves high detection accuracy and low false positive rates in protecting major smartphone applications.
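The abstract describes pBMDS only at the level of its design: an HMM over process states, trained on human usage, that scores whether the system calls an application issues are consistent with the user input that should have preceded them. The Python below is an added illustration of that idea, not code from the paper or its authors. It fits a three-state HMM (idle, typing, sending) to constructed state-annotated traces of a toy SMS application by counting, scores new event sequences with the forward algorithm, and flags a sequence whose length-normalised log-likelihood falls below a threshold calibrated on the benign traces. The state and event alphabets, the traces, the smoothing constant and the margin are all assumptions made for this example; the paper's own feature set and training procedure are not reproduced here.

```python
import math
from collections import Counter, defaultdict

# Hypothetical process states and observable events for a toy SMS-sending
# application. Both alphabets are assumptions for this illustration, not the
# paper's own feature set.
STATES = ["idle", "typing", "sending"]
EVENTS = ["open", "key_press", "socket", "sendto", "write"]

# Constructed training traces: (state, event) pairs recorded while a human
# sends a message. In every benign trace, key presses precede the send.
HUMAN_TRACES = [
    [("idle", "open"), ("typing", "key_press"), ("typing", "key_press"),
     ("typing", "key_press"), ("sending", "socket"), ("sending", "sendto"),
     ("idle", "write")],
    [("idle", "open"), ("typing", "key_press"), ("typing", "key_press"),
     ("sending", "socket"), ("sending", "sendto"), ("idle", "write")],
    [("idle", "open"), ("typing", "key_press"), ("typing", "key_press"),
     ("typing", "key_press"), ("typing", "key_press"), ("sending", "socket"),
     ("sending", "sendto"), ("idle", "write")],
]


def train_hmm(traces, alpha=0.1):
    """Estimate HMM parameters (pi, A, B) from state-annotated traces by
    counting, with additive smoothing so an unseen transition or emission
    keeps a small non-zero probability instead of zeroing out a whole trace."""
    start, trans, emit = Counter(), defaultdict(Counter), defaultdict(Counter)
    for trace in traces:
        start[trace[0][0]] += 1
        for i, (state, event) in enumerate(trace):
            emit[state][event] += 1
            if i + 1 < len(trace):
                trans[state][trace[i + 1][0]] += 1
    n_s, n_e = len(STATES), len(EVENTS)
    pi = {s: (start[s] + alpha) / (len(traces) + alpha * n_s) for s in STATES}
    A = {s: {t: (trans[s][t] + alpha) / (sum(trans[s].values()) + alpha * n_s)
             for t in STATES} for s in STATES}
    B = {s: {e: (emit[s][e] + alpha) / (sum(emit[s].values()) + alpha * n_e)
             for e in EVENTS} for s in STATES}
    return pi, A, B


def _logsumexp(values):
    m = max(values)
    return m + math.log(sum(math.exp(v - m) for v in values))


def log_likelihood(model, events):
    """Forward algorithm in log space: log P(events | model), summing over
    every possible hidden-state path rather than only the best one."""
    pi, A, B = model
    if not events:
        raise ValueError("empty observation sequence")
    log_alpha = {s: math.log(pi[s]) + math.log(B[s][events[0]]) for s in STATES}
    for event in events[1:]:
        log_alpha = {
            t: _logsumexp([log_alpha[s] + math.log(A[s][t]) for s in STATES])
               + math.log(B[t][event])
            for t in STATES
        }
    return _logsumexp(list(log_alpha.values()))


def per_event_score(model, events):
    """Length-normalised log-likelihood, so short and long traces compare fairly."""
    return log_likelihood(model, events) / len(events)


def calibrate_threshold(model, traces, margin=0.3):
    """Threshold just below the worst-scoring benign training trace (margin is an assumption)."""
    scores = [per_event_score(model, [e for _, e in t]) for t in traces]
    return min(scores) - margin


def is_anomalous(model, threshold, events):
    return per_event_score(model, events) < threshold


MODEL = train_hmm(HUMAN_TRACES)
THRESHOLD = calibrate_threshold(MODEL, HUMAN_TRACES)

# Constructed test sequences, events only, as a detector observes them.
HUMAN_SMS = ["open", "key_press", "key_press", "key_press", "socket", "sendto", "write"]
# Repeated sends with no key presses at all: sends that no user input explains.
SILENT_SENDS = ["open", "socket", "sendto", "socket", "sendto", "socket", "sendto"]

if __name__ == "__main__":
    for name, trace in [("human", HUMAN_SMS), ("silent", SILENT_SENDS)]:
        print(f"{name}: score={per_event_score(MODEL, trace):.3f} "
              f"threshold={THRESHOLD:.3f} "
              f"anomalous={is_anomalous(MODEL, THRESHOLD, trace)}")
```

The discriminating signal is not any single system call (socket and sendto are perfectly normal in the sending state) but the transition structure: the benign model assigns very little probability to entering the sending state without passing through typing, and a trace of repeated sends with no key presses pays that penalty. Counting from state-annotated traces is the simplest way to fit the model; where only raw event streams are available the same parameters are estimated with Baum-Welch, which this example does not implement.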



Published In

WiSec '10: Proceedings of the third ACM conference on Wireless network security
March 2010, 186 pages
ISBN: 9781605589237
DOI: 10.1145/1741866

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

1. behavior learning
2. cellphone malware
3. system call

Qualifiers

• Research-article

Conference

WiSec '10: Third ACM Conference on Wireless Network Security
March 22-24, 2010, Hoboken, New Jersey, USA

Acceptance Rates

Overall acceptance rate: 98 of 338 submissions, 29%


Article Metrics

• Downloads (last 12 months): 14
• Downloads (last 6 weeks): 0
Reflects downloads up to 27 Jan 2025

Cited By

• (2022) Detection of malware applications from centrality measures of syscall graph. Concurrency and Computation: Practice and Experience 34:10. DOI: 10.1002/cpe.6835. Online publication date: 20-Jan-2022
• (2021) On Existence of Common Malicious System Call Codes in Android Malware Families. IEEE Transactions on Reliability 70:1 (248-260). DOI: 10.1109/TR.2020.2982537. Online publication date: Mar-2021
• (2021) Recent Advances in Android Mobile Malware Detection: A Systematic Literature Review. IEEE Access 9 (146318-146349). DOI: 10.1109/ACCESS.2021.3123187. Online publication date: 2021
• (2021) Security-centric ranking algorithm and two privacy scores to mitigate intrusive apps. Concurrency and Computation: Practice and Experience 34:14. DOI: 10.1002/cpe.6571. Online publication date: 2-Sep-2021
• (2020) DroidLight. Proceedings of the 21st International Conference on Distributed Computing and Networking (1-10). DOI: 10.1145/3369740.3369796. Online publication date: 4-Jan-2020
• (2020) DeepIntent: ImplicitIntent based Android IDS with E2E Deep Learning architecture. 2020 IEEE 31st Annual International Symposium on Personal, Indoor and Mobile Radio Communications (1-6). DOI: 10.1109/PIMRC48278.2020.9217188. Online publication date: Aug-2020
• (2020) GSDroid: Graph Signal Based Compact Feature Representation for Android Malware Detection. Expert Systems with Applications (113581). DOI: 10.1016/j.eswa.2020.113581. Online publication date: May-2020
• (2020) Malware Analysis with Machine Learning for Evaluating the Integrity of Mission Critical Devices. Intelligent Computing (224-243). DOI: 10.1007/978-3-030-52243-8_18. Online publication date: 4-Jul-2020
• (2019) Ensemble malware analysis for evaluating the integrity of mission critical devices (poster). Proceedings of the 12th Conference on Security and Privacy in Wireless and Mobile Networks (302-303). DOI: 10.1145/3317549.3326301. Online publication date: 15-May-2019
• (2019) ToR-SIM - A mobile malware analysis platform. 2019 International Conference on Speech Technology and Human-Computer Dialogue (SpeD) (1-8). DOI: 10.1109/SPED.2019.8906638. Online publication date: Oct-2019
