
On-device anomaly detection for resource-limited systems

Published: 13 April 2015

Abstract

As small-scale embedded systems such as smartphones rapidly evolve, mobile malware grows increasingly sophisticated and dangerous. An important attack vector targeting Android smartphones is the repackaging of legitimate applications to inject malicious activities; such repackaging can be performed before or after the applications are installed on the smartphone. To detect the behaviour deviation of applications caused by the injected malicious activities, complex anomaly detection algorithms are usually applied; however, they require a system resource budget that is beyond the capacity of these small-scale devices. This paper focuses on the usability of on-device anomaly detection algorithms and proposes a detection framework for Android-based devices. The proposed solution allows using a remote server without relying entirely on it. The experimental results allow building resource consumption profiles of the studied anomaly detection algorithms and thus provide reliable measurements that help define trade-offs between detection accuracy and resource consumption.


Published In

SAC '15: Proceedings of the 30th Annual ACM Symposium on Applied Computing
April 2015
2418 pages
ISBN:9781450331968
DOI:10.1145/2695664

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. anomaly detection
  2. limited-resources
  3. n-grams
  4. profiling

Qualifiers

  • Research-article

Conference

SAC 2015
SAC 2015: Symposium on Applied Computing
April 13 - 17, 2015
Salamanca, Spain

Acceptance Rates

SAC '15 Paper Acceptance Rate 291 of 1,211 submissions, 24%;
Overall Acceptance Rate 1,650 of 6,669 submissions, 25%

Article Metrics

  • Downloads (Last 12 months): 13
  • Downloads (Last 6 weeks): 0

Reflects downloads up to 01 Feb 2025

Cited By

  • (2024) Distributed digital twins for health monitoring: resource constrained aero-engine fleet management. The Aeronautical Journal (1-20). DOI: 10.1017/aer.2024.23. Online publication date: 15-Apr-2024
  • (2023) Device Fingerprinting for Cyber-Physical Systems: A Survey. ACM Computing Surveys 55:14s (1-41). DOI: 10.1145/3584944. Online publication date: 21-Feb-2023
  • (2021) A Contextual and Content Features-Based Device Behavioral Fingerprinting Method in Smart Grid. 2021 IEEE 23rd Int Conf on High Performance Computing & Communications; 7th Int Conf on Data Science & Systems; 19th Int Conf on Smart City; 7th Int Conf on Dependability in Sensor, Cloud & Big Data Systems & Application (HPCC/DSS/SmartCity/DependSys) (415-422). DOI: 10.1109/HPCC-DSS-SmartCity-DependSys53884.2021.00079. Online publication date: Dec-2021
  • (2021) A Survey on Device Behavior Fingerprinting: Data Sources, Techniques, Application Scenarios, and Datasets. IEEE Communications Surveys & Tutorials 23:2 (1048-1077). DOI: 10.1109/COMST.2021.3064259. Online publication date: Oct-2022
  • (2017) HyDroid: A Hybrid Approach for Generating API Call Traces from Obfuscated Android Applications for Mobile Security. 2017 IEEE International Conference on Software Quality, Reliability and Security (QRS) (168-175). DOI: 10.1109/QRS.2017.27. Online publication date: Jul-2017
  • (2016) A Cost-Effective and Scalable Merge Sorter Tree on FPGAs. 2016 Fourth International Symposium on Computing and Networking (CANDAR) (47-56). DOI: 10.1109/CANDAR.2016.0023. Online publication date: Nov-2016
