1

VirusMeterVirusMeter: Protecting Your : Protecting Your CellphoneCellphonefrom Spiesfrom Spies

Lei Liu George Mason UniversityGeorge Mason University

Guanhuan YanLos Alamos National LabLos Alamos National Lab

Xinwen ZhangSamsung Information Systems AmericanSamsung Information Systems American

Songqing Chen George Mason UniversityGeorge Mason University

2

Outline

• VirusMeter Overview

• Design and Implementation

• Evaluation

3

Malware Threats

• 2004 Cabir spreads through Bluetooth• Over 370 different mobile malware in the

wild• Countermeasures

– Signature matching– Behavior analysis

• Challenges– Power/computation capability

4

VirusMeter Principles

• On mobile devices all behaviors mustconsume battery power

• Abnormal battery power consumption isan indicator of misbehavior

• Precise battery power monitoring candetect mobile malware

5

Our Work• Build user-centric power model

• Monitor user behaviors through statemachine, calculate power consumptionby power model

• Compare power model with actual powerconsumption

6

ArchitecturePower Model Offline

Detection

DataCollector

Log

Power Model

Online

Detection OtherApplications

APIs(CMsvSession,CTelephony…)

Comms Framework TelephoneServices

NetworkingServices

Other Services

Kernel Services and Hardware Interfaces

VirusMeter

VirusMeter

Mobile D

eviceS

erver

Application level

System

level

7

VirusMeter Workflow

State Machine

User-Centric Power Model

Realtime ModeDetector

Charging ModeDetector

Detection

Data Collector/ Symbian APIs

User events System events Battery

User operations

Detector

8

Challenges

• Accurate Power Modeling

• Precise Power Auditing

• Low Execution Overhead

9

Outline

• VirusMeter Overview

• Design and Implementation

• Experiment and Evaluation

10

Existing Battery Power Models• Linear Model

– Simplest model– Pr = Pp - ∫t=t0 t0+ td d(t)dt = Pp - I X td– d(t) draining rate

• Discharge Rate Dependent Model– Pr = C x Pp - ∫t=t0 t0+ td d(t)dt = c x Pp - I x td– C = Peff / Pmax Fraction of the effective battery capacity

maximum capacity

• Relaxation Model– Most comprehensive model– Based on relaxation effect– Over 50 parameters are involved

11

Model Considerations

• Critical parameters in above models such asdraining rate are unavailable without externaldevices– External devices would make it less deployable

• Simple model for mobile devices

• Our solution– User-centric power model

12

User-Centric Power Model

• P = f(Dcalli, SScall

i , Tmsgj, Smsg

j, SSmsgj,

Nmsgj, …. Didle

k, SSidlek),

– P: power consumption– D: duration– SS: current signal strength– T: type of text message– S: size of text message– N: network condition– i,j,k: each user operation

13

Model Variablespropertiesoperations

Calling Incoming/outgoing, duration

Messaging

Emailing

Entertainment

Document Processing

Web surfing

Idle

SMS/MMS, sending/receiving, network condition

Message size, network condition

Game, music …

Duration of operation

Message size, duration

Duration, signal strength

Environmental factors properties

Signal strength Related to a few operations, query by APIs

Network condition Not available directly

14

State Machine for Answering aPhone Call

Idle

Ring

Answer

Start c lock

End

Stop clock

Ring event

Cancel key event/Hangup event

EStatusRinging

Answer key event[0.5<delay<25]

EStatusAnswering

EStatusDisconnecting

Cancel key event/Hangup event

Call operation(Duration)

15

Constructing Power Model• Linear Regression

– Generate a mathematics function which linearlycombines all variables

– Lightweight

• Neural Network– Non-linear statistical data modeling– Can’t be presented by a mathematics function

• Decision Tree– Classification tree trained with normal samples and

malware samples

16

Model Accuracy• Symbian APIs only return battery power

segment– 100, 85, 71, 57, 42, 28, 14, and 0– Bad choice for function value in model building

• Function Transformation Didle = f’(Dcall

i, SScalli , Tmsg

j, Smsgj, SSmsg

j, Nmsgj,

…. ∆P, SSidlek)

– ∆P: constant dependent value– Didle : idle duration

17

Improving Model Accuracy

• Short-term mode– One battery segment

• Middle-term mode– One battery lifecycle: 7 segments

• Long-term mode– 4 battery lifecycles: 28 segments

18

Implementation Options• Online detection vs. offline detection

– Online: on Device, lightweight power model– Offline: on Server, more complicated power model

• System level vs. application level– System level is only accessible to manufacturers– Application level APIs are enough for data collection

• Realtime mode vs. charging mode– Realtime mode: works all the time– Charging mode: works only when device is charging

19

Module Implementation

GUI

Log

Module

StateMachine

Keyboard Module

Telephone Module

MsvSession Module

Power Module

Realtime Mode

Charging Mode

client server

Data Collection Detector

20

VirusMeter on Symbian

21

Outline

• VirusMeter Overview

• Design and Implementation

• Experiment and Evaluation

22

FlexiSPY Overview

GPRS

FlexiSPYOn victim

eavesdropsAnd call interception

FlexiSPY transferPhone activities log

To FlexiSPY web

Read SMS, email, call logsAnd location on FlexiSPY web

Eavesdropping

Call interception

Information leaking

23

Detection Rate(%) onEavesdropping

DecisionTree

NeuralNetwork

LinearRegression

Long-TermMiddle-TermShort-Term

85.1

89.3

89.8

89.9

90.9

90.2

87.1

93.0

88.9

24

Detection Rate(%) onCall Interception

DecisionTree

NeuralNetwork

LinearRegression

Long-TermMiddle-TermShort-Term

66.8

82.9

84.8

79.5

86.0

86.8

82.4

90.5

86.9

25

Detection Rate(%) onMessage Forwarding

DecisionTree

NeuralNetwork

LinearRegression

Long-TermMiddle-TermShort-Term

89.5

90.3

88.7

93.0

94.8

89.1

96.4

98.6

90.7

26

Detection Rate(%) onCabir

DecisionTree

NeuralNetwork

LinearRegression

Long-TermMiddle-TermShort-Term

84.6

88.6

86.8

89.9

93.4

87.6

92.9

93.5

88.7

27

Detection Rate(%) onMutiple Infection

DecisionTree

NeuralNetwork

LinearRegression

Long-TermMiddle-TermShort-Term

84.8

88.9

72.6

87.9

90.2

76.3

88.1

92.0

73.6

28

Detection Rate(%) onFalse Positive Rate

DecisionTree

NeuralNetwork

LinearRegression

Long-TermMiddle-TermShort-Term

22.4

10.0

15.2

14.2

5.1

15.1

10.3

4.3

14.4

29

Performance Evaluation

30

Conclusions

• General power consumption approach ispotentially suitable for various mobiledevices

• Lightweight, no external support required

• Difficult for malware to circumvent

31

Discussion• Battery power indication accuracy

– Different OS might be more accurate

• Power model accuracy– Fine-grained model for complex operation

• Charge mode vulnerability– What if malware only attack when charging

• System level implementation– More resistance to malware

32

Questions?

Thanks &