1
VirusMeter: Protecting Your Cellphone from Spies
Lei Liu, George Mason University
Guanhuan Yan, Los Alamos National Lab
Xinwen Zhang, Samsung Information Systems America
Songqing Chen, George Mason University
2
Outline
• VirusMeter Overview
• Design and Implementation
• Evaluation
3
Malware Threats
• 2004: Cabir spreads through Bluetooth
• Over 370 different mobile malware in the wild
• Countermeasures
– Signature matching
– Behavior analysis
• Challenges
– Power/computation capability
4
VirusMeter Principles
• On mobile devices all behaviors must consume battery power
• Abnormal battery power consumption is an indicator of misbehavior
• Precise battery power monitoring can detect mobile malware
5
Our Work
• Build a user-centric power model
• Monitor user behaviors through a state machine, calculate power consumption by the power model
• Compare the power model's prediction with actual power consumption
6
Architecture
(figure) Application level: VirusMeter's Data Collector writes a Log that feeds Online Detection on the mobile device (using the Power Model) and, on the Server, Offline Detection that builds the Power Model; other applications run alongside. System level: APIs (CMsvSession, CTelephony, …), Comms Framework, Telephone Services, Networking Services, Other Services, Kernel Services and Hardware Interfaces.
7
VirusMeter Workflow
(figure) The Data Collector, through Symbian APIs, gathers user events, system events and battery readings; user operations are tracked by the State Machine and passed to the User-Centric Power Model; the Detector runs as either a Realtime Mode Detector or a Charging Mode Detector.
8
Challenges
• Accurate Power Modeling
• Precise Power Auditing
• Low Execution Overhead
9
Outline
• VirusMeter Overview
• Design and Implementation
• Experiment and Evaluation
10
Existing Battery Power Models
• Linear Model
– Simplest model
– $P_r = P_p - \int_{t_0}^{t_0+t_d} d(t)\,dt = P_p - I \times t_d$
– $d(t)$: draining rate
• Discharge Rate Dependent Model
– $P_r = C \times P_p - \int_{t_0}^{t_0+t_d} d(t)\,dt = C \times P_p - I \times t_d$
– $C = P_{eff} / P_{max}$: fraction of the effective battery capacity over the maximum capacity
• Relaxation Model
– Most comprehensive model
– Based on the relaxation effect
– Over 50 parameters are involved
11
Model Considerations
• Critical parameters in the above models, such as draining rate, are unavailable without external devices
– External devices would make it less deployable
• Simple model for mobile devices
• Our solution
– User-centric power model
12
User-Centric Power Model
• $P = f(D^{call}_i, SS^{call}_i, T^{msg}_j, S^{msg}_j, SS^{msg}_j, N^{msg}_j, \ldots, D^{idle}_k, SS^{idle}_k)$
– P: power consumption
– D: duration
– SS: current signal strength
– T: type of text message
– S: size of text message
– N: network condition
– i, j, k: each user operation
13
Model Variables
Operations and their properties:
– Calling: incoming/outgoing, duration
– Messaging: SMS/MMS, sending/receiving, network condition
– Emailing: message size, network condition
– Entertainment: game, music …
– Document Processing: duration of operation
– Web surfing: message size, duration
– Idle: duration, signal strength
Environmental factors and their properties:
– Signal strength: related to a few operations, queried by APIs
– Network condition: not available directly
14
State Machine for Answering a Phone Call
(figure, state diagram)
• Idle → Ring: ring event (EStatusRinging)
• Ring → Idle: cancel key event / hangup event
• Ring → Answer: answer key event, guard [0.5 < delay < 25] (EStatusAnswering); start clock
• Answer → End: cancel key event / hangup event (EStatusDisconnecting); stop clock
• Output: call operation (duration)
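The state diagram above as runnable code, added here as an illustration and not part of the VirusMeter slides or implementation: the event names and the 0.5 to 25 second answer guard come from the slide, while the (event, timestamp) input format and a seconds-based clock are assumptions.

```python
# Added example (not the authors' code): the "answering a phone call" state
# machine from the slide.  Event names and the guard follow the slide; the
# (event, timestamp-in-seconds) tuple format is an assumption.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IDLE, RING, ANSWER = "Idle", "Ring", "Answer"

@dataclass
class CallStateMachine:
    state: str = IDLE
    ring_at: Optional[float] = None        # time of the Ring event
    clock_start: Optional[float] = None    # clock started on Answer
    operations: List[float] = field(default_factory=list)  # call durations (s)

    def feed(self, event: str, t: float) -> str:
        """Consume one event at time t (seconds); return the new state."""
        if self.state == IDLE and event == "Ring":              # EStatusRinging
            self.state, self.ring_at = RING, t
        elif self.state == RING and event == "AnswerKey":
            # Guard from the slide: only a key press 0.5 s..25 s after the
            # ring counts as the user answering; anything else is ignored.
            if 0.5 < t - self.ring_at < 25:                     # EStatusAnswering
                self.state, self.clock_start = ANSWER, t        # start clock
        elif self.state == RING and event in ("CancelKey", "Hangup"):
            self.state, self.ring_at = IDLE, None               # missed call
        elif self.state == ANSWER and event in ("CancelKey", "Hangup"):
            self.operations.append(t - self.clock_start)        # stop clock, EStatusDisconnecting
            self.state, self.clock_start = IDLE, None
        return self.state

def call_durations(events: List[Tuple[str, float]]) -> List[float]:
    """Run a trace through the machine and return the call operations (durations)."""
    sm = CallStateMachine()
    for name, t in events:
        sm.feed(name, t)
    return sm.operations

# Constructed event trace: one answered call of 30 s, one answer key pressed
# too soon after the ring (ignored, call missed), then a cancelled call.
SAMPLE_EVENTS = [
    ("Ring", 0.0), ("AnswerKey", 2.0), ("Hangup", 32.0),
    ("Ring", 100.0), ("AnswerKey", 100.2), ("Hangup", 105.0),
    ("Ring", 200.0), ("CancelKey", 210.0),
]
```

Only the first call yields a call operation; the machine reports its 30 s duration to the power model.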
15
Constructing the Power Model
• Linear Regression
– Generates a mathematical function that linearly combines all variables
– Lightweight
• Neural Network
– Non-linear statistical data modeling
– Cannot be presented as a mathematical function
• Decision Tree
– Classification tree trained with normal samples and malware samples
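To show how slides 12, 13 and 15 fit together, an added example (not the authors' code): a user-centric power model fitted by linear regression on constructed per-window observations, then used as in slide 5 to compare predicted with measured consumption. The variables are a subset of slide 13's; the coefficients, sample rows and 15% tolerance are assumptions.

```python
# Added example, not from the VirusMeter slides.  Each observation window is
# [1.0, call_s, call_signal, msg_kb, idle_s]: a leading 1.0 for the intercept,
# then slide-13 variables (call duration, signal strength, message size, idle
# duration).  The target is the measured power drop for the window.
from typing import List, Sequence

def fit_linear(X: List[Sequence[float]], y: List[float]) -> List[float]:
    """Ordinary least squares: solve the normal equations (X'X) w = X'y
    by Gauss-Jordan elimination with partial pivoting (pure Python)."""
    n = len(X[0])
    A = [[sum(r[i] * r[j] for r in X) for j in range(n)]
         + [sum(r[i] * t for r, t in zip(X, y))] for i in range(n)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(A[r][c]))   # pivot row
        A[c], A[p] = A[p], A[c]
        for r in range(n):
            if r != c:
                f = A[r][c] / A[c][c]
                A[r] = [a - f * b for a, b in zip(A[r], A[c])]
    return [A[i][n] / A[i][i] for i in range(n)]

def predict(w: List[float], row: Sequence[float]) -> float:
    """Power the model expects the user's operations in this window to cost."""
    return sum(wi * xi for wi, xi in zip(w, row))

def is_abnormal(w: List[float], row: Sequence[float], measured: float,
                tolerance: float = 0.15) -> bool:
    """Slide-5 check: measured consumption well above the prediction is the
    indicator of hidden activity.  The relative tolerance is an assumption."""
    return measured > predict(w, row) * (1.0 + tolerance)

# Constructed training data: hidden "true" coefficients generate clean power
# readings, so the fitted model should recover them (and the 15% tolerance
# then leaves headroom for the measurement noise a real phone would add).
TRUE_W = [0.2, 0.010, -0.05, 0.03, 0.0005]   # intercept, call_s, signal, msg_kb, idle_s
TRAIN_X = [
    [1.0, 60.0, 5.0, 2.0, 600.0],
    [1.0, 120.0, 3.0, 0.0, 300.0],
    [1.0, 0.0, 4.0, 10.0, 1200.0],
    [1.0, 30.0, 2.0, 5.0, 900.0],
    [1.0, 200.0, 5.0, 1.0, 100.0],
    [1.0, 10.0, 1.0, 0.0, 1500.0],
]
TRAIN_Y = [predict(TRUE_W, r) for r in TRAIN_X]

def train() -> List[float]:
    """Fit the user-centric power model on the constructed windows."""
    return fit_linear(TRAIN_X, TRAIN_Y)
```

A window with the same user operations as the first training row but a measured drop of 1.40 instead of the predicted 0.91 is flagged; 0.95 is within tolerance and is not.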
16
Model Accuracy
• Symbian APIs only return the battery power segment
– 100, 85, 71, 57, 42, 28, 14, and 0
– A bad choice for the function value in model building
• Function transformation: $D^{idle} = f'(D^{call}_i, SS^{call}_i, T^{msg}_j, S^{msg}_j, SS^{msg}_j, N^{msg}_j, \ldots, \Delta P, SS^{idle}_k)$
– ΔP: the dependent value, now held constant
– $D^{idle}$: idle duration
17
Improving Model Accuracy
• Short-term mode
– One battery segment
• Middle-term mode
– One battery lifecycle: 7 segments
• Long-term mode
– 4 battery lifecycles: 28 segments
18
Implementation Options
• Online detection vs. offline detection
– Online: on the device, lightweight power model
– Offline: on a server, more complicated power model
• System level vs. application level
– System level is only accessible to manufacturers
– Application level APIs are enough for data collection
• Realtime mode vs. charging mode
– Realtime mode: works all the time
– Charging mode: works only when the device is charging
19
Module Implementation
(figure) Data Collection: GUI, Log Module, State Machine, Keyboard Module, Telephone Module, MsvSession Module, Power Module. Detector: Realtime Mode and Charging Mode, split between client and server.
20
VirusMeter on Symbian
21
Outline
• VirusMeter Overview
• Design and Implementation
• Experiment and Evaluation
22
FlexiSPY Overview
(figure) FlexiSPY on the victim phone eavesdrops and intercepts calls; it transfers the phone activity log over GPRS to the FlexiSPY web site, where SMS, email, call logs and location can be read.
• Eavesdropping
• Call interception
• Information leaking
23
Detection Rate (%) on Eavesdropping
(bar chart; models: Decision Tree, Neural Network, Linear Regression; modes: Long-Term, Middle-Term, Short-Term; bar values as extracted: 85.1, 89.3, 89.8, 89.9, 90.9, 90.2, 87.1, 93.0, 88.9)
24
Detection Rate (%) on Call Interception
(bar chart; models: Decision Tree, Neural Network, Linear Regression; modes: Long-Term, Middle-Term, Short-Term; bar values as extracted: 66.8, 82.9, 84.8, 79.5, 86.0, 86.8, 82.4, 90.5, 86.9)
25
Detection Rate (%) on Message Forwarding
(bar chart; models: Decision Tree, Neural Network, Linear Regression; modes: Long-Term, Middle-Term, Short-Term; bar values as extracted: 89.5, 90.3, 88.7, 93.0, 94.8, 89.1, 96.4, 98.6, 90.7)
26
Detection Rate (%) on Cabir
(bar chart; models: Decision Tree, Neural Network, Linear Regression; modes: Long-Term, Middle-Term, Short-Term; bar values as extracted: 84.6, 88.6, 86.8, 89.9, 93.4, 87.6, 92.9, 93.5, 88.7)
27
Detection Rate (%) on Multiple Infection
(bar chart; models: Decision Tree, Neural Network, Linear Regression; modes: Long-Term, Middle-Term, Short-Term; bar values as extracted: 84.8, 88.9, 72.6, 87.9, 90.2, 76.3, 88.1, 92.0, 73.6)
28
False Positive Rate (%)
(bar chart; models: Decision Tree, Neural Network, Linear Regression; modes: Long-Term, Middle-Term, Short-Term; bar values as extracted: 22.4, 10.0, 15.2, 14.2, 5.1, 15.1, 10.3, 4.3, 14.4)
29
Performance Evaluation
30
Conclusions
• A general power consumption approach is potentially suitable for various mobile devices
• Lightweight, no external support required
• Difficult for malware to circumvent
31
Discussion
• Battery power indication accuracy
– A different OS might be more accurate
• Power model accuracy
– Fine-grained model for complex operations
• Charging mode vulnerability
– What if malware only attacks when charging?
• System level implementation
– More resistant to malware
32
Thanks & Questions?