Court Filings

Computational intelligence anti-malware framework for android OS Konstantinos Demertzis & Lazaros Iliadis

Computational intelligence anti-malware framework for android OS Konstantinos Demertzis & Lazaros Iliadis
of 20
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
           1 3 Vietnam Journal of Computer Science  ISSN 2196-8888 Vietnam J Comput SciDOI 10.1007/s40595-017-0095-3 Computational intelligence anti-malwareramework for android OS Konstantinos Demertzis & LazarosIliadis           1 3 Your article is published under the CreativeCommons Attribution license which allowsusers to read, copy, distribute and makederivative works, as long as the author ofthe srcinal work is cited. You may self-archive this article on your own website, aninstitutional repository or funder’s repositoryand make it publicly available immediately.  Vietnam J Comput SciDOI 10.1007/s40595-017-0095-3 REGULAR PAPER Computational intelligence anti-malware framework for androidOS Konstantinos Demertzis 1 ·  Lazaros Iliadis 1 Received: 2 May 2016 / Accepted: 15 February 2017© The Author(s) 2017. This article is published with open access at Abstract  It is a fact that more and more users are adoptingthe online digital payment systems via mobile devices foreverydayuse.Thisattractspowerfulgangsofcybercriminals,which use sophisticated and highly intelligent types of mal-waretobroadentheirattacks.Malicioussoftwareisdesignedtorunquietlyandtoremainunsolvedforalongtime.Itman-agestotakefullcontrolofthedeviceandtocommunicate(viatheTornetwork)withitsCommand&Controlserversoffast-flux botnets’ networks to which it belongs. This is done toachievethemaliciousobjectivesofthebotmasters.Thispaperproposes the development of the computational intelligenceanti-malware framework (CIantiMF) which is innovative,ultra-fastandhaslowrequirements.Itrunsundertheandroidoperatingsystem(OS)anditsreasoningisbasedonadvancedcomputational intelligence approaches. The selection of theandroid OS was based on its popularity and on the numberof critical applications available for it. The CIantiMF usestwoadvancedtechnologyextensionsfortheARTjavavirtualmachinewhichisthedefaultintherecentversionsofandroid.The first is the smart anti-malware extension, which can rec-ognize whether the java classes of an android applicationare benign or malicious using an optimized multi-layer per-ceptron. The optimization is done by the employment of thebiogeography-based optimizer algorithm. The second is theTor online traffic identification extension, which is capableof achieving malware localization, Tor traffic identification B Konstantinos Demertziskdemertz@fmenr.duth.grLazaros 1 Lab of Forest-Environmental Informatics and ComputationalIntelligence, Democritus University of Thrace, 193Pandazidou st., 68200 N.Orestiada, Greece and botnets prohibition, with the use of the online sequentialextreme learning machine algorithm. Keywords  Android malware  ·  Firmware malware  ·  Mobilebanking malware  ·  Rootkits  ·  Ransomware  ·  Onlinesequential extreme learning machine  ·  Tor traffic analysis  · Botnets 1 Introduction 1.1 Android security model One of the most important features that distinguish theandroid OS, is the adoption of user identifiers (UIDs) whichimparts sophisticated security capabilities, compared to themodes of traditional OS. In particular, the android appli-cations run as separate processes with different UIDs anddifferent permissions each. In this way, there is no applica-tion capable to read/write data or code to another, whereasif it is necessary to make data exchange with another appli-cation, it requires the assignment of specific permission. Itshould be noted that the android uses the mandatory accesscontrol (MAC) model in all of the processes, even in thosethat run with root/superuser privileges [1]. Specifically, this modelisbasedonasecuritylabelsystem,whichisattributedto both “subjects” (e.g. applications, users) and “objects”,which are the categories that manage information, relatedto different needs. This means that they can be assigned tosections of individual information within a system. Specifictypesofsecurityclearance(classificationlabels)areassignedto the applications and to their corresponding data. In thisway, the android is based on security clearances, on the clas-sification data labels and on the system’s security policies,  1 3  Vietnam J Comput Sci to reach a decision on which subject is entitled to access anobject.The classification data labels are assigned to each type of object (file, directory, device, network). Based on the secu-rity policies, the system checks the security clearances of a“subject” (e.g. user, application) by comparing them to theclassification data labels of an “object” (e.g. data, files) towhich access is sought. Access is not approved, if securitypolicies are not met. The MAC model is called mandatory[1], because the classification of “subjects” and “objects”is performed automatically by the system, without the inter-ventionofuserswhotheoreticallycannotchangetheseratinglevels. 1.2 Android rootkits An android rootkit [2] is a set of executable scripts and configuration files, allowing the continuous access to theroot/superuser privileges. It should be mentioned that theyactively hide their presence from the system administrators.ThisisdonebytheirincorporationintobasicandroidOSfilesor other legitimate applications.Thus, they enable secret maintenance of the system’scontrol by executing commands or by stealing importantdata (e.g. credit card numbers, passwords, banking appli-cations) totally unnoticed. Typically, an attacker installs anandroidrootkitbyexploitingknownsecurityloopholes(zero-day exploit, unpatched), to obtain passwords (e.g. phishing,clickjacking), or to perform direct attack on encryption(brute-force attack, hijack attack) or through close-in attack(social engineering).The action of the rootkit, starts after the installation of the android OS, which is equivalent to simultaneous acquisi-tion root/superuser privileges and after the installation of thenecessary “Payloads”.Then the rootkit is activated and redirects the system callsto completely conceal its presence. For example, when asystem function accesses a DLL library, it is misled by therootkit, which activates its own code to overtake the controlof its files. The kernel level rootkits [2] (which are the mostdangerous) have the following capabilities:(a) To change the privileges of a process (privilege escala-tion).(b) They can create or open doors against a security gap orprogram(c) They can create a coded or encrypted communicationchannel with C & C servers (HTTPS, Tor)(d) They can “load” drivers or collect and record informa-tion from the system in which they operate through keyloggers or password sniffers (telephone number, coun-try, IMEI, model, android OS version, list of installedapps).(e) Itispossibletoperformunstructuredsupplementaryser-vice data (USSD) request [1], even to neutralize thedefenses of the system by replacing legal with false andmalicious applications (e.g. Rogue security software,fake antivirus) [3].Themalwareresponseprograms,ifnotthemselvesfake,theyperformoutascaninamodified system,wherechanges can-not be traced, since rootkits distort the files so that everysignature-based or difference-based control fails.Thus, the user cannot revoke the full administrator rightsfrom the malicious software, even if he uninstalls all appli-cations that turned his phone a pawn of unknown forces,capable of an imperceptible files interception. It should bementioned that there are cases which even require the fullcancellation of the operating system.The firmware malware [3], a special category of android rootkits,isextremelydifficulttodetectbecausethetraditionalvirus scanners will not detect firmware threats.Android rootkits ransomware encrypt data and then theydemand money to unlock the victim’s files. If the money isnot paid within the period specified by the criminals, theythreatentoholdthedecryption key, which iskept only onthehacker’s C & C server.Finally, the android rootkits are mainly mobile bankingmalware, which have been developed with the objective of financial fraud. They are conducting illegal financial trans-actions and they steal money.The memory dumps analysis method is the most seri-ous approach of treating these threats. It performs a forceddump of the operating system’s virtual memory to identifyan active rootkit. However, this technique is highly spe-cific, it requires access to private source code, it is timeconsuming and it requires specialized personnel with therespective tools (digital forensic investigation tools). More-over,itdoesnothavetheabilitytodetecteverytypeofthreat,as a hypervisor rootkit is able to monitor and to overturn thelower level of the system in an attempt to read the memory[3]. 1.3 Tor-based botnets and Tor traffic analysis The objective of Tor [4] is to conceal the user IDs and theiractivityinthenetworktopreventthemonitoringandanalysisof the traffic and to separate the detection from the routingusingvirtualcircuits,oroverlays,whichchangeperiodically.It is the implementation of onion routing [5], in which multiplelayersofencryptionareemployed,toensureperfectforward secrecy between the nodes and the hidden servicesof Tor, while launching randomly the communication viaTor nodes (consensus) operated by volunteers worldwide.Although the Tor network is operating in the Transport layerof the OSI, the onion proxy software shows customers the  1 3  Vietnam J Comput Sci secure socket interface (SOCKS) which operates in the ses-sion layer.Also, a continuous redirection of traffic requests betweenthe relays (entry guards, middle relays and exit relays), takesplaceinthisnetwork.Boththesenderandrecipientaddressesand the information are in the form of encrypted text, so thatno one at any point along the communication channel candecrypttheinformationoridentifybothendsdirectly[5].Themost famous types of malware are seeking communicationrecovery and its maintenance with the C & C remote serverson a regular basis, so that botmasters can collect or transferinformationandupgradestothecompromiseddevices(bots).This communication is usually performed using hardcodedaddress or default lists address (pool addresses) controlledby the creator of the.The mode of communication of the latest, sophisticatedmalware generations, lies in the creation of an encryptedcommunication channel, based on the chaotic architectureof Tor, to alter the traces and to distort the elements thatdefine an attack and eventually to increase the complexity of the botnets.Although modern programming techniques enable themalware creators to use thousands, alternating and differentsubnet IP address, to communicate with their C2 servers, thetraceofthoseIPsisrelativelystraightforwardforthenetworkengineers,orfortheresponsiblesecurityanalysts.Onceiden-tified, they are included in a blacklist and eventually they areblockedasspam.Ontheotherhand,thelimitationoftheTor-basedbotnetsisextremelydifficultbecausethemovementof the Tor network resembles that of the HTTPS protocol. 1.4 Tor vs HTTPS The Tor network not only performs encryption, but it is alsodesigned to simulate normal HTTPS protocol traffic, whichmakes the identification of its channels an extremely com-plex andspecialized process,even forexperienced engineersor network analyzers. Specifically, the Tor network can usethe TCP port 443, which is used by the HTTPS, so that thesupervision and interpretation of a session exclusively withthe determination of the door cannot constitute a reliablemethod.A successful method for detecting Tor traffic is the sta-tistical analysis and the identification of the secure socketslayer protocol differences (SSL) [6]. The SSL protocol usesacombinationofpublicandsymmetrickeyencryption.EachSSLconnectionalwaysstartswiththeexchangeofmessagesby the server and the client until the secure connection isestablished (handshake). The handshake allows the serverto prove its identity to the client using public-key encryp-tion techniques and then allows the client and the server tocooperate in the creation of a symmetric key to be used toquickly encrypt and decrypt data exchanged between them.Optionally, the handshake also allows the client to prove itsidentity to the server [6]. Given that each Tor client createsself-signed SSL, using a random domain name that changesaround every 30 min, a statistical analysis of the networktraffic based on the specific SSL characteristics can identifythe Tor sessions, in a network full of HTTPS traffic. 2 Innovation of the proposed method Android rootkits are the most sophisticated and highlyintelligent malware techniques that make detection of “con-tamination” and analysis of malicious code, a very complextask. It is a fact that they spread through chaotic Tor-basedbotnetsinwhichcommunicationisdoneusingtheanonymityTornetwork,whichmakesitimpossibletoidentifyandlocatethe C & C servers. In addition, the network traffic for the Torpacket is designed to simulate the respective traffic of theHTTPS protocol, which causes serious Tor traffic identifi-cation weaknesses by the motion analysis systems. Finally,given the passive mode of traditional android mobile secu-ritysystems,whichareunableinmostcasestoidentifythesetypes of major threats, the development and use of alterna-tive more radical and more substantial methods appear as anecessity.Thisworkproposesthedevelopmentandtestingof a novel computational intelligence system named CiantiMF.The system requires the minimum consumption of resourcesand it significantly enhances the security mechanisms of theandroid OS [7].Specifically, the architecture of the proposed systemis based on the hybrid use of two advanced ART JVM(ANDROID) extensions, namely the SAME and the OTTIE.The SAME uses a neural network, optimized with the BBOalgorithm and it is capable of recognizing whether the javaclassesofanandroidapplicationarebenignormalicious.TheOTTIE employs the OSELIM algorithm to perform malwarelocalization,Tortrafficidentificationandbotnetsprohibition.The CiantiMF system is a biologically inspired artifi-cial intelligence computer security technique [8–12]. Unlike otherexistingapproacheswhicharebasedonindividualpas-sive safety techniques, the CiantiMF is an integrated activesafety system. It provides intelligent surveillance mecha-nismsand classification of malware, itis able todefend itself andtoprotectfromRootkitsmalware,itdetectsandpreventsencryptedTornetworkactivitiesanditcanefficientlyexploitthe potential of the hardware, with minimal computationalcost.AmajorinnovationoftheCiantiMFapproachisrelatedtothearchitectureoftheproposedhybridcomputationalintelli-gencesystem,whichcombinesforthefirsttimetwoveryfastand highly effective biologically inspired machine learningalgorithms towards the solution of a multidimensional andcomplex IT security problem. Another novelty is the addi-  1 3
Related Search
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks