
Behavioral Detection of Malware on Mobile Handsets
Abhijit Bose (IBM TJ Watson Research), Xin Hu (University of Michigan), Kang G. Shin (University of Michigan), Taejoon Park (Samsung Electronics)
MobiSys 2008
Outline
• Introduction
• System Overview
• Malicious Behavior Signatures
• Run-time Construction of Behavior Signatures
• Behavior Classification by Machine Learning Algorithm
• Limitations
• Evaluation
• Conclusions
Introduction
• 0.5-1.5% of MMS traffic in a Russian mobile network consists of infected messages, a proportion comparable to that of malicious email traffic
• By the end of 2006, the number of known mobile malware families and the number of their variants had increased by 69% and 75%, respectively
Introduction
• Payload signature-based detection isn't suitable for mobile devices
  - Limited resources (power, CPU, memory)
  - Crossover worms, obfuscation, polymorphism
System Overview
Malicious Behavior Signatures
• Temporal logic operators
  - ⊙_t : true at time t
  - ♦_t : true at some instant before t
  - □_t : true at all instants before t
  - ♦_t^k : true at some instant in the interval [t − k, t]
Malicious Behavior Signatures
• Example: Commwarrior worm
  - Target: Symbian S60
  - Spreads via Bluetooth and MMS
Malicious Behavior Signatures
• Atomic propositional variables
  - ReceiveFile(f, mode, type)
  - InstallApp(f, files, dir)
  - LaunchProcess(p, parent)
  - MakeSIS(f, files)
  - BTFindDevice(d)
  - OBEXSendFile(f, d)
  - MMSFindAddress(a)
  - MMSSendMessage(f, a)
  - SetDevice(act, <condition>)
  - VerifyDayofMonth(date, <mm:dd>)
Malicious Behavior Signatures
• Signature (Commwarrior):
  - ⊙_t(bt-transfer) = ♦_t(BTFindDevice(d)) ∧ ⊙_t(OBEXSendFile(f, d))
  - ⊙_t(mms-transfer) = ♦_t(MMSFindAddress(a)) ∧ ⊙_t(MMSSendMessage(f, a))
  - ⊙_t(init-worm) = ⊙_t(ReceiveFile(mode = Bluetooth)) ∨ ⊙_t(ReceiveFile(mode = MMS))
  - ⊙_t(activate-worm) = ♦_t(init-worm) ∧ (⊙_t(InstallApp) ∧ ⊙_t(LaunchProcess))
  - ⊙_t(run-worm-1) = ♦_t(activate-worm) ∧ (⊙_t(MakeSIS) ∧ ⊙_t(VerifyDayofMonth) ∧ ⊙_t(SetDevice))
  - ⊙_t(run-worm-2) = ♦_t(activate-worm) ∧ (⊙_t(MakeSIS) ∧ ♦_{10:00}^{00:00}(bt-transfer))
  - ⊙_t(run-worm-3) = ♦_t(activate-worm) ∧ (⊙_t(MakeSIS) ∧ ♦_{0:00}^{6:59}(mms-transfer))
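As an added illustration (not code from the paper or the slides), a minimal evaluator for these temporal-logic signatures over a constructed API trace of the kind the proxy DLL would log, checking mms-transfer and run-worm-3. It assumes minute-granularity timestamps, that ⊙_t is evaluated at logged instants only, and that the clock-interval ♦ means "held at some logged instant inside the window"; Event, hhmm, the trace contents and the file/contact names are all constructed.

```python
from typing import NamedTuple

class Event(NamedTuple):
    t: int      # minutes since midnight; the constructed traces cover one day
    name: str   # monitored API call, e.g. "ReceiveFile"
    args: dict  # call arguments as logged by the proxy DLL

def hhmm(s):
    h, m = s.split(":")
    return int(h) * 60 + int(m)

def holds_at(trace, t, name, **match):
    """⊙_t(P) for an atomic proposition P: the call is logged at instant t."""
    return any(e.t == t and e.name == name
               and all(e.args.get(k) == v for k, v in match.items()) for e in trace)
def sometime_before(trace, t, pred):
    """♦_t(P): P held at some logged instant strictly before t."""
    return any(pred(trace, s) for s in {e.t for e in trace} if s < t)
def within_window(trace, lo, hi, pred):
    """♦ over the clock interval [lo, hi]: P held at some logged instant in it."""
    return any(pred(trace, s) for s in {e.t for e in trace} if lo <= s <= hi)

def mms_transfer(trace, t):  # ♦_t(MMSFindAddress(a)) ∧ ⊙_t(MMSSendMessage(f,a)), same a
    return any(holds_at(trace, t, "MMSSendMessage", a=e.args["a"])
               for e in trace if e.name == "MMSFindAddress" and e.t < t)
def init_worm(trace, t):
    return (holds_at(trace, t, "ReceiveFile", mode="Bluetooth")
            or holds_at(trace, t, "ReceiveFile", mode="MMS"))
def activate_worm(trace, t):
    return (sometime_before(trace, t, init_worm)
            and holds_at(trace, t, "InstallApp") and holds_at(trace, t, "LaunchProcess"))
def run_worm_3(trace, t):    # MMS propagation only inside the 0:00-6:59 window
    return (sometime_before(trace, t, activate_worm) and holds_at(trace, t, "MakeSIS")
            and within_window(trace, hhmm("0:00"), hhmm("6:59"), mms_transfer))

def matches(trace, sig):
    """Instants at which the signature fires; a non-empty list flags the trace."""
    return [t for t in sorted({e.t for e in trace}) if sig(trace, t)]

WORM_TRACE = [  # constructed Commwarrior-like sequence as the proxy DLL would log it
    Event(hhmm("01:10"), "ReceiveFile", {"f": "w.sis", "mode": "Bluetooth"}),
    Event(hhmm("01:11"), "InstallApp", {"f": "w.sis"}),
    Event(hhmm("01:11"), "LaunchProcess", {"p": "w", "parent": "installer"}),
    Event(hhmm("02:30"), "MMSFindAddress", {"a": "contact-1"}),
    Event(hhmm("02:31"), "MMSSendMessage", {"f": "w.sis", "a": "contact-1"}),
    Event(hhmm("02:31"), "MakeSIS", {"f": "w.sis"})]
BENIGN_TRACE = [  # constructed: the user's MMS client sends a photo at noon
    Event(hhmm("12:00"), "MMSFindAddress", {"a": "contact-2"}),
    Event(hhmm("12:01"), "MMSSendMessage", {"f": "photo.jpg", "a": "contact-2"})]
```

mms-transfer alone fires on the benign trace too; only the composed run-worm-3 (install, launch, MakeSIS and the night-time window) separates the worm from the MMS client.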
Malicious Behavior Signatures
• Generalized behavior signatures
  - User data integrity
  - System data integrity
  - Trojan-like actions
Run-time Construction of Behavior Signatures
• Proxy DLL technique: each monitored API call is logged as
  log(timestamp, ret, obj, istatus);
Run-time Construction of Behavior Signatures
• Generation of dependency graph
• Graph pruning and aggregation
Behavior Classification by Machine Learning Algorithm
• Use SVM as Support Vector Classification (SVC)
• A key step in SVM is mapping the vectors x from their original input space into a higher-dimensional dot-product space
Limitations
• Obfuscation?
• Novel malware
• Some malware may bypass the API monitoring
  - e.g. a rootkit
Evaluation
• Malware
  - Cabir, Mabir, Lasco, Commwarrior, and a generic worm
• Legitimate
  - Bluetooth file transfer, MMS client, MakeSIS utility
• 905 distinct signatures in the test data set
Evaluation
• Real-world worms
  - Cabir has 32 variants
  - Cabir.H: bug fix
  - Cabir.AF: compression
  - New Cabir: obfuscation
Evaluation
• Performance of proxy DLL
  - 3% overhead
Conclusions
• Behavioral detection framework
• Behavior signatures
• Use SVM to train a classifier from normal and malicious data