of Malware on Mobile Handsets
Abhijit Bose IBM TJ Watson Research
Xin Hu University of Michigan
Kang G. Shin University of Michigan
Taejoon Park Samsung Electronics
MobiSys 2008
Outline
Introduction
System Overview
Malicious Behavior Signatures
Run-time Construction of Behavior Signatures
Behavior Classification by Machine Learning
Algorithm
Limitations
Evaluation
Conclusions
Introduction
0.5-1.5% of MMS traffic in a Russian mobile network is made up of infected messages (a rate close to that of malicious email traffic)
log(timestamp, ret, obj, istatus);
Run-time Construction of Behavior Signatures
Generation of Dependency Graph
Graph Pruning and Aggregation
Behavior Classification by Machine Learning Algorithm
Use SVM as Support Vector Classification (SVC)
A key step in SVM is the mapping of the vectors x from their original input space to a higher-dimensional dot-product space
Limitations
Obfuscation?
Novel malware
Some malware may bypass the API monitoring (e.g., a rootkit)
Evaluation
Malware
Cabir, Mabir, Lasco, Commwarrior, and a generic worm
Legitimate
Bluetooth file transfer, MMS client, MakeSIS utility
905 distinct signatures for test data set
Real-world worms
Cabir has 32 variants
Cabir.H: bug fix
Cabir.AF: compression
New Cabir variants: obfuscation
Evaluation
Performance of Proxy DLL: 3%
Conclusions
Behavioral detection framework
Behavior signature
Use SVM to train a classifier from normal and malicious data