Behavioral detection of malware on mobile handsets Export

@inproceedings{bose:behavioral, abstract = {A novel behavioral detection framework is proposed to detect mobile worms, viruses and Trojans, instead of the signature-based solutions currently available for use in mobile devices. First, we propose an efficient representation of malware behaviors based on a key observation that the logical ordering of an application's actions over time often reveals the malicious intent even when each action alone may appear harmless. Then, we generate a database of malicious behavior signatures by studying more than 25 distinct families of mobile viruses and worms targeting the Symbian OS - the most widely-deployed handset OS - and their variants. Next, we propose a two-stage mapping technique that constructs these signatures at run-time from the monitored system events and API calls in Symbian OS. We discriminate the malicious behavior of malware from the normal behavior of applications by training a classifier based on Support Vector Machines (SVMs). Our evaluation on both simulated and real-world malware samples indicates that behavioral detection can identify current mobile viruses and worms with more than 96\% accuracy. We also find that the time and resource overheads of constructing the behavior signatures from low-level API calls are acceptably low for their deployment in mobile devices.}, address = {New York, NY, USA}, author = {Bose, Abhijit and Hu, Xin and Shin, Kang G. and Park, Taejoon}, booktitle = {MobiSys '08: Proceeding of the 6th international conference on Mobile systems, applications, and services}, citeulike-article-id = {3361281}, citeulike-linkout-0 = {http://portal.acm.org/citation.cfm?id=1378600.1378626}, citeulike-linkout-1 = {http://dx.doi.org/10.1145/1378600.1378626}, doi = {10.1145/1378600.1378626}, isbn = {978-1-60558-139-2}, keywords = {anomaly-detection, malware, mobile}, location = {Breckenridge, CO, USA}, month = {June}, pages = {225--238}, posted-at = {2009-07-15 23:04:05}, priority = {2}, publisher = {ACM}, title = {Behavioral detection of malware on mobile handsets}, url = {http://dx.doi.org/10.1145/1378600.1378626}, year = {2008} }

TY - CONF ID - bose:behavioral L3 - citeulike-article-id:3361281 N2 - A novel behavioral detection framework is proposed to detect mobile worms, viruses and Trojans, instead of the signature-based solutions currently available for use in mobile devices. First, we propose an efficient representation of malware behaviors based on a key observation that the logical ordering of an application's actions over time often reveals the malicious intent even when each action alone may appear harmless. Then, we generate a database of malicious behavior signatures by studying more than 25 distinct families of mobile viruses and worms targeting the Symbian OS - the most widely-deployed handset OS - and their variants. Next, we propose a two-stage mapping technique that constructs these signatures at run-time from the monitored system events and API calls in Symbian OS. We discriminate the malicious behavior of malware from the normal behavior of applications by training a classifier based on Support Vector Machines (SVMs). Our evaluation on both simulated and real-world malware samples indicates that behavioral detection can identify current mobile viruses and worms with more than 96% accuracy. We also find that the time and resource overheads of constructing the behavior signatures from low-level API calls are acceptably low for their deployment in mobile devices. CY - Breckenridge, CO, USA SN - 978-1-60558-139-2 AD - New York, NY, USA EP - 238 TI - Behavioral detection of malware on mobile handsets PB - ACM T2 - MobiSys '08: Proceeding of the 6th international conference on Mobile systems, applications, and services SP - 225 KW - anomaly-detection KW - malware KW - mobile AU - Bose, Abhijit AU - Hu, Xin AU - Shin, Kang AU - Park, Taejoon PY - 2008/June// UR - http://dx.doi.org/10.1145/1378600.1378626 ER -