A Behavior-based Mobile Malware Detection Model in ... - IEEE Xplore

A Behavior-based Mobile Malware Detection Model in Software-Defined Networking

Tri-Hai Nguyen
Department of ICMC Convergence Technology, Soongsil University, Seoul, Republic of Korea
[email protected]

Myungsik Yoo
Department of ICMC Convergence Technology, Soongsil University, Seoul, Republic of Korea
[email protected]

Abstract—In recent years, the number of mobile devices has been increasing rapidly. Meanwhile, the amount of malicious software is rising almost exponentially, alongside the diversity and complexity of malware. The flexibility of Software-Defined Networking (SDN) provides an opportunity to develop a malware detection model in a more efficient and flexible manner. In this paper, we propose a network behavior-based malware detection system for mobile devices in SDN, which is composed of three algorithms: IP Blacklist, Connection Success Ratio and Connection Rate. The experiment demonstrates that the proposed system is feasible and effective.

Index Terms—Software-Defined Networking, mobile malware, malware detection

I. INTRODUCTION

Mobile devices have become an open platform for executing various applications. Because of the rapid growth of the smartphone industry and the rapid advance of mobile communication technologies, more and more clients use mobile devices to access the Internet and use various services. Mobile applications play an important role in the success of the future mobile ecosystem. However, mobile devices normally store private user data such as pictures, messages, and personal credentials. Therefore, they are becoming the target of choice for cyber criminals.

There are two kinds of detection methods against malware. Firstly, the static signature-based method is usually used by security software developers; however, it cannot effectively detect variants, complicated techniques, or previously unknown malware [1]. Secondly, the dynamic behavior-based method monitors system calls, access to sensitive data, and so on, and distinguishes between normal and abnormal behavior in order to identify malware; however, real-time analysis of application behavior is too resource-consuming to be deployed on mobile devices [2], [3].

With recent advancements in Software-Defined Networking (SDN) [4] and its rapid acceptance in the computer network community, many researchers have been actively involved in developing SDN-based network security solutions. In SDN, as the control and data planes are decoupled, the network can be managed in a logically centralized way and traffic control rules can be imposed in real time. Therefore, it provides a unique opportunity to protect networks in a more efficient and flexible way.

978-1-5386-2168-4/17/$31.00 ©2017 IEEE

In this paper, a behavior-based mobile malware detection model in SDN is proposed. The system runs on a controller and can detect infected devices in real time using only a small number of the devices' connection requests. The system does not need to parse the content of data packets; thus, it protects users' privacy and also makes detection more efficient.

The rest of the paper is organized as follows. Section II briefly overviews SDN. Section III introduces the approach for mobile malware detection. Section IV evaluates the feasibility and performance of the proposed detection method. Finally, the conclusion is presented in Section V.

II. SOFTWARE-DEFINED NETWORKING

Software-Defined Networking (SDN) [4] simplifies network management by decoupling the control plane from the data plane. With this separation of control plane and data plane, network switches become simple forwarding devices, while control logic and functionality are implemented in a logically centralized controller.

Fig. 1. An overview of SDN architecture.

Figure 1 shows the overall architecture of SDN. The SDN controller in the control plane interacts directly with the data plane through a communication mechanism enabled by a southbound interface; the OpenFlow protocol [5] is the first and most widely adopted such protocol in SDN. The controller pushes packet-handling rules into the flow tables of OpenFlow switches. A rule matches incoming traffic and performs certain actions on it, such as forwarding, dropping, or modifying. The OpenFlow switch takes these actions based on the rules installed by the application plane, which is a set of applications such as routing, firewall, load balancing, etc. The application plane communicates with the control plane through a northbound interface.

III. PROPOSED MALWARE DETECTION MODEL

Based on the flexibility of the SDN architecture and the behavior of malware in the network [2], we propose a model that can identify mobile malware through real-time traffic analysis. Figure 2 illustrates how the proposed malware detection method is deployed in SDN. In SDN, a new connection request from or to a device needs to be sent to the controller for processing. Therefore, the entire network behavior can be managed and controlled by the controller. In the proposed model, once the controller receives a new connection request, it passes the request sequentially to three algorithms, IP Blacklist, Connection Success Ratio and Connection Rate, to determine whether the connection request is a malware action or not.

Fig. 2. Mobile Malware Detection model in SDN.

A. IP Blacklist

An IP Blacklist is a list that contains malicious IP addresses, which can be obtained from public resources [6], [7] or from historical data. An IP Blacklist-based malware detection mechanism can be easily implemented in SDN. In particular, the controller maintains an IP Blacklist and checks the list whenever a new connection request is received. The controller immediately drops any connection request that contains an IP address on the blacklist.

B. Connection Success Ratio

The Connection Success Ratio technique takes into account that the probability of a successful connection is much higher for a normal device than for a malicious device. Whenever the likelihood ratio for a mobile device exceeds a certain threshold, it is declared infected. In the controller, for each host, the algorithm maintains a list of new connection requests that have not yet received a response. If any of these connections times out or receives a reset flag, the algorithm increases the likelihood ratio that the device has been infected. Once the response to a connection request is received, the corresponding pending connection is removed from the list, and the controller then processes the connection request. If the number of pending connection requests for a device is higher than a predefined threshold X, the controller considers the device infected and blocks the traffic from this device for a period of time.

C. Connection Rate

The Connection Rate algorithm assumes that the number of connection attempts from a compromised mobile device to a server or to other devices is much higher than that of normal devices. In general, an infected device attempts to connect to many different devices in a short period of time. On the other hand, an uninfected device makes connections at a lower rate and is more likely to repeat connection attempts to recently accessed devices. The Connection Rate algorithm uses a threshold to limit the number of new connection attempts within a certain time span. To implement the algorithm in SDN, the controller maintains a list of Recently Accessed Devices (RAD) for each mobile device and checks the list whenever a new connection request is received. If the destination of a new connection request is in the RAD list, the connection is accepted. Otherwise, the connection request is put into a waiting queue and processed at a predefined rate of R requests per second. However, if the length of the waiting queue of a device exceeds a predefined threshold Y, the device is considered infected and is then blocked by the controller for a period of time.

It is noted that the above algorithms only require a small number of packets related to connection requests; therefore, the additional overhead on the controller is quite small. Furthermore, the algorithms run on the controller, so the mobile devices incur no additional computing cost and user privacy is unaffected. Finally, the algorithms are independent of each other, so the model is flexible.

IV. EVALUATION

In this section, the implementation of the proposed mobile malware detection model is presented and then evaluated on an SDN simulator.

A. Feasibility

The proposed model is implemented as a module in the Floodlight v1.2 controller [8]. The details of the implementation are as follows.

• IP Blacklist: The blacklist is obtained from the Malware Domain Blocklist of [6].
• Connection Success Ratio: The threshold X is set to 30.
• Connection Rate: The threshold Y is set to 30 and the processing rate R is set to one request per second.

The experiment is conducted in Mininet 2.2.1 [9], which is a widely used emulation tool for SDN. The topology used in the experiments is shown in Figure 3. A few hosts run scripts that simulate malware behaviors.

Fig. 3. A topology of the experiment in Mininet.

It is observed that a host is disconnected from the network when it tries to connect to IP addresses on the blacklist. Also, the controller raises a warning notification and disconnects a host once the number of new connection requests from the host exceeds the threshold X = 30 of the Connection Success Ratio algorithm, or the length of the host's connection request queue exceeds the threshold Y = 30 of the Connection Rate algorithm. It is noted that the parameters of the algorithms can be further optimized based on real traffic characteristics. The experiments confirm the feasibility of the proposed model for mobile malware detection in SDN.

B. Efficiency

To evaluate the efficiency of the proposed model, we measure and compare the packet processing delay (packet latency) of the Floodlight controller with and without the detection algorithms activated. To measure packet latency, we use Cbench [10], which sends packets to the controller and measures how long it takes for a response to come back from the controller. The Floodlight controller runs on a virtual PC with a CPU E3-1230 V2 3.30GHz and 2GB RAM. The testing command is "./cbench -c localhost -p 6653 -m 10000 -l 10 -s 16 -M 1000", which means Cbench simulates 16 switches, packets are sent from 1000 unique source MACs per switch for 10 s, and the test is repeated 10 times. The average latency results are shown in Table I. The Floodlight controller without any detection algorithm enabled achieves 13767.02 responses/s on average, or an average latency of 72.64 μs (baseline case). When the detection algorithms are activated one at a time, the average latency rises by less than 3% even in the worst case compared to the baseline case. In the case of all algorithms enabled, the average latency is still barely influenced: the latency caused by the whole model is approximately 4% higher than that of the baseline case.

TABLE I. AVERAGE LATENCY RESULTS

Algorithm                   Average latency (μs)
Baseline                    72.64
IP Blacklist                73.76 (+1.54%)
Connection Success Ratio    74.42 (+2.45%)
Connection Rate             74.80 (+2.97%)
All algorithms activated    75.49 (+3.92%)

The packet processing delay caused by the additional algorithms also depends on the performance of the controller. However, the average latency results show that the proposed model does not add significantly to the packet processing delay or packet latency. Therefore, the proposed model is efficient.
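As an added example (not part of the paper and not the authors' Floodlight module), the following Python simulation implements the three controller-side checks of Section III in the order the model applies them, using the Section IV parameters X = 30, Y = 30 and R = 1 request/s, and runs them over constructed traffic from four hosts. The event format, the `Detector` and `HostState` names, the 5 s request timeout, the 60 s block duration, and the choice to count both still-unanswered and failed (timed-out or reset) requests against X are assumptions, since the paper does not specify them.

```python
"""Simulation of the controller-side checks described in Section III:
IP Blacklist, Connection Success Ratio and Connection Rate.
Added example, not the paper's Floodlight module.  Event format, class names,
timeout and block duration are assumptions; X, Y and R follow Section IV."""
from collections import deque
from dataclasses import dataclass, field

SYN_TIMEOUT = 5.0     # assumed: an unanswered request counts as failed after 5 s
BLOCK_SECONDS = 60.0  # assumed length of the "period of time" a device is blocked


@dataclass
class HostState:
    """Per-device state kept by the controller."""
    pending: dict = field(default_factory=dict)   # dst -> time the request was released
    failed: int = 0                               # timed-out or reset connections
    rad: set = field(default_factory=set)         # Recently Accessed Devices
    queue: deque = field(default_factory=deque)   # new destinations waiting for release
    last_drain: float = 0.0
    blocked_until: float = 0.0


class Detector:
    def __init__(self, blacklist, x=30, y=30, r=1.0):
        self.blacklist = set(blacklist)
        self.x, self.y, self.r = x, y, r          # thresholds X, Y and rate R (req/s)
        self.hosts = {}

    def _state(self, src):
        return self.hosts.setdefault(src, HostState())

    def _block(self, st, t):
        """Block the device for a period of time and forget its tracked requests."""
        st.blocked_until = t + BLOCK_SECONDS
        st.pending.clear()
        st.queue.clear()
        st.failed = 0

    def _release(self, st, dst, t):
        """Forward a request and track it until a response arrives."""
        st.pending[dst] = t

    def tick(self, src, t):
        """Release queued requests at R per second and expire unanswered ones."""
        st = self._state(src)
        allowed = int((t - st.last_drain) * self.r)
        if allowed > 0:
            for _ in range(min(allowed, len(st.queue))):
                self._release(st, st.queue.popleft(), t)
            st.last_drain = t
        for dst, t0 in list(st.pending.items()):
            if t - t0 > SYN_TIMEOUT:
                del st.pending[dst]
                st.failed += 1

    def on_request(self, t, src, dst):
        """Controller decision for a new connection request at time t."""
        st = self._state(src)
        if t < st.blocked_until:
            return "blocked"
        if dst in self.blacklist:                       # A. IP Blacklist
            return "drop-blacklist"
        self.tick(src, t)
        if len(st.pending) + st.failed > self.x:        # B. Connection Success Ratio
            self._block(st, t)
            return "block-csr"
        if dst in st.rad:                               # C. Connection Rate
            self._release(st, dst, t)
            return "forward"
        st.queue.append(dst)
        if len(st.queue) > self.y:
            self._block(st, t)
            return "block-rate"
        return "queued"

    def on_response(self, t, src, dst, reset=False):
        """Reply seen for a tracked request: RST counts as a failure, else dst joins RAD."""
        st = self._state(src)
        if st.pending.pop(dst, None) is None:
            return
        if reset:
            st.failed += 1
        else:
            st.rad.add(dst)


def simulate():
    """Constructed traffic: normal host h1, blacklist hit h3, fast scanner h2, slow failing scanner h4."""
    det = Detector(blacklist={"198.51.100.7"})   # constructed blacklist entry
    out = {}
    # h1 revisits a destination that answered: the repeat is forwarded immediately via RAD
    out["h1"] = [det.on_request(0.0, "h1", "10.0.0.2"), det.on_request(1.0, "h1", "10.0.0.3")]
    det.on_response(1.2, "h1", "10.0.0.2")
    out["h1"].append(det.on_request(2.0, "h1", "10.0.0.2"))
    out["h3"] = [det.on_request(0.0, "h3", "198.51.100.7")]
    # h2 contacts 40 new destinations within 0.4 s: the waiting queue exceeds Y
    out["h2"] = [det.on_request(0.01 * i, "h2", f"10.1.0.{i}") for i in range(40)]
    # h4 contacts one new destination per second and never gets an answer: score exceeds X
    out["h4"] = [det.on_request(float(i), "h4", f"10.2.0.{i}") for i in range(40)]
    return out


if __name__ == "__main__":
    for host, verdicts in simulate().items():
        print(host, verdicts)
```

Running `simulate()` shows the fast scanner h2 being blocked by the queue threshold on its 31st request (none of its requests has yet been released, so the success-ratio check never fires for it), while the slow scanner h4 stays within the rate limit but is blocked once its released-and-unanswered requests exceed X at t = 31 s; the normal host h1 has its repeat connection forwarded at once through the RAD list. The two thresholds therefore catch different scanning speeds, which is the reason the paper runs the checks sequentially, and a defender would tune X, Y and R against real traffic as Section IV suggests.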

V. CONCLUSION

This paper proposed a network behavior-based mobile malware detection model implemented in SDN. The proposed model uses the detection algorithms IP Blacklist, Connection Success Ratio and Connection Rate to detect infected mobile devices by identifying suspicious network activities through the connection requests in the controller. Without extracting information from packets, user privacy is unaffected in the proposed model. The experiment results show that the proposed malware detection mechanism is feasible and efficient.

ACKNOWLEDGMENT

This research was supported by the MSIT (Ministry of Science and ICT), Korea, under the ITRC (Information Technology Research Center) support program (IITP-2017-2012-000646) supervised by the IITP (Institute for Information & communications Technology Promotion).

REFERENCES

[1] Moser, Andreas, Christopher Kruegel, and Engin Kirda. "Limits of static analysis for malware detection." Computer Security Applications Conference, 2007. ACSAC 2007. Twenty-third Annual. IEEE, 2007.
[2] Faruki, Parvez, et al. "Android security: a survey of issues, malware penetration, and defenses." IEEE Communications Surveys & Tutorials 17.2 (2015): 998-1022.
[3] Dimjašević, Marko, et al. "Evaluation of Android malware detection based on system calls." Proceedings of the 2016 ACM International Workshop on Security and Privacy Analytics. ACM, 2016.
[4] McKeown, Nick, "Software-defined networking," INFOCOM keynote talk 17.2, 2009.
[5] McKeown, Nick, et al. "OpenFlow: enabling innovation in campus networks." ACM SIGCOMM Computer Communication Review 38.2 (2008): 69-74.
[6] Blocklists of Suspected Malicious IPs and URLs. [Online] https://zeltser.com/malicious-ip-blocklists/
[7] Directory of Malicious IPs. [Online] https://www.projecthoneypot.org/list_of_ips.php
[8] Floodlight Controller. Java-based OpenFlow controller. [Online] http://www.projectfloodlight.org/floodlight/
[9] Lantz, Bob, et al. "A network in a laptop: rapid prototyping for software-defined networks." Proc. 9th ACM SIGCOMM Workshop on Hot Topics in Networks, 2010.
[10] Cbench. [Online] https://sourceforge.net/projects/cbench/