2015 IEEE Trustcom/BigDataSE/ISPA
Mobile Guard Demo Network Based Malware Detection
Vikramajeet Khatri
Joerg Abendroth
Nokia Networks Research, Espoo, Finland
[email protected]
Nokia Networks Munich, Germany
[email protected]
Abstract—The growing trend of data traffic in mobile networks brings new security threats such as malware, botnets, premium SMS fraud etc., and these threats affect the network resources in terms of revenue as well as performance. Some end user devices use antivirus and anti-malware clients for protection against malware attacks, but the malicious activity affects mobile network elements as well. Therefore, a network based malware detection system such as Mobile Guard is essential for detecting malicious activities within a network, as well as for protecting end users from malware attacks that are propagated through the mobile operator’s network. We present Mobile Guard – a network based malware detection system – and discuss its necessity, solution architecture and key features.
Keywords—Antivirus; Malware; Mobile Guard; Mobile Network; Network Based Malware Detection

978-1-4673-7952-6/15 $31.00 © 2015 IEEE DOI 10.1109/Trustcom.2015.501 10.1109/Trustcom-BigDataSe-ISPA.2015.501

I. INTRODUCTION

Malware threats in mobile networks are increasing [1], [2]. Whilst in the desktop computer domain Antivirus solutions are widely used, they are less common on smartphone devices. Currently, on Internet of Things (IoT) devices, consumers do not have the option to use device-side Antivirus. Device vendors take great care in screening applications offered in their markets. However, since the restrictions are strict, some users resort to installing applications from third-party markets.

The lack of an adequate level of security in third-party markets is well known to mobile malware authors. They lure victims into installing mobile malware on their devices by employing various social engineering techniques like repackaging, update at runtime or a uniform resource identifier (URI) download [3], [4], [5], and then send, forward or intercept SMS messages, generate spam emails, initiate fraudulent in-app purchases, gather sensitive information or perform distributed denial of service attacks.

II. BACKGROUND

A. Problem Space

Many approaches to mitigate the mobile malware threat have been proposed (e.g. [6], [7], [8], [9], [10]). However, most of these proposals concentrate on detecting mobile malware on the mobile device itself. Moving the analysis from the device to the network cloud has been proposed in [11]; this is being done today already in cases where Antivirus utilizes heuristics. In cellular networks, the domain name system (DNS) traffic initiated by mobile devices has been investigated in [12], but little attention has been paid to monitoring other traffic initiated by mobile malware. This is particularly surprising as all mobile malware, except ransomware, requires some sort of communication over the network to fulfill its malicious goal [5]. Thus, filtering traffic initiated by mobile malware should stop the malicious intent of almost any mobile malware currently out in the wild [13]. Unlike [13], Mobile Guard does not require virtual private network (VPN) technology, since it is deployed directly in the mobile network operator’s network.

Note that NetFlow analysis [14] and intrusion detection and prevention systems [15] cannot directly be used to filter traffic initiated by mobile malware, as these systems are typically designed for the TCP/IP protocol stack, which substantially differs from a 3G or 4G protocol stack; in particular, they are not able to contextualize additional traffic streams such as SMS messages and voice traffic initiated by mobile malware.

B. Network Based Malware Detection

Device-based Antivirus, and also the mechanism proposed in [11], rely on a client-side part and do not rely purely on network traffic observation. Malware attacks on the device are able to disable the Antivirus client, as described in [16] and observed in [17]. By contrast, such malware attacks cannot disable a network based malware detection system, and end users will have improved protection if an attack occurs. End users also utilize Wi-Fi on their devices, and smartphone vendors recommend using Wi-Fi to download and install system updates due to their larger size. In such cases the end users are a target of malware attacks due to the absence of a network based malware detection system; but when they again use data services from the mobile network, the network based malware detection system detects the malicious activity. Therefore a combination of an Antivirus client at the end user’s device and a network based malware detection system will improve the protection against malware attacks.

C. Solution Architecture

The solution architecture can be seen in Fig. 1. Nokia Mobile Guard is a network based malware detection system that works on top of a mobile network.

Fig. 1. Solution Architecture for Mobile Guard

Nokia Mobile Guard monitors data and SMS traffic flowing in and out of the network on Gn/S5 and P-SMS respectively and analyzes it for malicious activity. Mobile Guard receives a copy of Gn traffic via a fiber tap and searches for patterns that are consistent with the malware behaviors known to it. Nokia receives the information on known malware behaviors from its partner F-Secure and configures it in the Mobile Guard engine database. Furthermore, Mobile Guard is also able to detect suspicious patterns using machine learning capability even if some malicious patterns are not included in its database. At the moment, Mobile Guard detects malicious activity by analyzing traffic, and any detected malicious events are reported to the network operator via the Security Insight dashboard, which is discussed in the next section.

D. User View

The Security Insight dashboard can be seen in Fig. 2.
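Before turning to the dashboard, here is an added, self-contained illustration (not code from Mobile Guard, Nokia or F-Secure) of the Gn-side analysis described in the Solution Architecture section: on Gn the subscriber's IP packets are tunnelled inside GTP-U, which is why a plain TCP/IP NetFlow or IDS tool cannot be applied to the tap directly, so the script strips the GTPv1-U header, matches the inner destination against a behaviour database and aggregates hits into the event categories and statistics the dashboard reports (blacklist match, recurrence event, top malware, infected devices). The blacklist entries, family names, recurrence threshold and sample packets are all constructed assumptions, not data from the paper.

```python
import struct
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network
# Constructed behaviour database: hypothetical family names on TEST-NET ranges, standing
# in for the known-malware destinations the detection engine is configured with.
BLACKLIST = {
    ip_network("203.0.113.0/24"): "FakeBank.C2",
    ip_network("198.51.100.7/32"): "SmsSender.Premium",
}
RECURRENCE_THRESHOLD = 3  # assumed: this many hits from one tunnel => "recurrence event"

def parse_gtpu(payload: bytes):
    """Strip a GTPv1-U header (UDP/2152 on Gn) and return (TEID, inner IP packet)."""
    flags, msg_type, length, teid = struct.unpack("!BBHI", payload[:8])
    if flags >> 5 != 1 or msg_type != 0xFF:    # accept only GTPv1 G-PDU (user data)
        return None
    hdr_len = 12 if flags & 0x07 else 8         # E/S/PN flags add a 4-byte optional field
    return teid, payload[hdr_len:8 + length]

def classify(payload: bytes, hits: dict):
    """Map one tunnelled packet to a detection event, or None if it is clean."""
    parsed = parse_gtpu(payload)
    if parsed is None or len(parsed[1]) < 20 or parsed[1][0] >> 4 != 4:  # IPv4 only
        return None
    teid, inner = parsed
    dst = ip_address(inner[16:20])              # destination of the subscriber's flow
    for net, family in BLACKLIST.items():
        if dst in net:
            hits[teid] += 1                     # TEID identifies the device's tunnel
            category = "recurrence event" if hits[teid] >= RECURRENCE_THRESHOLD else "blacklist match"
            return {"teid": teid, "dst": str(dst), "malware": family, "category": category}
    return None

def analyze(packets):
    """Run the matcher over a capture and build a dashboard-style summary."""
    hits = defaultdict(int)
    events = [e for e in (classify(p, hits) for p in packets) if e]
    return {"events": events, "infected_devices": len({e["teid"] for e in events}),
            "top_malware": Counter(e["malware"] for e in events).most_common()}

def build_gtpu(teid: int, dst: str, with_seq: bool = False) -> bytes:
    """Constructed test traffic: a minimal inner IPv4 header wrapped in a GTPv1-U G-PDU."""
    inner = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0]) + ip_address("10.0.0.1").packed + ip_address(dst).packed
    opt = b"\x00\x01\x00\x00" if with_seq else b""   # optional sequence-number field
    flags = 0x32 if with_seq else 0x30              # version 1, PT=1, S bit set/clear
    return struct.pack("!BBHI", flags, 0xFF, len(opt) + len(inner), teid) + opt + inner

SAMPLE = [build_gtpu(0x1001, "203.0.113.5"), build_gtpu(0x1001, "203.0.113.5", True),
          build_gtpu(0x1001, "203.0.113.9"), build_gtpu(0x2002, "198.51.100.7"),
          build_gtpu(0x3003, "192.0.2.10")]      # constructed; the last packet is benign
```

Running `analyze(SAMPLE)` yields four events, the third of which is a recurrence event for tunnel 0x1001, and two infected devices; in a real deployment the TEID would be resolved to a subscriber via the GTP-C session so the Action Engine can notify the right user.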
Fig. 2. Security Insight dashboard for Mobile Guard

The dashboard gives the mobile network provider a view into the real-time status of malware on its network. It shows the detected malware in specified intervals, e.g., the last minute(s) or hour(s), together with the destination IP address, type of device and affected locations of the network. It also shows the timeline and groups the detected malware by category, i.e., whether they are blacklist matches, SMS malware, recurrence events etc. The ‘Data Statistics’ section of the Security Insight dashboard shows statistics such as top malware, number of infected devices etc., whereas the ‘Mobile Devices’ section reveals more information about devices. The dashboard also offers an automated Action Engine for the mobile operator. This allows the operator to inform the infected subscriber via SMS to visit a customer care unit or to clean the device using a recommended scan client.

III. DEMO DESCRIPTION

We demonstrate Mobile Guard as a network based malware detection system and show its key features. We will simulate Mobile Guard using demonstration data, send the malicious traffic to a Mobile Guard instance and show the detection results of malicious events on the dashboard. We further demonstrate the dashboard statistics and the Action Engine as well.

IV. CONCLUSION

The growing mobile malware threats are a concern to mobile operators as well as end users. Mobile Guard – a network based malware detection system – helps mobile networks to detect malicious activity and take the needed actions to prevent malicious activity and fraud (e.g., premium SMS fraud) in their network. A combination of an Antivirus client at the end user’s device and Mobile Guard – a network based malware detection system – improves protection against malware attacks.

REFERENCES

[1] Lookout, “2014 Mobile Threat Report”, https://www.lookout.com/resources/reports/mobile-threat-report, last visited 30th March 2015
[2] McAfee Labs, “Report Previews 2015 Developments in Exploits and Evasion”, http://www.mcafee.com/us/about/news/2014/q4/2014120901.aspx, last visited 30th March 2015
[3] W. Zhou, Y. Zhou, X. Jiang, and P. Ning, “Detecting repackaged smartphone applications in third-party android marketplaces”, Proceedings of the second ACM conference on Data and Application Security and Privacy, CODASPY '12, pp. 317-326, 2012
[4] A. Felt, M. Finifter and E. Chin, “A survey of mobile malware in the wild”, Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, SPSM '11, pp. 3-14, 2011
[5] Y. Zhou and X. Jiang, “Dissecting Android Malware: Characterization and Evolution”, Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP '12, pp. 95-109, 2012
[6] W. Enck, P. Gilbert, B-G Chun, L. Cox, J. Jung, P. McDaniel, and A. Sheth, “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones”, Proceedings of the 9th USENIX conference on Operating systems design and implementation, OSDI '10, pp. 255-270, 2010
[7] T. Blasing, L. Batyuk, A-D Schmidt, S. Camtepe, and S. Albayrak, “An android application sandbox system for suspicious software detection”, Proceedings of MALWARE 2010, the 5th Intl. Conf. on Malicious and Unwanted Software, pp. 55-62, 2010
[8] I. Burguera, U. Zurutuza, and S. Nadjm-Tehrani, “Crowdroid: behavior-based malware detection system for android”, Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices, pp. 15-26, 2011
[9] K. Elish, D. Yao, and B. Ryder, “User-centric Dependence Analysis for Identifying Malicious Mobile Apps”, Workshop on Mobile Security Technologies, MoST '12, 2012
[10] J. Oberheide and F. Jahanian, “When mobile is harder than fixed (and vice versa): demystifying security challenges in mobile environments”, Proceedings of the Eleventh Workshop on Mobile Computing Systems & Applications, HotMobile '10, pp. 43-48, 2010
[11] J. Oberheide, E. Cooke, and F. Jahanian, “Rethinking antivirus: executable analysis in the network cloud”, Proceedings of the 2nd USENIX workshop on Hot topics in security, HOTSEC '07, 2007
[12] C. Lever, M. Antonakakis, B. Reaves, P. Traynor and W. Lee, “The Core of the Matter: Analyzing Malicious Traffic in Cellular Carriers”, 20th Annual Network and Distributed System Security Symposium, 2013
[13] L. Qing and G. Clark, “Mobile Security: A Look Ahead”, IEEE Security & Privacy, vol. 11, no. 1, pp. 78-81, 2013
[14] L. Bilge, D. Balzarotti, W. Robertson, E. Kirda and C. Kruegel, “Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis”, Proceedings of the 28th Annual Computer Security Applications Conference, ACSAC '12, pp. 129-138, 2012
[15] K. Scarfone and P. Mell, “Guide to Intrusion Detection and Prevention Systems”, Technical Report NIST SP 800-94, National Institute of Standards and Technology, 2007
[16] A. Baliga, V. Ganapathy, and L. Iftode, “Detecting Kernel-Level Rootkits Using Data Structure Invariants”, IEEE Transactions on Dependable and Secure Computing, pp. 670-684, 2011
[17] T. M. Chen and C. Peikari, “Malicious Software in Mobile Devices”, Handbook of Research on Wireless Security, pp. 1-10, 2008.