You will always have trouble determining malicious application behavior: Kymie M. C. Tan and Roy A. Maxion, "'Why 6?' Defining the Operational Limits of Stide, an Anomaly-Based Intrusion Detector," Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 188, 2002.

But if you really want to try, perhaps the starting point is here: S. Hofmeyr, S. Forrest, and A. Somayaji, "Intrusion Detection Using Sequences of System Calls," Journal of Computer Security, Vol. 6, pp. 151-180 (1998).
Do you plan a "learning phase" where everything a certain app does is recorded (if that's possible without root access in the first place!) and then saved as the "profile" of "normal behavior" of that app? Say you record whatever behavior an application has, e.g. a tool to organize icons on the home screen.
Now say this application also offers the function to call one of your favorite contacts directly; it will need the permission to access your contacts and to make phone calls. If this feature is hardly used, you would probably not record it during your "learning" period of this app and rate the app as malicious once it tries to make a phone call. And what if an app shows malicious behavior during the "learning phase", where you can't detect it because you haven't determined the "normal behavior" yet?
Sounds like the "normal behavior" has to be saved somewhere to rate an app before you install it and it starts acting weird or performs unwanted actions. But then again: what is unwanted for one user may be perfectly normal for another one ... I'm interested in whatever fancy solutions people come up with, but I guess this will be a hard one ...
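The sequence-of-system-calls method referenced in the first answer, and the "rarely used feature gets flagged" problem raised in the answer above, can both be seen in a small detector. The following is an added example written for this page; it is not code from either paper or from the question's author. The strace-style excerpts are constructed (a hypothetical icon-organizer app, file paths and Binder handles invented), the "rarely used feature" is represented by a short network exchange that simply never occurred during the learning phase, and the window length 6 and locality frame of 20 are the parameters the Tan/Maxion title alludes to, not values taken from this discussion.

```python
import re
from collections import deque

# Constructed strace-style excerpts (not real captures) of a hypothetical
# icon-organizer app. Only the syscall name before the first '(' is used.
NORMAL_RUNS = [
    r"""open("/data/icons.db", O_RDONLY) = 3
read(3, "SQLite format 3\0"..., 4096) = 4096
close(3) = 0
ioctl(4, BINDER_WRITE_READ, 0x7fc0) = 0
write(5, "layout saved\n", 13) = 13
open("/data/icons.db", O_RDONLY) = 3
read(3, "SQLite format 3\0"..., 4096) = 4096
close(3) = 0
ioctl(4, BINDER_WRITE_READ, 0x7fc0) = 0
write(5, "layout saved\n", 13) = 13
ioctl(4, BINDER_WRITE_READ, 0x7fc0) = 0
write(5, "layout saved\n", 13) = 13""",
    r"""open("/data/icons.db", O_RDONLY) = 3
read(3, "SQLite format 3\0"..., 4096) = 4096
read(3, ""..., 4096) = 1024
close(3) = 0
ioctl(4, BINDER_WRITE_READ, 0x7fc0) = 0
write(5, "layout saved\n", 13) = 13
ioctl(4, BINDER_WRITE_READ, 0x7fc0) = 0
write(5, "layout saved\n", 13) = 13
open("/data/icons.db", O_RDONLY) = 3
read(3, "SQLite format 3\0"..., 4096) = 4096""",
]
# Held-out run of the everyday feature: every 6-gram already appears above.
NORMAL_TEST = "\n".join(NORMAL_RUNS[0].splitlines()[:10])
# Run that exercises a rarely used feature (constructed here as a short
# network exchange) that never occurred during the learning phase.
RARE_FEATURE_RUN = "\n".join(
    NORMAL_RUNS[0].splitlines()[:5]
    + ["socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 6",
       "connect(6, {sa_family=AF_INET, sin_port=htons(443), ...}, 16) = 0",
       'sendto(6, "..."..., 64, MSG_NOSIGNAL, NULL, 0) = 64',
       "close(6) = 0"]
    + NORMAL_RUNS[0].splitlines()[3:10]
)

SYSCALL_RE = re.compile(r"^\s*(?:\[pid\s+\d+\]\s*)?([a-z_][a-z0-9_]*)\(")


def parse_trace(text):
    """Reduce strace output to the ordered list of syscall names."""
    names = []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def build_profile(traces, k=6):
    """Normal profile = the set of every length-k window seen in training runs."""
    profile = set()
    for calls in traces:
        for i in range(len(calls) - k + 1):
            profile.add(tuple(calls[i:i + k]))
    return profile


def detect(calls, profile, k=6, frame=20):
    """Return (indices of windows absent from the profile, peak locality-frame count).
    The locality frame count is the number of mismatches among the last `frame`
    windows. A burst of b unseen calls yields up to b + k - 1 mismatches, so the
    choice of k directly shapes how loud an anomaly (or a false positive) is."""
    mismatches, peak, recent = [], 0, deque(maxlen=frame)
    for i in range(len(calls) - k + 1):
        miss = tuple(calls[i:i + k]) not in profile
        if miss:
            mismatches.append(i)
        recent.append(miss)
        peak = max(peak, sum(recent))
    return mismatches, peak


PROFILE = build_profile([parse_trace(t) for t in NORMAL_RUNS], k=6)

if __name__ == "__main__":
    print(detect(parse_trace(NORMAL_TEST), PROFILE))        # ([], 0)
    print(detect(parse_trace(RARE_FEATURE_RUN), PROFILE))   # ([0, 1, 2, 3, 4, 5, 6, 7], 8)
```

The held-out normal run produces no mismatches, while the run with the unseen three-call burst produces eight consecutive mismatches at k=6 (and five at k=3): the detector cannot tell a legitimate but rarely exercised feature from a hostile one, which is exactly the learning-phase coverage problem described above.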
If a planning report of my Master's Thesis will help you understand this idea of what I'm going to do better, I can provide it to you, always knowing that no one is going to copy the idea :). – Martin Solac Jan 13 '11 at 10:31
I understand your skepticism. I'm going to use Android raw data collected from strace and logcat (from a trustful app and the concrete final version), and try to filter the main features of the program. I'll use this transformed data with a data mining algorithm in order to detect rules or patterns. I was thinking of clustering this information using a clustering algorithm, e.g. k-means. Finally, to test the application I'll use the same application but with self-written malware on it. If everything works fine, the program will be able to detect the anomaly and therefore the malware. – Martin Solac Feb 2 '11 at 14:07
Now the main problem that I have is that there's too much raw data from strace and logcat and I have to decide which ones are important and which not. Any suggestions? – Martin Solac Feb 2 '11 at 14:07
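One way to reduce raw strace output to something a clustering algorithm can work with, as an added example that is not part of the thread and not Martin's code, is to collapse the syscall names into a few categories and count them per sliding window. The category map, the window width and stride, and the "flag anything farther from its nearest centroid than any training window" rule are all assumptions made for this illustration; the k-means is a minimal pure-Python Lloyd's implementation standing in for whatever library the thesis ends up using, and logcat is left out so the example runs on the constructed strace excerpts alone.

```python
import math
import random
import re
from collections import Counter

# Hypothetical map from raw strace names to a handful of classes; this is one
# way to shrink the raw feature space before clustering.
CATEGORIES = ["file", "ipc", "net", "other"]
CATEGORY_OF = {
    "open": "file", "read": "file", "write": "file", "close": "file",
    "ioctl": "ipc",  # Binder traffic on Android goes through ioctl
    "socket": "net", "connect": "net", "sendto": "net", "recvfrom": "net",
}
SYSCALL_RE = re.compile(r"^\s*(?:\[pid\s+\d+\]\s*)?([a-z_][a-z0-9_]*)\(")

# Constructed strace-style excerpts (not real captures) of a hypothetical app.
TRAIN_A = """open("/data/icons.db", O_RDONLY) = 3
read(3, "..."..., 4096) = 4096
close(3) = 0
ioctl(4, BINDER_WRITE_READ, 0x7fc0) = 0
write(5, "layout saved", 12) = 12
open("/data/icons.db", O_RDONLY) = 3
read(3, "..."..., 4096) = 4096
close(3) = 0
ioctl(4, BINDER_WRITE_READ, 0x7fc0) = 0
write(5, "layout saved", 12) = 12
ioctl(4, BINDER_WRITE_READ, 0x7fc0) = 0
write(5, "layout saved", 12) = 12"""
TRAIN_B = """open("/data/icons.db", O_RDONLY) = 3
mmap(NULL, 65536, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f10
read(3, "..."..., 4096) = 4096
close(3) = 0
ioctl(4, BINDER_WRITE_READ, 0x7fc0) = 0
write(5, "layout saved", 12) = 12
munmap(0x7f10, 65536) = 0
ioctl(4, BINDER_WRITE_READ, 0x7fc0) = 0
write(5, "layout saved", 12) = 12
open("/data/icons.db", O_RDONLY) = 3
read(3, "..."..., 4096) = 4096
close(3) = 0"""
NORMAL_TEST = "\n".join(TRAIN_A.splitlines()[:6])
# Rarely used feature, constructed as a short network exchange absent from training.
RARE_FEATURE_RUN = "\n".join(
    TRAIN_A.splitlines()[:5]
    + ["socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 6",
       "connect(6, {sa_family=AF_INET, sin_port=htons(443), ...}, 16) = 0",
       'sendto(6, "..."..., 64, MSG_NOSIGNAL, NULL, 0) = 64',
       "close(6) = 0"]
    + TRAIN_A.splitlines()[3:10]
)


def parse_trace(text):
    return [m.group(1) for m in map(SYSCALL_RE.match, text.splitlines()) if m]


def featurize(calls, width=6, stride=3):
    """Sliding windows over the syscall list -> per-window category count vectors."""
    vectors = []
    for start in range(0, max(len(calls) - width, 0) + 1, stride):
        counts = Counter(CATEGORY_OF.get(c, "other") for c in calls[start:start + width])
        vectors.append([float(counts[cat]) for cat in CATEGORIES])
    return vectors


def euclid(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(points, k=2, seed=0, max_iter=100):
    """Plain Lloyd's k-means in pure Python, seeded so runs are reproducible."""
    rng = random.Random(seed)
    centroids = [list(p) for p in rng.sample(points, k)]
    for _ in range(max_iter):
        clusters = [[] for _ in range(k)]
        for p in points:
            clusters[min(range(k), key=lambda i: euclid(p, centroids[i]))].append(p)
        updated = [[sum(col) / len(c) for col in zip(*c)] if c else centroids[i]
                   for i, c in enumerate(clusters)]
        if updated == centroids:
            break
        centroids = updated
    return centroids


class NormalModel:
    """Clusters windows of trusted runs; a window is flagged when its distance to
    the nearest centroid exceeds the largest distance seen during training."""

    def __init__(self, training_traces, k=2):
        points = [v for t in training_traces for v in featurize(parse_trace(t))]
        self.centroids = kmeans(points, k)
        self.threshold = max(self.distance(v) for v in points)

    def distance(self, vector):
        return min(euclid(vector, c) for c in self.centroids)

    def flagged_windows(self, text):
        return [i for i, v in enumerate(featurize(parse_trace(text)))
                if self.distance(v) > self.threshold]


MODEL = NormalModel([TRAIN_A, TRAIN_B])

if __name__ == "__main__":
    print(MODEL.flagged_windows(NORMAL_TEST))        # []
    print(MODEL.flagged_windows(RARE_FEATURE_RUN))   # windows 1 and 2 are flagged
```

Which raw fields matter is decided here up front by the category map rather than learned, and that is the real design choice: a feature the map does not distinguish (say, which file was opened) is invisible to the clustering no matter how much data is collected, while a category that never appears in training (here "net") will always be flagged, legitimate or not. Logcat lines could be folded in the same way, for example as a per-window count of warning- and error-level messages, once the two captures are aligned in time.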
What if you use sets of malicious calls in Android first rather than profiling the normal ones? Also, take note: if you're using unsupervised classification, it does not know what kind of data it classifies.