Publication


Featured research published by Karim O. Elish.


Computers & Security | 2015

Profiling user-trigger dependence for Android malware detection

Karim O. Elish; Xiaokui Shu; Danfeng Yao; Barbara G. Ryder; Xuxian Jiang

As mobile computing becomes an integral part of the modern user experience, malicious applications have infiltrated open marketplaces for mobile platforms. Malware apps stealthily launch operations to retrieve sensitive user or device data or abuse system resources. We describe a highly accurate classification approach for detecting malicious Android apps. Our method statically extracts a data-flow feature on how user inputs trigger sensitive API invocations, a property referred to as the user-trigger dependence. Our evaluation with 1433 malware apps and 2684 free popular apps gives a classification accuracy (2.1% false negative rate and 2.0% false positive rate) that is better than, or at least competitive against, the state-of-the-art. Our method also discovers new malicious apps in the Google Play market that cannot be detected by virus scanning tools. Our thesis in this mobile app classification work is to advocate the approach of benign property enforcement, i.e., extracting unique behavioral properties from benign programs and designing corresponding classification policies.


International Conference on Information Security | 2014

Comprehensive Behavior Profiling for Proactive Android Malware Detection

Britton Wolfe; Karim O. Elish; Danfeng Yao

We present a new method of screening for malicious Android applications that uses two types of information about the application: the permissions that the application requests in its installation manifest and a metric called percentage of valid call sites (PVCS). PVCS measures the riskiness of the application based on a data flow graph. The information is used with machine learning algorithms to classify previously unseen applications as malicious or benign with a high degree of accuracy. Our classifier outperforms the previous state of the art by a significant margin, with particularly low false positive rates. Furthermore, the classifier evaluation is performed on malware families that were not used in the training phase, simulating the accuracy of the classifier on malware yet to be developed. We found that our PVCS metric and the SEND_SMS permission are the specific pieces of information that are most useful to the classifier.


International Conference on Machine Learning and Applications | 2014

High Precision Screening for Android Malware with Dimensionality Reduction

Britton Wolfe; Karim O. Elish; Danfeng Yao

We present a new method of classifying previously unseen Android applications as malware or benign. The algorithm starts with a large set of features: the frequencies of all possible n-byte sequences in the application's byte code. Principal components analysis is applied to that frequency matrix in order to reduce it to a low-dimensional representation, which is then fed into any of several classification algorithms. We utilize the implicitly restarted Lanczos bidiagonalization algorithm and exploit the sparsity of the n-gram frequency matrix in order to efficiently compute the low-dimensional representation. When trained upon that low-dimensional representation, several classification algorithms achieve higher accuracy than previous work.


IEEE Symposium on Security and Privacy | 2017

MR-Droid: A Scalable and Prioritized Analysis of Inter-App Communication Risks

Fang Liu; Haipeng Cai; Gang Wang; Danfeng Yao; Karim O. Elish; Barbara G. Ryder

Inter-Component Communication (ICC) enables useful interactions between mobile apps. However, misuse of ICC exposes users to serious threats, allowing malicious apps to access privileged user data via another app. Unfortunately, existing ICC analyses are largely insufficient in both accuracy and scalability. Most approaches rely on single-app ICC analysis which results in inaccurate and excessive alerts. A few recent works use pairwise app analysis, but are limited by small data sizes and scalability. In this paper, we present MR-Droid, a MapReduce-based computing framework for accurate and scalable inter-app ICC analysis in Android. MR-Droid extracts data-flow features between multiple communicating apps to build a large-scale ICC graph. We leverage the ICC graph to provide contexts for inter-app communications to produce precise alerts and prioritize risk assessments. This scheme requires quickly processing a large number of app-pairs, which is enabled by our MapReduce-based program analysis. Extensive experiments on 11,996 apps from 24 app categories (13 million pairs) demonstrate the effectiveness of our risk prioritization scheme. Our analyses also reveal new real-world hijacking attacks and collusive app pairs. Based on our findings, we provide practical recommendations for reducing inter-app communication risks.


Procedia Computer Science | 2013

Device-based Isolation for Securing Cryptographic Keys

Karim O. Elish; Yipan Deng; Danfeng Yao; Dennis G. Kafura

We describe an effective device-based isolation approach for achieving data security. We show its use in protecting the secrecy of highly sensitive data that is crucial to security operations, such as cryptographic keys used for decrypting ciphertext or signing digital signatures. A private key is usually encrypted in its storage when not used; however, when being used, the plaintext key is loaded into the memory of the host for access. We present a novel and practical solution and its prototype called DataGuard to protect the secrecy of the highly sensitive data through the storage isolation and secure tunneling enabled by a mobile handheld device. DataGuard can be deployed for the key protection of individuals or organizations. We implement three prototypes and conduct extensive experiments to evaluate the feasibility and performance of DataGuard. The results show that our approach performs well without significant overhead.


Conference on Data and Application Security and Privacy | 2017

Prioritized Analysis of Inter-App Communication Risks

Fang Liu; Haipeng Cai; Gang Wang; Danfeng Yao; Karim O. Elish; Barbara G. Ryder

Inter-Component Communication (ICC) enables useful interactions between mobile apps. However, misuse of ICC exposes users to serious threats such as intent hijacking/spoofing and app collusions, allowing malicious apps to access privileged user data via another app. Unfortunately, existing ICC analyses are largely incompetent in both accuracy and scale. This poster points out the need and technical challenges of prioritized analysis of inter-app ICC risks. In this poster, we propose MR-Droid, a MapReduce-based computing framework for accurate and scalable inter-app ICC analysis in Android. MR-Droid extracts data-flow features between multiple communicating apps and the target apps to build a large-scale ICC graph. Our approach is to leverage the ICC graph to provide contexts for inter-app communications to produce precise alerts and prioritize risk assessments. This process requires large app-pair data, which is enabled by our MapReduce-based program analysis. Our initial extensive experiments on 11,996 apps from 24 app categories (13 million pairs) demonstrate the scalability of our approach.


Computational Intelligence | 2017

BetterChoice: A migraine drug recommendation system based on Neo4J

Benjamin Stark; Constanze Knahl; Mert Aydin; Mohammad Samarah; Karim O. Elish

Migraine is a common disease throughout the world. Not only does it affect the life of people tremendously, but it also leads to high costs, e.g. due to inability to work or various required drug-taking cycles for finding the best drug for a patient. Solving the latter aspect could help to improve the life of patients and decrease the impact of the other consequences. Therefore, in this paper, we present an approach for a drug recommendation system based on the highly scalable native graph database Neo4J. The presented system uses simulated patient data to help physicians gain more transparency about which drug fits a migraine patient best considering her individual features. Our evaluation shows that the proposed system works as intended. This means that only drugs with highest relevance scores and no interactions with the patient's diseases, drugs or pregnancy are recommended.


International Symposium on Sensor Networks, Systems and Security | 2017

On the Need of Security Standards in Big Data Information Flow

Christopher Harrison; Makala Quinn; Jacob Livingston; Karim O. Elish

Big Data has become increasingly popular due to its ability to deliver information and optimize current business, health, economic, and research processes. Even though the use of Big Data spans over multiple industries, there is still a lack of security standards and regulations surrounding what data can be captured and how it can be used. This absence of laws and regulations surrounding Big Data security has potentially led to many data breaches. Since there are many participants within the Big Data information flow, each one needs to be further inspected to determine what security measures should be implemented at each stage to prevent these data breaches from occurring. The objective of this position paper is to point out the need for practical security standards in Big Data information flow. In particular, we identify which security standards should be applied at each stage of the Big Data information flow to ensure the privacy and security of valuable and sensitive data.


Archive | 2013

A Static Assurance Analysis of Android Applications

Karim O. Elish; Danfeng Yao; Barbara G. Ryder; Xuxian Jiang


Arabian Journal for Science and Engineering | 2011

A Classification of Refactoring Methods Based on Software Quality Attributes

Karim O. Elish; Mohammad Alshayeb

Collaboration


Top Co-Authors

Haipeng Cai

Washington State University

Xuxian Jiang

North Carolina State University

Mohammad Alshayeb

King Fahd University of Petroleum and Minerals

Benjamin Stark

Florida Polytechnic University

Christopher Harrison

Florida Polytechnic University
