Publication

Featured research published by Keisuke Takemori.


Computational Intelligence and Security | 2011

Kernel-based Behavior Analysis for Android Malware Detection

Takamasa Isohara; Keisuke Takemori; Ayumu Kubota

The greatest threat to Android users is malware infection via Android application markets. In the case of the Android Market, security inspections are not applied to the many applications that users have uploaded. Therefore, malware such as Geinimi and DroidDream will attempt to leak personal information, obtain root privilege, and abuse functions of the smartphone. An audit framework called logcat is implemented on the Dalvik virtual machine to monitor application behavior. However, only limited events are dumped, because application developers use logcat for debugging. A behavior monitoring framework that can audit all activities of applications is important for security inspections on the market places. In this paper, we propose a kernel-based behavior analysis for Android malware inspection. The system consists of a log collector in the Linux layer and a log analysis application. The log collector records all system calls and filters events belonging to the target application. The log analyzer matches activities against signatures described by regular expressions to detect malicious activity. Here, signatures of information leakage are automatically generated using the smartphone IDs, e.g., phone number, SIM serial number, and Gmail accounts. We implement a prototype system and evaluate 230 applications in total. The result shows that our system can effectively detect malicious behaviors of unknown applications.


Advanced Information Networking and Applications | 2007

Intrusion Detection for Encrypted Web Accesses

Akira Yamada; Yutaka Miyake; Keisuke Takemori; Ahren Studer; Adrian Perrig

As various services are provided as web applications, attacks against web applications constitute a serious problem. Intrusion detection systems (IDSes) are one solution; however, these systems do not work effectively when accesses are encrypted. Because IDSes inspect the contents of a packet, it is difficult for current IDSes to find attacks in encrypted traffic. This paper presents a novel approach to anomaly detection for encrypted web accesses. This approach applies encrypted traffic analysis to intrusion detection, analyzing the contents of encrypted traffic using only data size and timing, without decryption. First, the system extracts information from encrypted traffic, namely a set comprising data size and timing for each web client. Second, the accesses are distinguished based on the similarity of this information and access frequencies are calculated. Finally, malicious activities are detected according to rules generated from the frequency of accesses and the characteristics of HTTP traffic. The system does not extract private information or require the enormous preparation beforehand that conventional encrypted traffic analysis needs. We show that the system detects various attacks with a high degree of accuracy, using an actual dataset gathered at a network gateway and the DARPA dataset.


Pacific Rim Conference on Communications, Computers and Signal Processing | 2005

On demand distributed public key management for wireless ad hoc networks

Yuko Kitada; Akira Watanabe; Iwao Sasase; Keisuke Takemori

A wireless ad hoc network that has no connection to the Internet has difficulty constructing a public key infrastructure (PKI) when the network does not provide online access to trusted authorities. In this paper, we propose an on demand distributed public key management scheme to construct a PKI for wireless ad hoc networks. The proposed system collects effective certificates on demand. Each node holds in its local repository only the certificates issued to it, in order to reduce the amount of memory required. To collect certificates efficiently, we propose an ad hoc simultaneous nodes search protocol (ASNS) that can search chained nodes using broadcast packets and routing tables. The proposed system can reduce the memory size needed for authentication and does not have to manage a certificate revocation list (CRL). By computer simulation, we show that the system is advantageous in networks in which node density is low.


Pacific Rim Conference on Communications, Computers and Signal Processing | 2005

Forecast techniques for predicting increase or decrease of attacks using Bayesian inference

Chie Ishida; Yutaka Arakawa; Iwao Sasase; Keisuke Takemori

Analysis techniques for intrusion detection system (IDS) events are actively researched, since it is important to understand attack trends and devise countermeasures against incidents. To achieve a quick response in security operations, it is necessary to forecast fluctuations in attacks. However, there is no existing approach for predicting the fluctuation of attacks, since the fluctuation seems to be random. In this paper, we propose forecast techniques for predicting an increase or decrease in attacks by using Bayesian inference to calculate the conditional probability based on past observed event counts. We consider two algorithms, focusing on the attack cycle and on the fluctuation range of the event counts. We implement a forecasting system and evaluate it with real IDS events. As a result, our proposed technique can forecast increases or decreases in the event counts and is effective for various types of attacks.


Global Communications Conference | 2008

Detection of Bot Infected PCs Using Destination-Based IP and Domain Whitelists During a Non-Operating Term

Keisuke Takemori; Masakatsu Nishigaki; Tomohiro Takami; Yutaka Miyake

Spam e-mails and distributed denial of service (DDoS) attacks have now become critical issues for the Internet. These attacks are considered to be sent from bot-infected PCs. As a bot communicates with a malicious controller over an encrypted channel and updates its code frequently, it becomes difficult to detect infected personal computers (PCs) using pattern-based intrusion detection systems (IDSs) and antivirus systems (AVs). Because the attack and control packets sent by the bot process are independent of user operation, a behavior monitor is effective for detecting anomalous communication. In this paper, we propose a bot detection technique that checks outbound packets against destination-based whitelists. If any outbound packets during the non-operating term do not match the whitelists, the PC is considered to be infected by a bot. The whitelists are a set of destination IP addresses and/or domain names (DNs) compiled by monitoring outbound packets from an uninfected PC. Because the many IPs and DNs can be grouped into a few sub-networks and superior DNs, it is easier to maintain the destination-based whitelists than the patterns of an IDS/AV. We implement the proposed system as a host-based detector and evaluate false negative (FN) and false positive (FP) frequencies for the detection of bot activities.


International Conference on Communications | 2013

SanAdBox: Sandboxing third party advertising libraries in a mobile application

Hideaki Kawabata; Takamasa Isohara; Keisuke Takemori; Ayumu Kubota; Junya Kani; Harunobu Agematsu; Masakatsu Nishigaki

Seventy percent of smartphone applications employ third party libraries for advertisement and usage analysis. Because the host application and those third party libraries have to be packed into one application package, they share the same set of privileges. This worries users because of the concern that third party libraries might abuse the host application's privileges. This is not a desirable situation for application developers either, because they are forced to add privileges for advertising libraries that are not necessary for their application, and users tend to avoid applications with sensitive privileges. Although advertising libraries are generally not welcomed by users, mobile advertisements play a key role in the mobile application ecosystem that promotes the popularity of free applications. Therefore, we need a solution that will not hamper mobile advertising services while addressing the concerns of users and developers. In this paper, we design SanAdBox, a privilege separation framework for Android applications and third party libraries that does not interfere with the behavior of the third party libraries. In SanAdBox, each third party library is installed as an independent application so that it runs in a separate sandbox. In this way, the privileges of applications and libraries are strictly separated, solving the above-mentioned problems. Furthermore, because SanAdBox does not require modification of the Android operating system, it can be installed on smartphones running a standard Android operating system.


Asia-Pacific Symposium on Information and Telecommunication Technologies | 2005

On Demand Distributed Public Key Management without Considering Routing Tables for Wireless Ad Hoc Networks

Yuko Kitada; Keisuke Takemori; Akira Watanabe; Iwao Sasase

A wireless ad hoc network that has no connection to the Internet cannot use a public key infrastructure (PKI). Although an on demand distributed public key management scheme to construct a PKI has been proposed, it cannot work without considering routing tables, since nodes broadcast packets that contain routing tables. In this paper, we propose an on demand distributed public key management scheme that separates the routing and authentication layers. In the proposed scheme, each node unicasts a packet that does not contain routing tables. The proposed scheme can be applied to various communication protocols and to simple terminals because it does not need to consider routing tables in the authentication layer. By computer simulation, we evaluate the average traffic and show the adaptive flexibility of the proposed scheme in the ad hoc network.


International Conference on Information Technology: Coding and Computing | 2005

Intrusion detection system to detect variant attacks using learning algorithms with automatic generation of training data

Akira Yamada; Yutaka Miyake; Keisuke Takemori; Toshiaki Tanaka

Although there are many anomaly detection systems based on learning algorithms that are able to detect unknown attacks or variants of known attacks, most systems require sophisticated training data for supervised learning. Because it is difficult to prepare such training data, anomaly detection systems are not widely used in practical environments. In this paper, we propose an anomaly detection system based on machine learning that requires no prepared training data. The system generates sophisticated training data suitable for learning by processing the alerts output by a signature-based intrusion detection system (IDS). We evaluated the system using two types of traffic: the 1999 DARPA IDS evaluation data and security scanner data. The results show that the training data generated by the system is suitable for learning attack behaviors and that the system is able to detect variants of worms and known attacks.


Availability, Reliability and Security | 2010

LSM-Based Secure System Monitoring Using Kernel Protection Schemes

Takamasa Isohara; Keisuke Takemori; Yutaka Miyake; Ning Qu; Adrian Perrig

Monitoring a process and its file I/O behavior is important for the security inspection of a data center server against intrusions, malware infection and information leakage. In the case of the Linux kernel 2.6, a set of hook functions called the Linux Security Module (LSM) has been implemented in order to monitor and control system calls. By using the LSM we can inspect the activity of unknown malicious processes. However, a sophisticated attacker could breach the kernel configuration using rootkits. Furthermore, since the monitoring results of the malicious process activity are stored as a file on the hard disk drive (HDD), they can easily be manipulated by the attacker. In this paper, we propose a secure monitoring scheme that addresses attacks against the monitoring module and its results for security inspection of the data center server. The monitoring module is implemented as an LSM-based function and protected by a kernel protection technique. The integrity of the monitoring results is guaranteed by using the Mandatory Access Control (MAC) of the Linux kernel and a mechanism for trusted process invocation. This mechanism can serve as an infrastructure for a secure inspection platform for data center servers because the integrity of the monitoring module and its results is guaranteed.


Innovative Mobile and Internet Services in Ubiquitous Computing | 2011

Traceback Framework against Botmaster by Sharing Network Communication Pattern Information

Seiichiro Mizoguchi; Keisuke Takemori; Yutaka Miyake; Yoshiaki Hori; Kouichi Sakurai

In order to exterminate a botnet, we have to trace the botnet and arrest its botmaster. In this paper, we model the communication pattern of a C&C server that sends/receives packets to/from the botmaster. Then we discuss how botmaster traceback can be achieved. We describe which communication patterns we should focus on to find the botmaster or upper C&C servers. Furthermore, we propose a framework for botmaster traceback. In this framework, the owners of servers that have become C&C servers collaborate and share the communication patterns for traceback. To do this, we propose information sharing using communication pattern monitoring tools on the servers.

Collaboration

Top Co-Authors

Koji Nakao

National Institute of Information and Communications Technology