Takamasa Isohara

Kernel-based Behavior Analysis for Android Malware Detection

The most major threat of Android users is malware infection via Android application markets. In case of the Android Market, as security inspections are not applied for many users have uploaded applications. Therefore, malwares, e.g., Geimini and Droid Dream will attempt to leak personal information, getting root privilege, and abuse functions of the smart phone. An audit framework called log cat is implemented on the Dalvik virtual machine to monitor the application behavior. However, only the limited events are dumped, because an application developers use the log cat for debugging. The behavior monitoring framework that can audit all activities of applications is important for security inspections on the market places. In this paper, we propose a kernel-base behavior analysis for android malware inspection. The system consists of a log collector in the Linux layer and a log analysis application. The log collector records all system calls and filters events with the target application. The log analyzer matches activities with signatures described by regular expressions to detect a malicious activity. Here, signatures of information leakage are automatically generated using the smart phone IDs, e.g., phone number, SIM serial number, and Gmail accounts. We implement a prototype system and evaluate 230 applications in total. The result shows that our system can effectively detect malicious behaviors of the unknown applications.

Detection of HTTP-GET flood Attack Based on Analysis of Page Access Behavior

Recently, there are many denial-of-service (DoS) attacks by computer viruses or botnet. DoS attacks to Web services are called HTTP-GET flood attack and threats of them increase day by day. In this type of attacks, malicious clients send a large number of HTTP-GET requests to the target Web server automatically. Since these HTTP-GET requests have legitimate formats and are sent via normal TCP connections, an intrusion detection system (IDS) can not detect them. In this paper, we propose HTTP-GET flood detection techniques based on analysis of page access behavior. We propose two detection algorithms, one is focusing on a browsing order of pages and the other is focusing on a correlation with browsing time to page information size. We implement detection techniques and evaluate attack detection rates, i.e., false positive and false negative. The results show that our techniques can detect the HTTP-GET flood attack effectively.

SanAdBox: Sandboxing third party advertising libraries in a mobile application

Seventy percent of smartphone applications employ third party libraries for advertisement and usage analysis. Because the host application and those third party libraries have to be packed into one application package, they share the same set of privileges. This worries users because of the concern that third party libraries might abuse the host applications privileges. This is not a desirable situation for application developers, either, because they are forced to add privileges for advertising libraries that are not necessary for their application, and users tend to avoid applications with sensitive privileges. Although advertising libraries are generally not welcomed by users, mobile advertisements play a key role in a mobile application eco-system that promotes the popularity of free applications. Therefore, we need a solution that will not hamper a mobile advertising agency service while addressing the concerns of users and developers. In this paper, we designed SanAdBox, a privilege separation framework for Android applications and a third party library that will not interfere with the behavior of third party libraries. In SanAdBox, each third party library is installed as an independent application so that it runs in a separate sandbox. In this way, the privileges of applications and libraries are strictly separated, solving the above-mentioned problems. Furthermore, because SanAdBox does not require modification of the Android operating system, we can install it on smartphones with the normal Android operating system.

LSM-Based Secure System Monitoring Using Kernel Protection Schemes

Monitoring a process and its file I/O behaviors is important for security inspection for a data center server against intrusions, malware infection and information leakage. In the case of the Linux kernel 2.6, a set of hook functions called the Linux Security Module (LSM) has been implemented in order to monitor and control the system calls. By using the LSM we can inspect the activity of unknown malicious processes. However, a sophisticated attacker could breach the kernel configurations using the rootkits. Furthermore since the monitoring results of the malicious process activity are stored as a file on Hard Disk Drive (HDD), it will be easily manipulated by the attacker. In this paper, we propose a secure monitoring scheme that addresses the attacks against the monitoring module and its result for security inspection of the data center server. The monitoring module is implemented as a LSM-based function and protected by the kernel protection technique. The integrity of the monitoring result is guaranteed by using a Mandatory Access Control (MAC) of the Linux kernel and a mechanism of the trusted process invocation. This mechanism can serve as an infrastrucuture of secure inspection platform for data center server because the integrity of the monitoring module and its result is guaranteed.

SKI: Security Key Infrastructure for a Server Audit Certification

An authentication technology such as public key infrastructure (PKI) is used for a server authentication. However, it does not certificate a status of a server side security countermeasures, e.g., a configuration and operating condition of a firewall (FW), a virus detection system (VDS) and an intrusion detection system (IDS). When a client machine communicates the server that is vulnerable to the attack, the server may affect the critical damage to the client machine. In this paper, we propose a security key infrastructure (SKI) scheme that verifies the server side security countermeasures by linkage between an external and an internal audit. We consider requirements for designs of the SKI scheme, and implement communication modules between the server and the client machine. It is shown that the proposed SKI can achieve a quick response of the server and provide the certification of the security countermeasures to the client machine