Vijay Laxmi

Android Security: A Survey of Issues, Malware Penetration, and Defenses

Smartphones have become pervasive due to the availability of office applications, Internet, games, vehicle guidance using location-based services apart from conventional services such as voice calls, SMSes, and multimedia services. Android devices have gained huge market share due to the open architecture of Android and the popularity of its application programming interface (APIs) in the developer community. Increased popularity of the Android devices and associated monetary benefits attracted the malware developers, resulting in big rise of the Android malware apps between 2010 and 2014. Academic researchers and commercial antimalware companies have realized that the conventional signature-based and static analysis methods are vulnerable. In particular, the prevalent stealth techniques, such as encryption, code transformation, and environment-aware approaches, are capable of generating variants of known malware. This has led to the use of behavior-, anomaly-, and dynamic-analysis-based methods. Since a single approach may be ineffective against the advanced techniques, multiple complementary approaches can be used in tandem for effective malware detection. The existing reviews extensively cover the smartphone OS security. However, we believe that the security of Android, with particular focus on malware growth, study of antianalysis techniques, and existing detection methodologies, needs an extensive coverage. In this survey, we discuss the Android security enforcement mechanisms, threats to the existing security enforcements and related issues, malware growth timeline between 2010 and 2014, and stealth techniques employed by the malware authors, in addition to the existing detection methods. This review gives an insight into the strengths and shortcomings of the known research methodologies and provides a platform, to the researchers and practitioners, toward proposing the next-generation Android security, analysis, and malware detection techniques.

AndroSimilar: robust statistical feature signature for Android malware detection

Android Smartphone popularity has increased malware threats forcing security researchers and AntiVirus (AV) industry to carve out smart methods to defend Smartphone against malicious apps. Robust signature based solutions to mitigate threats become necessary to protect the Smartphone and confidential user data. In this paper we present AndroSimilar, a robust approach which generates signature by extracting statistically improbable features, to detect malicious Android apps. Proposed method is effective against code obfuscation and repackaging, widely used techniques to evade AV signature and to propagate unseen variants of known malware. AndroSimilar is a syntactic foot-printing mechanism that finds regions of statistical similarity with known malware to detect those unknown, zero day samples. Syntactic file similarity of whole file is considered instead of just opcodes for faster detection compared to known fuzzy hashing approaches. Results demonstrate robust detection of variants of known malware families. Proposed approach can be refined to deploy as Smartphone AV.

A Node-Disjoint Multipath Routing Method Based on AODV Protocol for MANETs

Frequent link failures are caused in mobile ad-hoc networks due to nodes mobility and use of unreliable wireless channels for data transmission. Due to this, multipath routing protocols become an important research issue. In this paper, we propose and implement a node-disjoint multipath routing method based on AODV protocol. The main goal of the proposed method is to determine all available node-disjoint routes from source to destination with minimum routing control overhead. With the proposed approach, as soon as the first route for destination is determined, the source starts data transmission. All the other backup routes, if available, are determined concurrently with the data transmission through the first route. This minimizes the initial delay caused because data transmission is started as soon as first route is discovered. We also propose three different route maintenance methods. All the proposed route maintenance methods are used with the proposed route discovery process for performance evaluation. The results obtained through various simulations show the effectiveness of our proposed methods in terms of route availability, control overhead, average end-to-end delay and packet delivery ratio.

MOMENTUM: MetamOrphic malware exploration techniques using MSA signatures

Modern malware that are metamorphic or polymorphic in nature mutate their code by employing code obfuscation and encryption methods to thwart detection. Thus, conventional signature based scanners fail to detect these malware. In order to address the problems of detecting known variants of metamorphic malware, we propose a method using bioinformatics techniques effectively used for Protein and DNA matching. Instead of using exact signature matching methods, more sophisticated signature(s) are extracted using multiple sequence alignment (MSA). The results show that the proposed method is capable of identifying malware variants with minimum false alarms and misses. Also, the detection rate achieved with our proposed method is better compared to commercial antivirus products used in the study.

Corner Detection Using Difference Chain Code as Curvature

Discontinuity detection plays an important role in image analysis applications like image registration, comparison, segmentation, time sequence analysis and object recognition. This paper presents a new approach for corner detection using first order difference chain-encoding. The proposed method is based on integer operations it is very simple and efficient. Preliminary results are presented and evaluation with respect to standard corner detectors like Harris and Yung is done as a benchmark.

AndroSimilar: Robust signature for detecting variants of Android malware

Abstract Android Smartphone popularity has increased malware threats forcing security researchers and AntiVirus (AV) industry to carve out smart methods to defend Smartphone against malicious apps. Robust signature based solutions to mitigate threats become necessary to protect the Smartphone and confidential user data. Here we present AndroSimilar, an approach which generates signatures by extracting statistically robust features, to detect malicious Android apps. Proposed method is effective against code obfuscation and repackaging, widely used techniques to propagate unseen variants of known malware by evading AV signatures. AndroSimilar is a syntactic foot-printing mechanism that finds regions of statistical similarity with known malware to detect those unknown, zero day samples. We also show that syntactic similarity considering whole app, rather than just embedded DEX file is more effective, contrary to known fuzzy hashing approach. We also apply clustering algorithm to identify small set of family signatures to reduce overall signature database size. Proposed approach can be refined to deploy as Smartphone AV.

Employing Program Semantics for Malware Detection

In recent years, malware has emerged as a critical security threat. In addition, malware authors continue to embed numerous anti-detection features to evade the existing malware detection approaches. Against this advanced class of malicious programs, dynamic behavior-based malware detection approaches outperform the traditional signature-based approaches by neutralizing the effects of obfuscation and morphing techniques. The majority of dynamic behavior detectors rely on system-calls to model the infection and propagation dynamics of malware. However, these approaches do not account an important anti-detection feature of modern malware, i.e., systemcall injection attack. This attack allows the malicious binaries to inject irrelevant and independent system-calls during the program execution thus modifying the execution sequences defeating the existing system-call-based detection. To address this problem, we propose an evasion-proof solution that is not vulnerable to system-call injection attacks. Our proposed approach characterizes program semantics using asymptotic equipartition property (AEP) mainly applied in information theoretic domain. The AEP allows us to extract information-rich call sequences that are further quantified to detect the malicious binaries. Furthermore, the proposed detection model is less vulnerable to call-injection attacks as the discriminating components are not directly visible to malware authors. We run a thorough set of experiments to evaluate our solution and compare it with the existing system-call-based malware detection techniques. The results demonstrate that the proposed solution is effective in identifying real malware instances.

C-Routing: An adaptive hierarchical NoC routing methodology

Deterministic routing algorithms are easier to design and implement in NoC but these fail to adapt to congestion. Table based adaptive routing solutions are not scalable. As the number of nodes increases, the area required for routing table becomes a penalty. In this paper, we propose a new hierarchical cluster based adaptive routing called ‘C-Routing’ in 2-D Mesh NoC. The solution reduces routing table size and provides deadlock freedom without use of virtual channels while ensuring livelock free routing. Routers in our method use intelligent routing to route information between the processing elements ensuring the correctness, deadlock freeness, and congestion handling. This method has been evaluated against other adaptive algorithms such as PROM, and Q-Routing etc. Results show that the proposed method performs better for given traffic patterns. C-routing uses adaptivity to avoid congestion by uniform distribution of traffic among the cores by sending flits over two different paths to the destination.

Performance analysis of MANET routing protocols for multimedia traffic

Providing requisite Quality of service (QoS) guarantees in wireless multi-hop networks is much more challenging than in wired networks. This is mainly due to its dynamic topology, distributed nature, interference, multi-hop communication and contention for channel access. In particular, it is important for routing protocols to provide QoS guarantees by incorporating metrics like achievable throughput, delay, jitter, packet loss ratio, etc. In this paper, we present comparative analysis of mobile ad-hoc routing protocols over real time video streaming. Our analysis exploits the built-in support for real time multimedia streaming in MANETs. We use H.264/SVC encoded video sequences to evaluate the performance of various routing protocols over a large number of scenarios in terms of throughput and end-to-end delay. Effects of changes in mobility, network scalability and network load are evaluated and presented. Our results show that it is possible to stream some multimedia applications with acceptable quality over MANETs within limited mobility, QoS and network size.

MEDUSA: MEtamorphic malware dynamic analysis usingsignature from API

Malware detection and prevention methods are increasingly becoming necessary for computer systems connected to the Internet. The traditional signature based detection of malware fails for metamorphic malware which changes its code structurally while maintaining functionality at time of propagation. This category of malware is called metamorphic malware. In this paper we dynamically analyze the executables produced from various metamorphic generators through an emulator by tracing API calls. A signature is generated for an entire malware class (each class representing a family of viruses generated from one metamorphic generator) instead of for individual malware sample. We show that most of the metamorphic viruses of same family are detected by the same base signature. Once a base signature for a particular metamorphic generator is generated, all the metamorphic viruses created from that tool are easily detected by the proposed method. A Proximity Index between the various Metamorphic generators has been proposed to determine how similar two or more generators are.