Yuval Fledel
Ben-Gurion University of the Negev
Publication
Featured research published by Yuval Fledel.
IEEE Symposium on Security and Privacy | 2010
Asaf Shabtai; Yuval Fledel; Uri Kanonov; Yuval Elovici; Shlomi Dolev; Chanan Glezer
This research provides a security assessment of the Android framework, Google's software stack for mobile devices. The authors identify high-risk threats to the framework and suggest several security solutions for mitigating them.
IEEE Symposium on Security and Privacy | 2010
Asaf Shabtai; Yuval Fledel; Yuval Elovici
Google's Android framework incorporates an operating system and software stack for mobile devices. Using a general-purpose operating system such as Linux in mobile devices has advantages but also security risks. Security-Enhanced Linux (SELinux) can help reduce potential damage from a successful attack.
Computational Intelligence and Security | 2010
Asaf Shabtai; Yuval Fledel; Yuval Elovici
In this paper we apply Machine Learning (ML) techniques on static features that are extracted from Android's application files for the classification of the files. Features are extracted from Android's Java byte-code (i.e., .dex files) and other file types such as XML files. Our evaluation focused on classifying two types of Android applications: tools and games. Successful differentiation between games and tools is expected to provide positive indication about the ability of such methods to learn and model Android benign applications and potentially detect malware files. The results of an evaluation, performed using a test collection comprising 2,285 Android .apk files, indicate that features extracted statically from .apk files, coupled with ML classification algorithms, can provide good indication about the nature of an Android application without running the application, and may assist in detecting malicious applications. This method can be used for rapid examination of Android .apks and informing of suspicious applications.
Journal in Computer Virology | 2010
Asaf Shabtai; Yuval Fledel; Yuval Elovici; Yuval Shahar
In this study, we propose a new approach for detecting previously unencountered instances of known classes of malicious software based on their temporal behavior. In the proposed approach, time-stamped security data are continuously monitored within the target computer system or network and then processed by the knowledge-based temporal abstraction (KBTA) methodology. Using KBTA, continuously measured data (e.g., the number of running processes) and events (e.g., installation of a software) are integrated with a security-domain, temporal-abstraction knowledge-base (i.e., a security ontology for abstracting meaningful patterns from raw, time-oriented security data), to create higher-level, time-oriented concepts and patterns, also known as temporal abstractions. Automatically-generated temporal abstractions can be monitored to detect suspicious temporal patterns. These patterns are compatible with a set of predefined classes of malware as defined by a security expert employing a set of time and value constraints. The new approach was applied for detecting worm-related malware using two different ontologies. Evaluation results demonstrated the effectiveness of the new approach. The approach can be used for detecting other types of malware by updating the security ontology with new definitions of temporal patterns.
Recent Advances in Intrusion Detection | 2009
Boris Rozenberg; Ehud Gudes; Yuval Elovici; Yuval Fledel
We present a method for detecting new malicious executables, which comprises the steps of: (a) in a training phase, finding a collection of system call sequences that are characteristic only to malicious files, and storing said sequences in a database; (b) in a runtime phase, for each running executable, continuously monitoring its issued run-time system calls and comparing with the stored sequences within the database, and when a match is found, declaring said executable as malicious.
Trust, Security and Privacy in Computing and Communications | 2011
Boris Rozenberg; Ehud Gudes; Yuval Elovici; Yuval Fledel
We present a method for detecting new malicious executables, which comprises the following steps: (a) in an offline training phase, finding a set of (not necessarily consecutive) system call sequences that are characteristic only to malicious files, when such malicious files are executed, and storing said sequences in a database; (b) in a real-time detection phase, for each running executable, continuously monitoring its issued system calls and comparing with the stored sequences of system calls within the database to determine whether there exists a match between a portion of the sequence of the run-time system calls and one or more of the database sequences, and when such a match is found, declaring said executable as malicious. We have evaluated our method and the preliminary results are promising and justify the use of system call sequences for the purpose of detection of new malicious executables.
Mobile Computing, Applications, and Services | 2010
Yuval Fledel; Asaf Shabtai; Dennis Potashnik; Yuval Elovici
Among the most significant smartphone operating systems that have arisen recently is Google’s Android framework. Google’s Android is a software framework for mobile communication devices. The Android framework includes an operating system, middleware and a set of key applications. Designed as open, programmable, networked devices, Android is vulnerable to various types of threats. This paper provides a security assessment of the Android framework and the security mechanisms incorporated into it. In addition, a review of recent academic and commercial solutions in the area of smartphone security in general and Android in particular is presented.
Mobile Computing, Applications, and Services | 2010
Yael Weiss; Yuval Fledel; Yuval Elovici; Lior Rokach
Mobile phones have become a primary communication device nowadays. In order to maintain proper functionality, various existing security solutions are being integrated into mobile devices. Some of the more sophisticated solutions, such as host-based intrusion detection systems (HIDS), are based on continuously monitoring many parameters in the device such as CPU and memory consumption. Since the continuous monitoring of many parameters consumes considerable computational resources, it is necessary to reduce consumption in order to efficiently use HIDS. One way to achieve this is to collect fewer parameters by means of cost-sensitive feature selection techniques. In this study, we evaluate ProCASH, a new cost-sensitive feature selection algorithm which considers resource consumption, misclassification costs and feature grouping. ProCASH was evaluated on an Android-based mobile device. The data mining task was to distinguish between benign and malicious applications. The evaluation demonstrated the effectiveness of ProCASH compared to other cost-sensitive algorithms.
Journal of Forensic Research | 2010
Boris Rozenberg; Ehud Gudes; Yuval Elovici; Yuval Fledel
We present a method for detecting new malicious executables, which comprises the following steps: (a) in an offline training phase, finding a set of system call sequences that are characteristic only to malicious files, when such malicious files are executed, and storing said sequences in a database; (b) in a real-time detection phase, for each running executable, continuously monitoring its issued system calls and comparing with the stored sequences of system calls within the database to determine whether there exists a match between a portion of the sequence of the run-time system calls and one or more of the database sequences, and when such a match is found, declaring said executable as malicious. We have evaluated our method and the preliminary results are promising and justify the use of system call sequences for the purpose of detection of new malicious executables.
arXiv: Cryptography and Security | 2009
Asaf Shabtai; Yuval Elovici; Uri Kanonov; Yuval Fledel; Shlomi Dolev