TY - GEN
T1 - Smartphone dual defense protection framework
T2 - 2012 8th International Conference on Mobile Ad Hoc and Sensor Networks, MSN 2012
AU - Su, X.
AU - Chuah, M.
AU - Tan, G.
PY - 2012
Y1 - 2012
N2 - In this paper, we present a smartphone dual defense protection framework that allows Official and Alternative Android Markets to detect malicious applications among the new applications submitted for public release. Our framework consists of servers running on clouds, where developers who wish to release new applications upload their software for verification. The verification server first uses system call statistics to identify potentially malicious applications. If the software passes verification, the application is released to the relevant markets. To mitigate false negatives, users who run new applications can invoke our network traffic monitoring (NTM) tool, which triggers network traffic capture upon detecting suspicious behavior, e.g. sensitive data being sent to the output stream of an open socket. The captured traffic is analyzed to see whether it matches network characteristics observed in malware applications. If suspicious network traffic is observed, the relevant Android markets are notified to remove the application from the repository. We trained our system call and network traffic classifiers using 32 known Android malware families and some typical normal applications. We then evaluated our framework using malware and normal applications other than those used in the training set. Our experimental results using 120 test applications (50 malware and 70 normal applications) indicate that we achieve 94.2% and 99.2% accuracy with the J48 and Random Forest classifiers respectively.
AB - In this paper, we present a smartphone dual defense protection framework that allows Official and Alternative Android Markets to detect malicious applications among the new applications submitted for public release. Our framework consists of servers running on clouds, where developers who wish to release new applications upload their software for verification. The verification server first uses system call statistics to identify potentially malicious applications. If the software passes verification, the application is released to the relevant markets. To mitigate false negatives, users who run new applications can invoke our network traffic monitoring (NTM) tool, which triggers network traffic capture upon detecting suspicious behavior, e.g. sensitive data being sent to the output stream of an open socket. The captured traffic is analyzed to see whether it matches network characteristics observed in malware applications. If suspicious network traffic is observed, the relevant Android markets are notified to remove the application from the repository. We trained our system call and network traffic classifiers using 32 known Android malware families and some typical normal applications. We then evaluated our framework using malware and normal applications other than those used in the training set. Our experimental results using 120 test applications (50 malware and 70 normal applications) indicate that we achieve 94.2% and 99.2% accuracy with the J48 and Random Forest classifiers respectively.
UR - http://www.scopus.com/inward/record.url?scp=84878708192&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84878708192&partnerID=8YFLogxK
U2 - 10.1109/MSN.2012.43
DO - 10.1109/MSN.2012.43
M3 - Conference contribution
AN - SCOPUS:84878708192
SN - 9780769549613
T3 - Proceedings - 2012 8th International Conference on Mobile Ad Hoc and Sensor Networks, MSN 2012
SP - 153
EP - 160
BT - Proceedings - 2012 8th International Conference on Mobile Ad Hoc and Sensor Networks, MSN 2012
Y2 - 14 December 2012 through 16 December 2012
ER -
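The abstract describes two layers: a pre-release classifier over system call statistics, and an on-device network traffic monitor (NTM) that triggers when sensitive data is written to an open socket. The block below is an added example, not code from the paper or its authors, showing both ideas end to end on constructed strace-style traces: syscall-frequency feature vectors, a nearest-centroid classifier trained on labelled traces and scored on held-out ones (a stand-in for the J48 and Random Forest classifiers the abstract names, whose feature set is not on this page), and a trigger that flags payloads containing a sensitive value only when the destination fd is a live socket. The syscall vocabulary, the traces, the fake IMEI and all app names are assumptions made for the example.

```python
"""Syscall-statistics triage plus an NTM-style exfiltration trigger, on constructed
strace-style traces. Added example, not the paper's code: a fixed syscall vocabulary,
a nearest-centroid classifier and a sensitive-string match on socket writes stand in
for the paper's feature set, J48/Random Forest classifiers and behaviour heuristics."""
import math
import re
from collections import Counter

SYSCALLS = ("read", "write", "open", "close", "socket", "connect", "sendto",
            "recvfrom", "ioctl", "mmap2", "stat64")  # assumed feature vocabulary
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z0-9_]+)\(")
SOCKET_RE = re.compile(r"^socket\(.*\)\s*=\s*(\d+)")
CLOSE_RE = re.compile(r"^close\((\d+)\)")
SEND_RE = re.compile(r'^(?:sendto|send|write)\((\d+),\s*"((?:[^"\\]|\\.)*)"')
FAKE_IMEI = "123456789012345"  # constructed identifier planted in the traces below

def syscall_histogram(trace):
    """Count syscalls per strace-style line; signal/exit lines do not match and are skipped."""
    counts = Counter()
    for line in trace.splitlines():
        if m := SYSCALL_RE.match(line.strip()):
            counts[m.group(1)] += 1
    return counts

def feature_vector(trace):
    """Relative frequency of each vocabulary syscall, so trace length is normalised out."""
    counts = syscall_histogram(trace)
    total = sum(counts[s] for s in SYSCALLS) or 1
    return [counts[s] / total for s in SYSCALLS]

def train_centroids(samples):
    """samples: [(trace, label)] -> {label: mean feature vector of that class}."""
    sums, n = {}, Counter()
    for trace, label in samples:
        acc = sums.setdefault(label, [0.0] * len(SYSCALLS))
        for i, x in enumerate(feature_vector(trace)):
            acc[i] += x
        n[label] += 1
    return {label: [x / n[label] for x in acc] for label, acc in sums.items()}

def classify(centroids, trace):
    """Nearest centroid by Euclidean distance (the paper used J48 and Random Forest here)."""
    v = feature_vector(trace)
    return min(centroids, key=lambda label: math.dist(v, centroids[label]))

def evaluate(centroids, samples):
    return sum(classify(centroids, t) == lab for t, lab in samples) / len(samples)

def socket_exfil_events(trace, sensitive_values):
    """NTM-style trigger: (fd, value) for each payload written to an open socket that holds a
    sensitive value. Socket fds are learned from socket() returns and forgotten on close()."""
    open_sockets, events = set(), []
    for line in trace.splitlines():
        line = line.strip()
        if m := SOCKET_RE.match(line):
            open_sockets.add(int(m.group(1)))
        elif m := CLOSE_RE.match(line):
            open_sockets.discard(int(m.group(1)))
        elif (m := SEND_RE.match(line)) and int(m.group(1)) in open_sockets:
            events += [(int(m.group(1)), s) for s in sensitive_values if s in m.group(2)]
    return events

# Constructed, trimmed strace-style traces; labels are by construction, not measured.
MAL_A = r"""open("/data/data/com.example.bad/id", O_RDONLY) = 3
close(3) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("203.0.113.9")}, 16) = 0
sendto(5, "GET /r.php?imei=123456789012345 HTTP/1.1\r\n", 42, 0, NULL, 0) = 42"""
MAL_B = r"""socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4
sendto(4, "hb", 2, 0, {sa_family=AF_INET, sin_port=htons(5353), sin_addr=inet_addr("203.0.113.9")}, 16) = 2
recvfrom(4, "cmd:sms", 7, 0, NULL, NULL) = 7
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
sendto(5, "POST /sms HTTP/1.1\r\n", 20, 0, NULL, 0) = 20"""
BEN_A = r"""open("/data/data/com.example.notes/notes.db", O_RDWR) = 3
stat64("/data/data/com.example.notes/notes.db", {st_mode=S_IFREG|0600, st_size=5296, ...}) = 0
read(3, "SQLite format 3\0"..., 4096) = 4096
write(3, "grocery list", 12) = 12
close(3) = 0"""
BEN_B = r"""ioctl(4, BINDER_WRITE_READ, 0xbe9ff0a8) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("198.51.100.4")}, 16) = 0
write(5, "GET /forecast?city=Bethlehem HTTP/1.1\r\n", 39) = 39
read(5, "HTTP/1.1 200 OK\r\n"..., 4096) = 812
close(5) = 0"""
TEST_MAL = r"""open("/proc/self/cmdline", O_RDONLY) = 3
close(3) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 5
connect(5, {sa_family=AF_INET, sin_port=htons(8080), sin_addr=inet_addr("203.0.113.77")}, 16) = 0
sendto(5, "GET /reg?imei=123456789012345&model=GT-I9100 HTTP/1.1\r\n", 58, 0, NULL, 0) = 58"""
TEST_BEN = r"""open("/sdcard/DCIM/IMG_0001.jpg", O_RDONLY) = 3
stat64("/sdcard/DCIM/IMG_0001.jpg", {st_mode=S_IFREG|0664, st_size=8492, ...}) = 0
read(3, "\377\330\377\340"..., 4096) = 4096
close(3) = 0
ioctl(4, BINDER_WRITE_READ, 0xbe9ff0a8) = 0"""
TRAIN = [(MAL_A, "malware"), (MAL_B, "malware"), (BEN_A, "benign"), (BEN_B, "benign")]
TEST = [(TEST_MAL, "malware"), (TEST_BEN, "benign")]

if __name__ == "__main__":
    centroids = train_centroids(TRAIN)
    print(evaluate(centroids, TEST), socket_exfil_events(TEST_MAL, [FAKE_IMEI]))
```

Two design points carry over to a real deployment. First, the features are relative frequencies, so a long-running benign app is not pushed toward the malware centroid merely by issuing more syscalls; the paper's J48/Random Forest models would consume the same kind of normalised vector. Second, the NTM trigger keys on the fd being a socket that was opened and not yet closed, which is why the weather app's HTTP request (a socket write without sensitive data) and a local file write containing the identifier both stay silent, while the held-out malware's registration request fires and would, in the framework, start the packet capture.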