Knowledge-based Temporal Abstraction Host-based
Intrusion Detection System for Android
KB-IDS
Academic Advisor:
Dr. Yuval Elovici
Technical Advisor: Asaf Shabtai
Team Members: Eliya Rahamim, Elad Ankry, Uri Kanonov
Background
An IDS is used to detect malicious behaviors that indicate a breach in the security of a computer system.
The Knowledge-based Temporal Abstraction (KBTA) method is a method in which a computational mechanism extracts meaningful conclusions from raw time-stamped data and domain knowledge.
Android is an operating system for mobile devices, based on the Linux kernel, developed by Google. It allows development of applications in Java, controlling the phone via Google-developed Java libraries.
Problem Domain
In the modern age, smartphones, as well as the threats they are susceptible to, are a growing trend.
This strengthens the need for sophisticated defense mechanisms to protect them.
Current Situation
Mobile devices lack the computational strength needed to support PC-like security solutions.
Android, being an open-source and open platform, introduces new potential risks and types of attacks.
Android has some inherent security mechanisms, but they cannot cope with all possible threats.
Due to application sandboxing, conventional methods such as antivirus are futile. There is a need for a different solution…
Proposed Solution - HIDS
Knowledge-based Temporal Abstraction
Developed by Prof. Yuval Shahar, 1997
Knowledge (KBTA Security ontology)
Four inference mechanisms:
- Temporal Context Forming
- Contemporaneous Abstraction
- Temporal Interpolation
- Temporal Pattern Matching
Higher Level Meaningful Temporal Information:
- Contexts
- Abstractions
- Temporal Patterns
Time-Stamped Raw Data:
- Primitive Parameters
- Events
KBTA – cont.
[Figure: KBTA layers over time T0, T1, T2, T3 and intervals I1, I2. Time-stamped raw data: the primitive "TCP Packets Sent" and the event "Wi-Fi Connection". Abstractions: "TCP Packets Sent State = HIGH" (states Low/Medium/High). Contexts: "Internet Connection Mode". Patterns: "Worm Pattern".]
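The layered inference that the figure sketches, as an added example that is not part of the KB-IDS project's code: the four KBTA mechanisms run over constructed "TCP packets sent" samples and Wi-Fi events, raising the worm pattern only while the Internet Connection context holds. The state thresholds, the gap that interpolation bridges and the minimum duration of the pattern are assumptions chosen for illustration.

```python
LOW_MAX, MEDIUM_MAX = 50, 200   # assumed thresholds; above MEDIUM_MAX the state is HIGH
MAX_GAP = 2                     # assumed: interpolation bridges gaps of up to 2 windows
MIN_HIGH_WINDOWS = 3            # assumed: worm pattern needs HIGH for 3 windows in context

def abstract_state(value):
    """Contemporaneous abstraction: raw TCP-packets-sent count -> LOW/MEDIUM/HIGH."""
    return "LOW" if value <= LOW_MAX else "MEDIUM" if value <= MEDIUM_MAX else "HIGH"

def form_contexts(events):
    """Temporal context forming: Wi-Fi connect/disconnect events -> [start, end] windows."""
    contexts, start = [], None
    for t, name in sorted(events):
        if name == "WIFI_CONNECTED" and start is None:
            start = t
        elif name == "WIFI_DISCONNECTED" and start is not None:
            contexts.append([start, t])
            start = None
    if start is not None:               # still connected at the end of the data
        contexts.append([start, float("inf")])
    return contexts

def interpolate_states(samples):
    """Temporal interpolation: join equal-state samples <= MAX_GAP apart into [start, end, state]."""
    intervals = []
    for t, value in sorted(samples):
        state = abstract_state(value)
        if intervals and intervals[-1][2] == state and t - intervals[-1][1] <= MAX_GAP:
            intervals[-1][1] = t        # extend the run, bridging any unsampled window
        else:
            intervals.append([t, t, state])
    return intervals

def match_worm_pattern(samples, events):
    """Temporal pattern matching: a HIGH interval that overlaps an INTERNET_CONNECTION
    context for at least MIN_HIGH_WINDOWS windows yields ("WORM_PATTERN", start, end)."""
    hits = []
    for start, end, state in interpolate_states(samples):
        if state != "HIGH":
            continue
        for c_start, c_end in form_contexts(events):
            lo, hi = max(start, c_start), min(end, c_end)
            if hi - lo + 1 >= MIN_HIGH_WINDOWS:
                hits.append(("WORM_PATTERN", lo, hi))
    return hits

# Constructed sample: (window index, TCP packets sent); window 6 was not sampled.
SAMPLES = [(0, 10), (1, 30), (2, 400), (3, 450), (4, 410), (5, 500), (7, 470), (8, 20)]
EVENTS = [(1, "WIFI_CONNECTED"), (8, "WIFI_DISCONNECTED")]
if __name__ == "__main__":
    print(match_worm_pattern(SAMPLES, EVENTS))  # [('WORM_PATTERN', 2, 7)]
```

Without the Wi-Fi events no context is formed, so the same HIGH run raises nothing; that is the role the context layer plays in the figure.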
Func. Requirements – Agent
Registration/Login: Ability to register with the Control Center. Ability to log in to the Control Center and to receive configuration for the various installed components.
Monitor: Every predefined time window, the agent samples state parameters and counts the number of system/user events that occurred in the time window.
Send monitored data: The agent will send the monitored data to the analysis servers and the Control Center at the end of each predefined time window.
Receive alerts: Ability to receive alerts along with any associated data from the Threat Weighting Unit.
Func. Requirements – Analysis Servers
Receive and analyze monitored data: Ability to receive and analyze the data received from the agent and output a conclusion regarding the existence of a threat.
Send analysis result: Ability to send the analysis result to the Threat Weighting Unit.
Func. Requirements – KBTA Server
KBTA processing: Ability to incrementally process the received data according to the KBTA method, supporting the following elements:
- Primitive
- Event
- Context
- State
- Trend
- Pattern
Configure monitored patterns: Ability to set which patterns will be computed and monitored for threat presence.
Func. Requirements – Threat Weighting Unit
Weight Threat Assessments: Ability to receive threat assessments (along with any associated data) from multiple local analysis servers and weight them, outputting a single assessment.
Alert: Ability to dispatch an alert (along with any associated data) to both the agent and the Control Center in case of threat detection.
Non-Func. Requirements
Gathering a feature batch (maximum 40) by the agent should take less than 10 seconds.
CPU usage by the HIDS should be under 10%.
The HIDS should take at most 10MB on the data partition of the device.
The HIDS will be developed in Java using the Android SDK.
For demo and testing purposes, a real device will be supplied by DT Labs.
Collect features, Analyze Data and Weight Assessments
Primary actors: Android
Description: After a time trigger, the agent collects the monitored feature values and sends them to all of the local analysis servers. Each of the servers analyzes the data and outputs a threat assessment. The assessments are weighted by the TWU and, if a threat is found, an alert along with any associated data is dispatched to the agent and the Control Center.
Trigger: A time trigger from Android
Pre-conditions: The agent is installed on the device and is running
Post-conditions: If a threat is found, an alert along with any associated data has been dispatched
Risks
Risk: The HIDS consumes too much CPU. Solution: Reducing the quantity of the features collected by the agent and/or decreasing the collection rate.
Risk: The HIDS consumes too much memory. Solution: Reducing the time frame for keeping raw data in the KBTA's memory.
Risk: The HIDS consumes too much bandwidth. Solution: Lessening the amount of data transmitted to and from the Control Center.
The End
And so Android lived happily ever after…