8/10/2019 A New Model for Mobile Botnet Detection and Response Using Innate Immune System (Proposal)
1/45
A New Model for Mobile Botnet Detection and Response Using Innate
Immune System
A PhD Proposal
Candidate:
Zubaile Bin Abdullah
Information Security Department
Faculty of Computer Science and Information Technology
Universiti Tun Hussein Onn Malaysia
Supervisor:
Dr. Madihah Binti Saudi
Information Security and Assurance
Faculty of Science and Technology
Universiti Sains Islam Malaysia
Co-Supervisor:
Dr. Nor Badrul Anuar
Department of Computer System & Technology
Faculty of Computer Science & Information Technology
University of Malaya
ABSTRACT
Mobile devices such as smartphones are now widely used and have become one of the main targets of mobile malware, especially mobile botnets. The mobile botnet threat has been growing tremendously; however, there are gaps in current solutions to counter that threat. Hence, a new model for mobile botnet detection and response is proposed to address this problem. The model is built from an analysis of mobile application and mobile malware datasets collected from the Google Play Store and the Android Malware Genome Project. Static analysis and dynamic analysis of each mobile application are conducted to determine whether the application is benign or malware. From the analysis, new parameters for mobile botnet classification are constructed to enable the model to detect the malware accurately. The model also integrates different fields: computer security, the human immunology system and knowledge discovery techniques.
PUBLICATIONS
Zubaile Abdullah, Madihah Mohd Saudi & Nor Badrul Anuar, (2013). Mobile Malware Detection: Proof of Concept. 3rd International Conference of Software Engineering & Computer Systems 2013 (ICSECS13), Universiti Malaysia Pahang. (To be published in Springer Publication)
TABLE OF CONTENTS
ABSTRACT
PUBLICATIONS
TABLE OF CONTENTS
LIST OF FIGURES
LIST OF TABLES
LIST OF ABBREVIATIONS
CHAPTER 1 INTRODUCTION
1.1 Background
1.2 Problem Statement
1.3 Research Objectives
1.4 Scopes of Research
1.5 Significance of Study
1.6 Proposal Organi
2.7 Summary
CHAPTER 3 RESEARCH METHODOLOGY
3.1 Research Methodology
3.2 Research Design
3.2.1 Datasets
3.2.2 Testing Lab Architecture
3.3 Expected Result
3.4 Planning and Execution
3.5 Preliminary Study
3.6 Summary
REFERENCES
LIST OF FIGURES
Figure 1.1: New Mobile Threat Families and Variants across Platforms
Figure 1.2: Types of Mobile Threats
Figure 2.1: Android OS Architecture
Figure 3.1: An Overview of Proposed Research Methodology
Figure 3.2: Mobile Botnet Detection and Response Model
Figure 3.3: Mobile Botnet Static Analysis
LIST OF TABLES
Table 2.1: Comparison between Mobile Botnet with Other Malware
Table 2.2: Related Works of Malware Detection on Android
LIST OF ABBREVIATIONS
AIS Artificial Immune System
APK Android package
HIS Human Immunology System
IIS Innate Immune System
CHAPTER 1
INTRODUCTION
This chapter introduces the research proposal, including the background of mobile botnets, the current state of the threats and the issues in countering them.
1.1 Background
Over the past few years, the popularity of mobile devices has risen significantly. This has been accompanied by the increased functionality of mobile devices (Zhou et al., 2012; Li et al., 2013). Mobile devices such as smartphones are no longer limited to phone calls or sending messages but are also used for web browsing, social networking, downloading and installing applications and online banking transactions. To a certain extent, smartphone users keep confidential information such as contacts, bank account numbers, usernames and passwords for online banking, credit card numbers, and memorable and private pictures on these devices. As a result of their popularity, their functionality and their role as a store of confidential information, mobile devices have now become a main target for malware authors and attackers.
Malware threats on mobile devices come in various forms, such as viruses, trojans, worms and mobile botnets (Eslahi et al., 2012a). Among these, mobile botnets are more dangerous as they pose serious threats to mobile devices and mobile networks (Polla et al., 2012; Zeng, et al., 2012). In their research, Polla et al. (2012) defined mobile botnets as a set of mobile devices that are infected by a specific malware without user consent or knowledge. Once infected by mobile botnets, the devices can be controlled by an attacker called a bot master via a command and control (C&C) mechanism such as Bluetooth, Short Messages Services, peer to peer (P2P), the Internet or any combination of them. The bot master will utili
premium text messaging services, spreading other malware, identity theft and collecting confidential information which can be exploited further for illegal purposes.
In recent years, attacks and threats from mobile malware and mobile botnets have been on the rise. A recent survey conducted by the anti-virus company F-Secure (F-Secure, 2013) stated that the number of mobile malware threat families rose 26 percent from the second to the third quarter of 2013 compared with the same time period in the previous year. As shown in Figure 1.1, there are 259 new threats in the third quarter of 2013 compared to the third quarter of 2012. The survey also found that one in every five malware threats is a mobile botnet threat, as shown in Figure 1.2.
Figure 1.1: New Mobile Threat Families and Variants across Platforms
(Adapted from F-Secure 2013 Report)
Figure 1.2: Types of Mobile Threats
(Adapted from F-Secure 2013 Report)
One remarkable mobile botnet attack is the Zeus botnet Eurograbber in 2012, which attacked Android, Symbian, Windows and Blackberry smartphones. Eurograbber was responsible for more than $47 million in losses from fraudulent transfers out of victims' bank accounts (Kalige & Burkey, 2012). Although mobile botnets have not yet caused major outbreaks in the mobile world, their existence already poses a serious threat. In addition, studies by Felt, et al. (2011) and Arabo & Pranggono (2013) have predicted that in future there will be more financially oriented mobile botnet attacks on smartphones.
1.2 Problem Statement
There are numerous solutions to detect and handle mobile botnet attacks. These include installing and updating anti-virus software, applying the latest security patches of the mobile operating system and avoiding downloading and installing mobile applications from third-party application markets or from unknown links sent to the smartphone (Saudi et al., 2009; Arabo & Pranggono, 2013). Though these are the suggested solutions, there is still room for improvement in detecting mobile botnet attacks more accurately and efficiently.
A paper by Botha et al. (2009) found that there is a gap in anti-virus solutions, namely the inefficiency of anti-virus software when used on mobile devices. For example, to detect mobile botnets,
anti-virus software needs to install a large database of known malware signatures. Searching a large database during detection consumes much processing power and memory and thus might result in rapid draining of the mobile device's battery. In addition, existing mobile anti-virus software is found to be inaccurate in identifying new or mutated mobile botnets because anti-virus relies solely upon earlier knowledge of malware samples (Ahmed & Dharaskar, 2012).
Apart from that, there are also issues related to updating security patches. This solution is not viable for smartphones that use the Android mobile operating system (Android OS). Google, as developer of Android OS, has allowed smartphone manufacturers to modify the OS to suit their smartphones. However, none of the manufacturers are required to provide Android security updates or patches to their smartphone users (Teufl et al., 2012). Furthermore, due to the different modifications of the Android OS, security patches provided by Google cannot rapidly be deployed to the user, as the patches must be modified and integrated into the various Android OS modifications. As a result, many Android smartphones are not immediately updated with security patches when they are released, which makes them vulnerable to mobile botnet attacks.
Lastly, a survey by (H. Peng et al., 2012) found there is also an issue with smartphone users' security knowledge. Users tend to download malware as they are usually lured by social engineering techniques and are unaware of the threats. Hence leaving the smartphone's security solely to users is not practical.
In recent years, numerous studies have been done to detect mobile malware, such as by Schmidt et al., (2009), Shabtai et al. (2010), Burguera & Zurutu
observation and literature studies, one most promising approach to respond to mobile botnet attacks is by using the Innate Immune System (IIS), one of the immune systems that exist in the Human Immunology System. IIS has the ability to defend the human body from an intruder such as a virus by automatically killing the intruder when it enters the human body (Med
This research observes mobile botnet threats and attacks through malicious application installation. The proposed model of mobile botnet detection and response is based on Android botnets and Android OS.
1.5 Significance of the Study
The proposed model enhances mobile botnet detection and offers a better response to mobile botnet attacks. This new model counters the issues with anti-virus solutions and with mobile botnet installation through infected applications. The model does not require an update because it classifies mobile botnets based on generic and inherited features or behavior, so new variants can easily be detected.
1.6 Proposal Organization
The rest of the proposal is structured as follows:
Chapter 2 contains the related literature and discusses the fundamental knowledge of the subject matter. This includes an overview of Android OS, Android applications, the definition of mobile botnets, comparisons with other mobile malware, mobile botnet propagation, mobile malware detection and response techniques, a review of related studies, data mining, knowledge discovery and the Innate Immune System.
Chapter 3 discusses in detail the research methods used in this research. This includes the datasets used and the phases and processes involved.
1.7 Summary
The popularity and functionality of mobile devices attract not only users but also attackers. Mobile devices such as smartphones can be infected by malware that turns them into a botnet, which is later used for cyber-crime, while current solutions for mobile botnet threats can still be improved. Therefore there is an urgent need to produce more research on mobile botnet classification, detection and response. The motivation to pursue research in this area is to provide a high accuracy and efficiency model for mobile botnet detection and response, which is not provided by current solutions.
CHAPTER 2
LITERATURE REVIEW
This chapter contains the related literature. This includes an overview of Android OS and applications, the definition of mobile botnets, comparison with other malware, mobile botnet propagation and mobile malware detection and response techniques. Related studies of mobile malware detection and response are also reviewed here in terms of methods used, strengths and potential improvements. Further, data mining, knowledge discovery and the Innate Immunology System are also presented.
2.1 Overview of Android OS Architecture
Android is currently evolving as one of the most prominent open source platforms for mobile devices like smartphones, netbooks and tablets (Yerima et al., 2013). It is not just an operating system but a complete software stack that includes an application framework, libraries and some core applications, as shown in Figure 2.1. The Android architecture is made up of different components, which are composed into different layers (Yerima et al., 2013).
The first or core layer is based on the Linux kernel, which acts as a hardware abstraction layer and provides a variety of device drivers. This Linux kernel layer is also responsible for managing memory, power functionalities, process management and networking.
The second layer is the native libraries layer, such as SQLite, WebKit and Secure Socket Layer (SSL), and it is layered on top of the Linux kernel. These libraries provide access to lower level system services and core functionalities and are incorporated into Android using Java interfaces. The next layer is the Android runtime layer, composed of two major components, namely the Android core libraries and the Dalvik Virtual Machine (DVM). The Android core libraries contain all of the collection classes, input and output (I/O) and networking utilities. The core libraries also
contain some Android-specific libraries required for accessing different capabilities offered by the Android hardware, operating system and native libraries. The DVM, on the other hand, functions to interpret and execute an Android application represented by .dex files.
The Application Framework layer, which is layered on top of the native libraries layer, enables the use and reuse of different low-level Android components. This layer provides all the APIs that an Android application requires, such as access to location information and running background services of the device hardware. The important components of the application framework layer are the Activity Manager, Content Providers and Resource Manager. The Activity Manager is responsible for managing the life cycle of applications, Content Providers are used to enable data sharing between applications and the Resource Manager is used to provide access to non-code resources e.g., locali
An Android user application is distributed as a package called an Android Package (APK). An APK is a compressed file that consists of AndroidManifest.xml (the manifest file), classes.dex and other binary or XML-based resources required by the application to run. An Android user application, or app, is written in the Java programming language. Since the Android Application Framework forces a component-based application model to increase code reusability, Android applications must be developed in terms of components. The core components of an Android application are Activities, Services, Broadcast Receivers and Content Providers (Zhang et al., 2013).
Activities provide the user interfaces of an application and handle the application's interactions with the user. Meanwhile, Services run in the background and do not interact with the user. Downloading an application or decompressing an archive are examples of operations done in Services. The Broadcast Receivers component handles messages from other components, including messages from the Android system. Broadcast Receivers are triggered by the receipt of an appropriate message and then run in the background to handle the event. Content Providers are databases addressable by their application-defined URIs.
An application must declare its components in a manifest file located at the application project root directory. By default, applications do not have the ability to interact with sensitive parts of the system API or privileged components such as SMS system access, internet access or read access to the user's contacts list. In order to access and interact with such privileged components, permission must be requested by an application in its manifest file, and the request is shown to the mobile device user during installation. Whenever the user installs a new app, he is prompted to grant or reject all permissions requested by the application. If granted, that application can interact with these privileged components.
For the purpose of this research, certain features from the app manifest file and dex bytecode are extracted through a reengineering and static analysis process. These could serve as parameters of suspicious activity, such as intending to access sensitive information and resources or executing a malicious payload. These features are mapped together with application behavior at runtime, obtained in the dynamic analysis process, to form the basis of a classifier, which is later used in the detection and response phase to determine whether a given Android application is benign or malicious.
2.2 Mobile Botnet
It is necessary to have a clear understanding of mobile botnets in order to detect and respond to their threats accurately and efficiently. In this section, the definition of mobile botnets, their comparison with other malware and their propagation are explained.
2.2.1 Definition
According to Polla et al. (2012), mobile botnets are a set of mobile devices that are infected by a specific malware without user consent or knowledge. Once infected by mobile botnets, the devices can be controlled by an attacker called a bot master via a command and control (C&C) mechanism such as Bluetooth, Short Messages Services, peer to peer (P2P), the Internet or any combination of them. The bot master will utili
used as references. Each of these malware types has its own characteristics, but the public usually terms all malware as viruses. Thus, it is critical to differentiate each type of malware to ensure the detection and response techniques are suitable for the malware's characteristics. A paper by (S. Peng, Yu, & Yang, 2013) had comprehensively defined and categori
Table 2.1: Comparison between Mobile Botnet with Other Malware

| Type | Virus | Worm | Trojan | Spyware | Botnet |
|---|---|---|---|---|---|
| Existing Form | Non-self-replicating; need host file as carrier | Self-replicating; independent | Non-self-replicating; masquerade as legitimate and benign software | Non-self-replicating; bundled with other software | Non-self-replicating; need host file as carrier |
| Human Intervention | Yes | If exploits system vulnerabilities: No; Others: Yes | Yes | Yes | Yes |
| Spreading Speed | Fast | Very Fast | Very Fast | Slow | Very Fast |
| Attacker Control | Cannot control smartphone remotely | Cannot control smartphone remotely | Cannot control smartphone remotely | Cannot control smartphone remotely | Control smartphone remotely by attacker |
| Attacker Intention | Intention is to malfunction the smartphone or application | Intention is to slower the performance of smartphone | Intention to steal confidential information | Intention to monitor smartphone user behavior such as sites visits, interest and personali | |
Mobile botnets can come in different si
clicking a misleading link. Attackers or malware authors usually entice users to download interesting or feature-rich applications without the user knowing that the application is actually malware.
2.3 Mobile Malware Detection Techniques
The main purpose of a mobile malware detection and response technique is to detect the presence of mobile malware in an application which, if found, could be cleaned, quarantined, blocked or deleted. Several approaches to mobile malware detection have been attempted by Schmidt et al., (2009), Enck et al., (2009), Shabtai et al., (2010), Bläsing et al., (2010), Burguera & Zurutu
In contrast to static analysis, dynamic analysis does not inspect the source code but the application sample is analy
In the same year, Enck et al., (2009), proposed another static analysis tool, namely Kirin, which scans the application for matching malicious patterns. They define various potentially dangerous permission combinations as rules to block the installation of potentially unsafe applications. However, Kirin is more a vulnerability assessment of the application than mobile malware detection.
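
The manifest-derived features described in Section 2.1 and the permission-combination rules described for Kirin can be illustrated together. The following is an added example, not code from this proposal or from Kirin: it assumes the manifest has already been decoded from the APK's binary XML into plain text, and the rule names and rule set are illustrative assumptions rather than Kirin's published rules.

```python
import xml.etree.ElementTree as ET

# Attribute names in a manifest live in the Android XML namespace.
ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."

# Illustrative rule set (assumption, not Kirin's published rules): a rule only
# fires when every permission in its set is requested together.
RULES = [
    ("sms-relay", {P + "RECEIVE_SMS", P + "SEND_SMS"}),
    ("sms-to-network", {P + "RECEIVE_SMS", P + "INTERNET"}),
    ("contacts-to-network", {P + "READ_CONTACTS", P + "INTERNET"}),
    ("start-at-boot-with-network", {P + "RECEIVE_BOOT_COMPLETED", P + "INTERNET"}),
    ("call-audio-to-network",
     {P + "RECORD_AUDIO", P + "READ_PHONE_STATE", P + "INTERNET"}),
]

# Constructed sample manifests (package and component names are made up).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".SyncService"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".NotesActivity"/>
  </application>
</manifest>
"""


def extract_features(manifest_xml):
    """Return package, requested permissions, components and receiver actions."""
    if "<!DOCTYPE" in manifest_xml or "<!ENTITY" in manifest_xml:
        # A manifest never needs a DTD; refuse it instead of expanding entities.
        raise ValueError("DTD or entity declaration in manifest")
    root = ET.fromstring(manifest_xml.strip())
    if root.tag != "manifest":
        raise ValueError("root element is not <manifest>")

    def names(tag):
        return [e.get(ANDROID_NAME) for e in root.iter(tag) if e.get(ANDROID_NAME)]

    actions = {a.get(ANDROID_NAME)
               for r in root.iter("receiver") for a in r.iter("action")
               if a.get(ANDROID_NAME)}
    return {
        "package": root.get("package"),
        "permissions": set(names("uses-permission")),
        "components": {t: names(t)
                       for t in ("activity", "service", "receiver", "provider")},
        "receiver_actions": sorted(actions),
    }


def matched_rules(features, rules=RULES):
    """Names of all rules whose permission set is fully requested."""
    return [name for name, required in rules if required <= features["permissions"]]


def install_decision(manifest_xml):
    """Return (decision, hits): 'block', 'allow', or 'reject' if unparsable."""
    try:
        features = extract_features(manifest_xml)
    except (ET.ParseError, ValueError):
        return "reject", []
    hits = matched_rules(features)
    return ("block" if hits else "allow"), hits


if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, install_decision(doc))
```

A single requested permission such as INTERNET never triggers a rule on its own; only the combinations do, which is why the second sample is allowed.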
Wu et al., (2012) also used static analysis and proposed an Android malware detection tool named DroidMat. DroidMat detects malware through the manifest file and traces of API calls. They demonstrated that this tool is capable of finding more Android malware than another Android detection tool, Androguard (Wu et al., 2012). However, with a single sample of Android malware, DroidMat cannot predict and learn the behaviour of new malware. Moreover, there are two families of malware (BaseBridge and DroidKungFu) which use the update attack technique and are not detected by DroidMat (Wu et al., 2012).
In 2010, Shabtai et al. proposed a malware detection approach that monitors various features and events obtained from the mobile device while the application executes. They then applied machine learning anomaly detectors to classify the collected data as normal for benign or abnormal for malicious. The features they considered include CPU consumption, number of packets sent through WiFi, number of running processes, keyboard or touch-screen presses and application start-up. To validate their models, they selected features using three selection methods: Information Gain, Fisher Score and Chi-Square. Their approach achieved 92% accuracy; however, two drawbacks of their system are that it did not use real malware samples and that it used an application that simulates user interaction, known as ADB Monkey, which is not a real user.
Burguera & Zurutu
set. Furthermore, evaluation was also carried out using a self-implemented set of malware samples instead of malware from the wild.
While the above studies chose to analyse the application either statically or dynamically, Bläsing et al., (2010) proposed a hybrid method called AASandbox. AASandbox uses both static and dynamic analysis. The static analysis decompresses the apk file, converts its class files into Java source code, searches for suspicious patterns and marks them as benign or malicious. During the application's execution in the Android Emulator, AASandbox counts the number of all system calls to detect malicious behaviours. However, the data obtained by AASandbox is very diverse, causing low detection accuracy (Lin et al., 2013). In addition, they also used ADB Monkey in the dynamic analysis simulation.
Zhou et al., (2012) proposed another hybrid solution named DroidRanger. DroidRanger uses both static and dynamic analysis techniques to develop behavior profiles for scalable mobile malware detection, scanning large numbers of third-party Android applications for malicious behavior. DroidRanger implements a combination of permission-based behavioral footprinting to detect samples of already known malware families and a heuristic-based filtering scheme to detect unknown malicious families. Within their dynamic part they use a kernel module to log only system calls used by known Android exploits or malware. However, these authors only monitor those system calls used by existing root exploits with root privilege, and hence new malware which avoids calling such system calls with root permissions may avoid being detected. On the other hand, the detection heuristics used by the authors present a high false negative rate, ranging from 5.04% to 23.52% (Suare
dynamic analysis to counter obfuscated and encrypted application source code. Since the means for collection and run-time analysis of mobile botnets is by itself not sufficient to lessen the threat posed by novel mobile botnets, this research also adopts the knowledge discovery technique (KDD) and data mining. From the response perspective, which was not applied by previous researchers, this research adopts the Innate Immune System. A summary and comparison of this research with related studies is presented in Table 2.2.
Table 2.2: Related Works of Malware Detection on Android

| Related Work | Type of Analysis | Key Feature | Detecting Target | Main Drawbacks |
|---|---|---|---|---|
| Schmidt et al., (2009) | Static | Function Calls | Mobile Malware | Small Sample |
| Enck et al., (2009) | Static | Data Flow | Mobile Malware, Vulnerability Assessment | General Malware Detection |
| Shabtai et al., (2010) | Dynamic | Abnormal Behaviour | Mobile Malware | Generates Many False Positives |
| Burguera & Zurutu | | | | |
Many studies that integrate KDD have been conducted over the past few years, for example in Health, Geology, Marketing, Finance and Molecular Biology (Mhamdi & Elloumi, 2008). KDD has also been adopted in computer and cyber security, for example in virus detection (Deng, 2003), worm detection (Saudi et al., 2011) and botnet detection (Shahrestani et al., 2009).
For this research, KDD is used as a technique to identify mobile botnet patterns in the datasets. This includes dataset preparation, data cleansing, feature extraction, clustering, classification and interpretation. Data mining, which is part of KDD, is used to extract features of Android applications.
2. Innate Immune System (IIS)
In this section, IIS is defined and a comparison between IIS and mobile botnets is conducted. Apart from this, previous work that is related to this research is also presented.
2. .1 Definition
Humans live in an environment where their bodies are constantly being attacked by intruders such as viruses, bacteria and other organisms, yet the majority of humans have survived these attacks for many decades (Saudi, 2011). Humans do not need to download any security patches since their bodies have adapted to living in such a harsh environment with the help of the Human Immunology System (HIS). Various approaches have been proposed in the literature that aim to develop an Artificial Immune System (AIS) which mimics the behaviour of HIS. Somayaji, et al., (1997) provided various possible architectures of AIS for computer security. Dasgupta, et al., (2011), on the other hand, provide a good review of the AIS field.
Based on the literature reviewed, the Innate Immune System (IIS) is seen as one of the specialisms in human immunology that can be further explored and integrated into this research, particularly in detection of and response to mobile botnet infection. According to (Marhusin, et al., 2008), the term innate immune system refers to the fast-acting non-specific immunological actions of human that recogni
human. The innate immune system can be thought of as the human front line of defense against pathogens.
2.7 Summary
This chapter presented the related studies for this research. This literature is the foundation of knowledge for this research. It includes an overview of Android OS and applications, the definition of mobile botnets, comparison with other malware, mobile botnet propagation and mobile malware detection and response techniques. Related studies of mobile malware detection and response are also reviewed here in terms of methods used, strengths and potential improvements. Further, knowledge discovery and the Innate Immunology System are also presented.
CHAPTER 3
RESEARCH METHODOLOGY
This chapter explains how this research is conducted, including the methods used in data collection and analysis, an explanation of the research tools and environment, an overview of the proposed model and the research schedule, including preliminary work that has been done.
3.1 Research Methodology
This research proposes a high-accuracy and efficient model for mobile botnet detection and
response. All the processes involved in forming this model are illustrated in Figure 3.1. There are
two phases in the proposed model: mobile botnet detection and mobile botnet response.
Figure 3.1: An Overview of Proposed Research Methodology
Thirteen processes are involved in developing these two phases, starting with outlining the research
background. These processes are simplified in Figure 3.2. Prior to the formation of the proposed model,
the aims and objectives are well defined and focused to ensure that the contribution of this research
has significant value. Details of these can be found in Chapter 1.
Once the first process is completed, it is followed by reviewing the existing works and
literature. The proposed model covers the gaps identified in studies conducted by previous
researchers. Analysis and comparison of previous related works are addressed in Chapter 2
Figure 3.2: Mobile Botnet Detection and Response Model
3.2 Research Design
In this section, all the techniques applied for analysis and testing are explained.
This includes the sources of, and reasons for using, datasets from the Android Malware Genome Project and
Google Play.
3.2.1 Datasets
There are two datasets for this research: a training dataset and a testing dataset.
The training dataset is used to build the detection and response model, while the testing dataset is
used to validate the model. The training dataset consists of benign applications downloaded from Google
Play, an official market that hosts Android applications. An Android emulator is used to download
the applications.
The testing dataset for this research is taken from the Android Malware Genome
Project, initiated and collected by Zhou & Jiang (2012). The dataset consists of 1260
Android malware samples in 49 different malware families. These malware samples cover
the majority of existing Android malware which appeared from Aug 2010 to October 2011.
There are four reasons why this research chooses to use data from the Android Malware
Genome Project.
Firstly, many studies have used this data for their testing, for example research
conducted by ( u et al., 2012), (Yerima et al., 2013), (Zhang et al., 2013), (Amos et al.,
2013) and (Demme et al., 2013). Secondly, this dataset contains Android malware samples
that are within the scope of this research, which focuses on Android OS mobile botnets. Thirdly,
this dataset has also been downloaded and used by well-known anti-virus companies such as
Lookout, AVG, NQ Mobile, and McAfee. The dataset has also been downloaded by more than
308 entities including higher learning institutions, research companies and government
sectors (Zhou & Jiang, 2012). Lastly, it is one of the largest mobile malware databases freely
available from the Internet.
3.2.2 Testing Lab Architecture
The lab architecture in this research is illustrated in Figure 3.2. It is a controlled lab
environment, and the software used for the testing is open source software which is freely
available on the Internet. No outgoing connection is allowed in this architecture, so the
mobile malware threats are not exposed to the public. Tools and software installed and used for this
research is summari
Table 3.1. : Software Installed in Testing Lab Computers

| Function | Software / Tools | Purpose of Action(s) |
|---|---|---|
| Virtual PC | VMWare Work Station | To allow multiple operating systems to run on single computer; to provide operating system for installation of tools or software for the mobile malware detection |
| Smartphone Emulator | AndroidSDK | To provide smartphone emulator for installations of applications (benign and malicious applications); to crawl Google Play and download applications |
| Scan Tools | Kaspersky Internet Security for Android; avast Free Mobile Security; F-Secure Mobile Security; Andrubis (Online) | To scan and detect Android application and datasets used in this research |
| Unpack Tool | in | |
This proposal presents a high-accuracy and efficient model for mobile botnet detection and
response. The proposed model reali
3. Planning and Execution
Activities
: Conference / Journal paper writing.
January 2014 – October 2013 (10 months) : Develop phase 2.
May 2014 – December 2014 (8 months) : Phase 2 simulation.
: Conference / Journal paper writing.
November 2014 – June 2015 (8 months) : Phase 1 and phase 2 combined final simulation.
February 2015 – July 2015 (8 months) : Analysis and evaluation of complete model of mobile botnet detection and response
: Conference / Journal paper writing.
March 2015 – February 2016 (11 months) : Thesis writing.
3. Preliminary Study
Prior to this research, a research paper titled Mobile Malware Detection: A Proof Of Concept was
presented at the 3rd International Conference of Software Engineering & Computer
Systems 2013 (ICSECS13), Universiti Malaysia Pahang, on 20 - 22 August 2013.
A case study using a sample from the Android Malware Genome Project shows, as a proof of concept,
how the mobile malware works. The testing was conducted in a
controlled lab environment, the same as in Figure 3.2. Static and dynamic analyses were conducted
to analyse the code. ApkTool, Dex2Jar and JD-GUI are used for static analysis, while
AndroidSDK is used for dynamic analysis.
The testing results showed that one of the payloads of this code is to send and to forward messages
received on the infected phone to the code author's phone number: +4676 4360 4, as shown in Fig.
3.3. This phone number is located in Germany. It is similar to a mobile text bot, where in Malaysia
it is called as Transactional Authori
Figure 3.3: Mobile Botnet Static Analysis
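The payload found in the preliminary study, forwarding received messages to a fixed number, leaves traces that static analysis can check in the manifest before any code is decompiled. The following Python code is an added example, not part of the proposal or its tools: it inspects an AndroidManifest.xml as decoded by ApkTool, and the sample manifest, package name and the function name sms_forwarding_indicators are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}

# Constructed sample of an ApkTool-decoded manifest (not taken from the dataset).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def sms_forwarding_indicators(manifest_xml):
    """Return manifest findings consistent with an SMS-forwarding payload."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    findings = []
    if SMS_PERMS <= perms:
        findings.append("requests RECEIVE_SMS and SEND_SMS together")
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "?")
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(ANDROID_NS + "name") for a in flt.iter("action")}
            if SMS_RECEIVED not in actions:
                continue
            findings.append("receiver %s listens for SMS_RECEIVED" % name)
            try:
                priority = int(flt.get(ANDROID_NS + "priority", "0"))
            except ValueError:
                priority = 0  # malformed value: treat as default priority
            # Applications are expected to stay below 1000; a larger value
            # asks to see incoming messages before any other receiver.
            if priority >= 1000:
                findings.append("receiver %s priority %d is above the app range" % (name, priority))
    return findings


if __name__ == "__main__":
    for finding in sms_forwarding_indicators(SAMPLE_MANIFEST):
        print(finding)
```

A manifest that only raises these findings is a candidate for the deeper Dex2Jar and JD-GUI review described above, not a verdict on its own, since legitimate messaging applications request the same permissions.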
3. Summary
In this chapter, the research processes used for this study are discussed. Research design, datasets,
data mining, testing lab architecture, proposed model and expected result are defined and
presented. The planning and execution schedule acts as a guideline on how the research will be
conducted, with proper activities carried out.
REFERENCES
Ahmed, R., & Dharaskar, R. 2012. Study of mobile botnets: An analysis from the perspective of efficient generali3806
Arabo, A., & Pranggono, B. 2013. Mobile Malware and Smart Device Security: Trends, Challenges and Solutions. In 2013 19th International Conference on Control Systems and Computer Science (pp. 526–531). IEEE. doi:10.1109/CSCS.2013.27
Bläsing, T., Batyuk, L., Schmidt, A., Camtepe, S. A., & Albayrak, S. 2010. An Android Application Sandbox system for suspicious software detection. In 2010 5th International Conference on Malicious and Unwanted Software (pp. 55–62). IEEE. doi:10.1109/MALWARE.2010.5665792
Botha, R. a., Furnell, S. M., & Clarke, N. L. 2009. From desktop to mobile: Examining the security experience. Computers & Security, 28(3-4), 130–137. doi:10.1016/j.cose.2008.11.001
Burguera, I., & Zurutu
Dasgupta, D., Yu, S., & Nino, F. 2011. Recent Advances in Artificial Immune Systems: Models and Applications. Applied Soft Computing, 11(2), 1574–1587. doi:10.1016/j.asoc.2010.08.024
Demme, J., Maycock, M., Schmit148.2485970
Deng, P. S. 200. Virus detection using data mining techniques. IEEE 37th Annual 2003 International Carnahan Conference on Security Technology, 2003. Proceedings., 71–76. doi:10.1109/CCST.2003.1297538
Enck, W., Ongtang, M., & McDaniel, P. 2009. On lightweight mobile phone application certification. In Proceedings of the 16th ACM conference on Computer and communications security CCS 09 (p. 235). New York, New York, USA: ACM Press. doi:10.1145/1653662.1653691
Eslahi, M., Salleh, R., & Anuar, N. B. 2012a. MoBots: A new generation of botnets on mobile devices and networks. 2012 International Symposium on Computer Applications and Industrial Electronics (ISCAIE), (Iscaie), 262–266. doi:10.1109/ISCAIE.2012.6482109
Eslahi, M., Salleh, R., & Anuar, N. B. 2012b. Bots and botnets: An overview of characteristics, detection and challenges. 2012 IEEE International Conference on Control System, Computing and Engineering, 349–354. doi:10.1109/ICCSCE.2012.6487169
Fayyad, U., Piatetsky-Shapiro, G., & Smyth, P. 1996. The KDD process for extracting useful knowledge from volumes of data. Communications of the ACM, 39(11), 27–34. doi:10.1145/240455.240464
Felt, A. P., Finifter, M., Chin, E., Hanna, S., & Wagner, D. 2011. A survey of mobile malware in the wild. Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices SPSM 11, 3. doi:10.1145/2046614.2046618
Flø, A. R., & Jøsang, A. 2009. Consequences of Botnets Spreading to Mobile. Short Paper Proceedings of the 14th Nordic Conference on Secure IT Systems (NordSec 2009), (October), 37–43.
F-Secure. 2013. F-Secure Mobile Threat Report July - September 2013, (September). Retrieved from http://www.f-secure.com/static/doc/labs_global/Research/Mobile_Threat_Report_Q3_2013.pdf
Jarabek, C., Barrera, D., & Aycock, J. 2012. ThinAV: Truly Lightweight Mobile Cloud-based. In Proceedings of the 28th Annual Computer Security Applications Conference on ACSAC 12 (p. 209). New York, New York, USA: ACM Press. doi:10.1145/2420950.2420983
Jin, R., & Wang, B. 2013. Malware Detection for Mobile Devices Using Software-Defined Networking. 2013 Second GENI Research and Educational Experiment Workshop, 81–88. doi:10.1109/GREE.2013.24
Kalige, E., & Burkey, D. 2012. A Case Study of Eurograbber : How 36 Million Euros was Stolen via Malware, (December). Retrieved from https://www.checkpoint.com/products/downloads/whitepapers/Eurograbber_White_Paper.pdf
Kato, M., & Matsuura, S. 2013. A Dynamic Countermeasure Method to Android Malware by User Approval. 2013 IEEE 37th Annual Computer Software and Applications Conference, 730–731. doi:10.1109/COMPSAC.2013.121
Li, H., Ma, D., Saxena, N., Shrestha, B., & Zhu, Y. 2013. Tap-wave-rub: Lightweight malware prevention for smartphones using intuitive human gestures. Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks, 25–30. Retrieved from http://dl.acm.org/citation.cfm?id=2462101
Lin, Y.-D., Lai, Y.-C., Chen, C.-H., & Tsai, H.-C. 2013. Identifying android malicious repackaged applications by thread-grained system call sequences. Computers & Security, 39, 340–350. doi:10.1016/j.cose.2013.08.010
Marhusin, M. F., Cornforth, D., & Larkin, H. 2008. Malicious Code Detection Architecture Inspired by Human Immune System. 2008 Ninth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 312–317. doi:10.1109/SNPD.2008.160
Med–300. doi:10.1126/science.1068883
Mhamdi, F., & Elloumi, M. 2008. A new survey on knowledge discovery and data mining. 2008 Second International Conference on Research Challenges in Information Science, 427–432. doi:10.1109/RCIS.2008.4632134
Peng, H., Gates, C., Sarma, B., Li, N., Qi, Y., Potharaju, R., Molloy, I. 2012. Using probabilistic generative models for ranking risks of Android apps. Proceedings of the 2012 ACM conference on Computer and communications security CCS 12, 241. doi:10.1145/2382196.2382224
Peng, S., Yu, S., & Yang, A. 2013. Smartphone Malware and Its Propagation Modeling: A Survey. IEEE Communications Surveys & Tutorials, (4), 1–17. doi:10.1109/SURV.2013.070813.00214
Piatetsky-Shapiro, G. 1991. Knowledge Discovery in Real Databases : A Report on the IJCAI-89 Workshop. AI Maga–70.
Polla, M. La, Martinelli, F., & Sgandurra, D. 2012. A survey on security for mobile devices. IEEE Communications Surveys & Tutorials, 15(1), 446–471. doi:10.1109/SURV.2012.013012.00028
Saudi, M. M. 2011. A New Model for Worm Detection and Response. (Phd Thesis). University of Bradford.
Saudi, M. M., Cullen, A. J., & Woodward, M. E. 2011. Efficient STAKCERT KDD Processes in Worm Detection. World Academy of Science, Engineering and Technology, 55, 376–380.
Saudi, M. M., Cullen, A. J., Woodward, M. E., Hamid, H. A., & Abhalim, A. H. 2009. An overview of STAKCERT framework in confronting worms attack. In 2009 2nd IEEE International Conference on Computer Science and Information Technology (pp. 104–108). IEEE. doi:10.1109/ICCSIT.2009.5234764
Schmidt, A., Bye, R., Schmidt, H., Clausen, J., Kira2
Somayaji, A., Hofmeyr, S., & Forrest, S. 1997. Principles of a computer immune system. In Proceedings of the 1997 workshop on New security paradigms NSPW 97 (pp. 75–82). New York, New York, USA: ACM Press. doi:10.1145/283699.283742
Suare
Yerima, S. Y., Se85 .251668
Zhao, Z., & Colon Osono, F. C. 2012. TrustDroid TM : Preventing the use of SmartPhones for information leaking in corporate networks through the used of static analysis taint tracking. In 2012 7th International Conference on Malicious and Unwanted Software (pp. 135–142). IEEE. doi:10.1109/MALWARE.2012.6461017
Zhou, Y., & Jiang, X. 2012. Dissecting Android Malware: Characteri