Machine Learning-Based Mobile Threat Monitoring and Detection

A. Smart Mobile Security

The near-universal adoption of smart mobile devices, including smartphones, tablets, and laptops, has yielded significant convenience and versatility in computing, and has increased the welfare of consumers measurably, broadening access and reducing the cost of service [1]. However, the vast majority of smartphones remain woefully insecure, and varied and diverse pathways exist for intrusion and theft. Malware can transmit messages without the user’s knowledge, can be repackaged into “clone” applications that exist in third-party app stores, and can be polymorphic in nature. Furthermore, mobile devices are increasingly used for mobile banking and mobile payments, storing personal and financial data that can be stolen via application, network, and opportunity-based attacks [2]. Though the majority of attacks are small in scale and focus on personal identity and financial data, large breaches are increasingly frequent. Considering the significant difference between the security constraints designed into personal versus business devices, the result is increased vulnerability in authenticity and confidentiality in the enterprise environment.

From basic human behavioral use, allowing for theft through opportunity, to digital threats incurred through subverting the adopted technologies, data theft and property loss are only increasing. Malware that interacts with, and undermines, the security of the operating system is already in the wild. It is concerning, then, that tablets and smartphones are already in use in various critical infrastructure systems. In their research concerning the Android operating system, Armando et al. in [4] investigated the cross-layer interaction of the Java stack with the Linux kernel. This cross-layer management can be circumvented, enabling malicious applications to communicate directly with the kernel. An additional study, by Maier et al. in [5], demonstrated the potential for split-personality malware to exhibit different characteristics in distinct environments. Prior research has demonstrated the ability of malware to pass static inspection and to be loaded to the Google Play Store, circumventing the Android Bouncer detection system. After fingerprinting various Android sandboxes, they used packaging schemes and dynamic code execution (present in both benign and malicious applications) to provide avenues for circumventing sandbox detection environments [5].

The recent history of malware detection in Android devices demonstrates an explosion of interest and need. A variety of techniques have been developed and implemented to detect malware from as many aspects as possible. Static analysis focuses on the extraction of particular features from Android application package (APK) files, often examining Permissions, Intent message passing, and Application Programming Interface (API) calls of benign and malicious datasets [6], [7], [8]. These features can then be used to train machine learning and other detection algorithms to identify new malware based on the classified dataset. As a detection tool, static analysis is low-resource in nature, and can be implemented minimally and on-device.

Dynamic analysis is the detection of malicious application activity from run-time events, requiring significant processing and time to evaluate the unknown aspects of the application. Dynamic analysis is generally enacted upon system calls, installation, event triggering, etc., which have been recorded through some additional real-time utility such as strace on a device, or via a virtual Android sandbox [6], [8], [9], [10]. Dynamic analysis in theory provides a better analysis of malicious features, because anything that is hidden must reveal itself at run-time to implement the malicious intent. These detected features are likewise utilized and classified for algorithmic detection systems. Unlike static analysis, where features are extracted from a finite volume of code, dynamic analysis requires real-time execution of the malicious and benign applications to extract features, often running for a fixed duration for each application and collection environment [5].

At the most basic level, addressing the concerns of mobile security relies on overcoming the physical limitations of the devices. Though processing power in mobile devices is increasing with each new generation of products, battery life has lagged. The tradeoff between on-device security analysis and the consequent running life of the smartphone prevents the development of a traditional security detection system. The emergence of the cloud computing infrastructure has fortuitously provided a pathway for application optimization through selected computational offloading [11].
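The static and dynamic feature extraction described above, carried through to a working classifier as an added example that is not from the paper: permissions and API calls stand in for static APK features, syscall names parsed from strace-style trace lines stand in for dynamic features, and a hand-written Bernoulli naive Bayes (an assumed choice; the paper names no specific algorithm) labels unseen apps. All app records and trace lines are constructed sample data, not a real dataset.

```python
# Added example, not from the paper: static (permission, API call) and dynamic
# (strace syscall) features are merged into one binary feature set per app and
# classified with a hand-written Bernoulli naive Bayes. All data is constructed.
import math
import re
from collections import Counter
# Syscall name at the start of an strace line, with an optional "[pid N]" prefix.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?([a-z0-9_]+)\(")

def parse_syscalls(trace_lines):
    """Return the set of syscall names seen in strace-style output."""
    hits = (SYSCALL_RE.match(line.strip()) for line in trace_lines)
    return {m.group(1) for m in hits if m}

def featurize(perms, apis, trace_lines):
    """Static (perm:, api:) and dynamic (sys:) observations as one feature set."""
    return ({"perm:" + p for p in perms} | {"api:" + a for a in apis}
            | {"sys:" + s for s in parse_syscalls(trace_lines)})

class BernoulliNB:
    """Naive Bayes over binary features with add-one (Laplace) smoothing."""
    def fit(self, samples, labels):
        self.vocab = set().union(*samples)
        self.prior = Counter(labels)                       # class -> number of apps
        self.counts = {c: Counter() for c in self.prior}   # class -> feature -> apps
        for feats, c in zip(samples, labels):
            self.counts[c].update(feats)
        return self
    def log_posterior(self, feats, c):
        lp = math.log(self.prior[c] / sum(self.prior.values()))
        for f in self.vocab:                               # absent features vote too
            p = (self.counts[c][f] + 1) / (self.prior[c] + 2)
            lp += math.log(p if f in feats else 1.0 - p)
        return lp
    def predict(self, feats):
        return max(self.prior, key=lambda c: self.log_posterior(feats, c))

# Constructed training apps: (permissions, API calls, strace lines, label).
TRAIN = [
    (["INTERNET", "SEND_SMS", "READ_CONTACTS"], ["SmsManager.sendTextMessage", "DexClassLoader"], ["connect(5, ...) = 0", "sendto(5, ...) = 128"], "malicious"),
    (["INTERNET", "RECEIVE_SMS", "READ_PHONE_STATE"], ["DexClassLoader", "Runtime.exec"], ["[pid 2210] connect(7, ...) = 0", "execve(\"/system/bin/sh\", ...) = 0"], "malicious"),
    (["INTERNET", "ACCESS_NETWORK_STATE"], ["HttpURLConnection.connect"], ["connect(4, ...) = 0", "recvfrom(4, ...) = 512"], "benign"),
    (["CAMERA", "WRITE_EXTERNAL_STORAGE"], ["Camera.open"], ["openat(AT_FDCWD, \"/sdcard/DCIM/a.jpg\", ...) = 6", "write(6, ...) = 8192"], "benign"),
]
def train_model():
    return BernoulliNB().fit([featurize(p, a, t) for p, a, t, _ in TRAIN],
                             [label for *_, label in TRAIN])

def classify(model, perms, apis, trace_lines):
    return model.predict(featurize(perms, apis, trace_lines))
```

Because every vocabulary feature votes whether present or absent, an app that carries the SMS-sending static features and a `sendto` in its trace is pushed towards "malicious" even though `INTERNET` alone appears in both classes.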

B. Cloud Computing

Generally speaking, the cloud can be viewed as a dynamically provisioned distributed system of virtualized machines, unified and obscured as singular or multiple services. Cloud computing is the amplification of processing through dispersion into the cloud. Cloud computing requires a commitment between vendor and client through a Service Level Agreement (SLA).

In Mobile Cloud Computing (MCC), the resource poverty of the relatively small mobile device is significantly mitigated by the transfer of resource-heavy processes to offsite machines. Heterogeneity between mobile devices, networks, and cloud computing platforms impedes the swift adaptation and optimization of MCC systems [12]. Still, cloud computing has the potential to revolutionize the application space of mobile devices through effective offloading of intensive processing and distributed storage of Big Data. As a still-nascent technology, there are many hurdles to fully realizing implementation across business and public spaces. Beyond heterogeneity and security challenges, optimization has not, by any means, been settled. In the MCC system, for example, the method of execution, such as dynamic decision making versus historical data analytics, can have a dramatic impact on the efficacy of the optimization [11].

In the cloud, cloud computing, and MCC, the investigation of new methods to unify system operations and secure distributed resources is ongoing. Software Defined Systems (SDSys) have the potential to alleviate the heterogeneity and resulting constraints of traditional cloud systems. The Software Defined Cloud (SDCloud) obfuscates the underlying hardware and implementation with software components to provide flexibility through a central decision maker. Through software layers and virtualization, diverse hardware can be dynamically aggregated, and control can be separated from data workflow. The SDCloud system integrates Software Defined Network, Storage, Computation, and Security resources [13]. For instance, the Cloud Computing Adoption Framework (CCAF) is a cloud security framework for enterprise systems capable of securing the business cloud [14].

At the interface of cloud service and mobile computing, MCC must grapple with the security concerns of offloading data and processing. Novel security schemes must overcome limitations in on-device processing and cloud service provider security. Various encryption algorithms have been introduced, utilizing keyword-searchable encrypted indexes and files stored in the cloud [15]. These encryption/retrieval/decryption mechanisms (based on two-round searchable encryption, probabilistic public key encryption, etc.) optimize the overhead in processing and reduce the search complexity [15]. In addition, mobile device security could rely on cloud computing for detection and analysis, due to processing limitations. MCC security utilizes the offsite processing of transmitted mobile data to perform static and dynamic analysis [16].