
A New Model for Mobile Botnet Detection and Response Using Innate Immune System

A PhD Proposal

Candidate:
Zubaile Bin Abdullah
Information Security Department
Faculty of Computer Science and Information Technology
Universiti Tun Hussein Onn Malaysia
Supervisor:
Dr. Madihah Binti Saudi
Information Security and Assurance
Faculty of Science and Technology
Universiti Sains Islam Malaysia
Co-Supervisor:
Dr. Nor Badrul Anuar
Department of Computer System & Technology
Faculty of Computer Science & Information Technology
University of Malaya

ABSTRACT

Mobile devices such as smartphones are now widely used and have become one of the main targets of mobile malware, especially mobile botnets. The mobile botnet threat has grown tremendously, yet there are gaps in the current solutions for countering it. Hence, a new model for mobile botnet detection and response is proposed to address this problem. The model is built from an analysis of mobile application and mobile malware datasets collected from the Google Play Store and the Android Malware Genome Project. Static analysis and dynamic analysis of each mobile application are conducted to determine whether it is benign or malware. From this analysis, new parameters for mobile botnet classification are constructed to enable the model to detect the malware accurately. The model also integrates different fields: computer security, the human immune system and knowledge discovery techniques.


PUBLICATIONS

Zubaile Abdullah, Madihah Mohd Saudi & Nor Badrul Anuar (2013). Mobile Malware Detection: Proof of Concept. 3rd International Conference of Software Engineering & Computer Systems 2013 (ICSECS13), Universiti Malaysia Pahang. (To be published by Springer.)


TABLE OF CONTENTS

ABSTRACT......................................................................................................................................ii
PUBLICATIONS.............................................................................................................................iii
TABLE OF CONTENTS...............................................................................................................iv
LIST OF FIGURES.......................................................................................................................vi
LIST OF TABLES..........................................................................................................................vii
LIST OF ABBREVIATIONS........................................................................................................viii
CHAPTER 1 INTRODUCTION...................................................................................................1
1.1 Background..............................................................................................................................1
1.2 Problem Statement...................................................................................................................3
1.3 Research Objectives.................................................................................................................5
1.4 Scopes of Research..................................................................................................................6
1.5 Significance of Study...............................................................................................................6
1.6 Proposal Organization..............................................................................................................6
1.7 Summary..................................................................................................................................7
CHAPTER 2 LITERATURE REVIEW.......................................................................................8
2.1 Overview of Android OS Architecture....................................................................................8
2.1.1 Android User Application Basics....................................................................................10
2.2 Mobile Botnets.......................................................................................................................11
2.2.1 Definition........................................................................................................................11
2.2.2 Mobile Botnets Comparison with Others Malicious Software (Malware).....................12
2.2.3 Mobile Botnets Propagation...........................................................................................15
2.3 Mobile Malware Detection Techniques.................................................................................16
2.3.1 Static Analysis.................................................................................................................16
2.3.2 Dynamic Analysis...........................................................................................................17
2.4 Related Studies of Mobile Malware Detection and Response Techniques............................17
2.5 Knowledge Discovery Techniques (KDD)............................................................21
2.6 Innate Immune System..........................................................................................................21
2.6.1 Definition........................................................................................................................21

2.7 Summary................................................................................................................................22

CHAPTER 3 RESEARCH METHODOLOGY.........................................................................23


3.1 Research Methodology..........................................................................................................24
3.2 Research Design....................................................................................................................24
3.2.1 Datasets...........................................................................................................................24
3.2.2 Testing Lab Architecture.................................................................................................26
3.3 Expected Result.....................................................................................................................28
3.4 Planning and Execution.........................................................................................................29
3.5 Preliminary Study..................................................................................................................31
3.6 Summary................................................................................................................................36
REFERENCES..............................................................................................................................33

LIST OF FIGURES

Figure 1.1: New Mobile Threat Families and Variants across Platforms
Figure 1.2: Types of Mobile Threats
Figure 2.1: Android OS Architecture
Figure 3.1: An Overview of Proposed Research Methodology ..... 23
Figure 3.2: Mobile Botnet Detection and Response Model ..... 26
Figure 3.3: Mobile Botnet Static Analysis ..... 32


LIST OF TABLES

Table 2.1: Comparison between Mobile Botnet with Others Malware ..... 14
Table 2.2: Related Works of Malware Detection on Android ..... 20


LIST OF ABBREVIATIONS

AIS   Artificial Immune System
APK   Android Package
HIS   Human Immune System
IIS   Innate Immune System


CHAPTER 1

INTRODUCTION

This chapter introduces the research proposal, including the background of mobile botnets, the current state of the threat and the issues in countering it.

1.1 Background

For the past few years, the popularity of mobile devices has risen significantly, accompanied by an increase in their functionality (Zhou et al., 2012; Li et al., 2013). Smartphones are no longer limited to phone calls and messaging; they are also used for web browsing, social networking, downloading and installing applications, and online banking. To a certain extent, smartphone users keep confidential information on these devices: contacts, bank account numbers, online banking usernames and passwords, credit card numbers, and memorable or private pictures. As a result of their popularity, their functionality and their role as a store of confidential information, mobile devices have become a main target for malware authors and attackers.

Malware threats on mobile devices come in various forms, such as viruses, trojans, worms and mobile botnets (Eslahi et al., 2012a). Among these, mobile botnets are the most dangerous, as they pose a serious threat to both mobile devices and mobile networks (Polla et al., 2012; Zeng et al., 2012). Polla et al. (2012) define a mobile botnet as a set of mobile devices infected by a specific malware without the user's consent or knowledge. Once infected, the devices can be controlled by an attacker, called the bot master, through a command and control (C&C) channel such as Bluetooth, Short Message Service (SMS), peer-to-peer (P2P), the Internet, or any combination of these. The bot master uses the infected devices for cyber-crime or cyber-attacks, such as sending spam messages, subscribing to premium text messaging services, spreading other malware, identity theft, and collecting confidential information that can be exploited further for illegal purposes.

In recent years, mobile malware and mobile botnet attacks have been on the rise. A survey by the anti-virus company F-Secure (F-Secure, 2013) reports that the number of new mobile threat families and variants in the third quarter of 2013 rose 26 percent compared with the same quarter of the previous year: as shown in Figure 1.1, 259 new threats were recorded in the third quarter of 2013. The survey also found that one in every five mobile malware threats is a mobile botnet, as shown in Figure 1.2.

Figure 1.1: New Mobile Threat Families and Variants across Platforms (Adapted from F-Secure 2013 Report)

Figure 1.2: Types of Mobile Threats (Adapted from F-Secure 2013 Report)

One notable mobile botnet attack is the Zeus botnet variant Eurograbber in 2012, which targeted Android, Symbian, Windows and BlackBerry smartphones. Eurograbber was responsible for more than $47 million in fraudulent transfers from victims' bank accounts (Kalige & Burkey, 2012). Although mobile botnets have not yet caused major outbreaks in the mobile world, their existence already poses a serious threat. In addition, Felt et al. (2011) and Arabo & Pranggono (2013) predict that financially motivated mobile botnet attacks on smartphones will increase in future.

1.2 Problem Statement

There are numerous recommended measures for detecting and handling mobile botnet attacks: installing and updating anti-virus software, applying the latest security patches for the mobile operating system, and avoiding applications from third-party markets or from unknown links sent to the smartphone (Saudi et al., 2009; Arabo & Pranggono, 2013). Although these are the suggested solutions, there is still room to detect mobile botnet attacks more accurately and efficiently.

Botha et al. (2009) identified a gap in anti-virus solutions: they are inefficient when used on mobile devices. For example, to detect mobile botnets, anti-virus software has to install a large database of known malware signatures. Searching this database during detection consumes processing power and memory, and may rapidly drain the device battery. In addition, existing mobile anti-virus software is inaccurate at identifying new or mutated mobile botnets because it relies solely on prior knowledge of malware samples (Ahmed & Dharaskar, 2012).

There are also issues with applying security patches. This measure is not viable for smartphones running the Android mobile operating system (Android OS). Google, as the developer of Android OS, allows smartphone manufacturers to modify the OS to suit their devices, but none of the manufacturers are required to provide Android security updates or patches to their users (Teufl et al., 2012). Furthermore, because of these modifications, security patches released by Google cannot be deployed to users rapidly: each patch must be adapted and integrated into the various modified versions of Android OS. As a result, many Android smartphones are not updated when a security patch is released, leaving them vulnerable to mobile botnet attacks.

Lastly, a survey by H. Peng et al. (2012) found that smartphone users' security knowledge is also a problem. Users tend to download malware because they are lured by social engineering techniques and are unaware of the threats. Leaving smartphone security solely to users is therefore not practical.
In recent years, numerous studies have addressed mobile malware detection, such as Schmidt et al. (2009), Shabtai et al. (2010), Burguera & Zurutuza (2011), Zhao & Colon Osono (2012), Teufl et al. (2012), Jarabek et al. (2012) and Kato & Matsuura (2013). Most of this work focuses on mobile malware detection in general rather than on mobile botnet detection specifically. In contrast, this proposal explores mobile botnet classification in more depth, including the construction of new parameters that are later used as input to a better model for detection and response. Furthermore, in terms of response, none of the works mentioned explains in detail the appropriate response to a mobile botnet attack (Eslahi et al., 2012b).

Saudi et al. (2009) showed that integrating response into a worm detection model improved eradication time by 90 percent; the same approach can plausibly be applied to mobile botnet detection to achieve high accuracy and efficiency. Further, based on observation of previous work and the literature, one of the most promising approaches for responding to mobile botnet attacks is to use the Innate Immune System (IIS), one of the immune systems of the human body. The IIS defends the body against intruders such as viruses by automatically killing them when they enter the body (Medzhitov & Janeway, 2002). From a mobile botnet response perspective, an IIS-inspired mechanism would detect mobile botnets and stop them from being installed on the smartphone automatically, without relying on the user.

Given the financial impact of mobile botnets, the issues with current solutions, the state of current research and the opportunities identified, there is a need for a new model for mobile botnet detection and response that acts more accurately and efficiently. The proposed model blends different fields: computer security, knowledge discovery (KDD), data mining and the Innate Immune System. It aims to fill the gaps in anti-virus solutions and in users' security knowledge through detection and response at the application level.

1.3 Research Objectives

The objectives of this research are:

i.   To investigate and evaluate mobile botnet classification, detection and response
ii.  To construct new parameters for mobile botnet classification
iii. To design a new model for botnet detection and response by integrating knowledge discovery (KDD) and IIS techniques
iv.  To evaluate the proposed model of mobile botnet detection and response

1.4 Scopes of Research

This research observes mobile botnet threats and attacks that arrive through malicious application installation. The proposed model of mobile botnet detection and response is based on Android botnets and Android OS.

1.5 Significance of the Study

The proposed model enhances mobile botnet detection and offers a better response to mobile botnet attacks. It addresses the issues with anti-virus solutions and with mobile botnet installation through infected applications. The model does not require signature updates because it classifies mobile botnets on generic, inherited features and behaviour, so new variants can be detected.

1.6 Proposal Organization

The rest of the proposal is structured as follows:

Chapter 2 reviews the related literature and the fundamental knowledge of the subject matter: an overview of Android OS and Android applications, the definition of mobile botnets, their comparison with other mobile malware, mobile botnet propagation, mobile malware detection and response techniques, a review of related studies, data mining, knowledge discovery and the Innate Immune System.

Chapter 3 discusses in detail the research methods used in this research, including the datasets used and the phases and processes involved.

1.7 Summary

The popularity and functionality of mobile devices attract not only users but also attackers. Smartphones can be infected by malware and turned into bots that are later used for cyber-crime, while current solutions to the mobile botnet threat still leave room for improvement. There is therefore an urgent need for more research on mobile botnet classification, detection and response. The motivation for this research is to provide a highly accurate and efficient model for mobile botnet detection and response, which current solutions do not offer.

CHAPTER 2

LITERATURE REVIEW

This chapter reviews the related literature. It includes an overview of Android OS and applications, the definition of mobile botnets, their comparison with other malware, mobile botnet propagation, and mobile malware detection and response techniques. Related studies of mobile malware detection and response are reviewed in terms of the methods used, their strengths and potential improvements. Data mining, knowledge discovery and the Innate Immune System are also presented.

2.1 Overview of Android OS Architecture

Android is evolving into one of the most prominent open source platforms for mobile devices such as smartphones, netbooks and tablets (Yerima et al., 2013). It is not just an operating system but a complete software stack that includes an application framework, libraries and some core applications, as shown in Figure 2.1. The Android architecture is made up of different components composed into layers (Yerima et al., 2013).

The first, or core, layer is the Linux kernel, which acts as a hardware abstraction layer and provides a variety of device drivers. The kernel is also responsible for memory management, power management, process management and networking.

The second layer, layered on top of the Linux kernel, holds native libraries such as SQLite, WebKit and Secure Sockets Layer (SSL). These libraries provide access to lower-level system services and core functionality and are exposed to applications through Java interfaces. The next layer is the Android runtime, composed of two major components: the Android core libraries and the Dalvik Virtual Machine (DVM). The core libraries contain the collection of classes, input/output (I/O) and networking utilities, and some Android-specific libraries required for accessing the capabilities offered by the Android hardware, operating system and native libraries. The DVM interprets and executes Android applications, which are represented as .dex files.

The Application Framework layer, layered on top of the native libraries and runtime, enables the use and reuse of different low-level Android components. It provides all the APIs an Android application needs to access device hardware, location information and background services. Its important components are the Activity Manager, Content Providers and the Resource Manager. The Activity Manager manages the life cycle of applications, Content Providers enable data sharing between applications, and the Resource Manager provides access to non-code resources such as localized strings, graphics and layout files.

The last layer is the Applications layer, composed of built-in applications that come pre-installed on the device as well as user applications. User applications are downloaded from the Google Play market or alternative marketplaces, or installed manually from .apk files.

Figure 2.1: Android OS Architecture


(Adapted from Yerima et al, 2013)

2.1.1 Android User Application Basics

An Android user application is distributed as an Android Package (APK). An APK is a compressed (ZIP) archive that contains AndroidManifest.xml (the manifest file), classes.dex and the other binary or XML-based resources the application needs to run. Android user applications, or apps, are written in the Java programming language. Since the Android Application Framework enforces a component-based application model to increase code reuse, Android applications must be developed in terms of components. The core components of an Android application are Activities, Services, Broadcast Receivers and Content Providers (Zhang et al., 2013).

Activities provide the user interface of an application and handle its interaction with the user. Services run in the background and do not interact with the user; downloading a file or decompressing an archive are examples of operations performed in Services. Broadcast Receivers handle messages from other components, including messages from the Android system: they are triggered by the receipt of a matching message and then run in the background to handle the event. Content Providers are databases addressable by their application-defined URIs.

An application must declare its components in the manifest file located at the root of the application project. By default, applications cannot interact with sensitive parts of the system API or privileged components such as the SMS system, Internet access or the user's contacts list. To access such privileges, an application must request the corresponding permissions in its manifest file, and these are shown to the user at installation time. Under the install-time permission model in place at the time of writing, the user is prompted to grant or reject all the permissions requested by the application as a whole; if granted, the application can interact with those privileged components.

For the purpose of this research, certain features from the app manifest file and the dex bytecode are extracted through reverse engineering and static analysis. These serve as parameters of suspicious activity, such as an intention to access sensitive information and resources or to execute a malicious payload. These features are mapped together with the application's runtime behaviour observed during dynamic analysis to form the basis of a classifier, which is later used in the detection and response phase to determine whether a given Android application is benign or malicious.
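As an added illustration of the manifest features described above (example code written for this page, not part of the proposal or of any tool it cites), the following Python script reads a manifest that has already been decoded to plain XML (the form produced by a decompiler such as apktool; inside a real APK the manifest is binary XML), lists the requested permissions and the declared components with the intent actions they listen for, and weighs them into a simple suspicion score. The manifest is constructed for the example, and the permission weights and the extra points for a high-priority SMS_RECEIVED receiver and a BOOT_COMPLETED receiver are illustrative assumptions, not parameters from the proposal.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace; ElementTree exposes them
# as "{namespace}attr" keys.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

# Constructed sample manifest (not from any real application): a "game" that
# asks for SMS, contacts and boot permissions and registers a high-priority
# receiver for incoming SMS, a boot receiver and a background service.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Game">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".C2Service"/>
  </application>
</manifest>
"""

# Illustrative weights (an assumption for this example, not values from the
# proposal) for permissions tied to SMS fraud and information theft.
PERMISSION_WEIGHTS = {
    "android.permission.SEND_SMS": 3,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
}

SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"


def parse_manifest(xml_text):
    """Return requested permissions and declared components, with the intent
    actions (and highest filter priority) each component listens for."""
    root = ET.fromstring(xml_text)
    permissions = [e.get(A + "name") for e in root.iter("uses-permission")]
    components = []
    app = root.find("application")
    for kind in ("activity", "service", "receiver", "provider"):
        for comp in app.iter(kind):
            actions, priority = [], 0
            for flt in comp.iter("intent-filter"):
                actions += [a.get(A + "name") for a in flt.iter("action")]
                priority = max(priority, int(flt.get(A + "priority", "0")))
            components.append({"kind": kind, "name": comp.get(A + "name"),
                               "actions": actions, "priority": priority})
    return {"package": root.get("package"), "permissions": permissions,
            "components": components}


def score_manifest(info):
    """Weigh permissions and component declarations into a suspicion score,
    returning the reasons that contributed to it."""
    score, reasons = 0, []
    for perm in info["permissions"]:
        w = PERMISSION_WEIGHTS.get(perm, 0)
        if w:
            score += w
            reasons.append("permission %s (+%d)" % (perm, w))
    for comp in info["components"]:
        if comp["kind"] == "receiver" and SMS_RECEIVED in comp["actions"]:
            # A high-priority SMS receiver sees (and can abort) incoming SMS,
            # such as banking mTAN messages, before the stock SMS application.
            w = 3 if comp["priority"] > 0 else 1
            score += w
            reasons.append("receiver %s listens for SMS_RECEIVED (+%d)" % (comp["name"], w))
        if comp["kind"] == "receiver" and BOOT_COMPLETED in comp["actions"]:
            score += 1  # persistence: the bot restarts with the device
            reasons.append("receiver %s listens for BOOT_COMPLETED (+1)" % comp["name"])
    return {"package": info["package"], "score": score, "reasons": reasons}


if __name__ == "__main__":
    result = score_manifest(parse_manifest(SAMPLE_MANIFEST))
    print(result["package"], "score", result["score"])
    for reason in result["reasons"]:
        print(" ", reason)
```

The permission list alone is a weak signal (many benign applications request INTERNET or READ_CONTACTS); the combination of SEND_SMS with a maximum-priority SMS_RECEIVED receiver is what points at the premium-number and banking-credential behaviour discussed in Section 2.2.1, which is why the scoring looks at components as well as permissions.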


2.2 Mobile Botnet

A clear understanding of mobile botnets is essential in order to detect and respond to their threats accurately and efficiently. In this section, the definition of mobile botnets, their comparison with other malware and their propagation are explained.

2.2.1 Definition

According to Polla et al. (2012), a mobile botnet is a set of mobile devices infected by a specific malware without the user's consent or knowledge. Once infected, the devices can be controlled by an attacker, called the bot master, through a command and control (C&C) channel such as Bluetooth, Short Message Service (SMS), peer-to-peer (P2P), the Internet, or any combination of these. The bot master uses the infected devices for cyber-crime or cyber-attacks, such as sending spam messages, subscribing to premium text messaging services, spreading other malware, identity theft, and collecting confidential information that can be exploited further for illegal purposes. One of the main differences between botnets and other mobile malware threats is revenue generation (Flø & Jøsang, 2009). As smartphone users tend to store confidential information such as online banking usernames and passwords, attackers are drawn to steal this information and use it to withdraw money from the victim's bank account. Furthermore, once a device is infected, the bot can stealthily send text messages from the victim's smartphone to premium-rate numbers, and the victim is later billed for subscribing to those services.

For the purpose of this research, a mobile botnet is defined as a malicious program unintentionally installed on a smartphone by the user, which then communicates with the malware author through C&C to receive the attacker's commands. The commands may be to leak the user's confidential information, subscribe to premium-number services, or spread the malware to other smartphones.
2.2.2 Mobile Botnets Comparison with Other Malicious Software (Malware)

A great deal of information about malware such as viruses, trojans, worms, spyware and botnets can be found on the Internet. At the time of writing, less information exists specifically for mobile malware, but information about computer malware can be used as a reference. Each class of malware has its own characteristics, although the public usually calls all malware "viruses". It is therefore important to differentiate between them to ensure that the detection and response techniques suit each class. S. Peng, Yu & Yang (2013) comprehensively defined and categorized these malware. The differences between mobile botnets and other malware are summarized in Table 2.1.

Virus: malware that enters the mobile device via software without the user's knowledge by attaching itself to an application or host file. The virus then duplicates itself and performs the malicious tasks it was programmed to do. The damage caused by a virus includes data or software damage, application and system malfunction, and denial-of-service (DoS) attacks.

Worm: malware that enters the mobile device without the owner's permission and operates without the owner's knowledge. Unlike viruses, worms can spread to other mobile devices automatically without user intervention. Worms replicate themselves and attach the replicas to the user's email to spread the infection into the wild.

Trojan: malware that is malicious but appears legitimate and benign to the mobile device user. Users are typically tricked by social engineering into installing and executing it. Once activated, it attacks the device, for example by stealing data and spreading other malware. A trojan can also create backdoors that give malicious users access to the device. It usually requires user intervention and does not replicate. For example, FakePlayer.A is a trojan that infects Android smartphones and stealthily sends SMS messages to specific numbers, so that users are charged for the transactions. Another Android trojan, BaseBridge.B, steals sensitive data, sends it to a remote server and terminates other Android applications.

Spyware: malware that collects information for advertising purposes, usually for a third-party advertiser. Spyware monitors the user's activity, such as web browsing history and keystrokes, and sends it to the advertiser. It can also obtain phone numbers, email addresses, credit card numbers and passwords. Spyware sometimes comes bundled with advertising add-ons so the advertiser can push related advertisements to the device owner. It usually infects mobile devices as a program bundled with a downloaded application or through web browsing.
Table 2.1: Comparison between Mobile Botnet with Others Malware

Existing form
  Virus:    Self-replicating; needs a host file as carrier
  Worm:     Self-replicating; independent
  Trojan:   Non-self-replicating; needs a host file as carrier
  Spyware:  Non-self-replicating; bundled with other software
  Botnet:   Non-self-replicating; masquerades as legitimate and benign software

Human intervention
  Virus:    Yes
  Worm:     No if it exploits system vulnerabilities; otherwise yes
  Trojan:   Yes
  Spyware:  Yes
  Botnet:   Yes

Spreading speed
  Virus:    Fast
  Worm:     Very fast
  Trojan:   Very fast
  Spyware:  Slow
  Botnet:   Very fast

Attacker control
  Virus:    Cannot control the smartphone remotely; intention is to make the smartphone or an application malfunction
  Worm:     Cannot control the smartphone remotely; intention is to slow down smartphone performance
  Trojan:   Cannot control the smartphone remotely; intention is to steal confidential information
  Spyware:  Cannot control the smartphone remotely; intention is to monitor the smartphone user's behaviour, such as sites visited, interests and personalization
  Botnet:   Controls the smartphone remotely; profit oriented, such as making the smartphone user subscribe to premium text numbers and stealing the user's banking credentials such as TAC, username and password

Major risk
  Virus:    System and application damage
  Worm:     System paralysed
  Trojan:   Information leakage
  Spyware:  Information leakage
  Botnet:   Information leakage; system damage

2.2.3 Mobile Botnets Propagation

Mobile botnets come in different sizes and structures (Eslahi et al., 2012b) but, in general, they go through the same propagation methods. Propagation begins with the infection process, for which bot masters use different methods and techniques. Zhou & Jiang (2012) and Jin & Wang (2013) point out that mobile botnets propagate through three social-engineering-based techniques: repackaging, update attack and drive-by download.

1. Repackaging Technique

Repackaging is the technique malware writers use to insert, or piggyback, a malicious payload into a mobile application. Malware authors download popular applications, for example the Angry Birds or Candy Crush games, disassemble them, insert the malicious payload, and finally submit the infected applications to an application market such as Google Play (Android), the Apple App Store (iOS), the Nokia Store (Symbian), BlackBerry World (BlackBerry) or a third-party market. Users then download and install the infected applications without realising it, as they look like legitimate applications.

2. Update Attack Technique

Although still considered a form of repackaging, the update attack technique only includes an update component in the repackaged application. After installation, whenever an Internet connection is available, this update component downloads and installs the actual malicious payload. Compared with repackaging, which typically piggybacks the entire malicious payload into the host application and could expose its presence, the payload of an update attack is much harder to detect because it is not present in the host application but only in the later update.

3. Drive-by Download Attack Technique

In a drive-by download, users may inadvertently download malware by visiting a compromised website, viewing a malicious e-mail or clicking a misleading link. Attackers usually entice users to download interesting or feature-rich applications without the user knowing that the application is actually malware.

2.3 Mobile Malware Detection Techniques

The main purpose of a mobile malware detection and response technique is to detect the presence of mobile malware in an application which, if found, can be cleaned, quarantined, blocked or deleted. Several approaches to mobile malware detection have been attempted by Schmidt et al. (2009), Enck et al. (2009), Shabtai et al. (2010), Blasing et al. (2010), Burguera & Zurutuza (2011) and Zhou et al. (2012). The common techniques used for mobile malware detection in those papers can be categorized into static analysis and dynamic analysis.
2.3.1 Static Analysis

In static analysis, an application is analyzed without executing it. Static analysis can be employed directly on the source code of the application or on the corresponding binary file, using reverse engineering techniques to extract certain features or methods that might be invoked from the source code. In Android applications, features and methods can also be analyzed from the manifest file. Extracted features or methods can be used not only to detect a malicious payload but also to profile and weigh malware threats (Yerima et al., 2013). Wu et al. (2012) listed the features and methods that are usually extracted from application source code: Requested Permissions, Imported Packages, API Calls, Instructions or Operation Codes (Opcodes), Data Flow and Control Flow. The researchers that have used these features and methods are discussed in Section 2.4.

Static analysis is simple and efficient in providing fast detection and classification of known mobile malware; its drawback is that it is unable to detect unknown or mutated mobile malware because of the obfuscation and encryption techniques employed by mobile malware writers. To overcome this limitation, dynamic analysis is used to detect mobile malware.
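As an added illustration of manifest-based static analysis (example code written for this review, not the proposal's model or any cited tool's implementation), the following Python script parses a constructed AndroidManifest.xml, extracts the requested permissions and declared intent actions, and matches them against a small hypothetical rule set in the spirit of Kirin's permission-combination rules. The two manifests, the package name and the rule names are all constructed for the example.

```python
"""Static analysis of an AndroidManifest.xml: extract the requested permissions
and intent actions, then match Kirin-style combination rules. Added example;
the manifests and the rule set are constructed for illustration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS

# Constructed manifest of a hypothetical repackaged game (not a real application).
SUSPICIOUS_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Game">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of the same game without the added components.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Game"/>
</manifest>
"""

# Hypothetical rule set in the spirit of Kirin (Enck et al., 2009): a rule fires
# when every listed permission or intent action is present in the manifest.
RULES = {
    "sms-interception": {"android.permission.RECEIVE_SMS",
                         "android.provider.Telephony.SMS_RECEIVED"},
    "sms-forwarding": {"android.permission.RECEIVE_SMS",
                       "android.permission.SEND_SMS"},
    "persistence-with-network": {"android.permission.RECEIVE_BOOT_COMPLETED",
                                 "android.intent.action.BOOT_COMPLETED",
                                 "android.permission.INTERNET"},
}


def extract_features(manifest_xml):
    """Requested permissions and declared intent actions from the manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        "package": root.get("package"),
        "permissions": {e.get(NAME) for e in root.iter("uses-permission")},
        "actions": {e.get(NAME) for e in root.iter("action")},
    }


def match_rules(features, rules=RULES):
    """Names of the rules whose required set is fully present, sorted."""
    present = features["permissions"] | features["actions"]
    return sorted(name for name, required in rules.items() if required <= present)


if __name__ == "__main__":
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        f = extract_features(m)
        print(f["package"], sorted(f["permissions"]), match_rules(f))
```

Because the manifest is declared, not executed, this check costs nothing at run time, but it only sees what the host application declares; an update-attack payload fetched later leaves no trace here, which is exactly the limitation noted above.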
2.3.2 Dynamic Analysis

In contrast to static analysis, dynamic analysis does not inspect the source code; instead, the application sample is analyzed while it is executed within a controlled environment. In current studies, the behavior of the application can be monitored through Logged Behavior Sequences, System Calls and Dynamic Tainting, Data Flow and Control Flow (Wu et al., 2012). By monitoring and logging every relevant operation of the execution, a report is generated for detection analysis.

2.4 Related Studies of Mobile Malware Detection and Response Techniques

Malware has been a threat to computers for many years and continues to cause damage to infected systems. The first attempts to identify and analyze malware on mobile devices such as smartphones started by adapting existing PC security solutions and applying them to smartphones. This was not a feasible solution in light of the high demand placed on resources by anti-virus techniques and the power and memory constraints of mobile devices. Since mobile malware detection and response have already been the subject of massive research, this proposal reviews only the mobile malware detection and response studies that form the foundation of this research. Further, it is to be noted that this proposal only considers mobile malware detection and response for the Android platform.
Schmidt et al. (2009) were the first researchers to study and propose malware detection on mobile devices, specifically on Android smartphones (Damopoulos et al., 2012). Their system extracts function calls from application binaries and applies their clustering mechanism, called Centroid, to detect unknown malware. This is done by performing static analysis of Linux ELF (Executable and Linking Format) object files in the Android environment using the command readelf. Those files hold information such as function calls and modified files. The function calls are then compared with those of malware executables and classified with a Decision Tree Learner (DTL), the Nearest Neighbor (NN) algorithm and a Rule Inducer (RI). The authors claimed that their technique shows 96% detection accuracy with 10% false positives. The main drawback of their system is that they used a small collection of malware samples. These malware samples were coded by the authors themselves and do not represent real mobile malware in the Android market. In addition, at that time there were still no real Android devices available, so they could not test their system properly.

In the same year, Enck et al. (2009) proposed another static analysis approach, named Kirin, which scans the application for matching malicious patterns. They defined various potentially dangerous permission combinations as rules to block the installation of potentially unsafe applications. However, Kirin is more a vulnerability assessment of applications than a mobile malware detection system.
Wu et al. (2012) also used static analysis and proposed an Android malware detection tool named DroidMat. DroidMat detects malware through the manifest file and traces of API calls. They demonstrated that this tool is capable of finding more Android malware than another Android detection tool, AndroGuard (Wu et al., 2012). However, with a single sample of Android malware, DroidMat cannot predict and learn the behaviour of new malware. Moreover, there are two malware families (BaseBridge and DroidKungFu) that use the update attack technique which are not detected by DroidMat (Wu et al., 2012).
In 2010, Shabtai et al. proposed a malware detection framework that monitors various features and events obtained from the mobile device while the application executes. They then applied machine learning anomaly detectors to classify the collected data as normal (benign) or abnormal (malicious). The features they considered include CPU consumption, number of packets sent through WiFi, number of running processes, keyboard or touch-screen presses and application start-up. To validate their models, they selected features using three selection methods: Information Gain, Fisher Score and Chi-Square. Their approach achieved 92% accuracy; however, two drawbacks of their system are that they did not use real malware samples and that they used an application that simulates user interaction, known as ADB Monkey, which is not a real user.
Burguera & Zurutuza (2011) presented another approach for dynamically analyzing the behavior of Android applications. They used a crowd-sourcing system named CrowDroid to obtain traces of application behavior such as system calls. CrowDroid collects all the system calls used by a set of users during runtime. It adopts the K-means clustering algorithm to classify the collected data into two groups, the benign group and the malicious group, which can be used to identify the specific user who is running the malicious repackaged application. CrowDroid needs a set of users to execute the same original application and the same corresponding malicious applications. Although their experimental results indicated a 100% detection rate, the drawback is that they used a small-scale malicious dataset as the training set. Furthermore, the evaluation was carried out using a self-implemented set of malware samples instead of malware from the wild.
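The CrowDroid approach just described, and the system-call monitoring of Section 2.3.2, can be illustrated with an added Python example (written for this review, not the CrowDroid authors' code): it counts system call names in constructed strace-style traces from five hypothetical users of "the same" application, turns the counts into vectors and separates them with a deterministic 2-means clustering, flagging the minority cluster as the runs that deviate from the crowd. The traces, the user ids and the assumption that most users run the unmodified application are all constructed for this example.

```python
"""Dynamic analysis of system-call traces: count calls per run and separate the
runs with 2-means clustering. Added example; all traces are constructed."""
import re
from collections import Counter

SYSCALL_RE = re.compile(r"^(\w+)\(")

# Constructed strace-style lines for one run of a benign game (not real data).
BASE_TRACE = [
    'open("/data/data/com.example.game/files/level1.dat", O_RDONLY) = 12',
    'read(12, "...", 4096) = 4096',
    'close(12) = 0',
    'ioctl(8, BINDER_WRITE_READ, 0xbe9d1c10) = 0',
    'write(9, "ok", 2) = 2',
    'epoll_wait(11, {...}, 8, -1) = 1',
]
# Extra calls seen only in the repackaged copy: it opens a network socket and
# exchanges data during play (constructed, as an illustration only).
NETWORK_TAIL = [
    'socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 14',
    'connect(14, {sa_family=AF_INET, sin_port=htons(8080), ...}, 16) = 0',
    'sendto(14, "...", 40, 0, NULL, 0) = 40',
    'recvfrom(14, "...", 512, 0, NULL, NULL) = 12',
    'sendto(14, "...", 4, 0, NULL, 0) = 4',
]
# Five hypothetical users running "the same" application; two of them actually
# have the repackaged copy.
RUNS = {
    "user1": BASE_TRACE * 3,
    "user2": BASE_TRACE * 3 + ['read(12, "...", 4096) = 4096'],
    "user3": BASE_TRACE * 3 + ['write(9, "ok", 2) = 2'],
    "user4": BASE_TRACE * 3 + NETWORK_TAIL * 2,
    "user5": BASE_TRACE * 3 + NETWORK_TAIL * 2 + ['sendto(14, "...", 1, 0, NULL, 0) = 1'],
}


def parse_trace(lines):
    """Count system call names in strace-style output lines."""
    counts = Counter()
    for line in lines:
        m = SYSCALL_RE.match(line.strip())
        if m:
            counts[m.group(1)] += 1
    return counts


def vectorize(counters):
    """Turn per-run Counters into fixed-length count vectors over a shared name list."""
    names = sorted(set().union(*counters))
    return names, [[c.get(n, 0) for n in names] for c in counters]


def dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans2(vectors, max_iter=100):
    """2-means with a deterministic start: the first vector and the one farthest from it."""
    centroids = [list(vectors[0]), list(max(vectors, key=lambda v: dist2(v, vectors[0])))]
    assign = None
    for _ in range(max_iter):
        new = [0 if dist2(v, centroids[0]) <= dist2(v, centroids[1]) else 1 for v in vectors]
        if new == assign:
            break
        assign = new
        for k in (0, 1):
            members = [v for v, a in zip(vectors, assign) if a == k]
            if members:
                centroids[k] = [sum(col) / len(members) for col in zip(*members)]
    return assign, centroids


def flag_anomalous(runs):
    """Return the run ids in the smaller cluster, on the CrowDroid-style assumption
    (an assumption of this example) that most users run the unmodified application."""
    ids = sorted(runs)
    _, vectors = vectorize([parse_trace(runs[i]) for i in ids])
    assign, _ = kmeans2(vectors)
    minority = 1 if assign.count(1) < assign.count(0) else 0
    return [i for i, a in zip(ids, assign) if a == minority]


if __name__ == "__main__":
    print("runs flagged as deviating from the crowd:", flag_anomalous(RUNS))
```

The weakness discussed in the text is visible in the code: the clustering has no notion of "malicious", only of "different from the majority", so with a small or skewed set of runs the minority cluster may simply be the users with an unusual but harmless usage pattern.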
While the above studies chose to analyze applications either statically or dynamically, Blasing et al. (2010) proposed a hybrid method called AASandbox, which uses both static and dynamic analysis. The static analysis decompresses the apk file, converts its class files into Java source code, searches for suspicious patterns and marks them as benign or malicious. During application execution in the Android Emulator, AASandbox counts the number of all system calls to detect malicious behaviours. However, the data obtained by AASandbox is very diverse, causing low detection accuracy (Lin et al., 2013). In addition, they also used ADB Monkey in the dynamic analysis simulation.
Zhou et al. (2012) proposed another hybrid solution named DroidRanger. DroidRanger uses both static and dynamic analysis techniques to develop behavior profiles for scalable mobile malware detection, scanning large numbers of third-party Android applications for malicious behavior. DroidRanger implements a combination of permission-based behavioral footprinting to detect samples of already known malware families and a heuristic-based filtering scheme to detect unknown malicious families. In the dynamic part they use a kernel module to log only the system calls used by known Android exploits or malware; however, the authors only monitor those system calls used by existing root exploits with root privilege, and hence new malware that avoids calling such system calls with root permissions may avoid detection. Moreover, the detection heuristics used by the authors present a high false negative rate, ranging from 5.04% to 23.52% (Suarez-Tangil et al., 2013).
Each of these works has its own strengths and gaps that can be further improved. It is noticed that most works focus on general mobile malware detection. Although the mobile botnet is the most dangerous mobile malware (Polla et al., 2012; Zeng et al., 2012), at the time of writing this proposal there are no studies yet on mobile botnet detection at the application level. This is one of the motivations for this research. Another point is that research by Zhou & Jiang (2012) revealed that of the 1260 mobile malware samples they analyzed, 93% exhibit mobile botnet behaviour, which makes studies on mobile botnet detection a must.
This research conceptually has some similarities with Wu et al. (2012), who used static analysis of the manifest file and tracing of API calls. The extension is that this research also employs dynamic analysis to counter obfuscated and encrypted application source code. Since collection and run-time analysis of mobile botnets by itself is not sufficient to lessen the threat posed by novel mobile botnets, this research also adopts knowledge discovery techniques (KDD) and data mining. From the response perspective, which was not applied by previous researchers, this research adopts the Innate Immune System. A summary and comparison of this research with related studies is presented in Table 2.2.
Table 2.2: Related Works of Malware Detection on Android

| Related Work | Type of Analysis | Key Feature | Detecting Target | Main Drawbacks |
|---|---|---|---|---|
| Schmidt et al. (2009) | Static | Function Calls | Mobile Malware | Small Sample |
| Enck et al. (2009) | Static | Data Flow | Mobile Malware, Vulnerability Assessment | General Malware Detection |
| Shabtai et al. (2010) | Dynamic | Abnormal Behaviour | Mobile Malware | Generates Many False Positives |
| Burguera & Zurutuza (2011) | Dynamic | Amount of System Calls | Mobile Malware | Generates Many False Positives |
| Wu et al. (2012) | Static | Permission and System Calls | Mobile Malware | Cannot Detect Update Attack Technique |
| Blasing et al. (2010) | Static and Dynamic | Number of System Calls | Mobile Malware | Small Sample, Low Detection Accuracy |
| Zhou et al. (2012) | Static and Dynamic | Permission and System Logs | Mobile Malware | Generates Many False Negatives |
| Proposed Model | Static and Dynamic | Permission, System Calls, System Logs | Mobile Botnet | |

2.5 Knowledge Discovery Techniques (KDD)

The KDD term was first mentioned in a KDD workshop in 1989 (Piatetsky-Shapiro, 1991) and it is defined as the process of discovering useful knowledge from a collection of data (Fayyad et al., 1996). This process includes data preparation and selection, data cleansing, incorporating prior knowledge on data and interpreting accurate solutions from the observed results (Mhamdi & Elloumi, 2008).

Many studies that integrate KDD have been conducted over the past few years, for example in Health, Geology, Marketing, Finance and Molecular Biology (Mhamdi & Elloumi, 2008). KDD is also being adopted in computer and cyber security, for example for virus detection (Deng, 2003), worm detection (Saudi et al., 2011) and botnet detection (Shahrestani et al., 2009).

For this research, KDD is used as a technique to identify mobile botnet patterns in the datasets. This includes dataset preparation, data cleansing, feature extraction, clustering, classification and interpretation. Data mining, which is part of KDD, is used to extract features of Android applications.
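The KDD steps listed above, as an added Python example written for this review (not the proposal's pipeline and not Genome Project data): raw permission records are loaded, cleansed (an unlabelled row, a duplicate and an untidy permission string are dropped or normalised), turned into binary feature vectors, classified with a Bernoulli naive Bayes model, and interpreted by ranking the permissions with the highest malware-to-benign likelihood ratio. The Bayesian classifier, the record ids and every permission set are choices and constructions of this example; the clustering step is left out here.

```python
"""A small KDD pipeline over application permission records: prepare, cleanse,
extract binary features, classify with Bernoulli naive Bayes and interpret.
Added example; all records are constructed, not Genome Project data."""
import csv
import io
import math
from collections import Counter

# Constructed raw records: a row with a missing label, a duplicate row and an
# untidy permission string are included on purpose to exercise the cleansing step.
RAW_CSV = """\
apk_id,label,permissions
a1,benign,INTERNET;ACCESS_NETWORK_STATE
a2,benign,INTERNET;VIBRATE
a3,benign,INTERNET;ACCESS_NETWORK_STATE;WAKE_LOCK
a4,benign,VIBRATE
a5,malware,INTERNET;RECEIVE_SMS;SEND_SMS
a6,malware,INTERNET;RECEIVE_SMS;SEND_SMS;RECEIVE_BOOT_COMPLETED
a7,malware,INTERNET;READ_PHONE_STATE;SEND_SMS
a7,malware,INTERNET;READ_PHONE_STATE;SEND_SMS
a8,,INTERNET;SEND_SMS
a9,benign, internet ; access_network_state
"""


def load_records(text):
    """Data preparation: read the raw CSV into dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def clean_records(rows):
    """Data cleansing: drop unlabelled rows, de-duplicate by apk_id, normalise names."""
    seen, out = set(), []
    for r in rows:
        if r["label"] not in ("benign", "malware") or r["apk_id"] in seen:
            continue
        seen.add(r["apk_id"])
        perms = {p.strip().upper() for p in r["permissions"].split(";") if p.strip()}
        out.append({"apk_id": r["apk_id"], "label": r["label"], "perms": perms})
    return out


def extract_features(records):
    """Feature extraction: a sorted vocabulary and one binary vector per record."""
    vocab = sorted(set().union(*(r["perms"] for r in records)))
    vecs = [[1 if v in r["perms"] else 0 for v in vocab] for r in records]
    return vocab, vecs


def train_bernoulli_nb(vocab, vecs, labels):
    """Bernoulli naive Bayes with Laplace smoothing: P(f=1|c) = (n_fc+1)/(n_c+2)."""
    n = Counter(labels)
    model = {"vocab": vocab, "prior": {}, "p1": {}}
    for c in sorted(n):
        rows = [v for v, l in zip(vecs, labels) if l == c]
        model["prior"][c] = n[c] / len(labels)
        model["p1"][c] = [(sum(col) + 1) / (n[c] + 2) for col in zip(*rows)]
    return model


def classify(model, perms):
    """Return (predicted class, log-score per class) for a permission set."""
    x = [1 if v in perms else 0 for v in model["vocab"]]
    scores = {}
    for c, prior in model["prior"].items():
        s = math.log(prior)
        for xi, p in zip(x, model["p1"][c]):
            s += math.log(p if xi else 1 - p)
        scores[c] = s
    return max(scores, key=scores.get), scores


def top_indicators(model, k):
    """Interpretation: features with the largest P(f|malware)/P(f|benign) ratio."""
    ratio = [(pm / pb, v) for v, pm, pb in
             zip(model["vocab"], model["p1"]["malware"], model["p1"]["benign"])]
    return [v for _, v in sorted(ratio, reverse=True)[:k]]


def build_model(text=RAW_CSV):
    records = clean_records(load_records(text))
    vocab, vecs = extract_features(records)
    return train_bernoulli_nb(vocab, vecs, [r["label"] for r in records])


if __name__ == "__main__":
    m = build_model()
    print(classify(m, {"INTERNET", "RECEIVE_SMS", "SEND_SMS"})[0])   # malware
    print(classify(m, {"INTERNET", "VIBRATE"})[0])                   # benign
    print(top_indicators(m, 2))                                      # ['SEND_SMS', 'RECEIVE_SMS']
```

With eight cleaned records the model is only a demonstration of the pipeline's shape; the Laplace smoothing is what keeps a permission never seen in one class from driving a log-probability to minus infinity, which matters as soon as real datasets with hundreds of permissions are used.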
2.6 Innate Immune System (IIS)

In this section, the IIS is defined and a comparison between the IIS and mobile botnets is conducted. Apart from this, previous work related to this research is also presented.

2.6.1 Definition

Humans live in an environment where their bodies are constantly being attacked by intruders such as viruses, bacteria and other organisms, yet the majority of humans have survived these attacks for many decades (Saudi, 2011). Humans do not need to download any security patches, since their bodies have adapted to living in such a harsh environment with the help of the Human Immunology System (HIS). Various approaches have been proposed in the literature that aim to develop Artificial Immune Systems (AIS) which mimic the behaviour of the HIS. Somayaji et al. (1997) provided various possible architectures of AIS for computer security. Dasgupta et al. (2011), on the other hand, provide a good review of the AIS field.

Based on the literature reviewed, the Innate Immune System (IIS) is seen as one of the specialisms in human immunology that can be further explored and integrated into this research, particularly in detection and response to mobile botnet infection. According to Marhusin et al. (2008), the term innate immune system refers to the fast-acting, non-specific immunological actions of the human body that recognize an infection and attempt to clear it from the human. The innate immune system can be thought of as the human front line of defense against pathogens.

2.7 Summary

This chapter presented the related studies for this research. These literatures are the foundation of knowledge for this research. It includes an overview of Android OS and applications, the definition of mobile botnets, a comparison with other malware, mobile botnet propagation and mobile malware detection and response techniques. Related studies of mobile malware detection and response were also reviewed here in terms of methods used, strengths and potential improvements. Further, knowledge discovery and the Innate Immune System were also presented.

CHAPTER 3

RESEARCH METHODOLOGY

This chapter explains how this research is conducted, including the methods used in data collection and analysis, an explanation of the research tools and environment, an overview of the proposed model and the research schedule, including preliminary work that has been done.

3.1 Research Methodology

This research proposes a high-accuracy and efficient model for mobile botnet detection and response. All the processes involved in forming this model are illustrated in Figure 3.1. There are two phases in this proposed model: mobile botnet detection and mobile botnet response.

Figure 3.1: An Overview of Proposed Research Methodology

Thirteen processes are involved in developing these two phases, starting with outlining the research background. These processes are simplified in Figure 3.2. Prior to the formation of this proposed model, the aims and objectives were well defined and focused to ensure that the contribution of this research has significant value. Details of these can be found in Chapter 1.

Once the first process is completed, it is followed by reviewing the existing works and literature. The proposed model covers the gaps identified in studies conducted by previous researchers. Analysis and comparison of previous related works has been addressed in Chapter 2.

Figure 3.2: Mobile Botnet Detection and Response Model

3.2 Research Design

In this section, all the techniques applied for analysis and testing are clearly explained. This includes the sources of, and the reasons for using, the datasets from the Android Malware Genome Project and Google Play.
3.2.1 Datasets

There are two datasets for this research: a training dataset and a testing dataset. The training dataset is used to build up the detection and response model, while the testing dataset is used to validate the model. The training dataset consists of benign applications downloaded from Google Play, the official market that hosts Android applications. The Android emulator is used to download the applications.

The testing dataset for this research is taken from the Android Malware Genome Project initiated and collected by Zhou & Jiang (2012). The dataset consists of 1260 Android malware samples in 49 different malware families. These malware samples cover the majority of existing Android malware that appeared from August 2010 to October 2011. There are four reasons why this research chooses to use data from the Android Malware Genome Project.

Firstly, many studies have used this data for their testing, for example the research conducted by Wu et al. (2012), Yerima et al. (2013), Zhang et al. (2013), Amos et al. (2013) and Demme et al. (2013). Secondly, this dataset contains Android malware samples within the scope of this research, which focuses on Android OS mobile botnets. Thirdly, this dataset has also been downloaded and used by well-known anti-virus companies such as Lookout, AVG, NQ Mobile and McAfee. The dataset has been downloaded by more than 308 entities, including higher learning institutions, research companies and government sectors (Zhou & Jiang, 2012). Lastly, it is one of the largest mobile malware databases freely available on the Internet.

3.2.2 Testing Lab Architecture

The lab architecture for this research is illustrated in Figure 3.2. It is a controlled lab environment in which the software used for testing is open source software freely available on the Internet. No outgoing connection is allowed in this architecture, so no mobile malware threat will be exposed to the public. The tools and software installed and used for this research are summarized in Table 3.1.

Figure 3.2: Mobile Botnet Controlled Lab Architecture

Table 3.1: Software Installed in Testing Lab Computers

| Function | Software / Tools | Purpose of Action(s) |
|---|---|---|
| Virtual PC | VMware Workstation | To allow multiple operating systems to run on a single computer; to provide an operating system for installation of the tools or software for mobile malware detection |
| Smartphone Emulator | Android SDK | To provide a smartphone emulator for installation of applications (benign and malicious applications); to crawl Google Play and download the applications and datasets used in this research |
| Scan Tools | Kaspersky Internet Security for Android; avast! Free Mobile Security; F-Secure Mobile Security; Andrubis (online) | To scan and detect Android applications |
| Unpack Tool | WinZip; ApkTool | To decompress and unpack Android application package (apk) files |
| View or Modify apk Code | JD-GUI | To display the Java source code of the .class files in an apk |
| | Dex2jar | To modify the code of an apk by translating the code from dex to jar, modifying the .class files in the jar, translating the jar back to dex, and compiling and signing it into an apk |
| | Apk-view-tracer | To provide an apk automated testing interface and an event trigger tool for apk dynamic analysis |
| Registry Monitoring; File Monitoring; Process Monitoring; Port Monitoring | Dalvik Debug Monitor Server (DDMS) | To provide port-forwarding services, screen capture on the device, thread and heap information on the device, logcat, process and radio state information, incoming call and SMS spoofing, and location data spoofing |
| Software for data testing and simulation | Java (WEKA) | To perform data mining analysis and testing |

3.3 Expected Result

This proposal presents a high-accuracy and efficient model for mobile botnet detection and response. The proposed model realizes static and dynamic analysis that monitors various features and events obtained from the Android applications and mobile devices, and then applies KDD methods to classify the collected data as normal (benign) or abnormal (malicious). Successful classification is expected to give the proposed model the ability to accurately detect mobile botnets. Further, with the adaptation of the IIS, it is expected that a malicious application is deleted immediately once it tries to infect the mobile device.

3.4 Planning and Execution

[Gantt chart of research activities from February 2013 to February 2016, with columns by month (2013: M A J A; 2014: M A J J; 2015: S O; 2016: J F), covering the following activities:]
- Study on various malicious codes, botnets and mobile botnets
- Propose a mobile botnet detection and response system
- Conference paper writing
- Proposal defence
- Publish first journal article; research in progress / preliminary work (present in conference)
- Develop phase 1
- Phase 1 simulation
- Conference / journal paper writing
- Publish second journal article (present in conference)
- Develop phase 2
- Phase 2 simulation
- Conference / journal paper writing
- Publish third journal article (present in conference)
- Phase 1 & phase 2 combined, simulation and findings
- Analysis and evaluation
- Conference / journal paper writing
- Publish fourth journal article (present in conference)
- Thesis writing

February 2013 to April 2013 (3 months): Study on various mobile botnet types, mobile botnet detection and the innate immunology system.

May 2013 to August 2013 (4 months): Propose a new model for mobile botnet detection and response.

August 2013 to May 2014 (10 months): Proposal defence and development of phase 1.

January 2014 to June 2014 (6 months): Phase 1 simulation; conference / journal paper writing.

January 2014 to October 2013 (10 months): Develop phase 2.

May 2014 to December 2014 (8 months): Phase 2 simulation; conference / journal paper writing.

November 2014 to June 2015 (8 months): Phase 1 and phase 2 combined final simulation.

February 2015 to July 2015 (8 months): Analysis and evaluation of the complete model of mobile botnet detection and response; conference / journal paper writing.

March 2015 to February 2016 (11 months): Thesis writing.

3.5 Preliminary Study

Prior to this research, a research paper titled Mobile Malware Detection: A Proof Of Concept was presented at the 3rd International Conference of Software Engineering & Computer Systems 2013 (ICSECS13), Universiti Malaysia Pahang, on 20 - 22 August 2013.

A case study using a sample from the Android Malware Genome Project shows a proof of concept of how the mobile malware works. The testing was conducted in a controlled lab environment, the same as in Figure 3.2. Static and dynamic analyses were conducted to analyse the code. ApkTool, Dex2Jar and JD-GUI were used for static analysis, while the Android SDK was used for dynamic analysis.

The testing results showed that one of the payloads of this code is to send and forward messages received on the infected phone to the code author's phone number, +46769436094, as shown in Fig. 3.3. This phone number is located in Germany. It is similar to a mobile text bot, where in Malaysia it is called a Transactional Authorization Code (TAC). The TAC is needed as an authentication method for any online money transaction. Any other person who would like to steal the TAC number can simply change the phone number inside the code. The payload of the sample is seen as profit-based and can also lead to identity theft and loss of money for the victim.

Figure 3.3: Mobile Botnet Static Analysis
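As an added example of the kind of static check the preliminary study performed (written for this review; not the code from the paper, the analysed sample, or any of the tools in Table 3.1), the following Python scanner looks through constructed smali-style disassembly for the indicators of SMS forwarding: a hardcoded destination number in a const-string, a call to the SmsManager send API, and abortBroadcast(), which keeps the received message from reaching the user. The class name and the number +10000000000 are placeholders, not values from the real sample.

```python
"""Static indicator scan over disassembled (smali-style) Dalvik code for the
SMS-forwarding behaviour described in the preliminary study. Added example;
the input lines are constructed and the phone number is a placeholder."""
import re

# Constructed smali-style excerpt; not taken from any real sample. The number is a
# placeholder, not the one reported in the preliminary study.
SAMPLE_SMALI = """\
.class public Lcom/example/constructed/SmsReceiver;
.super Landroid/content/BroadcastReceiver;
.method public onReceive(Landroid/content/Context;Landroid/content/Intent;)V
    const-string v1, "+10000000000"
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    invoke-virtual {p2}, Landroid/content/Intent;->getExtras()Landroid/os/Bundle;
    move-result-object v3
    invoke-virtual {v0, v1, v2, v3, v4, v5}, Landroid/telephony/SmsManager;->sendTextMessage(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;Landroid/app/PendingIntent;Landroid/app/PendingIntent;)V
    invoke-virtual {p0}, Lcom/example/constructed/SmsReceiver;->abortBroadcast()V
    return-void
.end method
"""

# A string constant that looks like an international (E.164-style) number.
PHONE_RE = re.compile(r'const-string\s+v\d+,\s*"(\+\d{7,15})"')

# Indicator patterns; the names are this example's own labels.
INDICATOR_RES = {
    "sms-send-api": re.compile(r"Landroid/telephony/SmsManager;->send(Text|Multipart|Data)Message"),
    "broadcast-receiver": re.compile(r"\.super Landroid/content/BroadcastReceiver;"),
    "hides-sms-from-user": re.compile(r"->abortBroadcast\(\)V"),
}


def scan_smali(text):
    """Collect hardcoded numbers and the indicator labels present in the code."""
    findings = {"hardcoded_numbers": [], "indicators": []}
    for line in text.splitlines():
        m = PHONE_RE.search(line)
        if m:
            findings["hardcoded_numbers"].append(m.group(1))
        for name, rx in INDICATOR_RES.items():
            if rx.search(line) and name not in findings["indicators"]:
                findings["indicators"].append(name)
    return findings


def verdict(findings):
    """'sms-forwarding' when a hardcoded destination and the send API co-occur;
    'suspicious' for any other indicator; 'no-indicator' otherwise."""
    if findings["hardcoded_numbers"] and "sms-send-api" in findings["indicators"]:
        return "sms-forwarding"
    return "suspicious" if findings["indicators"] else "no-indicator"


if __name__ == "__main__":
    f = scan_smali(SAMPLE_SMALI)
    print(f)
    print(verdict(f))
```

The scan is deliberately literal: it only finds a destination number stored as a plain string constant, so a sample that assembles or decrypts the number at run time slips past it, which is the obfuscation limitation that motivates the dynamic analysis in this proposal.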


3.6 Summary

In this chapter, the research processes used for this study were discussed. The research design, datasets, data mining, testing lab architecture, proposed model and expected results are clearly defined and presented. The planning and execution schedule acts as a guideline for how the research will be conducted, with the proper activities carried out.

REFERENCES

Ahmed, R., & Dharaskar, R. 2012. Study of mobile botnets: An analysis from the perspective of efficient generalized forensics framework for mobile devices. IJCA Proceedings on National Conference on Innovative Paradigms in Engineering & Technology (NCIPET-2012), (Im), 58. Retrieved from http://core.kmi.open.ac.uk/download/pdf/2680596.pdf
Amos, B., Turner, H., & White, J. 2013. Applying machine learning classifiers to dynamic Android malware detection at scale. In 2013 9th International Wireless Communications and Mobile Computing Conference (IWCMC) (pp. 1666-1671). IEEE. doi:10.1109/IWCMC.2013.6583806
Arabo, A., & Pranggono, B. 2013. Mobile Malware and Smart Device Security: Trends, Challenges and Solutions. In 2013 19th International Conference on Control Systems and Computer Science (pp. 526-531). IEEE. doi:10.1109/CSCS.2013.27
Blasing, T., Batyuk, L., Schmidt, A., Camtepe, S. A., & Albayrak, S. 2010. An Android Application Sandbox system for suspicious software detection. In 2010 5th International Conference on Malicious and Unwanted Software (pp. 55-62). IEEE. doi:10.1109/MALWARE.2010.5665792
Botha, R. A., Furnell, S. M., & Clarke, N. L. 2009. From desktop to mobile: Examining the security experience. Computers & Security, 28(3-4), 130-137. doi:10.1016/j.cose.2008.11.001
Burguera, I., & Zurutuza, U. 2011. Crowdroid: Behavior-Based Malware Detection System for Android. Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices (SPSM '11).
Damopoulos, D., Kambourakis, G., Gritzalis, S., & Park, S. O. 2012. Exposing mobile malware from the inside (or what is your mobile app really doing?). Peer-to-Peer Networking and Applications. doi:10.1007/s12083-012-0179-x

Dasgupta, D., Yu, S., & Nino, F. 2011. Recent Advances in Artificial Immune Systems: Models and Applications. Applied Soft Computing, 11(2), 1574-1587. doi:10.1016/j.asoc.2010.08.024
Demme, J., Maycock, M., Schmitz, J., Tang, A., Waksman, A., Sethumadhavan, S., & Stolfo, S. 2013. On the feasibility of online malware detection with performance counters. ACM SIGARCH Computer Architecture News, 41(3), 559. doi:10.1145/2508148.2485970
Deng, P. S. 2003. Virus detection using data mining techniques. IEEE 37th Annual 2003 International Carnahan Conference on Security Technology, 2003. Proceedings., 71-76. doi:10.1109/CCST.2003.1297538
Enck, W., Ongtang, M., & McDaniel, P. 2009. On lightweight mobile phone application certification. In Proceedings of the 16th ACM conference on Computer and communications security - CCS '09 (p. 235). New York, New York, USA: ACM Press. doi:10.1145/1653662.1653691
Eslahi, M., Salleh, R., & Anuar, N. B. 2012a. MoBots: A new generation of botnets on mobile devices and networks. 2012 International Symposium on Computer Applications and Industrial Electronics (ISCAIE), (Iscaie), 262-266. doi:10.1109/ISCAIE.2012.6482109
Eslahi, M., Salleh, R., & Anuar, N. B. 2012b. Bots and botnets: An overview of characteristics, detection and challenges. 2012 IEEE International Conference on Control System, Computing and Engineering, 349-354. doi:10.1109/ICCSCE.2012.6487169
Fayyad, U., Piatetsky-Shapiro, G., & Smyth, P. 1996. The KDD process for extracting useful knowledge from volumes of data. Communications of the ACM, 39(11), 27-34. doi:10.1145/240455.240464
Felt, A. P., Finifter, M., Chin, E., Hanna, S., & Wagner, D. 2011. A survey of mobile malware in the wild. Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices - SPSM '11, 3. doi:10.1145/2046614.2046618

Flø, A. R., & Jøsang, A. 2009. Consequences of Botnets Spreading to Mobile. Short-Paper Proceedings of the 14th Nordic Conference on Secure IT Systems (NordSec 2009), (October), 37-43.
F-Secure. 2013. F-Secure Mobile Threat Report July - September 2013, (September). Retrieved from http://www.fsecure.com/static/doc/labs_global/Research/Mobile_Threat_Report_Q3_2013.pdf
Jarabek, C., Barrera, D., & Aycock, J. 2012. ThinAV: Truly Lightweight Mobile Cloud-based. In Proceedings of the 28th Annual Computer Security Applications Conference on - ACSAC '12 (p. 209). New York, New York, USA: ACM Press. doi:10.1145/2420950.2420983
Jin, R., & Wang, B. 2013. Malware Detection for Mobile Devices Using Software-Defined Networking. 2013 Second GENI Research and Educational Experiment Workshop, 81-88. doi:10.1109/GREE.2013.24
Kalige, E., & Burkey, D. 2012. A Case Study of Eurograbber: How 36 Million Euros was Stolen via Malware, (December). Retrieved from https://www.checkpoint.com/products/downloads/whitepapers/Eurograbber_White_Paper.pdf
Kato, M., & Matsuura, S. 2013. A Dynamic Countermeasure Method to Android Malware by User Approval. 2013 IEEE 37th Annual Computer Software and Applications Conference, 730-731. doi:10.1109/COMPSAC.2013.121
Li, H., Ma, D., Saxena, N., Shrestha, B., & Zhu, Y. 2013. Tap-wave-rub: Lightweight malware prevention for smartphones using intuitive human gestures. Proceedings of the sixth ACM conference on Security and privacy in wireless and mobile networks, 25-30. Retrieved from http://dl.acm.org/citation.cfm?id=2462101
Lin, Y.-D., Lai, Y.-C., Chen, C.-H., & Tsai, H.-C. 2013. Identifying android malicious repackaged applications by thread-grained system call sequences. Computers & Security, 39, 340-350. doi:10.1016/j.cose.2013.08.010

Marhusin, M. F., Cornforth, D., & Larkin, H. 2008. Malicious Code Detection Architecture Inspired by Human Immune System. 2008 Ninth ACIS International Conference on Software Engineering, Artificial Intelligence, Networking, and Parallel/Distributed Computing, 312-317. doi:10.1109/SNPD.2008.160
Medzhitov, R., & Janeway, C. A. 2002. Decoding the patterns of self and nonself by the innate immune system. Science (New York, N.Y.), 296(5566), 298-300. doi:10.1126/science.1068883
Mhamdi, F., & Elloumi, M. 2008. A new survey on knowledge discovery and data mining. 2008 Second International Conference on Research Challenges in Information Science, 427-432. doi:10.1109/RCIS.2008.4632134
Peng, H., Gates, C., Sarma, B., Li, N., Qi, Y., Potharaju, R., Molloy, I. 2012. Using probabilistic generative models for ranking risks of Android apps. Proceedings of the 2012 ACM conference on Computer and communications security - CCS '12, 241. doi:10.1145/2382196.2382224
Peng, S., Yu, S., & Yang, A. 2013. Smartphone Malware and Its Propagation Modeling: A Survey. IEEE Communications Surveys & Tutorials, (4), 1-17. doi:10.1109/SURV.2013.070813.00214
Piatetsky-Shapiro, G. 1991. Knowledge Discovery in Real Databases: A Report on the IJCAI-89 Workshop. AI Magazine, 11(5), 68-70.
Polla, M. La, Martinelli, F., & Sgandurra, D. 2012. A survey on security for mobile devices. IEEE Communications Surveys & Tutorials, 15(1), 446-471. doi:10.1109/SURV.2012.013012.00028
Saudi, M. M. 2011. A New Model for Worm Detection and Response. (PhD Thesis). University of Bradford.
Saudi, M. M., Cullen, A. J., & Woodward, M. E. 2011. Efficient STAKCERT KDD Processes in Worm Detection. World Academy of Science, Engineering and Technology, 55, 376-380.

Saudi, M. M., Cullen, A. J., Woodward, M. E., Hamid, H. A., & Abhalim, A. H. 2009. An
overview of STAKCERT framework in confronting worms attack. In 2009 2nd IEEE
International Conference on Computer Science and Information Technology (pp. 104–108).
IEEE. doi:10.1109/ICCSIT.2009.5234764
Schmidt, A., Bye, R., Schmidt, H., Clausen, J., Kiraz, O., Yuksel, K., & Albayrak, S. 2009. Static
analysis of executables for collaborative malware detection on Android. IEEE International
Conference on Communications 2009 (ICC '09), 0–4. Retrieved from
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=5199486
Shabtai, A., Fledel, Y., & Elovici, Y. 2010. Automated Static Code Analysis for Classifying
Android Applications Using Machine Learning. 2010 International Conference on
Computational Intelligence and Security, 329–333. doi:10.1109/CIS.2010.77
Shahrestani, A., Feily, M., Ahmad, R., & Ramadass, S. 2009. Architecture for Applying Data
Mining and Visualization on Network Flow for Botnet Traffic Detection. 2009 International
Conference on Computer Technology and Development, 33–37. doi:10.1109/ICCTD.2009.82
Somayaji, A., Hofmeyr, S., & Forrest, S. 1997. Principles of a computer immune system. In
Proceedings of the 1997 Workshop on New Security Paradigms (NSPW '97) (pp. 75–82).
New York, NY, USA: ACM Press. doi:10.1145/283699.283742
Suarez-Tangil, G., Tapiador, J. E., Peris-Lopez, P., & Ribagorda, A. 2013. Evolution, Detection
and Analysis of Malware for Smart Devices. IEEE Communications Surveys & Tutorials,
1–27. doi:10.1109/SURV.2013.101613.00077
Teufl, P., Ferk, M., Fitzek, A., Hein, D., Kraxberger, S., & Orthacker, C. 2012. Malware Detection
by Applying Knowledge Discovery Processes to Application Metadata on the Android
Market (Google Play). Security and Communication Networks. doi:10.1002/sec
Wu, D.-J., Mao, C.-H., Wei, T.-E., Lee, H.-M., & Wu, K.-P. 2012. DroidMat: Android Malware
Detection through Manifest and API Calls Tracing. 2012 Seventh Asia Joint Conference on
Information Security, 62–69. doi:10.1109/AsiaJCIS.2012.18
Yerima, S. Y., Sezer, S., McWilliams, G., & Muttik, I. 2013. A New Android Malware Detection
Approach Using Bayesian Classification. 2013 IEEE 27th International Conference on
Advanced Information Networking and Applications (AINA), 121–128.
doi:10.1109/AINA.2013.88
Zeng, Y., Shin, K., & Hu, X. 2012. Design of SMS commanded-and-controlled and P2P-structured
mobile botnets. WiSec '12: Proceedings of the Fifth ACM Conference on Security
and Privacy in Wireless and Mobile Networks, (February). Retrieved from
http://dl.acm.org/citation.cfm?id=2185467
Zhang, Y., Yang, M., Xu, B., Yang, Z., Gu, G., Ning, P., & Zang, B. 2013. Vetting undesirable
behaviors in Android apps with permission use analysis. In Proceedings of the 2013 ACM
SIGSAC Conference on Computer & Communications Security (CCS '13) (pp. 611–622).
New York, NY, USA: ACM Press. doi:10.1145/2508859.2516689
Zhao, Z., & Colón Osorio, F. C. 2012. TrustDroid™: Preventing the use of smartphones for
information leaking in corporate networks through the use of static analysis taint tracking.
In 2012 7th International Conference on Malicious and Unwanted Software (pp. 135–143).
IEEE. doi:10.1109/MALWARE.2012.6461017
Zhou, Y., & Jiang, X. 2012. Dissecting Android Malware: Characterization and Evolution. 2012
IEEE Symposium on Security and Privacy, (4), 95–109. doi:10.1109/SP.2012.16
Zhou, Y., Wang, Z., Zhou, W., & Jiang, X. 2012. Hey, You, Get Off of My Market: Detecting
Malicious Apps in Official and Alternative Android Markets. In Proceedings of the 16th
Network and Distributed System Security Symposium (NDSS). Retrieved from
http://www.csd.uoc.gr/~hy558/papers/mal_apps.pdf