TY - JOUR
T1 - Anomaly-based Exploratory Analysis and Detection of Exploits in Android Mediaserver
AU - Suárez-Tangil, Guillermo
AU - Dash, Santanu Kumar
AU - Garcia-Teodoro, Pedro
AU - Camacho, Jose
AU - Cavallaro, Lorenzo
PY - 2018/4/4
Y1 - 2018/4/4
N2 - Smartphone platforms are becoming increasingly complex, which gives way to software vulnerabilities that are difficult to identify and that might allow malware developers to gain unauthorized privileges through technical exploitation. However, we maintain that this type of attack indirectly renders a number of unexpected behaviors in the system that can be profiled. In this work we present CoME, an anomaly-based methodology aimed at detecting software exploitation in Android systems. CoME models the normal behavior of a given software component or service and is capable of identifying any unanticipated behavior. To this end, we first monitor the normal operation of a given exploitable component through lightweight virtual introspection. Then, we use a multivariate analysis approach to estimate the normality model and detect anomalies. We evaluate our system against one of the most critically vulnerable and widely exploited services in Android, i.e., the mediaserver. Results show that our approach can not only provide a meaningful explanation of the discriminant features of illegitimate activities, but can also be used to accurately detect malicious software exploitation at runtime.
AB - Smartphone platforms are becoming increasingly complex, which gives way to software vulnerabilities that are difficult to identify and that might allow malware developers to gain unauthorized privileges through technical exploitation. However, we maintain that this type of attack indirectly renders a number of unexpected behaviors in the system that can be profiled. In this work we present CoME, an anomaly-based methodology aimed at detecting software exploitation in Android systems. CoME models the normal behavior of a given software component or service and is capable of identifying any unanticipated behavior. To this end, we first monitor the normal operation of a given exploitable component through lightweight virtual introspection. Then, we use a multivariate analysis approach to estimate the normality model and detect anomalies. We evaluate our system against one of the most critically vulnerable and widely exploited services in Android, i.e., the mediaserver. Results show that our approach can not only provide a meaningful explanation of the discriminant features of illegitimate activities, but can also be used to accurately detect malicious software exploitation at runtime.
U2 - 10.1049/iet-ifs.2017.0460
DO - 10.1049/iet-ifs.2017.0460
M3 - Article
JO - IET Information Security
JF - IET Information Security
ER -