Volume 18, Issue 4


MobSafe: Cloud Computing Based Forensic Analysis for Massive Mobile Applications Using Data Mining

Jianlin Xu, Yifan Yu, Zhen Chen, Bin Cao, Wenyu Dong, Yu Guo, Junwei Cao
Department of Computer Science and Technology and Tsinghua National Laboratory for Information Science and Technology (TNList), Tsinghua University, Beijing 100084, China
Department of Electronic Engineering and Tsinghua National Laboratory for Information Science and Technology (TNList), Tsinghua University, Beijing 100084, China
Research Institute of Information Technology and Tsinghua National Laboratory for Information Science and Technology (TNList), Tsinghua University, Beijing 100084, China
Department of Computer Science and Technology, Research Institute of Information Technology and Tsinghua National Laboratory for Information Science and Technology (TNList), Tsinghua University, Beijing 100084, China

Abstract

With the explosive increase in mobile apps, more and more threats are migrating from the traditional PC client to mobile devices. Just as the Win+Intel alliance dominated the PC, the Android+ARM alliance dominates the mobile Internet, and apps have replaced PC client software as the major target of malicious usage. In this paper, to improve the security status of current mobile apps, we propose a methodology for evaluating mobile apps based on a cloud computing platform and data mining. We also present a prototype system named MobSafe that identifies whether a mobile app is malicious or benign. Compared with traditional methods, such as the permission-pattern-based method, MobSafe combines dynamic and static analysis to evaluate an Android app comprehensively. In the implementation, we adopt the Android Security Evaluation Framework (ASEF) and the Static Android Analysis Framework (SAAF), two representative dynamic and static analysis methods, to evaluate Android apps and to estimate the total time needed to evaluate all the apps stored in one mobile app market. Based on a real trace from a commercial mobile app market called AppChina, we collect statistics on the number of active Android apps, the average number of apps installed on one Android device, and the expansion rate of mobile apps. As the mobile app market serves as the main line of defence against mobile malware, our evaluation results show that it is practical to use a cloud computing platform and data mining to routinely verify all stored apps and filter malware out of mobile app markets. As future work, MobSafe can make extensive use of machine learning to conduct automated forensic analysis of mobile apps based on the multifaceted data generated in this stage.

Keywords: big data, machine learning, cloud computing, data mining, Android platform, mobile malware detection, forensic analysis, Redis key-value store, Hadoop distributed file system


Publication history

Received: 19 July 2013
Accepted: 19 July 2013
Published: 05 August 2013
Issue date: August 2013

Copyright

© The author(s) 2013

Acknowledgements

The authors would like to thank Prof. Jun Li of NSLAB from RIIT for his guidance. This work was supported by the National Key Basic Research and Development (973) Program of China (Nos. 2012CB315801 and 2011CB302805) and the National Natural Science Foundation of China (Nos. 61161140320 and 61233016). This work was also supported by Intel Research Council with the title of Security Vulnerability Analysis based on Cloud Platform with Intel IA Architecture.
