Knowledge-based Temporal Abstraction Host-based Intrusion Detection System for Android (KB-IDS)

KB-IDS. Academic Advisor: Dr. Yuval Elovici. Technical Advisor: Asaf Shabtai. Team Members: Eliya Rahamim, Elad Ankry, Uri Kanonov


Page 1

Knowledge-based Temporal Abstraction Host-based Intrusion Detection System for Android

KB-IDS

Page 2

Academic Advisor: Dr. Yuval Elovici

Technical Advisor: Asaf Shabtai

Team Members: Eliya Rahamim, Elad Ankry, Uri Kanonov

Page 3

Background

An IDS is used to detect malicious behaviors that indicate a breach in the security of a computer system.

The Knowledge-based Temporal Abstraction (KBTA) method is a computational mechanism that extracts meaningful conclusions from raw time-stamped data combined with domain knowledge.

Android is an operating system for mobile devices, based on the Linux kernel and developed by Google. It allows development of applications in Java, controlling the phone via Google-developed Java libraries.

Page 4

Problem Domain

In the modern age, smartphones, as well as the threats they are susceptible to, are a growing trend.

This strengthens the need for sophisticated defense mechanisms to protect them.

Page 5

Current Situation

Mobile devices lack the computational strength needed to support PC-like security solutions.

Android, being an open-source and open platform, introduces new potential risks and types of attacks.

Android has some inherent security mechanisms, but they cannot cope with all possible threats.

Due to application sandboxing, conventional methods such as antivirus are futile. There is a need for a different solution…

Page 6

Proposed Solution - HIDS

Page 7

Knowledge-based Temporal Abstraction

Developed by Prof. Yuval Shahar, 1997

Knowledge (KBTA security ontology)

Four inference mechanisms:
- Temporal Context Forming
- Contemporaneous Abstraction
- Temporal Interpolation
- Temporal Pattern Matching

Higher-level meaningful temporal information:
- Contexts
- Abstractions
- Temporal Patterns

Time-stamped raw data:
- Primitive Parameters
- Events

Page 8

KBTA – cont.

[Diagram: KBTA worked example on a timeline T0, T1, T2, T3]
- Events: Wi-Fi Connection (at T0)
- Contexts: Internet Connection Mode Context
- Primitives: TCP Packets Sent, with levels Low / Medium / High
- Abstractions: TCP Packets Sent State = HIGH, over intervals I1 and I2
- Patterns: Worm Pattern
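As an added illustration (not code from the KB-IDS project), the four KBTA inference steps from the two slides above applied to a constructed sample: a Wi-Fi connection event opens an Internet Connection Mode context, per-window TCP packets-sent counts are abstracted to LOW/MEDIUM/HIGH, same-state windows are interpolated across a short gap, and a HIGH state that persists long enough inside the context matches the Worm Pattern. The thresholds, context length, gap size and minimum duration are assumed values; the project's real ontology is not on the page.

```python
from collections import namedtuple
Interval = namedtuple("Interval", "start end value")

# Constructed sample input (not data from the project): one Wi-Fi connection
# event and the count of TCP packets sent in each monitoring window.
EVENTS = [(0, "wifi_connected")]
TCP_PACKETS_SENT = [(1, 120), (2, 950), (3, 1100), (4, 180), (5, 1020), (6, 1300)]

# Knowledge: a tiny stand-in for the KBTA security ontology (all values assumed).
CONTEXT_OF_EVENT = {"wifi_connected": "internet_connection_mode"}
CONTEXT_LENGTH = 10                      # windows a context stays open
STATE_THRESHOLDS = ((800, "HIGH"), (300, "MEDIUM"), (0, "LOW"))
INTERPOLATION_GAP = 1                    # deviating windows a state may bridge
WORM_PATTERN = ("internet_connection_mode", "HIGH", 4)  # context, state, min windows

def form_contexts(events):
    """Temporal context forming: a known event opens a context interval."""
    return [Interval(t, t + CONTEXT_LENGTH, CONTEXT_OF_EVENT[e])
            for t, e in events if e in CONTEXT_OF_EVENT]

def abstract_states(samples):
    """Contemporaneous abstraction: map each raw value to a qualitative state."""
    return [Interval(t, t, next(name for limit, name in STATE_THRESHOLDS if v >= limit))
            for t, v in samples]

def interpolate(abstractions, state):
    """Temporal interpolation: join same-state windows separated by a small gap."""
    merged = []
    for iv in (i for i in abstractions if i.value == state):
        if merged and iv.start - merged[-1].end - 1 <= INTERPOLATION_GAP:
            merged[-1] = Interval(merged[-1].start, iv.end, state)
        else:
            merged.append(iv)
    return merged

def match_pattern(contexts, abstractions, pattern):
    """Temporal pattern matching: the state must persist min_windows inside its context."""
    ctx_name, state, min_windows = pattern
    hits = []
    for ctx in (c for c in contexts if c.value == ctx_name):
        for iv in interpolate(abstractions, state):
            start, end = max(iv.start, ctx.start), min(iv.end, ctx.end)
            if end - start + 1 >= min_windows:
                hits.append(Interval(start, end, "worm_pattern"))
    return hits

def run_kbta(events, samples):
    """Raw time-stamped data + knowledge -> matched temporal patterns (the alerts)."""
    return match_pattern(form_contexts(events), abstract_states(samples), WORM_PATTERN)
```

Note that the single LOW window at t=4 does not break the HIGH interval, which is what lets the pattern span t=2..6 rather than two short intervals that would each fall below the minimum duration.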

Page 9

Func. Requirements - Agent

Registration/Login: Ability to register with the Control Center. Ability to log in to the Control Center and receive the configuration for the various installed components.

Monitor: Every predefined time window, the agent samples state parameters and counts the number of system/user events that occurred in the time window.

Send monitored data: The agent will send the monitored data to the analysis servers and the Control Center at the end of each predefined time window.

Receive alerts: Ability to receive alerts, along with any associated data, from the Threat Weighting Unit.

Page 10

Func. Requirements – Analysis Servers

Receive and analyze monitored data: Ability to receive and analyze the data received from the agent and output a conclusion regarding the existence of a threat.

Send analysis result: Ability to send the analysis result to the Threat Weighting Unit.

Page 11

Func. Requirements – KBTA Server

KBTA processing: Ability to incrementally process the received data according to the KBTA method, supporting the following elements:
- Primitive
- Event
- Context
- State
- Trend
- Pattern

Configure monitored patterns: Ability to set which patterns will be computed and monitored for threat presence.

Page 12

Func. Requirements – Threat Weighting Unit

Weight threat assessments: Ability to receive threat assessments (along with any associated data) from multiple local analysis servers and weight them, outputting a single assessment.

Alert: Ability to dispatch an alert (along with any associated data) to both the agent and the Control Center in case of threat detection.

Page 13

Non-Func. Requirements

Gathering a feature batch (maximum 40) by the agent should take less than 10 seconds.

CPU usage by the HIDS should be under 10%.

The HIDS should take at most 10MB on the data partition of the device.

The HIDS will be developed in Java using the Android SDK.

For demo and testing purposes, a real device will be supplied by DT Labs.

Page 14

Page 15

Collect Features, Analyze Data and Weight Assessments

Primary actors: Android

Description: After a time trigger, the agent collects the monitored feature values and sends them to all of the local analysis servers. Each of the servers analyzes the data and outputs a threat assessment. The assessments are weighted by the TWU and, if a threat is found, an alert along with any associated data is dispatched to the agent and the Control Center.

Trigger: A time trigger from Android

Pre-conditions: The agent is installed on the device and is running

Post-conditions: If a threat is found, an alert along with any associated data has been dispatched

Page 16

Page 17

Page 18

Risks

Risk: The HIDS consumes too much CPU.
Solution: Reducing the quantity of the features collected by the agent and/or decreasing the collection rate.

Risk: The HIDS consumes too much memory.
Solution: Reducing the time frame for keeping raw data in the KBTA's memory.

Risk: The HIDS consumes too much bandwidth.
Solution: Lessening the amount of data transmitted to and from the Control Center.

Page 19

The End

And so Android lived happily ever after…