05-09-2014, 03:32 PM
Monitoring and Detecting Abnormal Behavior in Mobile
Cloud Infrastructure
Abstract
Recently, several mobile services are changing to
cloud-based mobile services with richer communications and
higher flexibility. We present a new mobile cloud infrastructure
that combines mobile devices and cloud services. This new
infrastructure provides virtual mobile instances through cloud
computing. To commercialize new services with this
infrastructure, service providers should be aware of security
issues. In this paper, we first define new mobile cloud services
through mobile cloud infrastructure and discuss possible security
threats through the use of several service scenarios. Then, we
propose a methodology and architecture for detecting abnormal
behavior through the monitoring of both host and network data.
To validate our methodology, we injected malicious programs
into our mobile cloud test bed and used a machine learning
algorithm to detect the abnormal behavior that arose from these
programs.
INTRODUCTION
In line with the numerous electronics manufacturers
producing new mobile devices such as smart phones and smart
tablets, various mobile services are being provided as
applications for these devices. According to [1], there are more
than 200,000 Android and 300,000 iPhone applications
available as of March 2011 and these numbers are increasing
rapidly. One recent trend for mobile services is their change to
cloud-based mobile services. Cloud-based mobile services
benefit users through richer communications and higher flexibility.
Richer communications mean advanced features
such as enhanced phonebooks, messaging with push
notification, and enriched calls with multimedia content sharing.
Massive computational processing is performed through cloud
computing infrastructure instead of low-speed mobile devices.
The data stored in cloud infrastructure can be accessed at any
time and from anywhere through mobile devices. As a result,
richer communications and higher flexibility can be provided
to mobile device users through cloud computing.
Monitoring Abnormal Behavior in Mobile Devices
Some previous studies have focused on the detection of
malware by monitoring behavior in mobile devices. Shabtai et
al. [6] implemented a behavioral framework to detect malware
for Android mobile devices. They extracted the features of
CPU, memory, and network usages, monitored these using
their mobile application, and then detected malware using
several machine learning algorithms. Damopoulos et al. [7]
focused on malware that is related to spamming, but their
method cannot detect more general malware. They defined the
behavior of mobile devices as web browsing, SMS, and phone calls,
and were able to detect abnormal behavior with high accuracy using
machine learning algorithms available in Weka [15].
There are other studies that also focus on abnormal
behavior in mobile devices, but those studies defined the
behavior of mobile devices differently. Enck et al. [8] related
abnormal behavior of mobile devices to privacy information on
mobile devices. Their framework monitors privacy data by
observing event lists in Android devices, and it detected that
several mobile applications can misuse users’ private
information. Burguera et al. [9] correlated behavior with the
count of each system call, and focused on some
important system calls that are related to normal applications
and malware, such as access(), chmod(), and chown(). However,
their framework requires root permission in Android devices in
order to monitor the number of system calls in mobile devices.
Network traffic data is mirrored to the VM for NetMon.
Then, the flow generator in the VM for NetMon generates
flows using the Tshark tool every minute. The feature extractor
also extracts network behavior information every minute from
the flows that are generated just one minute before. This
network behavior information is then sent to the analyzer, also
every minute. Fig. 5 shows an example of TCP and UDP flow
traffic analysis using Tshark. Tshark is a terminal version of
the Wireshark [18] tool. In Tshark, network traffic is displayed
by host and counted for incoming, outgoing, and total frames
and bytes.
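The per-minute feature extraction described above can be sketched as follows. This is an added example, not code from the paper: the sample text is constructed in the plain-integer column layout of `tshark -q -z conv,tcp`, and the feature names, the `monitored` set of VM addresses, and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of one interval of `tshark -q -z conv,tcp` output.
# Assumed layout: plain integer columns (some tshark versions print byte units).
SAMPLE = """\
================================================================================
TCP Conversations
Filter:<No Filter>
                                   |       <-      | |       ->      | |     Total     |
                                   | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |
10.0.0.5:40112   <-> 192.0.2.10:80       12   9000       8    700      20   9700
10.0.0.5:40113   <-> 192.0.2.10:80        3    400       3    300       6    700
10.0.0.5:40200   <-> 198.51.100.7:25      1     60      40  52000      41  52060
10.0.0.6:51000   <-> 192.0.2.10:443       5   2000       4    500       9   2500
================================================================================
"""
ROW = re.compile(r"^(\S+):(\d+)\s+<->\s+(\S+):(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")
KEYS = ("frames_in", "bytes_in", "frames_out", "bytes_out")

def parse_conversations(text):
    """Yield (a, a_port, b, b_port, (frames, bytes) B->A, (frames, bytes) A->B)."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, filter and separator lines do not match
            n = [int(x) for x in m.group(2, 4, 5, 6, 7, 8)]
            yield m.group(1), n[0], m.group(3), n[1], (n[2], n[3]), (n[4], n[5])

def extract_features(text, monitored):
    """Aggregate one interval of flows into a feature row per monitored host."""
    acc = defaultdict(lambda: {"flows": 0, **dict.fromkeys(KEYS, 0),
                               "peers": set(), "ports": set()})
    for a, ap, b, bp, ba, ab in parse_conversations(text):
        # View each flow from both endpoints; "<-" is inbound for A, "->" for B.
        for host, peer, port, counts in ((a, b, bp, ba + ab), (b, a, ap, ab + ba)):
            if host in monitored:
                h = acc[host]
                h["flows"] += 1
                for k, v in zip(KEYS, counts):
                    h[k] += v
                h["peers"].add(peer)
                h["ports"].add(port)
    return {host: {"flows": h["flows"], **{k: h[k] for k in KEYS},
                   "distinct_peers": len(h["peers"]),
                   "distinct_peer_ports": len(h["ports"]),
                   "out_in_byte_ratio": round(h["bytes_out"] / max(h["bytes_in"], 1), 2)}
            for host, h in acc.items()}

if __name__ == "__main__":
    for host, row in extract_features(SAMPLE, {"10.0.0.5", "10.0.0.6"}).items():
        print(host, row)
```

Each returned row is the kind of per-interval vector that would be passed to the analyzer; hosts outside `monitored` are ignored even when they appear as peers.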
CONCLUSION AND FUTURE WORK
In this paper, we presented a new mobile cloud service with
the virtualization of mobile devices and discussed some
possible scenarios for individual users and office workers. To
address security issues in mobile cloud infrastructure, we
proposed an abnormal behavior monitoring methodology and
architecture to detect malware. These were then tested by
deploying our mobile cloud test bed. Host and network data are
used together to detect abnormal behavior. Our abnormal
behavior detection using the RF machine learning algorithm
shows that our proposed methodology and architecture
successfully detect abnormal behavior.
For future work, we will investigate the service
feasibility of this new mobile cloud service. In addition to the
monitoring of mobile cloud infrastructure focusing on security
issues, other monitoring metrics should be considered for the
provisioning and configuration of services, and for the
charging of users. We will also measure the performance of our
proposed monitoring architecture. To deal with the security aspects
of this service, we will gather various additional types of
sample malware for training in order to improve the accuracy
of the various machine learning algorithms. Further, we will
consider other monitoring features to improve the accuracy of
detecting abnormal behavior. However, there is an overhead issue,
such as time complexity and battery consumption, if we gather
many features. So we should also consider this aspect together