11-04-2013, 04:22 PM
Monitoring and Detecting Abnormal Behavior in Mobile Cloud Infrastructure
Abstract
Recently, several mobile services are changing to
cloud-based mobile services with richer communications and
higher flexibility. We present a new mobile cloud infrastructure
that combines mobile devices and cloud services. This new
infrastructure provides virtual mobile instances through cloud
computing. To commercialize new services with this
infrastructure, service providers should be aware of security
issues. In this paper, we first define new mobile cloud services
through mobile cloud infrastructure and discuss possible security
threats through the use of several service scenarios. Then, we
propose a methodology and architecture for detecting abnormal
behavior through the monitoring of both host and network data.
To validate our methodology, we injected malicious programs
into our mobile cloud test bed and used a machine learning
algorithm to detect the abnormal behavior that arose from these
programs.
INTRODUCTION
In line with the numerous electronics manufacturers
producing new mobile devices such as smart phones and smart
tablets, various mobile services are being provided as
applications for these devices. According to [1], there are more
than 200,000 Android and 300,000 iPhone applications
available as of March 2011 and these numbers are increasing
rapidly. One recent trend for mobile services is their change to
cloud-based mobile services. Cloud-based mobile services
benefit users through richer communications and higher flexibility.
Richer communications means advanced techniques supporting
features such as enhanced phonebooks, messaging with push
notification, and enriched calls with multimedia content sharing.
Massive computational processing is performed through cloud
computing infrastructure instead of low-speed mobile devices.
The data stored in cloud infrastructure can be accessed at any
time and from anywhere through mobile devices. As a result,
richer communications and higher flexibility can be provided
to mobile device users through cloud computing.
RELATED WORK
A. Monitoring Abnormal Behavior in Mobile Devices
Some previous studies have focused on the detection of
malware by monitoring behavior in mobile devices. Shabtai et
al. [6] implemented a behavioral framework to detect malware
for Android mobile devices. They extracted the features of
CPU, memory, and network usages, monitored these using
their mobile application, and then detected malware using
several machine learning algorithms. Damopoulos et al. [7]
focused on malware that is related to spamming, but their
method cannot detect more general malware. They defined the
behavior of mobile devices as web browsing, SMS, and phone calls,
and were able to detect abnormal behavior using machine
learning algorithms available in Weka [15] with high accuracy.
There are other studies that also focus on abnormal
behavior in mobile devices, but those studies defined the
behavior of mobile devices differently. Enck et al. [8] related
abnormal behavior of mobile devices to private information on
mobile devices. Their framework monitors private data by
observing event lists on Android devices, and it detected that
several mobile applications can misuse users’ private
information. Burguera et al. [9] correlated behavior with the
count of each system call, and focused on some
important system calls that are related to normal applications
and malware such as access(), chmod(), and chown(). However,
their framework requires root permission in Android devices in
order to monitor the number of system calls in mobile devices.
B. Abnormal Behavior in Cloud Computing Infrastructure
Several research groups have targeted intrusion detection
for cloud computing infrastructure. Roschke et al. [19]
discussed the requirements and proposed an architecture that can
detect malicious behaviors in cloud infrastructure. They
identified Intrusion Detection System (IDS) management
issues in the cloud considering both Host IDS (HIDS) and
Network IDS (NIDS). However, their study does not focus on
how those malicious behaviors are defined and detected in
cloud infrastructure. Vieira et al. [20] proposed an architecture for
grid and cloud computing intrusion detection. In their
architecture, they performed behavior analysis with the
collaboration of each node, and also used knowledge-based
analysis. However, their architecture does not reflect
virtualization of each node when virtual instances are provided
to users through cloud computing infrastructure. Moreover,
their analysis is performed in service nodes, which can
affect the performance of cloud computing.
MOBILE CLOUD SERVICE AND SCENARIOS
This section defines a new mobile cloud service through the
virtualization of mobile devices in cloud infrastructure. We
describe two main service scenarios to explain how this mobile
cloud service can be used. Service scenarios are useful for
discussing security threats to mobile cloud infrastructure, because
they include users, places, mobile devices, network types,
and the content users are interested in.
METHODOLOGY AND ARCHITECTURE FOR ABNORMAL BEHAVIOR DETECTION
A. Our Abnormal Behavior Detection Methodology
Behavior means the actions of not only each virtual mobile
instance in mobile cloud infrastructure itself but also mobile
applications running on virtual mobile instances. For example, a
mobile application should use some virtual resources such as
CPU or memory when it executes an action in the mobile cloud
infrastructure. The application generates some network traffic
data if it needs network connectivity that is internal or external
to the mobile cloud infrastructure. These kinds of actions
change the value of some features of virtual resources in the
mobile cloud infrastructure. Thus, we assume that each mobile
application and each user has a unique behavioral pattern. In
this paper, we propose a monitoring and detecting
methodology for abnormal behavior of virtual mobile instances
and applications. If abnormal behavior is detected in one
virtual mobile instance, it means that something is wrong or
changed in this virtual mobile instance. At such a point a
detection alarm would notify the mobile cloud infrastructure
or the actual user of this virtual mobile instance.
CONCLUSION AND FUTURE WORK
In this paper, we presented a new mobile cloud service with
the virtualization of mobile devices and discussed some
possible scenarios for individual users and office workers. To
address security issues in mobile cloud infrastructure, we
proposed an abnormal behavior monitoring methodology and
architecture to detect malware. These were then tested by
deploying our mobile cloud test bed. Host and network data are
used together to detect abnormal behavior.
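
The methodology section above assumes each virtual mobile instance has its own behavioral pattern and raises an alarm when host or network features deviate from it. The sketch below is an added example, not code from the paper: the excerpt does not name its machine learning algorithm, so a simple per-instance robust baseline (median and MAD) stands in for it, and the feature names, floor values, and sample intervals are constructed assumptions.

```python
from statistics import median

HOST = ("cpu_pct", "mem_mb")            # host-side features (assumed names)
NETWORK = ("bytes_out", "dst_count")    # network-side features (assumed names)
FEATURES = HOST + NETWORK

def fit_profile(samples):
    """Learn one instance's baseline: (median, scale) for each feature."""
    profile = {}
    for i, name in enumerate(FEATURES):
        col = [s[i] for s in samples]
        med = median(col)
        mad = median(abs(v - med) for v in col)
        # 1.4826 * MAD approximates a standard deviation for normal data.
        # The floors (assumed values) stop a near-constant feature from
        # alarming on tiny changes or dividing by zero.
        profile[name] = (med, max(1.4826 * mad, 0.1 * abs(med), 1.0))
    return profile

def detect(profile, sample, threshold=3.5):
    """Score one monitoring interval; report deviating host/network features."""
    deviating = {}
    for i, name in enumerate(FEATURES):
        med, scale = profile[name]
        z = abs(sample[i] - med) / scale
        if z > threshold:
            deviating[name] = round(z, 1)
    return {
        "alarm": bool(deviating),
        "host": sorted(n for n in deviating if n in HOST),
        "network": sorted(n for n in deviating if n in NETWORK),
        "scores": deviating,
    }

# Constructed training intervals for one virtual mobile instance (not real data):
# (cpu_pct, mem_mb, bytes_out, dst_count)
BASELINE_VMI_01 = [
    (12.0, 210.0, 4200.0, 3.0),
    (15.0, 214.0, 3900.0, 3.0),
    (11.0, 209.0, 4500.0, 4.0),
    (14.0, 212.0, 4100.0, 3.0),
    (13.0, 211.0, 4300.0, 3.0),
]
PROFILE = fit_profile(BASELINE_VMI_01)

NORMAL = (13.5, 212.0, 4250.0, 3.0)
# Constructed abnormal interval: CPU rise plus a large outbound traffic fan-out.
ABNORMAL = (31.0, 213.0, 96000.0, 41.0)
# Constructed interval that only the network-side features reveal.
NETWORK_ONLY = (13.0, 211.0, 96000.0, 3.0)
```

`detect(PROFILE, NETWORK_ONLY)` alarms with an empty host list, which is the case for monitoring host and network data together: host metrics alone would have missed it.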