Machine Learning-Based Mobile Threat Monitoring

Mobile device security must keep up with the increasing demands of mobile users. Smartphones are every day becoming connected to more devices and services, interacting with the growing Internet of Things. Every new service and connection creates a new pathway for intrusion and data theft, and each intrusion can yield further opportunities for breaches of corporate and enterprise infrastructure, at significant cost. In our study, we propose a mobile security platform that combines our developed security web server, analysis module, and Android OS application with the Google Cloud Messaging service for queued and targeted device messaging. In the cloud, the developed LAMP (Linux, Apache, MySQL, PHP) server sends, receives, and stores data from a connected device via the corresponding Android OS application. The data consists of system information for device identification and application data that is passed to the analysis module, where malicious content is extracted and identified. The analysis module, built on the Weka software, performs both static and dynamic analyses to detect Android malware, providing rapid and intuitive security with predictive capabilities. The server additionally provides device status visualization and manual security operations.

Mobile computing is now dispersed and ubiquitous throughout our society, providing new avenues for communication, productivity, and commerce. Mobile networks are available and free to access throughout public spaces, laptops have provided a platform for on-the-go business management, and smartphones and tablets extend our access to information to the moment we wake up in the morning. Yet, as we have seen with the adoption of each new piece of technology, end users are often at significant risk. Malicious intent combined with knowledge of the underlying technology provides the means for cyber attacks that compromise personal and business data. The need for dynamic defense systems that analyze and prevent malicious intrusion is therefore self-apparent.

To address the pertinent issue of security in mobile technology, in this paper we propose a security system to detect malicious activity on Android OS devices. The proposed system is designed to operate in a cloud environment, incurs low overhead on the Android device, and serves multiple smartphones simultaneously. The system centers on four primary components: the Android app, the security server, the Google Cloud Messaging (GCM) service, and the analysis module. The GCM service handles message delivery, relaying requests from the security server to the Android app. (Google Cloud Messaging has since been superseded by Firebase Cloud Messaging, so a current deployment would use FCM in the same role.) The mobile app transmits the requested data, which is collected from multiple devices and stored on the security server for preprocessing. In the analysis module, static and dynamic analysis run in parallel: static analysis gives a rapid inspection of attributes common to Android malware, such as the permissions an application requests, while dynamic analysis applies classification algorithms to system call data gathered during execution for a more extended examination. Once the analysis is complete, a report can be sent to the device, and a security administrator overseeing the system can view the status of the various devices in the web visualization to improve security awareness and act on security risks.

In this paper, we have implemented the security framework for dealing with mobile malware in the form of the security server, the GCM cloud messaging service, the Android mobile application, and the analysis module. The server, running a PHP web application, messages the mobile device through GCM. The smartphone then returns the requested information to the server, where it is stored in the database for processing by the analysis module and for visualization. Of the machine learning methods that were run (ZeroR, OneR, Naive Bayes, and J48), the best classifier achieved 100% accuracy with a false positive count of 0 on the permission data, and a detection rate of 94.59% with a false positive count of 4 on the system call data. This level of accuracy in correctly classifying malicious applications is promising for further tests and training. The more training data that can be collected, the clearer the understanding of the anatomy of this type of data for the testing scenarios. Additional data should continue to be collected in order to refine the analysis and the predictions that can be made on fresh, unclassified application data.
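The classification step that the analysis module delegates to Weka is worth seeing in the open, since the detection rate and false positive count quoted above only mean something once one knows how the feature vectors and the classifiers behave. The block below is an added example, not code from the paper or its authors: it re-implements three of the four named methods (ZeroR, OneR, and Bernoulli Naive Bayes; J48 is omitted) in plain Python over a constructed set of Android permission requests, then scores each with the same two figures the paper reports. The permission names, the samples, and the assumption that the static-analysis feature vector is one binary column per requested permission are all assumptions made for the example.

```python
"""Added example (not the paper's code): ZeroR, OneR and Bernoulli Naive Bayes
trained on constructed Android permission vectors and scored with the figures
the paper reports (accuracy, detection rate, false positive count)."""
import math
from collections import Counter

# Assumed feature space: one binary column per requested permission.
PERMISSIONS = ["INTERNET", "SEND_SMS", "READ_CONTACTS",
               "RECEIVE_BOOT_COMPLETED", "ACCESS_FINE_LOCATION"]
CLASSES = ["benign", "malicious"]


def vectorize(requested):
    """Map a set of requested permissions to a 0/1 vector over PERMISSIONS."""
    return [1 if p in requested else 0 for p in PERMISSIONS]


# Constructed, labelled samples for the example; NOT the paper's dataset.
TRAIN = [(vectorize(s), y) for s, y in [
    ({"INTERNET"}, "benign"),
    ({"INTERNET", "ACCESS_FINE_LOCATION"}, "benign"),
    ({"READ_CONTACTS"}, "benign"),
    ({"INTERNET", "READ_CONTACTS"}, "benign"),
    ({"ACCESS_FINE_LOCATION"}, "benign"),
    ({"ACCESS_FINE_LOCATION", "READ_CONTACTS"}, "benign"),
    ({"INTERNET", "SEND_SMS", "RECEIVE_BOOT_COMPLETED"}, "malicious"),
    ({"SEND_SMS", "READ_CONTACTS"}, "malicious"),
    ({"INTERNET", "SEND_SMS"}, "malicious"),
    ({"RECEIVE_BOOT_COMPLETED", "READ_CONTACTS", "SEND_SMS"}, "malicious"),
    ({"RECEIVE_BOOT_COMPLETED", "INTERNET"}, "malicious"),
]]
TEST = [(vectorize(s), y) for s, y in [
    ({"INTERNET", "ACCESS_FINE_LOCATION"}, "benign"),
    ({"READ_CONTACTS", "ACCESS_FINE_LOCATION"}, "benign"),
    ({"INTERNET", "SEND_SMS"}, "malicious"),
    ({"RECEIVE_BOOT_COMPLETED", "INTERNET"}, "malicious"),   # no SMS permission
    ({"SEND_SMS", "READ_CONTACTS"}, "malicious"),
    ({"INTERNET", "READ_CONTACTS"}, "benign"),
    ({"INTERNET", "RECEIVE_BOOT_COMPLETED", "READ_CONTACTS"}, "benign"),
]]


def majority(labels):
    """Most frequent label; ties resolved by CLASSES order."""
    counts = Counter(labels)
    return max(CLASSES, key=lambda c: counts[c])


def zero_r(train):
    """ZeroR: always predict the majority training class (the baseline)."""
    base = majority([y for _, y in train])
    return lambda x: base


def one_r(train):
    """OneR: keep the single permission whose value->class rule errs least."""
    best = None
    for i, name in enumerate(PERMISSIONS):
        rule = {v: majority([y for x, y in train if x[i] == v]) for v in (0, 1)}
        errors = sum(1 for x, y in train if rule[x[i]] != y)
        if best is None or errors < best[0]:
            best = (errors, i, rule, name)
    errors, i, rule, name = best

    def classify(x):
        return rule[x[i]]
    classify.feature, classify.train_errors = name, errors
    return classify


def naive_bayes(train):
    """Bernoulli Naive Bayes with add-one smoothing, scored in log space."""
    n = {c: sum(1 for _, y in train if y == c) for c in CLASSES}
    # P(permission present | class); smoothing keeps unseen permissions non-zero
    p = {c: [(sum(x[i] for x, y in train if y == c) + 1) / (n[c] + 2)
             for i in range(len(PERMISSIONS))] for c in CLASSES}

    def classify(x):
        scores = {}
        for c in CLASSES:
            s = math.log(n[c] / len(train))
            for i, xi in enumerate(x):
                s += math.log(p[c][i] if xi else 1 - p[c][i])
            scores[c] = s
        return max(CLASSES, key=scores.get)
    return classify


def evaluate(classify, test):
    """Weka-style figures: accuracy, detection rate (malicious recall), FP count."""
    tp = fp = fn = tn = 0
    for x, y in test:
        flagged = classify(x) == "malicious"
        if y == "malicious":
            tp, fn = tp + flagged, fn + (not flagged)
        else:
            fp, tn = fp + flagged, tn + (not flagged)
    return {"accuracy": (tp + tn) / len(test),
            "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
            "false_positives": fp}


def run_all():
    """Train and score every classifier on the constructed split."""
    return {name: evaluate(build(TRAIN), TEST)
            for name, build in [("ZeroR", zero_r), ("OneR", one_r),
                                ("NaiveBayes", naive_bayes)]}


if __name__ == "__main__":
    for name, m in run_all().items():
        print(f"{name:10s} accuracy={m['accuracy']:.2f} "
              f"detection={m['detection_rate']:.2f} FP={m['false_positives']}")
```

On this constructed split OneR settles on SEND_SMS as its single rule and never raises a false positive, but it misses the malicious sample that autostarts without requesting SMS; Naive Bayes catches that one and instead flags a benign app that combines INTERNET, RECEIVE_BOOT_COMPLETED and READ_CONTACTS. That is the trade-off behind the paper's two figures: reporting detection rate and false positive count together, rather than accuracy alone, is what makes a classifier comparison on malware data meaningful.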