
ISSN: 2277 9043

International Journal of Advanced Research in Computer Science and Electronics Engineering (IJARCSEE) Volume 2, Issue 11, November 2013

Defending Mobile Phones from Proximity Malware Based on Clustering Approach


Nadia Al-Rousan, Hazem Al-Najjar
Abstract: In this paper, a new approach to protect mobile phones from proximity attacks in a small environment (a university campus) is proposed. The environment is divided into clusters, and each cluster contains one access point that collects information from the phones. To apply the proposed system, each phone in the environment must hold two tables: a signature table and a blacklist table. The signature table stores the signatures of known malware, and the blacklist table stores the IDs of attacker phones in the environment. Both tables are updated from the access point after trust has been established between the two sides within the same cluster. To evaluate and validate the proposed approach, an evaluation program written in Microsoft C#.NET is used. The evaluation tests show that the proposed approach can stop an attacker from propagating malware through the mobile phone network and can stop the signature pool problem.

Index Terms: Malware, proximity attacks, blacklist table, signature table.

I. INTRODUCTION

Malware is short for malicious software: software designed to damage, or to perform unwanted actions on, a computer or any computerized device such as a phone, video game console or tablet [1]. It infiltrates devices without the user's consent and threatens the device and the user's safety; viruses, spyware, worms and trojans are examples. The spread of mobile phone malware in the last few years has obliged researchers and phone manufacturers to focus on these attacks. Malware spreads mainly in two ways: proximity spreading and remote spreading. In proximity spreading, the attacker uses a nearby communication medium such as Bluetooth, infrared or a wireless connection between two devices; in remote spreading, the attacker uses a medium such as SMS or e-mail. Many new malware families increasingly target mobile phones; for example, over 200 malware variants discovered by early 2007 were used to attack mobile phone networks [2]. In mobile networks, malware may propagate through channels such as Bluetooth, infrared and messaging. This propagation must be controlled to protect the other phones in the network, so some researchers approach the problem by restricting it to a small environment such as a university campus.

Zyba et al. [2] proposed three approaches: local detection, proximity signature dissemination, and broadcast signature dissemination. The authors used a signature table to block propagation and to stop attackers and infected devices from infecting other phones in the network. Polla et al. [3] summarized the state of the art on threats, vulnerabilities and security solutions over the period 2004-2011, focusing on high-level attacks, whereas others focused on other types of malware that belong to the proximity malware category, such as Commwarrior, Cabir, and Lasco [4]. Barbera et al. [5] proposed a mechanism that can be computed quickly by a P2P network of clones and that outperforms the state of the art on worm containment for mobile cellular networks; it stops worms on the mobile network of smartphones and stops a worm spreading on the P2P network by introducing simple mechanisms. Chiang and Tsaur [6] proposed an ontology-based behavioral analysis for mobile malware, to help end users use their mobile phones securely, and developed it into a detection method for smartphone malware. Al-Duwairi et al. [7] proposed a white list to differentiate legitimate traffic from attack traffic on the Internet. Moreover, if an attacker owns a pool of signatures that is sufficient to infect every phone in the small environment, the attacker can infect all the phones without being detected. The previous approaches [1, 2] do not address the malware signature pool and focus only on detecting and avoiding the propagation of a malware signature in the environment, without considering privacy between the phones.

Defending against malware is a very complex task, so in this paper a new approach to building an efficient defending system is proposed. To apply the proposed approach in a real environment, each phone must contain two tables: a signature table and a blacklist table. To protect privacy between the phones, each phone is updated from a centralized point rather than from other phones. Our contributions in this paper are as follows:
1. Minimize violations of the phones' privacy.
2. Stop repeated attacks from the same phone (the malware pool).
The rest of this paper is organized as follows. In Section II, the assumptions and challenges are explained. In Section III, the clustering anti-malware approach is discussed and analyzed. In Section IV, the discussion and limitations are presented.

Manuscript received Oct 24, 2013. Nadia Al-Rousan, Department of Computer Science and Information, Taibah University/Badr College, Madina, Kingdom of Saudi Arabia. Hazem Al-Najjar, Department of Computer Science and Information, Taibah University/Badr College, Madina, Kingdom of Saudi Arabia.

All Rights Reserved 2013 IJARCSEE



System evaluation and analysis are shown in Section V. Finally, our conclusions are drawn in Section VI.

II. ASSUMPTION AND CHALLENGE

The main challenges in building the proposed approach, and the assumptions that limit its scope, are discussed in this section. The challenges are as follows:

Challenge 1: How to protect privacy between the phones. To achieve high protection, we do not want to allow the phones to exchange data with each other.

Challenge 2: If the malware signature changes frequently and the attacker has a pool of signatures that is enough to infect every device in the network, how can the system detect this attacker and prevent him from infecting more devices?

For the first challenge, if a phone catches an attacker in the network, how can the phone contact the neighboring phones to inform them about this attacker? This is done using the clusters in the network: each cluster sends this information to its members. For the second challenge, the attacker is blocked in the network by taking the attacker's phone ID and propagating it.

The proposed approach is limited and can be applied in a real environment under the following assumptions:
1. Environment: the environment of the system is limited to a small area or region such as a university campus.
2. Attacks: the proposed approach handles only attacks that come through the Bluetooth communication channel, not through SMS or other channels. The approach could be extended to other channels by checking the signature of an SMS against the signature table, but this is outside the scope of our work.
3. Attacker detection: the phone receives information through Bluetooth or infrared. If the receiving phone detects a malware signature transmitted from phone x, it notifies the system about phone x and the signature of the malware, so that the signature table of the system is updated.

III. CLUSTERING ANTI-MALWARE APPROACH

The proposed approach is divided into two parts: defender and tracker. In the defender part, the system blocks attacks injected from the attacker's phone by blocking that phone and by updating the tables in each phone. In the tracker part, the system tracks the attacker within the environment. Before discussing the proposed approach, the basic components of the system are described, followed by the main part of the approach.

A. Basic Components

The system environment contains three main components: the access point, the legitimate phone and the attacker phone.
1. Access Point (AP): the environment is divided into clusters, and each cluster contains one AP. Each AP holds two tables, a blacklist table and a signature table, which store attacker IDs and malware signatures, respectively. The tables of all APs in the environment are kept consistent by exchanging updates between APs. In addition, each AP updates the tables of the phones in its cluster, so the phones are fully updated and an attacker in cluster A cannot infect phones in cluster B.
2. Legitimate phone: any client in the system that is connected to the AP. A legitimate phone contains two tables, a blacklist table and a signature table. Information sent to a legitimate phone is checked by two filters: the first checks the blacklist table and the second checks the signature table, as shown in Figure 1. The phones' tables are updated by the AP of each cluster, which sends the update to the phones.
3. Attacker phone: a phone that has a pool of signatures to infect every phone in the network and/or tries to connect to the APs to send fake information to them.

Figure 1: Legitimate phone internal mechanism

B. Anti-malware Approach

a) Anti-malware Requirements

The proposed approach rests on three main requirements to protect the phones in the network: the access point, the blacklist table and the signature table. Each phone in the cluster can contact the AP directly, and the AP periodically sends updated tables containing the signatures and attacker IDs to the phone, after applying the authentication token of [8]. When a new phone appears, the system can register it either automatically or manually by the administrator. In both cases, the AP monitors the behavior of the connected phones to determine whether they are infected. If the transmission to the AP is normal, no action is taken; if it is not normal, the AP blocks the connection and informs the other APs about this attacker. This decision depends on the threshold values and the connection rules of the AP.



C. Attacker Tracking

The system can track an attacker in the environment using the information in the blacklist tables of the APs. This is done by extracting the attacker's phone ID records from an AP and sorting them by detection time, which gives the administrator a good picture of the attacker's behavior. For example, assume a topology with seven mobile phones, four APs, two attackers and one round (as used in the simulation); after one round, the blacklist table is as shown in Table 1. Extracting the information from the blacklist table of any AP (since all blacklist tables are consistent with each other), the track of attacker 3 is 4, 1, 2, 1.

Table 1: Blacklist table for cluster one

Phone ID   Cluster No.   Detected Time   Exist
3          4, 1, 2, 1    6, 29, 30, 31   0, 1, 0, 1
5          3, 2          6, 30           0, 0
4          3, 4          14, 31          0, 0
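The blacklist table, the sorting step that yields the track 4, 1, 2, 1 for attacker 3, and the two-filter check of Figure 1 on the phone side, as an added Python example (not code from the paper; the Detection dataclass, the class and function names, and the sample rows built from Table 1 are this example's own):

```python
"""Blacklist table and attacker tracking of Section III.C, with the two-filter check of
Figure 1 on the phone side (added example, not code from the paper). Rows are the
four columns of the AP's blacklist table; the sample data is constructed from Table 1."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Detection:
    phone_id: int        # attacker phone ID reported by a victim phone
    cluster: int         # cluster (AP) in which the attack was detected
    detected_time: int   # simulation time unit of the detection
    exist: bool          # 1 if the attacker was still inside this cluster, else 0


class BlacklistTable:
    """Blacklist of one AP; every AP holds a consistent copy (the paper's assumption)."""

    def __init__(self) -> None:
        self._rows: Dict[int, List[Detection]] = defaultdict(list)

    def add_or_update(self, d: Detection) -> None:
        # Blacklist.Add(ID) on first sight, Blacklist.Update(ID) afterwards: both keep
        # the history per ID, which is what makes tracking possible.
        self._rows[d.phone_id].append(d)

    def is_blacklisted(self, phone_id: int) -> bool:
        return phone_id in self._rows

    def track(self, phone_id: int) -> List[int]:
        """Clusters visited by an attacker, ordered by detection time (the paper's 4,1,2,1)."""
        rows = sorted(self._rows.get(phone_id, []), key=lambda r: r.detected_time)
        return [r.cluster for r in rows]

    def current_cluster(self, phone_id: int) -> Optional[int]:
        """Most recent cluster whose exist flag is set; None if the attacker has left."""
        rows = sorted(self._rows.get(phone_id, []), key=lambda r: r.detected_time)
        present = [r.cluster for r in rows if r.exist]
        return present[-1] if present else None


def legitimate_phone_filter(blacklist: BlacklistTable, signatures: Set[str],
                            sender_id: int, msg_signature: str) -> str:
    """Figure 1: filter 1 checks the sender ID, filter 2 checks the message signature.
    Either rejection is what the phone would report to its AP."""
    if blacklist.is_blacklisted(sender_id):
        return "reject: sender ID in blacklist"
    if msg_signature in signatures:
        return "reject: malware signature in signature table"
    return "accept"


def table_one() -> BlacklistTable:
    """Constructed sample mirroring Table 1 (blacklist table for cluster one)."""
    t = BlacklistTable()
    sample = [  # (phone ID, clusters, detected times, exist flags)
        (3, [4, 1, 2, 1], [6, 29, 30, 31], [0, 1, 0, 1]),
        (5, [3, 2], [6, 30], [0, 0]),
        (4, [3, 4], [14, 31], [0, 0]),
    ]
    for pid, clusters, times, flags in sample:
        for c, ts, e in zip(clusters, times, flags):
            t.add_or_update(Detection(pid, c, ts, bool(e)))
    return t
```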

Figure.2: Proposed approach overview

The proposed approach overview is shown in Figure 2, in which all the phones can contact and update the AP of their cluster. If any phone is infected by the attacker, the infected phone informs the AP about the attacker's information, such as phone ID, attack time and malware signature. This information is propagated to every AP in the environment to update their tables, so the attacker cannot attack again using the same signature, a different signature, or the same phone. Therefore, if the attacker tries to connect to another phone in the same environment, that phone rejects the connection and informs the AP.

b) Malware Defender

The defending system is divided into clusters, and each cluster contains one AP holding a signature table and a blacklist table, as shown in Figure 3. The blacklist table stores the attackers' IDs and the signature table stores the malware signatures. When any phone in the environment is contacted, it first checks the sender's phone ID and then the message signature, as shown in Figure 1. If the phone ID exists in the blacklist table, the phone informs the AP so that it can update the information about that attacker ID or create a new record from the attack information. Before accepting the information, the AP validates the connection with the phone using the authentication token of [8], and then updates its tables according to the received information. If a phone sends many requests in an attempt to fake the AP, the AP checks the phone's behavior; if the behavior is not valid, the connection is blocked and the other APs are notified.
In addition, the blacklist table in the AP contains four columns: a phone ID column storing the attacker's phone ID, a detected time column storing the time at which the attacker phone was detected in the environment, a cluster column storing the cluster in which the attack occurred, and an exist column indicating whether the attacker phone is in the current cluster (one) or not (zero). To update the phones' tables in each cluster, two cases are considered depending on the phone's position: single cluster, when the phone belongs to one AP, and multi-cluster, when the phone belongs to more than one cluster. To update a phone's tables in the single-cluster case, only a simple intersection operation between the blacklist tables on the two sides is used (Equations 1 and 2). In the multi-cluster case, Equation 2 is used to update the signature table in the phone and Equation 3 is used to update the blacklist table, as shown in Figure 3. The malware defending algorithm is shown in Algorithm 1.

Equations 1, 2 and 3: not recoverable from the extracted text.

Algorithm 1: Malware defending algorithm

Receive Msg from mobile phone after applying authentication token
ID = Msg.ID
Sig = Msg.Sig
if phone ID behavior is valid
    if Blacklist(ID) is not found
        Blacklist.Add(ID)
    else
        Blacklist.Update(ID)
    if Sigtable(Sig) is not found
        Sigtable.Add(Sig)
    else
        Sigtable.Update(Sig)
else
    Block the connection
    Blacklist.Add(ID)
Notify all APs about the ID and the malware behavior

IV. DISCUSSION AND LIMITATION

The proposed malware defending approach has three main limitations, stated here as questions:
1. How can the mobile phone inform the AP about an attack over a secure connection?
2. How can injected attacks that send a huge amount of fake data to the AP be detected?
3. How can the size of the blacklist table in the mobile phones be reduced?
To create a secure connection between the mobile phone and the AP, an authentication token is used [8]. To detect injected attacks, connection rules are suggested, and to control the size of the blacklist table a compression approach is used, as discussed in the following.

Figure 3: Defending malware approach
[Figure: four clusters (Cluster 1 to Cluster 4), each with one AP; legend: 25 phones, 4 APs. The figure shows a phone with ID 5 infected by a signature, the AP's signature table (entries 20, 30), and the AP's blacklist table (IDs 5 and 4, cluster 3, time 10, exists 1) with the note "the phone is in this cluster".]

a) Authentication Token: to send any information to the AP, each phone first sends a request to the AP, which either accepts or rejects it. If the AP accepts the request, it sends a token [8] to the phone to create trust and a secure connection between the two sides. This procedure is similar to installing a Java applet on the client side. If the token detects any unexpected behavior in the phone, the connection is blocked and the phone is marked as an attacker phone.

b) Connection Rules: to stop large amounts of injected data reaching the AP, an attack threshold is used. The AP accepts information from a mobile phone only up to a given rate: for example, if the threshold is 6 IDs per hour and an attacker phone sends 100 invalid mobile phone IDs to the AP in 10 minutes, the AP blocks this connection. On the other hand, if the attacker tries to fake the AP by sending five IDs every hour, the AP checks the connection rules, blocks the connection with the phone and rolls back the information received from the attacker phone. The rollback is easy because the AP stores the sender ID of the current data for a specific period of time before storing the final data in the tables.

c) Blacklist table size: the blacklist table will grow quickly if there is a huge number of attackers in the environment. Several solutions can be suggested, such as compressing the information in the blacklist, flushing old IDs from the table, or storing the attacker IDs in the AP of each cluster.

V. SYSTEM EVALUATION

To compare the new approach with the old approach, an evaluation program written in Microsoft C#.NET 2005 is used, and three metrics are measured: number of infected devices per time unit, number of infected devices per round, and communication rate. A time unit is the time to infect one phone, a round is the time the attacker needs to communicate with all the phones in the same cluster, and the communication rate is the time taken to inform the AP about the attacker in the environment.

A. Number of infected devices per time unit

In this test, the number of infected devices per time unit is measured, as shown in Figure 4. The number of phones is 1000, and three cases are considered according to the number of attackers in the environment: 10, 20 and 40 attackers. The number of infected devices in the new approach remains controllable, whereas in the old approach it increases dramatically. The proposed approach becomes constant after the attacker devices are detected, since the phones' blacklists store the attacker IDs.
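Algorithm 1 together with the connection rules of Section IV.b above (the 6 IDs per hour threshold, the holding period before data reaches the tables, and the rollback on blocking), as an added Python example rather than the paper's C# program; the 60-minute holding period, the peer-notification format and the class and function names are assumptions of this example:

```python
"""AP side of Algorithm 1 plus the connection rules of Section IV.b. Added example, not the
paper's C# program. Reports (attacker ID, signature) come from phones whose authentication
token is assumed already validated; the AP enforces the 6-IDs-per-hour threshold from the
text, holds reports for an assumed period before storing them, and rolls back on block."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Set, Tuple

HOUR = 60                   # minutes
THRESHOLD_IDS_PER_HOUR = 6  # connection rule quoted in the paper
HOLD_MINUTES = 60           # assumed "specific period" before data reaches the tables


class AccessPoint:
    def __init__(self, cluster: int) -> None:
        self.cluster, self.peers = cluster, []                    # peers: other APs to notify
        self.blacklist: Dict[int, List[Tuple[int, int]]] = defaultdict(list)  # id -> [(cluster, t)]
        self.sigtable: Set[str] = set()
        self.blocked: Set[int] = set()
        self._recent: Dict[int, Deque[int]] = defaultdict(deque)  # reporter -> report times
        self._held: List[Tuple[int, int, str, int]] = []         # (reporter, attacker, sig, t)

    def _behavior_valid(self, reporter: int, now: int) -> bool:
        """Sliding one-hour window: more reported IDs than the threshold is abnormal."""
        window = self._recent[reporter]
        window.append(now)
        while now - window[0] >= HOUR:
            window.popleft()
        return len(window) <= THRESHOLD_IDS_PER_HOUR

    def receive(self, reporter: int, attacker: int, sig: str, now: int) -> str:
        """Algorithm 1: validate the reporter's behavior, then hold the report or block."""
        if reporter in self.blocked:
            return "dropped"
        if not self._behavior_valid(reporter, now):
            self.block(reporter, now)
            return "blocked"
        self._held.append((reporter, attacker, sig, now))
        return "held"

    def block(self, reporter: int, now: int) -> None:
        """Else branch of Algorithm 1, plus rollback of everything the reporter had pending."""
        self.blocked.add(reporter)
        self._held = [r for r in self._held if r[0] != reporter]
        self._record(reporter, None, now)    # the faking phone is itself blacklisted

    def tick(self, now: int) -> int:
        """Commit held reports whose holding period has elapsed; returns how many."""
        ready = [r for r in self._held if now - r[3] >= HOLD_MINUTES]
        self._held = [r for r in self._held if now - r[3] < HOLD_MINUTES]
        for _, attacker, sig, t in ready:
            self._record(attacker, sig, t)
        return len(ready)

    def _record(self, attacker: int, sig: Optional[str], t: int) -> None:
        # Blacklist.Add/Update and Sigtable.Add here, then "Notify all APs about the ID".
        for ap in [self] + self.peers:
            ap.blacklist[attacker].append((self.cluster, t))
            if sig is not None:
                ap.sigtable.add(sig)


def flood_scenario() -> AccessPoint:
    """Constructed case from the text: 100 fake IDs sent to the AP within 10 minutes."""
    ap = AccessPoint(cluster=1)
    for i in range(100):
        ap.receive(reporter=99, attacker=1000 + i, sig=f"fake{i}", now=i // 10)
    return ap


def honest_scenario() -> Tuple[AccessPoint, AccessPoint]:
    """One phone reports attacker 3 once; the peer AP learns it after the holding period."""
    ap1, ap2 = AccessPoint(1), AccessPoint(2)
    ap1.peers.append(ap2)
    ap1.receive(reporter=7, attacker=3, sig="sig-A", now=0)
    ap1.tick(now=HOLD_MINUTES)
    return ap1, ap2
```

In the flood case the seventh ID in the same hour trips the threshold, the six held reports are discarded and only the flooding phone ends up in the blacklist, which is the rollback the text describes.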
Figure 4: Number of infected devices per time unit
[Plot: x-axis Time Unit (0 to 500), y-axis Number of infected devices (0 to 1000); series: old approach and new approach for 10, 20 and 40 attackers.]

B. Number of infected devices per round

The simulation is divided into rounds, where a round is defined as the time the attacker needs to communicate with all the phones in the same cluster. In this test, the simulation parameters are 1000 phones, 10 attackers and 10 rounds. In the old approach, all the phones are infected in the first round, whereas in the new approach the phones need ten rounds to be infected, as shown in Figure 5.
Figure 5: Number of rounds vs. number of attackers
[Plot: x-axis Number of Round (0 to 10), y-axis Number of infected devices (0 to 1400); series: Old Approach and New Approach.]

C. Communication rate

The communication rate is defined as the time taken to inform the AP about the attacker in the environment. To test the approach, the number of phones is 1000 and three cases are considered according to the number of attackers in the environment: 10, 20 and 40 attackers, as shown in Figure 6. The test shows that as the number of phones increases, the time to detect the attackers increases too.

Figure 6: Communication overhead vs. the time unit
[Plot: x-axis Time Unit (0 to 500), y-axis Number of communication overhead (0 to 100); series: 10, 20 and 40 attackers.]

VI. CONCLUSION

In this paper, a new approach to protect mobile phones from proximity attacks in a small environment (a university campus) divided into clusters is proposed. Each mobile phone contains two tables, a signature table and a blacklist table, storing the malware signatures and the attackers' phone IDs, respectively. Both tables are updated with the incoming information from the access point. To evaluate and validate the proposed approach, an evaluation program written in Microsoft C#.NET is used. The evaluation tests show that the proposed approach can stop the attacker from propagating malware in the mobile phone network, can stop the signature pool problem, can protect the privacy between the phones, and increases the security level in the network.

REFERENCES

[1] M. Chandramohan and H. Tan, "Detection of Mobile Malware in the Wild," IEEE Computer Society, 2012.
[2] G. Zyba, G. M. Voelker, M. Liljenstam, A. Mehes, and P. Johansson, "Defending Mobile Phones from Proximity Malware," IEEE INFOCOM 2009.
[3] M. Polla, F. Martinelli, and D. Sgandurra, "A Survey on Security for Mobile Devices," IEEE Communications Surveys & Tutorials, vol. 15, no. 1, 2013.
[4] Mobile security threats. http://www.f-secure.com, 2009.
[5] M. Barbera, S. Kosta, J. Stefa, P. Hui, and A. Mei, "CloudShield: Efficient Anti-Malware Smartphone Patching with a P2P Network on the Cloud," IEEE P2P 2012 Proceedings.
[6] H. Chiang and W. Tsaur, "Identifying Smartphone Malware Using Data Mining Technology," 20th International Conference on Computer Communications and Networks (ICCCN), 2011.
[7] B. Al-Duwairi and G. Manimaran, "JUST-Google: A Search Engine-based Defense Against Botnet-based DDoS Attacks," IEEE International Conference on Communications (ICC '09), 2009.
[8] C. Dixon, T. Anderson, and A. Krishnamurthy, "Phalanx: Withstanding Multimillion-Node Botnets," 5th USENIX Symposium on Networked Systems Design and Implementation.

Biography

Nadia Al-Rousan was born in Jordan in 1986. She received the M.Sc. degree in computer engineering from Jordan University of Science and Technology (JUST), Irbid, Jordan, in 2011 and the B.Sc. degree in communication and software engineering from Balqa Applied University, Irbid, Jordan, in 2008. She worked as a teaching assistant in the computer engineering department from 2009 to 2011. Since February 2012, she has been with the Department of Information and Computer Science, Taibah University, Madina, KSA. Her current research interests are renewable energy with emphasis on solar systems, network coding, wireless networks, wireless sensor networks, image and data encryption and mobile payment systems.

Hazem Al-Najjar was born in Jordan in 1986. He received the M.Sc. degree in computer engineering from Jordan University of Science and Technology (JUST), Irbid, Jordan, in 2011 and the B.Sc. degree in computer engineering from Yarmouk University, Irbid, Jordan, in 2008. Since February 2012, he has been with the Department of Information and Computer Science, Taibah University, Madina, KSA. His current research interests are wireless networks with emphasis on security models, image and data encryption, grid computing and network coding.
