• No results found

Virtualized In-Cloud Security Services for Mobile Devices

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Virtualized In-Cloud Security Services for Mobile Devices"

Copied!
19
0
0

Loading.... (view fulltext now)

Download now ( 19 Page )

Full text

(1)

Virtualized In-Cloud Security

Services for Mobile Devices

Jon Oberheide, Kaushik Veeraraghavan,

Evan Cooke, Jason Flinn, Farnam Jahanian

University of Michigan

June 17, 2008

(2)

Roadmap

Motivation

• Malware detection: high security, low resources

Architecture

• Antivirus as an off-device network service

Implementation and Evaluation

• Resource requirements • Power consumption

• Detection capabilities

(3)

Motivation

Mobile device capabilities increasing

• Approaching functionality of standard PCs • Rich application development/delivery

• iPhone, Android, Maemo, Symbian, WM, etc

Enticing target for malware authors

• Mobile banking transactions

• Spying on business/enterprise users

(4)

Current Approach

Adapt host-based antivirus to mobile devices

• Numerous vendors have mobile products

Problems with on-device AV model

• Detection capabilities vs. resource constraints • Scalability protection for future threats

• Software complexity, platform diversity, AV vulnerabilities

Goal: maintain/increase detection capabilities

while reducing resource requirements

(5)

New Approach

Offload detection functionality

• Instead of analyzing a file locally on-device, send it

to a network service for analysis

Moves complexity and resource usage

to off-device service

• Frees us of resource constraints of mobile device

Trade-off network bandwidth/radio power to

(6)

CloudAV Architecture

Host Agent

Network Service

Host/mobile agent runs on desktops, laptops, and mobile devices.

• Acts similar to host-based AV; interposes on file access

• Queries network service instead of analyzing locally

Network service hosts the backend AV detection engines and fields

file analysis requests from the host agent.

Separating acquisition from analysis

(7)

Architecture Components

Lightweight Mobile Agent

• Low resource requirements • Easy to port to new platforms

• Simple code base → reduced vuln footprint

Network Service

• Can employ multiple detection engine in parallel • Central management of AV signature updates • More resource intensive and complex detection

(8)

Advantages of Virtualization

Network service backend

• Hosts detection engines in virtualized environments

Scalability

• Dynamically spin up/down instances

Isolation/Recovery

• AV engine vulnerabilities

(9)

Caching, Caching, Caching

Reducing network activity is desirable

• Transferring candidate file to network service for analysis

on every access is infeasible

Remote cache

• Shared between all users of network service • Eliminate duplicate file transfer and analysis:

• Alice runs App1, App1 analyzed; Bob runs App1,

remote cache hit!

Local cache

• Stored on mobile device

• Eliminate unnecessary remote cache queries

• Bob runs App1, remote cache hit; Bob runs App1 again,

(10)

Implementation – CloudAV

Host Agent

• Numerous platforms: Win32, BSD, Milter frontends

Network Service:

• 10 antivirus engines:

• Avast, AVG, BitDefender, ClamAV, F-Prot, F-Secure,

Kaspersky, McAfee, Symantec, and Trend Micro

• 2 behavioral engines

(11)

Implementation – Mobile Extensions

Nokia Maemo platform

• N770, N800, N810 devices

• Python, < 300 LOC, Dazuko syscall hooking

Mobile-specific behavioral engine

• Runtime behavioral analysis of suspected malware • Virtualized Maemo environment

• Monitors syscalls and D-Bus IPC to detect:

• Modification/destruction of personal user data

• Network communications to untrusted parties

(12)

Evaluation

Resource macro-benchmark

• Nokia N800

• ClamAV vs. Mobile Agent (MA)

• Resource consumption (CPU/memory)

Power consumption micro-benchmark

• Nokia N95

• Kaspersky Mobile vs. Mobile Agent (MA) • Power consumption of radios (WiFi/EDGE)

Mobile agent cache states

(13)

Computational Resources

Simulated real-world usage benchmark

• 5 common applications: web browser, IM client,

VoIP client, media player, and PDF viewer

Agent Startup Time Avg/Peak Memory User/Total Jiffies

57 sec 25967 KB / 39556 KB 13349 / 15684 MA-CL+CR 0.2 sec 1502 KB / 2154 KB 1502 / 2185 MA-CL+WR 0.2 sec 1486 KB / 2124 KB 1486 / 1854 MA-WL+WR 0.2 sec 1189 KB / 1812 KB 1189 / 1714

ClamAV

Order of magnitude decrease in CPU and memory

resources in all mobile agent cache states.

(14)

Power Consumption

Local Kaspersky vs. Mobile Agent

• Simple scan of ~25M of third-party apps and games

Agent Avg Energy Peak Energy Total Energy

None (Baseline) 0.36 W 0.63 W 43.2 W 0.86 W 1.27 W 89.4W MA-CL+CR (EDGE) 1.51 W 2.31 W 250.6 W 1.31 W 2.44 W 165.1 W MA-CL+WR (EDGE) 1.22 W 2.13 W 126.9 W 0.92 W 1.83 W 74.5 W MA-WL+WR 0.82 W 1.20 W 59.5 W Kaspersky MA-CL+CR (WiFi) MA-CL+WR (WiFi)

Decrease in power consumption in

common mobile agent cache states.

(15)

Slide #15 Jon Oberheide - MobiVirt - June, 2008

Scalability of Detection Capabilities

Current state of mobile device malware

• Presently not a large number of threats to protect against

Host-based AV model

• Resource/power consumption of on-device software

scales with complexity/number of threats

CloudAV model

• Resource/power consumption stays static and

independent of increase in threats

Detection Engine Signature Database Size

27 signatures 284 signatures 262,289 signatures Cloud AV / Mobile Agent

Symantec Mobile Kaspersky Mobile

ClamAV

(16)

Detection Coverage

N-Version Protection

• The use of multiple detection engines in parallel

from independent vendors

Desktop malware results

• Subset of malware from Arbor Malware Library

Transparent engine extensibility

Engine Combination Detected Coverage

CM 229/469 48.82% CM, SM 290/469 61.83% CM, SM, MA 358/469 76.33% CM, SM, MA, BD 417/469 88.91% CM, SM, MA, BD, FS 430/469 91.68% CM: ClamAV SM: Symantec MA: McAfee BD: BitDefender FS: F-Secure

(17)

Management Capabilities

Web interface:  Forensics Drilldown  Policy Enforcement  Flexible Alerting  Report Generation VM Monitoring:

 Real-time System Status  Xen VM Management  Visualization Eye-Candy!

(18)

Limitations

Disconnected operation

• Local caching mechanisms

• Limited app/content acquisition while disconnected • Security policy decision

Privacy concerns

• Tunable collection/display built into architecture • User awareness of operation

(19)

Question and Answer

Contact information

Jon Oberheide

University of Michigan

[email protected]

http://www.eecs.umich.edu/fjgroup/

Questions?

http://www.eecs.umich.edu/fjgroup/

References

Download now ( PDF - 19 Page - 605.56 KB )

Related documents

THE RELATIONSHIP BETWEEN DRIVING PERFORMANCE AND THE JOHNS DROWSINESS SCALE AS MEASURED BY THE OPTALERT SYSTEM

Additionally, standard statistical tests were used to determine if driving performance, in terms of variability of lateral lane position, the rate (per minute) of lane excursions, the

A RESEARCH AGENDA FOR SCHOOLS IN WESTERN PENNSYLVANIA: A POLICY AND PRACTICE WHITE PAPER Update 6/30/2011

The School Based Research and Practice Network (SBRPN), founded July 1, 2008, as a partnership between the Clinical and Translational Science Institute (CTSI) at the University

Regulatory solvency prediction in property-liability insurance: risk-based capital, audit ratios, and cash flow simulation

The estimation strategy in the logistic regression analysis is to start with separate models that include risk-based capital variables, the overall FAST score, FAST factors

An Overview of the Canadian Agriculture and Agri-Food System

Statistics Canada, CANSIM, Table 379-0023 - Gross Domestic Product (GDP) at basic price in current dollars, system of national accounts benchmark values by North American

Geoarchaeology at the Red Tail site : paleoenvironmental reconstruction of climate change during the Holocene

2) To determine if stable isotope analysis and phytolith analysis of soils and sediments are feasible and successful methods for paleoenvironmental reconstruction at the Red Tail site

Why are the Effects of Recent Oil Price Shocks so Small?

While significant negative reactions of global economic activity and consumption plus positive responses of the price level and the nominal interest rate can be measured for

Substantive Public Policy Concept in Enforcement of Foreign Arbitral Awards in Russia

218 In 2005 Information Letter, the SCC formulated the most detailed definition of Russian Federation public policy: “The international arbitral award can be deemed to

Trade name BMW part number Container size

Shell Helix Plus Extra SAE 5W-40 Shell International Petroleum Company. Shell Helix Plus S SAE 5W-40 Shell International