In program anomaly detection, we recognize the normal code and behavioral properties of programs with program analysis and machine learning techniques, and use these patterns to detect execution deviations. Such runtime deviations from expected program patterns are usually caused by exploits and attacks.
Low false alarm rate and high scalability are two research challenges for virtually all program anomaly detection work.
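The following is an added illustration of the basic idea above, not code from this group's projects: a profile of normal behavior is learned as the set of short system-call windows (n-grams) seen in constructed training traces, and a new trace is scored by the fraction of its windows that never appeared during training. The trace names and the threshold are assumptions for the example; the last part of the demo also shows the false-alarm problem mentioned above, where a benign but previously unseen trace scores as highly as a deviant one until the profile is retrained.

```python
# Constructed training traces (short system-call name sequences) standing in
# for recorded normal executions of a hypothetical server program.
NORMAL_TRACES = [
    ["open", "read", "write", "close"],
    ["open", "read", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "read", "write", "close"],
]

# Constructed test traces: one deviates from every trained pattern after
# "accept, read"; the other is benign but was simply never observed in training.
DEVIANT_TRACE = ["socket", "bind", "listen", "accept", "read", "execve", "write", "close"]
UNSEEN_BENIGN_TRACE = ["open", "read", "write", "write", "close"]


def windows(trace, n):
    """All length-n sliding windows of a trace, as tuples."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def train_ngram_model(traces, n=3):
    """Learn the normal profile: the set of every length-n window seen in
    the training traces (the classic sequence-based anomaly profile)."""
    profile = set()
    for trace in traces:
        profile.update(windows(trace, n))
    return profile


def mismatch_rate(profile, trace, n=3):
    """Fraction of the trace's windows that never occurred during training.
    A trace shorter than n has no windows and scores 0.0."""
    ws = windows(trace, n)
    if not ws:
        return 0.0
    unseen = sum(1 for w in ws if w not in profile)
    return unseen / len(ws)


def detect(profile, trace, n=3, threshold=0.25):
    """Flag a trace whose mismatch rate exceeds the (assumed) threshold, and
    report which windows were unseen so an analyst can inspect them."""
    rate = mismatch_rate(profile, trace, n)
    unseen = [w for w in windows(trace, n) if w not in profile]
    return {"anomaly": rate > threshold, "rate": rate, "unseen": unseen}


def demo():
    """Score both constructed traces, then retrain with the benign trace
    included and show that its false alarm disappears."""
    profile = train_ngram_model(NORMAL_TRACES)
    deviant = detect(profile, DEVIANT_TRACE)
    benign_before = detect(profile, UNSEEN_BENIGN_TRACE)
    retrained = train_ngram_model(NORMAL_TRACES + [UNSEEN_BENIGN_TRACE])
    benign_after = detect(retrained, UNSEEN_BENIGN_TRACE)
    return {
        "deviant_flagged": deviant["anomaly"],
        "benign_false_alarm": benign_before["anomaly"],
        "benign_after_retraining": benign_after["anomaly"],
    }


if __name__ == "__main__":
    print(demo())
```

The false alarm on the benign trace is real behavior of this model, not a bug: a profile learned only from observed windows cannot distinguish "never seen" from "malicious", which is why coverage of the training set (and, in the causality-based work described below, richer context than raw sequences) matters so much.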
You may want to read about our work on
Causality-based program anomaly detection (aka storytelling security) refers to a runtime program-monitoring methodology that provides context, structure, and semantics to interpret events and their causal relations, for enforcing normal patterns on a program, a host, or a network.
Core Android functionalities heavily rely on the encapsulation of component structures and their Intent-based communication mechanisms. Poorly written or malicious applications expose sensitive user and device data and abuse system resources through inter-component communication (ICC). In this project, we systematically investigate ICC and file-sharing based malware collusions. In malware collusion scenarios, two or more malicious Android apps work together to achieve their attack goals. The malware apps may be written by the same malicious developer. Each of the apps may appear benign, successfully passing stand-alone malware screenings.
Malware collusion is a new threat against Android application security that has not been systematically studied. Most current ICC-based program analyses are for detecting vulnerable-yet-benign apps (e.g., due to inexperienced developers). Thus, they are not suitable for detecting malware collusion.
Our specific aim is to systematically characterize, analyze, and classify risky ICC paths and file sharing across two or more apps that lead to the leak of sensitive data, the abuse of system resources, and spoofing. We detect malware collusion via static analysis of inter-app communications, in order to identify risky dependence paths that span multiple applications. Risky dependence paths are those that may leak sensitive data or access system resources to perform sensitive and privileged operations. The use of static program analysis is advantageous because of its ability to summarize all possible execution behaviors of a program.
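As an added example (not the project's own analysis), the toy below models the cross-app dependence-path search described above. Each app is summarized as a set of components with the sensitive data they read, the Intent actions they send or receive, the files they write or read, and the privileged sinks they invoke; components are linked across app boundaries when a sent action matches a received action or a written file matches a read file, and the search reports every source-to-sink path that crosses at least one app boundary. The package and component names, file paths, and source/sink labels are constructed for the example.

```python
from collections import defaultdict

# Constructed app summaries (hypothetical package names). Each component lists
# the sensitive data it reads ("sources"), Intent actions it sends/receives,
# files it writes/reads, and the privileged operations it performs ("sinks").
# Every app is unremarkable on its own; only the pair leaks data.
SAMPLE_APPS = {
    "com.example.reader": {
        "ContactDumper": {"sources": ["CONTACTS"], "sends": ["com.example.action.SHARE"]},
        "NoteWriter": {"sources": ["LOCATION"], "writes_files": ["/sdcard/shared/loc.txt"]},
    },
    "com.example.uploader": {
        "ShareReceiver": {"receives": ["com.example.action.SHARE"], "sinks": ["NETWORK"]},
        "SyncService": {"reads_files": ["/sdcard/shared/loc.txt"], "sinks": ["SMS"]},
    },
    "com.example.clean": {
        # Receives an action nobody sends, so it must not appear on any path.
        "Viewer": {"receives": ["com.example.action.OTHER"], "sinks": ["NETWORK"]},
    },
}


def build_graph(apps):
    """Adjacency dict over (app, component) nodes.

    An edge runs from a component that sends an Intent action (or writes a
    file) to every component in a *different* app that receives that action
    (or reads that file). Each edge is labelled with its channel. Intra-app
    flow is not modelled; a component is treated as atomic (toy assumption).
    """
    receivers, readers = defaultdict(list), defaultdict(list)
    for app, comps in apps.items():
        for name, c in comps.items():
            for action in c.get("receives", []):
                receivers[action].append((app, name))
            for path in c.get("reads_files", []):
                readers[path].append((app, name))
    graph = defaultdict(list)
    for app, comps in apps.items():
        for name, c in comps.items():
            src = (app, name)
            for action in c.get("sends", []):
                graph[src] += [(d, f"intent:{action}") for d in receivers[action] if d[0] != app]
            for path in c.get("writes_files", []):
                graph[src] += [(d, f"file:{path}") for d in readers[path] if d[0] != app]
    return graph


def find_risky_paths(apps):
    """Enumerate dependence paths from a component that reads sensitive data
    to a component that invokes a privileged sink. Because every edge crosses
    an app boundary, any path of two or more nodes is a collusion candidate."""
    graph = build_graph(apps)
    found = []
    for app, comps in apps.items():
        for name, c in comps.items():
            if not c.get("sources"):
                continue
            stack = [((app, name), [(app, name)], [])]
            while stack:  # depth-first search with cycle avoidance
                node, nodes, channels = stack.pop()
                comp = apps[node[0]][node[1]]
                if comp.get("sinks") and len(nodes) > 1:
                    found.append({
                        "source": c["sources"],
                        "sink": comp["sinks"],
                        "apps": [n[0] for n in nodes],
                        "components": [n[1] for n in nodes],
                        "channels": channels,
                    })
                for dst, label in graph.get(node, []):
                    if dst not in nodes:
                        stack.append((dst, nodes + [dst], channels + [label]))
    return found


if __name__ == "__main__":
    for p in find_risky_paths(SAMPLE_APPS):
        print(p["source"], "->", p["sink"], "via", p["channels"], "across", p["apps"])
```

A real implementation would derive the per-component summaries from bytecode (call-graph and data-flow analysis of each app) rather than hand-written dictionaries, and would model Intent matching against full intent-filters rather than a single action string; the cross-app graph search itself is the part this example shows.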
User-intention based anomaly detection prompts us to address the problem of how to ensure the trustworthiness of a host and its system data.
The data is collected for anomaly analysis, so it must be authentic and free of tampering and forgery.
For example, in CPV (standing for cryptographic provenance verification), we define data-provenance integrity as the security property stating that the source where a piece of data is generated cannot be spoofed or tampered with. CPV ensures system properties and system-data integrity in the kernel, e.g., for keystroke events and network activities. The work appeared in ACNS '10 and the journal version in IEEE TDSC '12.
Another work is on process authentication. Process authorization is well studied; however, research on process authentication (i.e., a process proving its identity to the OS) is fragmented. Our work is the first to point out this gap. Our technical contribution is the system design and development of the A2 framework (standing for authenticated application). See our IEEE TDSC '14 version and the ACM CODASPY '12 conference version.
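To make the two properties from the CPV and A2 paragraphs above concrete, the following added toy (not the CPV or A2 implementation, and not the group's code) combines them: a process first authenticates itself to a simulated OS-side verifier by the measured hash of its executable image, receives a per-session key, and every event record it then emits carries a MAC under that key, so the verifier can tell whether a keystroke record really came from the claimed source and is unmodified. The process names, image bytes, key handling and record layout are all assumptions of the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed executable "images" standing in for real binaries, and the
# registry of known process identities (name -> SHA-256 of the image) that
# the verifier trusts. In a real system this registry would itself need
# integrity protection; that is out of scope for this toy.
IMAGES = {
    "keyboard-daemon": b"\x7fELF constructed keyboard-daemon image v1",
    "net-monitor": b"\x7fELF constructed net-monitor image v1",
}
REGISTRY = {name: hashlib.sha256(img).hexdigest() for name, img in IMAGES.items()}


def _canonical(event):
    """Deterministic serialization so producer and verifier MAC the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


class ProvenanceVerifier:
    """Simulated OS-side component: authenticates a process by code identity,
    then checks the provenance of each event record it submits."""

    def __init__(self):
        self._sessions = {}  # session id -> (authenticated process name, key)

    def authenticate(self, claimed_name, image_bytes):
        """Process authentication: accept the claimed identity only if the
        measured image hash matches the registered one. Returns
        (session_id, key) on success, None otherwise."""
        measured = hashlib.sha256(image_bytes).hexdigest()
        if REGISTRY.get(claimed_name) != measured:
            return None
        session, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._sessions[session] = (claimed_name, key)
        return session, key

    def verify_event(self, record):
        """Data-provenance integrity: the record is genuine only if its tag
        verifies under the key bound to its session and the claimed source
        matches the identity authenticated for that session."""
        entry = self._sessions.get(record.get("session"))
        if entry is None:
            return False
        name, key = entry
        expected = hmac.new(key, _canonical(record["event"]), hashlib.sha256).hexdigest()
        return record["source"] == name and hmac.compare_digest(expected, record["tag"])


def produce_event(session, key, source, event):
    """What an authenticated producer attaches to each event it emits."""
    tag = hmac.new(key, _canonical(event), hashlib.sha256).hexdigest()
    return {"session": session, "source": source, "event": event, "tag": tag}


def demo():
    """Genuine, tampered-image, forged and modified cases side by side."""
    v = ProvenanceVerifier()
    session, key = v.authenticate("keyboard-daemon", IMAGES["keyboard-daemon"])
    keystroke = {"type": "keystroke", "code": 30, "t": 1000}
    good = produce_event(session, key, "keyboard-daemon", keystroke)
    # An altered image fails code-identity measurement, so no session is issued.
    tampered = v.authenticate("keyboard-daemon", IMAGES["keyboard-daemon"] + b"x")
    # A forged record reuses a valid session id but was tagged without the key.
    forged = produce_event(session, b"\x00" * 32, "keyboard-daemon", dict(keystroke, t=1001))
    # A modified record keeps a valid tag but changes the event body afterwards.
    modified = dict(good, event=dict(keystroke, code=31))
    return {
        "genuine_ok": v.verify_event(good),
        "tampered_image_rejected": tampered is None,
        "forged_rejected": not v.verify_event(forged),
        "modified_rejected": not v.verify_event(modified),
    }


if __name__ == "__main__":
    print(demo())
```

The two checks are deliberately separate: `authenticate` answers "is this really the program it claims to be?" (the A2 question), while `verify_event` answers "did this record come, unmodified, from that authenticated source?" (the CPV question). Neither one alone gives trustworthy input for anomaly analysis.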
While studying user keystrokes, we also formalized a new type of attack against biometrics, the synthetic forgery attack, and experimentally showed the robustness of keystroke-dynamics authentication against it. This work won the Best Paper Award at CollaborateCom 2010, and the journal version appeared in Computers & Security 2012.
The project was partly funded by the National Science Foundation.