Detecting System Intrusions
- INTRODUCTION

Over the past two decades, the number of computer system users has increased. These users bring their own preferences for how they want to interact with information and with each other: teenagers who want to do things on their phones and tablets, professionals who want to plan or share their experience in their field with others, or people at different levels who want to employ phones in their daily lives. This increase reflects the change in the requirements and needs of our daily life. People use mobile phones for communication, planning and organizing their private lives, learning, documenting, navigating maps, online banking, and many other purposes. In addition, new mobile devices are characterized by their ease of use, which makes new ways of computing possible. All of this is increasing the number of mobile devices connected to the Internet over time. The latest sales reports indicate that worldwide mobile phone sales totaled 446 million units during the second quarter of 2015, and that sales increased by 3.9% in the first quarter of 2016 [9]. Moreover, end users look for ways to communicate, obtain and share information, play games, be entertained, and so on. As a result, some providers (big companies) have found ways to provide services either directly for money or for market and attention share. Providers found that providing computing system resources to users at affordable or relatively low cost is a good way to increase profit. Those providers make the required computer system resources available to users on demand using virtual machines (VMs). This technology, which is based on virtualization and multitenancy, is called cloud computing. Virtualization is an essential technology for minimizing operating costs and increasing elasticity of use [43]. Virtualization technology offers the ability to share hardware resources to run isolated guest operating systems (OSs) [37]. Multitenancy is another major characteristic of cloud computing that enables multiple users to store their data using applications provided by the cloud system [38]. Cloud computing is a technique to maximize computing capability by increasing capacity or adding capabilities efficiently, without incurring the extra expense of new infrastructure, new staff, or licenses for new software [38]. The cost-effectiveness and capabilities offered by cloud computing are in fact the major encouraging factors that attract the attention of many organizations and academic entities [11]. In addition, although mobile phones and tablets are increasing in capabilities, they will never be as computationally powerful or as well networked as servers. Therefore, some services must reside in the cloud, running on servers, but stay accessible to mobile devices. Consequently, the use of mobile devices and of cloud computing will increase simultaneously.

The usefulness of the cloud lies in its ability to store a lot of information and to make it accessible to mobile devices on demand. Therefore, there is continuous information transmission between mobile devices and the cloud environment. This information is valuable; therefore it has drawn the interest of attackers who want to gain access to that value or disrupt access to it for legitimate users. In general, there are three main targets in attacking a computing system [7]:

1. Data: Target systems may be used to store personal or important data; they may be a good source of information for attackers, such as credit card numbers, private information (driver's license number or birth date), or any other important piece of information (pictures). Therefore, attackers usually try to access this information to remove it, alter it, or gain monetary benefit, blackmail, or any other malicious purpose.
2. Identity: Target systems can contain authentication information associated with their owner. Such information can compromise the identity of the owner or organization. An attacker may impersonate the owner or organization to commit some other misbehavior.
3. Availability: Attackers may limit access to the system and prevent its legitimate users from obtaining services from it, causing denial of service (DoS).

Although these two technologies, mobile devices and cloud computing, have provided great services to users from different categories (companies, governments, organizations, and individuals), they are also subject to many kinds of attacks that threaten their security. Providing security protection for the two technologies is a subject that attracts researchers from around the world who want to protect the interests of people who use the services offered by those technologies.

However, these two technologies overlap in many aspects. Mobile devices obtain most of their services from the cloud because the devices are limited in power, memory, computation, and connectivity. Therefore, people are witnessing the mobile cloud services era (Fig. 6.1), and it is becoming part of their daily lives. Consequently, any attack that affects the cloud may affect the mobile devices connected to that cloud. Conversely, a mobile device infected with malware can affect the cloud from which it obtains its service. From the user's perspective, the user might not be able to tell whether the cloud system has been compromised or his or her mobile device has been attacked with malware. The user may only discover that his or her credentials have been revealed, pictures have been published, or data have been stolen.

In this chapter we explore intrusion detection systems (IDSs) for this contemporary environment encompassing mobile devices and cloud computing systems. The chapter is organized as follows: Section 2 discusses mobile OSs and briefly explains the most well-known mobile OSs. Section 3 describes malware risks to mobile devices. Section 4 covers cloud computing models. Attack risks to mobile computing are discussed in Section 5. We discuss the sources of attacks on mobile devices in Section 6 and the origins of attacks on cloud computing in Section 7. Section 8 is dedicated to classes of mobile malware, whereas Section 9 specifies types of cloud computing attacks. In Section 10, we discuss malware techniques in Android (as a case study). Next, we investigate cloud computing intrusion techniques in Section 11. We provide different examples of smartphone malware in Section 12 and give some examples of cloud attacks in Section 13. Sections 14 and 15 discuss IDSs for mobile devices and cloud computing, respectively. Section 16 is devoted to explaining IDS performance metrics for both mobile device IDSs and cloud computing systems. Finally, in Section 17 we provide a summary of the whole chapter.
- MOBILE OPERATING SYSTEMS

An OS is a software interface that is responsible for managing and operating hardware units and assisting the user in using those units. For mobile phones, OSs have been developed to enable users to use phones in much the same way that personal computers were used 1 or 2 decades ago. The most well-known mobile OSs are Android, iOS, Windows Phone OS, and Symbian. The market share ratios of those OSs are Android 47.51%, iOS 41.97%, Symbian 3.31%, and Windows Phone OS 2.57%. There are some other, less used mobile OSs (BlackBerry, Samsung, etc.) [46]. In the next section, we briefly explain each of these OSs.

Android Operating System

Android is an open-source mobile OS developed by Google and launched in 2008 [8]. Android is a Linux-based OS that uses Linux 2.6 to provide core services such as security, memory management, process management, the network stack, and a driver model. It offers a wide range of libraries that enable app developers to build different applications. Android applications are usually written in the Java programming language [46].

Apple iOS

Apple iOS is a closed-source mobile phone OS developed by Apple in 2007; it is used only by Apple products (iPhone, iPod, and iPad). The iOS architecture is based on three layers that work together. Cocoa Touch is a layer that provides some basic infrastructure used by applications. The second layer is the media layer, which provides audio services, animation, video, image formats, and documents, in addition to two-dimensional (2D) and 3D drawing and audio and video support. The third layer is the core OS, which provides core services such as low-level data types, start-up services, network connection, and access [46].

Symbian Operating System

Symbian OS is an open-source mobile OS written in the C++ programming language and developed by Symbian Ltd. in 1977; it is mostly used by Nokia phones. Symbian OS consists of multiple layers such as OS libraries, application engines, MKV, servers, the base kernel, and the hardware interface layer. Symbian was the most prevalent mobile device OS until 2010, when it was overtaken by Android [46].

Windows Phone Operating System

Windows Phone OS is a closed-source mobile OS developed by Microsoft Corporation and used by multiple smart devices (personal digital assistants, smartphones, and touch devices). Windows Phone OS is based on a compact version of the .NET Framework, which gives it an advantage in developing .NET-oriented mobile applications [46].

We choose to discuss only the two most dominant phone OSs here: Android and iOS. Unlike Android, Apple iOS is more immune to malware owing to its closed-source platform and the restricted procedures that Apple follows in marketing apps. Android has become the OS most susceptible to malware because of its open-source platform and the readiness of Android devices to download and install applications from untrusted or unsecured stores.
- MOBILE DEVICE MALWARE RISKS

Smartphones and tablets have become prevalent in the past few years. In terms of numbers, at the end of 2014 there were around 7 billion active devices worldwide. Because of their enormous distribution, the wide variety of services they offer, and the sensitive information they store, mobile devices have become a major target of cyber attacks. Smartphones offer a wide range of connectivity options such as GSM, CDMA, Wi-Fi, global positioning system (GPS), Bluetooth, and NFC. Smartphones also contain personal information such as contacts, messages, social network access, Internet browsing history, and sometimes banking credentials. All of this has attracted the attention of attack developers toward mobile devices. The main enemy of mobile devices is malicious software (malware). Malware consists of harmful apps that target mobile devices and threaten their security. They are usually disguised as normal and useful apps that users can download and use, but in fact they hide stealthy scripts that carry out different activities in the background that threaten the user's security. Different risks may threaten a user's security as a result of malware, such as:

• Compromising a user's privacy by stealing sensitive user information such as the user's credit, login history, or password
• Threatening the integrity of the device
• Extracting monetary benefits
• Creating botnets, which are networks of computers that have already been compromised by a robot or bot that executes a wide range of malicious actions for the developer of the botnet
• Mounting aggressive ad campaigns
• Launching DoS

Attackers usually exploit vulnerabilities associated with mobile devices to launch their attacks. The three main factors of security for any computing system are confidentiality, integrity, and availability, which are also the main factors for mobile device security. Confidentiality requires ensuring appropriate protection for confidential or sensitive information stored or processed in the computing system [33]. In other words, sensitive information cannot be accessed by an unauthorized party. Integrity requires ensuring the authenticity of data stored in a computing system [33]. The data cannot be modified, altered, removed, or added to by an unauthorized party. Availability of data in a computing system's storage requires provision of the data to the authorized party at any time upon demand [33].

After infecting the mobile device, the attacker can inflict multiple kinds of damage by violating different security goals:

• An infected smartphone can record all of the conversations between the user and others, steal images and videos, and send this information to the attack developer without the user's consent. This kind of attack compromises the user's privacy and confidentiality [7].
• A user's identity is also one of the attacker's targets and can be stolen from a compromised smartphone. The identity can be stolen from the user's SIM card or from the phone itself. That can lead to the owner being impersonated to place orders or view bank accounts, or to use of the smartphone as an identity card (where applicable). This action also compromises the user's privacy and confidentiality [7].
• Another action that can compromise the user's privacy is when the attacker removes personal information from the compromised phone (pictures, videos, music, etc.) or removes professional data (contacts, calendars, or personal notes). This action compromises confidentiality [7].
• The integrity of the device is another target of malware, when the attacker forces the compromised phone to make phone calls. For example, malware can use an application programming interface (API) function provided by Microsoft called PhoneMakeCall, available only on the Windows Phone OS. This function can search for phone numbers from any online source and then call them. This can result in charges to the owner if the call is made to paid services, or it may be more serious if the call is directed to emergency services, disturbing those services. This action compromises integrity [7].
• The attacker can convert the smartphone into a zombie machine, which is a machine that can be controlled by the attacker to send spam messages via short message service (SMS) or email. This kind of attack also threatens the integrity of the device and compromises integrity [7].
• The attacker can make the smartphone unusable by preventing its normal operations or preventing its startup. Moreover, the attacker can damage the OS of the phone by deleting the boot scripts, make it unusable by modifying some important files, or run a small piece of code to deplete the battery. This kind of attack threatens the device's availability [7].
• The attacker can steal sensitive information such as the credentials of the smartphone's owner to transfer money to the attacker's own bank account. This action compromises confidentiality [8].
• Some ad campaigns may attract users to download potentially unwanted apps or malware apps. These apps have hidden malware behavior that can perform multiple damaging actions on the device, such as controlling the device remotely or scanning the device for any vulnerability. This action compromises confidentiality [8].
• Some malware can cause DoS of mobile devices by overwhelming the device's limited central processing unit (CPU), memory, and bandwidth, which deprives the legitimate user of the device's normal functions. This action compromises availability [8].

As we notice from this list of damaging actions, attackers strive to cause different types of damage to mobile devices. This damage also has different levels of severity. In all cases, the damage must be identified so that an effective countermeasure can be found.
- CLOUD COMPUTING MODELS

Cloud computing environments have been constructed in different ways according to the service offered by that environment. In general, there are three cloud computing models:

1. Software-as-a-Service (SaaS): The cloud service provider (CSP) provides software for the user, which runs and is deployed on cloud infrastructure. In this case, the user (consumer) is not responsible for managing or maintaining the cloud infrastructure, including the network, servers, OSs, or any other application-related issues. The consumer just uses the software as a service on demand. Google Maps is an example of SaaS [15,41].
2. Platform-as-a-Service (PaaS): The CSP provides a platform on which the consumer deploys consumer-created applications written in any programming language supported by the CSP. The consumer is not responsible for managing or maintaining the underlying infrastructure, such as the network, servers, OSs, or storage. However, the consumer controls the deployed applications and the hosting environment configurations. Google App Engine and Microsoft Azure are examples of PaaS [15,41].
3. Infrastructure-as-a-Service (IaaS): The CSP provides the consumer with processing, storage, networks, and other essential computing resources that enable the consumer to run his or her software, which can be OSs and applications. In this model the provider manages the physical cloud infrastructure. Amazon Web Services (AWS), Eucalyptus, and OpenNebula are examples of IaaS [15,41].
- CLOUD COMPUTING ATTACK RISKS

Cloud computing security can be defined as the set of techniques, protocols, and controls deployed in the cloud to protect the applications, data, and infrastructure of the cloud computing environment. Cloud data centers have become widely used for a range of always-on services in private, public, and commercial domains. Because of the wide prevalence of cloud computing, it has become a target for many attacks. As mentioned, the three main factors of security are confidentiality, integrity, and availability, which are also the main goals for cloud computing security. Therefore, any action that compromises one or more of these goals is considered a threat. A vulnerability is a weakness in the system that can be exploited by threats. Putting users' information in the cloud may expose them to many risks, such as:

• Compromise of users' privacy
• Theft of sensitive information
• Malicious insiders
• DoS
• Insecure APIs
• Data loss or leakage

Some of these risks overlap and can compromise different security goals, depending on the nature of the risks and the target. In this section we explain the risks behind launching attacks on cloud computing.

Users are genuinely concerned about personal data and are against anything that might lead to an invasion of their privacy. When putting their information on the cloud, users do not want this information to be accessed without their consent, which would violate one of the security goals (confidentiality). The first two risks, (1) compromising the user's privacy and (2) stealing sensitive information, therefore fall into the same risk category. Those risks can result from account or service hijacking, which in turn results from phishing, fraud, and software vulnerabilities. Attackers can steal a user's credentials and acquire access to the sensitive domain of deployed cloud computing services. That would compromise the confidentiality, integrity, and availability of these services.

Malicious insider risks can be damaging to the cloud computing environment. By taking advantage of their insider level of access, malicious insiders penetrate organizations and assets and cause brand damage, financial losses, and productivity losses. According to the Cloud Security Alliance, the malicious insider was one of the top risks to cloud computing in 2016 [40]. A malicious insider compromises the security goal of confidentiality.

DoS attacks refer to the attacker sending a massive number of synchronized connection requests to a network for the sake of slowing down servers or creating a barrier for legitimate users who want to access the cloud. According to the Cloud Security Alliance, DoS attacks were among the top risks to cloud computing in 2016 [40]. DoS attacks compromise the availability security goal.

Moreover, an insecure API refers to a weak set of API functions that are used to connect to the cloud [16,39]. According to the Cloud Security Alliance, an insecure API was also one of the top risks to cloud computing in 2016 [40]. An insecure API compromises all of the security goals: confidentiality, availability, and integrity.

Data loss or leakage can also have a negative impact on the business. The CSP can completely lose its brand or reputation, in addition to losing the customer's trust, owing to this risk. Loss or leakage of data can happen as a result of insufficient authentication, authorization, and audit controls; disposal challenges, data center reliability, and disaster recovery; and inconsistent use of encryption and software keys. Data loss or leakage compromises the security goal of integrity.
- SOURCE OF ATTACKS ON MOBILE DEVICES

Because of their wide prevalence and the range of services they offer, attacks on mobile devices originate from different sources. In this section we discuss the most common sources of attacks on mobile devices:

• Professionals: These could be commercial or military professionals who aim at the three targets mentioned previously. Sensitive data from the general public is stolen by these professionals. In addition, they may use the stolen identity to launch other attacks.
• Thieves: These use stolen data or identities to obtain an income. Thieves will increase the scope of the attack to increase their prospective income.
• Black hat hackers: These particularly target availability. They aim to develop viruses and damage devices, or to steal data from devices.
• Gray hat hackers: These particularly reveal vulnerabilities. They aim to disclose the vulnerabilities of the device. However, they do not want to damage the device or steal data from it.
- SOURCE OR ORIGIN OF INTRUSIONS IN CLOUD COMPUTING

Cloud computing systems are also susceptible to many kinds of intrusions that come from different sources. In this section we explore the different sources of intrusions in cloud computing systems. Intrusions in cloud computing may originate from a VM, a virtual network, a malicious hypervisor, or an outside attack:

• Attacks from a VM: In Bahram et al. [2], the authors were able to simulate an attack to subvert VM introspection. They called their attack direct kernel structure manipulation (DKSM) and showed how it can defeat existing VM introspection solutions by changing the syntax and semantics of kernel data structures in a running guest.
• Attacks from a virtual network: Attackers may exploit vulnerabilities and compromise VMs to launch a large-scale distributed DoS (DDoS) attack. The attackers start with preliminary actions such as multistep exploitation, low-frequency vulnerability scanning, and converting vulnerable VMs into zombies, and then launch DDoS attacks via these compromised zombies [6]. DDoS attacks usually target the availability of cloud services.
• Attacks from a malicious hypervisor: A hypervisor or VM monitor is a piece of software responsible for managing the sharing of a hardware platform among different guest systems. Hypervisors have a relatively small code base and limited communication with the external world. They are supposed to be well protected and secure. However, it has been observed that hypervisors are not completely secure. For example, Xen, a common hypervisor used in Amazon Elastic Compute Cloud (EC2), showed a deficiency when some attacks were able to modify Xen's code and data at runtime and allowed backdoor activity [1]. Compromised hypervisors can lead to catastrophic damage to cloud computing systems if they are not detected and stopped.
• Attacks from outside the cloud environment: An attacker may send a huge number of requests to access VMs, disabling the availability of VMs to legitimate users, which is called a DoS attack.
- CLASSES OF MOBILE MALWARE

Malware that attacks mobile devices comes in different types and categories. It also differs in its severity and the damage it causes. In this section we discuss the most well-known classes of malware that threaten mobile devices [35]:

• Botnet: In this kind of malware, a remote user or bot-master uses a set of commands to make a bot control the device remotely. The constructed network of such devices is called a botnet. The resulting damage is on a different level compared with sending private information to a remote server, launching DoS attacks, or downloading malicious payloads [8].
• Backdoor: A backdoor opens on the compromised device, causing it to wait for commands to arrive from an external server or an SMS message. This malware can exploit root to obtain superuser privileges and avoid antimalware scanners [8].
• Rootkit: This malware creates a buffer overflow to obtain superuser (root) privileges on the device [35].
• Worms: A worm is malware that has the ability to make copies of itself and spread these copies through a network and removable media [8].
• SMS Trojan: This malware causes serious damage to the user by (1) sending stealthy SMS messages without the user's knowledge, subscribing the user to premium services; (2) sending spam messages to all of the user's contacts; or (3) obtaining an authentication mechanism of some banking institutions by sending SMS messages that permit unfavorable transactions, or banking Trojans [8,35].
• Spyware: This kind of malware starts by pretending to be a benign or useful app, but it has an internal malicious activity [8]. It is characterized by revealing sensitive information from the phone and sending it to an external server. This sensitive information could be the International Mobile Equipment Identity or International Mobile Subscriber Identity, contacts, messages, location, or social network credentials [35].
• Installer: This kind of malware installs apps using new authorizations to boost the damage to the phone [35].
• Ransomware: A kind of malware that blocks the user from accessing the phone by continuously displaying a web page requesting that the user pay a certain amount of money (ransom) to remove the malware from the device. Another example of this malware is encryption of all personal data on the phone and a request for a ransom to retrieve the decryption key [35].
• Trojan: This kind of malware could be any malware whose behavior differs from the previous classes. It could modify or remove data from the phone without the owner's consent, or it could infect any computer to which the phone is connected via universal serial bus [35].

- TYPES OF CLOUD COMPUTING ATTACKS

Cloud computing experiences different kinds of attacks that threaten its activity and services. With the increasing use of cloud computing, attacks on cloud computing are also increasing, which raises an issue that needs to be addressed. These attacks target different elements of the cloud such as networks, information, and underlying structure. In general, cloud computing attacks can be categorized into the following classes:

• Address Resolution Protocol (ARP) spoofing: ARP is a standard protocol that is responsible for converting network layer addresses to data link layer addresses. This attack involves sending a forged ARP reply message to the victim so that it records a media access control address as if it were that of a certain host. This attack disturbs regular communication between hosts [13].
• DoS and DDoS attacks: DoS and DDoS flooding attacks are major attacks that devastate the availability of cloud computing systems. Both aim to prevent intended users from accessing a machine or network resources. DDoS attacks are launched by two or more computers, whereas DoS attacks are launched by one person or computer [21]. Both attacks (DoS and DDoS) usually depend on a device (compromised computer) recruited by malware named a bot [42]. A DDoS attack is shown in Fig. 6.2.
• Internet Protocol spoofing: This attack is a major attribute of DDoS attacks, used to hide the identity of the attacker. As indicated before, DDoS attacks aim to bring down cloud resources and make them unavailable to both cloud providers and cloud users. Hiding the identity of the machine involved in the attack (1) prevents the attacker from being easily traced and (2) deceives the cloud provider, so as to benefit from a service offered only to a trusted host [28].
• Port scanning: This attack involves looking into available network protocols or services in order to exploit communication channels to launch a subsequent attack. Transmission Control Protocol (TCP) connect scanning is a form of port scanning that consists of establishing a TCP connection. The attack involves exchanging multiple packets between the source and the destination. Once the attacker establishes a TCP connection, it still must be determined whether the port is open or not [25].
• Man-in-the-cloud: One popular attack experienced in 2015 was the man-in-the-cloud, aimed at storage and synchronization applications such as Dropbox and Google Drive. This attack is based on exploiting the synchronization protocols and end-user authentication tokens of these applications. The attack involves accessing a targeted victim's account by using the victim's authentication credentials without the need to crack the password [11].
• Insider attacks: An authorized user (on the client or provider side) may try to gain privileges to perform a malicious activity [14].
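Two of the classes above, ARP spoofing and TCP connect port scanning, leave simple traces in network telemetry that a cloud operator can check for. The following detector is an added illustration written for this chapter's discussion, not code from the chapter or from any product it cites. It works over constructed records (an ARP reply is reduced to the IP and MAC it asserts; a connection attempt to a timestamp, source, destination and port), flags any IP address that two different MACs have claimed, and flags any source that touched many distinct ports on one host within a short window. The thresholds (`window`, `min_ports`) are assumptions to be tuned per environment.

```python
"""Defender-side detectors for ARP spoofing (one IP claimed by more than one MAC)
and TCP connect port scanning (one source fanning out across many ports of a host).
Illustrative example; the records below are constructed, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since capture start (constructed)
    ip: str     # protocol address the reply claims to resolve
    mac: str    # hardware address the reply asserts for that IP


@dataclass(frozen=True)
class TcpConnect:
    ts: float
    src: str    # source IP of the connection attempt
    dst: str    # destination host
    dport: int  # destination TCP port


def arp_conflicts(replies):
    """Return {ip: sorted MACs} for every IP that was bound to more than one MAC.
    A legitimate host keeps one MAC; a second MAC claiming the same IP is the
    signature of a forged reply (or a NIC swap the operator should already know about)."""
    seen = defaultdict(set)
    for r in replies:
        seen[r.ip].add(r.mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def port_scanners(connects, window=10.0, min_ports=5):
    """Return {src: peak distinct port count} for sources that touched at least
    min_ports distinct ports on one destination inside any `window`-second span.
    Connect scans look like many short handshakes fanning out across ports."""
    by_pair = defaultdict(list)
    for c in connects:
        by_pair[(c.src, c.dst)].append((c.ts, c.dport))
    flagged = {}
    for (src, _dst), events in by_pair.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide the window's left edge
                lo += 1
            ports = {p for _, p in events[lo:hi + 1]}
            if len(ports) >= min_ports:
                flagged[src] = max(flagged.get(src, 0), len(ports))
    return flagged


SAMPLE_ARP = [  # constructed: 10.0.0.1 is answered by two different MACs
    ArpReply(0.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.5, "10.0.0.2", "aa:aa:aa:aa:aa:02"),
    ArpReply(2.0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(3.2, "10.0.0.1", "de:ad:be:ef:00:99"),
]

SAMPLE_TCP = [  # constructed: one normal client, one source sweeping six ports in a second
    TcpConnect(0.0, "10.0.0.2", "10.0.0.5", 443),
    TcpConnect(4.0, "10.0.0.2", "10.0.0.5", 443),
    TcpConnect(0.0, "10.0.0.9", "10.0.0.5", 21),
    TcpConnect(0.2, "10.0.0.9", "10.0.0.5", 22),
    TcpConnect(0.4, "10.0.0.9", "10.0.0.5", 23),
    TcpConnect(0.6, "10.0.0.9", "10.0.0.5", 25),
    TcpConnect(0.8, "10.0.0.9", "10.0.0.5", 80),
    TcpConnect(1.0, "10.0.0.9", "10.0.0.5", 443),
]


def run_demo():
    return arp_conflicts(SAMPLE_ARP), port_scanners(SAMPLE_TCP)


if __name__ == "__main__":
    print(run_demo())
```

In production the ARP check would be fed from a switch's ARP inspection logs or a passive capture on the hypervisor's virtual switch, and the port-scan check from flow records; both findings are alerts to investigate, since an IP re-binding can also be a planned hardware change.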
- MALWARE TECHNIQUES IN ANDROID

In this section, we discuss the techniques that malware follows in spreading to users' devices, in addition to the stealth techniques employed by Android malware, as case studies.

Repackaging Common Apps

Malware developers can use a repackaging technique to make new malware targeting mobile devices. Repackaging involves disassembling or decompiling a common benign app (free or paid) from a trusted app store, inserting and appending the malware code, reassembling the Trojan app, and distributing it through a less common or less monitored app store. Malware developers use current reverse-engineering tools to repackage an app (see checklist, "An Agenda for Action for Repackaging an Application").

malware. Usually, these techniques cannot be detected using static analysis methods [8].

Stealth Malware Techniques

Because Android OS is developed for limited resources (CPU, RAM, battery, etc.), antimalware apps are restricted by these limitations from performing deep inspections on smartphones, unlike their PC counterparts. This limitation is exploited by malware developers to obscure malicious payloads so that they evade commercial antimalware. Stealth techniques include encryption, key permutations, dynamic loading, reflection code, and native code execution; all of these are interesting issues facing signature-based malware detection applications [8].

Colluding Apps

Colluding apps are a set of apps that are signed with the same certificate and share the same unique ID. They collude with each other to carry out the intended attack. Together, these apps are malware; individually, however, they are benign. For example, malware with the READ_SMS permission can read SMS messages and ask a colluding assistant with the INTERNET permission to send the sensitive information to a remote server. This action compromises the security goal of confidentiality [8].

Privilege Escalation

A mobile device can experience privilege escalation when an attack exploits known kernel vulnerabilities to gain root access to the device. In Android, exported components can be exploited to gain root access to critical permissions. This action compromises the confidentiality security goal [8]. Table 6.1 summarizes mobile malware techniques, the security goals compromised, and the functionality employed.
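Two of the techniques in this section, repackaging and colluding apps, can be screened for from app inventory data alone, before any dynamic analysis. The check below is an added example written for this chapter, not code from the chapter or from Google; the inventory, certificate fingerprints and allowlist are constructed placeholders. A repackaged app keeps a well-known package name but is signed by a certificate other than the publisher's, so the first check compares each package's signing certificate to a trusted allowlist. Colluding apps must share a signing certificate and a `sharedUserId` to pool their permissions, so the second check groups apps by that pair and reports groups whose combined permissions reach a dangerous combination (the text's READ_SMS plus INTERNET) that no single member holds on its own.

```python
"""Inventory checks for repackaged apps (known package, wrong signing certificate) and
colluding apps (same certificate + sharedUserId, dangerous permissions only in combination).
Added illustrative example; all apps, fingerprints and the allowlist below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class App:
    package: str                   # Android package name
    cert_sha256: str               # signing certificate fingerprint (constructed placeholder)
    shared_uid: Optional[str]      # android:sharedUserId from the manifest, if declared
    permissions: FrozenSet[str]    # permissions declared in the manifest


# Constructed allowlist: package name -> the publisher's genuine certificate fingerprint.
TRUSTED_CERTS = {
    "com.example.bank": "CERT_BANK_GENUINE",
    "com.example.game": "CERT_GAME_GENUINE",
}

# Permission pairs that together enable exfiltration; the first is the chapter's own example.
DANGEROUS_COMBOS = [
    frozenset({"android.permission.READ_SMS", "android.permission.INTERNET"}),
    frozenset({"android.permission.READ_CONTACTS", "android.permission.INTERNET"}),
]


def find_repackaged(apps, trusted=TRUSTED_CERTS):
    """Packages whose name matches a known app but whose signing cert is not the publisher's."""
    return sorted(a.package for a in apps
                  if a.package in trusted and a.cert_sha256 != trusted[a.package])


def find_colluding_groups(apps, combos=DANGEROUS_COMBOS):
    """Groups keyed by (cert, sharedUserId) whose union of permissions covers a dangerous
    combo that no member covers alone. Returns [(group_key, sorted packages, combo), ...]."""
    groups = defaultdict(list)
    for a in apps:
        if a.shared_uid is not None:          # only uid-sharing apps can pool permissions
            groups[(a.cert_sha256, a.shared_uid)].append(a)
    findings = []
    for key, members in groups.items():
        union = frozenset().union(*(m.permissions for m in members))
        for combo in combos:
            if combo <= union and not any(combo <= m.permissions for m in members):
                findings.append((key, sorted(m.package for m in members), combo))
    return findings


INVENTORY = [  # constructed device inventory
    App("com.example.bank", "CERT_BANK_GENUINE", None,
        frozenset({"android.permission.INTERNET"})),
    App("com.example.game", "CERT_UNKNOWN_7f3a", None,          # repackaged: wrong signer
        frozenset({"android.permission.INTERNET", "android.permission.READ_SMS"})),
    App("com.evil.reader", "CERT_EVIL", "com.evil.shared",       # colluding pair: one reads,
        frozenset({"android.permission.READ_SMS"})),
    App("com.evil.uploader", "CERT_EVIL", "com.evil.shared",     # the other uploads
        frozenset({"android.permission.INTERNET"})),
    App("com.ok.notes", "CERT_OK", "com.ok.shared",
        frozenset({"android.permission.READ_CONTACTS"})),
]


if __name__ == "__main__":
    print("repackaged:", find_repackaged(INVENTORY))
    print("colluding:", find_colluding_groups(INVENTORY))
```

The single app that itself holds both READ_SMS and INTERNET is not a collusion finding; it is caught by the ordinary per-app permission review (and here by the certificate check). The collusion check exists precisely for the case where that review sees nothing wrong in any one app.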
- CLOUD COMPUTING INTRUSIONS TECHNIQUES Intrusions into cloud computing systems employ different techniques to achieve different goals. In this section we discuss the most well-known techniques used by cloud computing intrusions. These techniques are classified into different categories. We will discuss each category individually.
Reconnaissance Techniques
Reconnaissance involves collecting as much information as possible about the victim before starting the attack. Usually, this phase is associated with hacking. Some reconnaissance techniques are [21]:
- Social engineering: manipulating an individual's reasoning, trust, or sense of social norms to obtain sensitive information.
- Dumpster diving: obtaining sensitive information from discarded material in trash locations.
- Usenet tools: gathering data from company websites, from employees' social network profiles, or from business partners.
- Domain name system (DNS) reconnaissance/zone transfer: a DNS server can be a good place for hackers to harvest important information such as the address of a mail server, the address of a web server, operating system information, and even comments in the zone file.
TABLE 6.1 Mobile Malware Techniques, Security Goal Compromised, and Employed Functionality

Malware technique | Security goal compromised | Functionality
Repackaging common apps | Confidentiality, integrity, availability | Insert malicious code into a benign application
Drive-by download | Confidentiality | Use social engineering to make the user download malware
Dynamic payload | Confidentiality | Convince the user to install an embedded APK by posing as an update
Stealth malware techniques | Confidentiality, availability | Exploit mobile resource limitations to evade commercial antimalware applications
Colluding apps | Confidentiality | Apps collude with each other to launch the attack
Privilege escalation | Confidentiality | Exploit kernel vulnerabilities to gain root access

Denial of Service
This technique is easy to implement but difficult to defend against. It targets the availability goal of cloud security. The technique involves consuming system resources (CPU, network bandwidth, RAM, or disk space) by sending a huge number of illegitimate requests, beyond the limit the system can handle, so that legitimate users become unable to access or use the system. The most common type of DoS attack is the distributed DoS (DDoS) attack, which uses many computers (possibly thousands) to launch the attack instead of the single computer used in a plain DoS attack [21].
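As an added example (not from the chapter), the following Python shows the detection side of the two cases just described, run over constructed request logs: a per-source sliding-window counter catches the single-host flood, and an aggregate counter is needed for the distributed case, where every bot individually stays under the per-source limit. The log tuples, addresses, window sizes, and thresholds are all assumptions chosen for the example.

```python
# Added example: request-flood detection over constructed web-server log records.
from collections import defaultdict, deque

# Constructed request log: (unix time, source address, request line). Not real traffic.
FLOOD_LOG = (
    [(1000.0 + i * 0.01, "203.0.113.7", "GET /login") for i in range(600)]       # one host, 100 req/s
    + [(1000.0 + i * 1.0, "198.51.100.4", "GET /index.html") for i in range(30)]  # a normal client
)
# 500 distinct addresses, one request each, spread over 5 s: a DDoS that stays under
# any per-source limit.
DDOS_LOG = [(2000.0 + (i % 50) * 0.1,
             "10.%d.%d.%d" % (i // 65536, (i // 256) % 256, i % 256), "GET /")
            for i in range(500)]


def per_source_floods(log, window=5.0, threshold=200):
    """Sliding-window request count per source.
    Returns {source: time at which its count inside the window first exceeded threshold}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, _line in sorted(log):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:      # drop requests that fell out of the window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def aggregate_flood(log, window=5.0, threshold=400):
    """Total request rate regardless of source. Returns the time the window first held
    more than threshold requests, or None. This is what catches the distributed case."""
    q = deque()
    for ts, _src, _line in sorted(log):
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            return ts
    return None


if __name__ == "__main__":
    print("per-source alerts, single flood:", per_source_floods(FLOOD_LOG))
    print("per-source alerts, DDoS:", per_source_floods(DDOS_LOG))
    print("aggregate alert, DDoS:", aggregate_flood(DDOS_LOG))
```

The aggregate counter is the weaker signal on its own: a legitimate burst (a link from a popular site, many clients behind one NAT) trips it too, so in practice the two are combined with a baseline of the service's normal request rate rather than a fixed threshold.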
Account Cracking
An attacker can use a number of tools to perform password cracking, typically against a file of hashed passwords. Brutus, Web Cracker, ObiWan, Burp Intruder, and Burp Repeater are some examples of tools used for this purpose. Hackers use different techniques for password cracking [21]:
- Dictionary attack: uses a dictionary of words against the victim's account.
- Brute force attack: tries every possible combination of characters until the password is cracked.
- Hybrid attack: combines the two attacks (dictionary and brute force).
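As an added example (not from the chapter or from any of the tools it names), the following Python runs the three techniques above against constructed unsalted SHA-256 digests of the kind a leaked password file might contain, counting the guesses each one costs, and then shows the defender's counterpart: a per-user salt with a slow key derivation function (PBKDF2 from the standard library) that multiplies the cost of every guess. The target passwords, wordlist, character sets, and iteration counts are assumptions chosen for the example.

```python
# Added example: dictionary, brute-force, and hybrid cracking of unsalted hashes,
# plus the salted slow-KDF storage that blunts all three.
import hashlib
import itertools
import os
import string


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed targets: what a leaked file of unsalted SHA-256 hashes would hold.
TARGET_WEAK = sha256_hex("admin1")    # a dictionary word plus one digit
TARGET_SHORT = sha256_hex("zq7")      # a short random string
WORDLIST = ["password", "letmein", "admin", "welcome", "qwerty"]  # constructed


def dictionary_attack(target, words):
    """Hash each wordlist entry and compare. Returns (password or None, attempts)."""
    for attempts, word in enumerate(words, start=1):
        if sha256_hex(word) == target:
            return word, attempts
    return None, len(words)


def brute_force_attack(target, charset=string.ascii_lowercase + string.digits, max_len=3):
    """Try every string over charset up to max_len; cost grows as |charset| ** length."""
    attempts = 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(tup)
            if sha256_hex(candidate) == target:
                return candidate, attempts
    return None, attempts


def hybrid_attack(target, words, suffix_charset=string.digits, max_suffix=2):
    """Dictionary words with up to max_suffix appended characters (a simple mangling rule)."""
    attempts = 0
    for word in words:
        for n in range(0, max_suffix + 1):
            for tup in itertools.product(suffix_charset, repeat=n):
                attempts += 1
                candidate = word + "".join(tup)
                if sha256_hex(candidate) == target:
                    return candidate, attempts
    return None, attempts


# Defender's side: a random per-user salt defeats precomputed tables, and the
# iteration count makes each guess cost `iterations` hash computations instead of one.
def make_record(password, iterations=100_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_record(record, guess):
    digest = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return digest.hex() == record["hash"]


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(TARGET_WEAK, WORDLIST))
    print("brute force (<=3 chars):", brute_force_attack(TARGET_WEAK))
    print("brute force on short target:", brute_force_attack(TARGET_SHORT))
    print("hybrid:", hybrid_attack(TARGET_WEAK, WORDLIST))
```

The attempt counts make the trade-off concrete: the bounded brute force spends almost 48,000 hashes and still misses "admin1", while the hybrid rule finds it in 225 because it encodes how people actually extend dictionary words.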
Structured Query Language Injection
This attack exploits applications that build Structured Query Language (SQL) query strings by concatenating user-supplied variables into them, targeting SQL servers that run such vulnerable database applications. Hackers exploit these vulnerabilities to inject malicious SQL, bypass login, and obtain unauthorized access to back-end databases. The rate of SQL injection attacks increased 69% in the second quarter of 2012 compared with the first quarter [5].
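As an added example (not from the chapter), the following Python shows the flaw just described beside its fix, using the standard library's SQLite driver on a constructed in-memory user table: the vulnerable login concatenates the username and password into the query text, so a tautology or a comment sequence in the input rewrites the WHERE clause, while the parameterized version sends the same inputs as bound values and treats them as data. The table contents and the two payloads are assumptions chosen for the example.

```python
# Added example: SQL injection login bypass (vulnerable concatenation vs parameterized query).
import sqlite3


def make_db():
    """Constructed in-memory user table; the credentials are sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def login_vulnerable(con, username, password):
    """The flaw the text describes: user input becomes part of the SQL text,
    so quote characters in the input change the structure of the query."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterized query: the driver passes the values separately from the SQL text,
    so they can never be parsed as SQL, whatever characters they contain."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = con.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


# Two classic payloads (constructed for the example).
TAUTOLOGY_PASSWORD = "' OR '1'='1"   # WHERE ... AND password = '' OR '1'='1'  -> true for every row
COMMENT_USERNAME = "bob'--"          # WHERE username = 'bob'--' AND password = ... -> password check commented out


def demo():
    """Run both payloads against both login implementations and return the outcomes."""
    con = make_db()
    return {
        "vuln_tautology": login_vulnerable(con, "nobody", TAUTOLOGY_PASSWORD),
        "vuln_comment": login_vulnerable(con, COMMENT_USERNAME, "wrong"),
        "safe_tautology": login_safe(con, "nobody", TAUTOLOGY_PASSWORD),
        "safe_comment": login_safe(con, COMMENT_USERNAME, "wrong"),
        "safe_real": login_safe(con, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

Note that SQLite's execute() refuses stacked statements, so the "; DROP TABLE" variant does not work here even against the vulnerable function; against a server that allows multiple statements per call it would.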
Cross-Site Scripting
Cross-site scripting is considered one of the most dangerous categories of attack. It involves injecting malicious scripts (JavaScript, VBScript, ActiveX, HTML, or Flash) into a vulnerable dynamic Web page so that the scripts run in the victim's Web browser. Researchers in Germany showed how a cross-site scripting attack could be used against the Amazon AWS cloud computing platform: they discovered a vulnerability in Amazon's store that allowed attackers to hijack an AWS session and gain access to customers' data [5].
Malware Injection
This attack targets the metainformation exchange in cloud computing systems. Usually, metadata exchange is carried out between a Web server and a Web browser, because in cloud systems the client's request depends on authentication and authorization. The attack involves intruding into these procedures and injecting malicious code that performs a malicious service. As a result, the cloud service experiences eavesdropping and deadlocks, which in turn increase the waiting time for legitimate users to be served [21]. Table 6.2 lists brief information about the techniques employed by cloud computing attacks, including the name of each technique, the security goal it compromises, and the functionality it employs.
TABLE 6.2 Techniques Employed by Cloud Computing Attacks, Security Goals Compromised, and Their Functionality

Intrusion technique | Security goal compromised | Functionality
Reconnaissance | Confidentiality | Collecting information about the target
Denial of service | Availability | Consuming the system's resources to prevent legitimate users from accessing them
Account cracking | Confidentiality | Cracking users' passwords
Structured Query Language injection | Confidentiality | Obtaining unauthorized access to the database
Cross-site scripting | Confidentiality | Injecting malicious scripts into vulnerable Web pages
Malware injection | Confidentiality, availability | Intruding into the metainformation exchange to inject malicious code

- EXAMPLES OF SMARTPHONE MALWARE
In this section, we explore some examples of malware that attack mobile devices:
- Cabir: This is a computer worm that infects smartphones running the Symbian OS. It is also known as Caribe, SymbOS/Cabir, Symbian/Cabir, and EPOC.cabir. It was developed in 2004 [7]. The malware writes the word "Caribe" on the screen of the infected device and uses the Bluetooth connection to propagate to other devices [46].
- DroidDream: This is a different generation of malware for Android devices that appeared in 2011. It was able to infect more than 50 apps in the Google Play market. The malware has sophisticated functionality such as data theft, root exploits, and botnet functionality. Its main objective was to recruit infected devices into a botnet [30].
- Commwarrior: This worm appeared in 2005; it was able to infect the Symbian OS through the multimedia messaging service (MMS). The worm arrives on the victim's device as an archive file named Commwarrior.zip, which contains a file named Commwarrior.sis. Upon execution, Commwarrior starts scanning for nearby devices over Bluetooth or infrared using a random name. Next, it sends an MMS message to the contacts stored on the compromised phone, using a different message header for each contact. The recipient of this MMS will often open it, infecting that phone with the worm [7].
- Phage: This is one of the earliest viruses that infected the Palm OS on mobile phones. The virus is transmitted to the Palm OS device by synchronization when it is connected to a PC. Once on the phone, it infects all of the applications there, planting its own code so that it functions without being noticed by the user or detected by the system [7].
- Pjapps: This is a Trojan embedded in an application that contains internal, conventional botnet functionality. It targets Android devices and is attached to apps from app markets other than Google Play. Its main objective is to open a backdoor on the infected device so that it can be controlled from a remote server [30].
- RedBrowser: This is a Java-based Trojan that masquerades as a program named "RedBrowser", which supposedly lets the user visit Wireless Application Protocol (WAP) sites without a WAP connection. It can infect any Java-based mobile phone. During installation, the application asks the user for permission to send messages. Upon acceptance, RedBrowser starts sending SMS messages to premium-rate (paid) numbers. In addition, RedBrowser uses the smartphone's connection to social networks (Facebook, Twitter, etc.) to obtain contact information for the user's friends (based on the permission granted at the beginning) and sends them messages without the user's consent [7].
- WinCE.PmCryptic.A: This is malware that infects Windows Mobile phones. The main objective of its developers is to obtain money. It infects memory cards inserted in smartphones for wider prevalence and to launch a DoS attack [7].
- CardTrap: This is a virus that can infect various types of smartphones. Its main objective is to disable the system and third-party applications. Its malicious activity is to replace the files used to start the smartphone and its applications, which prevents them from executing. There are different versions of this virus, such as Cardtrap.A, which infects Symbian OS phones. It can also infect the memory card with malware that targets Windows [7].
- Flexispy: This is a Trojan that masquerades as an application for Symbian OS phones. Its malicious activity consists of sending all information sent and received by the smartphone to a Flexispy server. It was originally developed to protect children and to eavesdrop on unfaithful spouses [7].
- FakePlayer: This is an SMS Trojan for the Android platform. It presents itself as a legitimate movie player app with a fake Windows Media Player icon. The Trojan sends SMS messages to saved contacts without the user's consent [30].
- GPS spy: This is another Android malware that masquerades as a classic snake game, but it collects the GPS location of the phone and sends it to a remote server without the user's consent [30].
- Geinimi: This is a Trojan that infects Android mobile phones. It collects personal information and sends it to a remote server. A newer version of this Trojan can infect legitimate applications [30].
- ZitMo: This is malware that infects Android mobile phones. The Trojan can intercept and forward all SMS messages to a remote server. It can also infect legitimate applications and works together with the Zeus banking Trojan to steal banking information [30].
- NickiBot: This is Android malware that is controlled remotely by SMS messages from a remote server. It can monitor location, record voice calls, and collect all logs. It was discovered in unofficial Android markets [30].
- RootSmart: This is Android malware that was observed interacting with a botnet called Android.Bmaster. The malware gains root access on Android-based devices. It was discovered in unofficial Android markets [30].
Table 6.3 lists brief information about these mobile malware samples, including names, platforms, and the security goals they compromise.
- EXAMPLES OF CLOUD ATTACKS
In this section we explore some well-known attacks on cloud computing systems:
- DKSM: This attack can subvert and confuse existing VM introspection. It defeats existing introspection techniques by manipulating the kernel data structures of the guest


one of the main system processes in which to inject itself; it then disrupts antivirus and security applications. That keeps the malware from being detected by any detection system within the OS. One of the malware variants is named Trojan.Zbot-18 [41]. Table 6.4 shows brief information about cloud computing attacks, including their names and platforms and the security goals they compromise.
- TYPES OF INTRUSION DETECTION SYSTEMS FOR MOBILE DEVICES
Because of the continuous increase in malware attacks on mobile devices [35], it has become necessary to design and implement effective countermeasures. IDSs are the main defense mechanism against any threat that aims to compromise one or more of the mobile device security goals (confidentiality, integrity, and availability). There are four major types of IDS for mobile devices: signature-based, anomaly-based, cloud-based [22], and manual analysis, as shown in Fig. 6.4. Each type is described in this section.
Signature-Based Intrusion Detection System
A signature-based IDS extracts signatures from behavioral patterns derived from known malware misbehavior. These signatures are then compared with the signature of a new application. The Multilevel Anomaly Detector for Android Malware (MADAM) is presented as a signature-based IDS for smartphones [35]. This IDS, designed for Android devices, aims to detect malicious behavioral patterns extracted from several categories of malware. MADAM achieves this by monitoring five groups of Android features: system calls, SMS, critical API calls, user activity, and application metadata. These groups belong to four different levels of abstraction: kernel, application, user, and package. The extracted features are used to detect unusual user and device behavioral patterns. After detecting a known malicious behavioral pattern, it intercepts and blocks the malware by applying all of the prespecified hazard procedures for the user and the device. MADAM also assesses any newly installed app by inspecting the requested permissions and reputation metadata, such as user scores and download count, and places the app on a suspicious list if it is assessed as risky.
In Shen et al. [36], the authors built a topology graph for every malware family; this graph represents the family's malicious behavior. The topology graph is constructed for Android applications, which are divided into a number of classes, including Android-specific components. The classes become the nodes of the graph, and the relationships between components and other classes, such as startActivity, startService, and method invocation, become the edges.

Because two different applications may share part of their program structure, the topology graph alone is not enough to detect malware. Therefore, the detector extracts the set of API calls in every class and attaches it as an attribute of the corresponding node in the topology graph. The rationale for using API information is that API calls reveal the functionality implemented in each class and may expose certain malicious behaviors. In this way, the malware detector can distinguish between benign apps and malware.
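As an added example (not the code of Shen et al. or of any other project the chapter cites), the following Python implements a small version of the topology-graph matcher just described: an app is a graph whose nodes are classes, each carrying the set of API calls it makes, and whose typed edges are relationships such as startService; a family signature is a pattern graph with required API sets on its nodes; matching is a backtracking search for an injective mapping that preserves the edges and, when API attributes are used, requires each app class to cover the signature node's API set. The signature, the two apps, and the API and class names are constructed for the example. The point of the second app is the one the text makes: a benign SMS application with the same two-class topology matches the signature when only structure is compared, and is rejected once API sets are attached to the nodes.

```python
# Added example: signature matching on a class-level topology graph with API-set node attributes.

# Family signature: abstract nodes with required API calls, and typed edges between them.
SIGNATURE_SMS_STEALER = {
    "nodes": {
        "collector": {"android.content.BroadcastReceiver.onReceive",
                      "android.telephony.SmsMessage.getMessageBody"},
        "uploader": {"java.net.HttpURLConnection.connect"},
    },
    "edges": {("startService", "collector", "uploader")},
}

# Constructed app graphs: class -> {"apis": calls made by the class, "edges": (type, target class)}.
SAMPLE_MALWARE_APP = {
    "a.b.Main": {"apis": {"android.app.Activity.onCreate"}, "edges": set()},
    "a.b.Rcv": {"apis": {"android.content.BroadcastReceiver.onReceive",
                         "android.telephony.SmsMessage.getMessageBody",
                         "android.content.Intent.putExtra"},
                "edges": {("startService", "a.b.Up")}},
    "a.b.Up": {"apis": {"java.net.HttpURLConnection.connect", "java.io.OutputStream.write"},
               "edges": set()},
}

# Same topology (receiver --startService--> service) but the service only posts a notification.
SAMPLE_BENIGN_SMS_APP = {
    "com.ex.sms.SmsListener": {"apis": {"android.content.BroadcastReceiver.onReceive",
                                        "android.telephony.SmsMessage.getMessageBody"},
                               "edges": {("startService", "com.ex.sms.NotifyService")}},
    "com.ex.sms.NotifyService": {"apis": {"android.app.NotificationManager.notify"},
                                 "edges": set()},
}


def match_signature(app, sig, use_apis=True):
    """Find an injective mapping signature node -> app class that preserves every typed
    signature edge. With use_apis, a class may play a node only if it makes all of the
    node's required API calls. Returns the mapping, or None when no embedding exists."""
    sig_nodes = list(sig["nodes"])

    def edges_ok(mapping):
        return all((etype, mapping[dst]) in app[mapping[src]]["edges"]
                   for etype, src, dst in sig["edges"])

    def backtrack(i, mapping, used):
        if i == len(sig_nodes):
            return dict(mapping) if edges_ok(mapping) else None
        node = sig_nodes[i]
        for cls_name, cls in app.items():
            if cls_name in used:
                continue
            if use_apis and not sig["nodes"][node] <= cls["apis"]:
                continue
            mapping[node] = cls_name
            used.add(cls_name)
            found = backtrack(i + 1, mapping, used)
            if found:
                return found
            del mapping[node]
            used.discard(cls_name)
        return None

    return backtrack(0, {}, set())


if __name__ == "__main__":
    print("malware, api-attributed:", match_signature(SAMPLE_MALWARE_APP, SIGNATURE_SMS_STEALER))
    print("benign, api-attributed:", match_signature(SAMPLE_BENIGN_SMS_APP, SIGNATURE_SMS_STEALER))
    print("benign, topology only:", match_signature(SAMPLE_BENIGN_SMS_APP, SIGNATURE_SMS_STEALER,
                                                   use_apis=False))
```

The backtracking search is exponential in the number of signature nodes in the worst case, which is acceptable because family signatures are small; the app graph, which can have thousands of classes, is only iterated over.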
Anomaly-Based Intrusion Detection System
In contrast to a signature-based IDS, an anomaly-based IDS does not require signatures to detect an intrusion. In addition, an anomaly-based IDS can identify unknown attacks by their behavioral similarity to other intrusions. Anomaly-based detection is based on modeling normality: any deviation from the normal model is considered anomalous, and occurrences of malware are identified as such deviations. This technique is effective in detecting unknown malware. The anomaly-based model presented in Sanz et al. [34] extracts several features from the manifest file of Android applications, namely the uses-permission and uses-feature entries, to build the model. These features were used to build a normal model from several legitimate applications, against which malicious applications are detected. Other efforts, such as the model proposed in Ghaffari and Abadi [10], used entropy-based anomaly detection to detect clear deviations in the network behavior of Android applications; they used two common entropy measures, sample entropy and modified sample entropy, to detect Android malware. Anomaly-based malware detection has attracted researchers working on both computing systems and network traffic. Different approaches have been used in mobile malware detection, such as statistical approaches, data-mining-based methods, and machine learning techniques. The model presented in Cheng et al. [3] was based on a statistical approach: it collected communication activity information from the smartphone and then conducted joint analysis to detect single-device and system-wide malicious behavior. Machine learning algorithms can also be used in anomaly-based malware detection, such as the model proposed in Peiravian and Zhu [29]. The authors combined permissions and API calls in a machine learning approach to malware detection. The permissions are extracted from each app's profile information, whereas the API calls are extracted from the packed app file using libraries that represent API calls. By combining permissions and API calls and using them as features describing each app, a classifier can be trained to distinguish between benign apps and malware. Deep learning is a newer machine learning technique that has proven effective in many applications. Deep learning was used for malware detection in Yuan et al. [47] after the researchers conducted static and dynamic analysis to extract features from each app. Static analysis extracts features such as required permissions and sensitive API calls, whereas dynamic analysis works from the installation file (the APK) of each app. A deep belief network architecture and convolutional neural networks were used to construct the online learning model and characterize Android apps. The learning model consisted of two phases: unsupervised pretraining and supervised back-propagation. Their system, DroidDetector, has been kept online for user testing and can be used to determine whether a submitted app is malware or benign.
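As an added example (not the model of Sanz et al. or any other project the chapter cites), the following Python builds the simplest form of the manifest-based normality model described above: the training set is the uses-permission list of a few benign apps, the model is the frequency with which each permission appears among them, a new app is scored by how improbable its permission set is under that model, and the alert threshold is the highest score any benign training app reaches. The manifests, the suspect app, and the smoothing and threshold choices are assumptions constructed for the example.

```python
# Added example: anomaly detection on Android manifest permissions with a
# frequency-based normal model learned from benign apps.
import math
from collections import Counter

# Constructed uses-permission sets from the manifests of a few benign apps (the training set).
BENIGN_MANIFESTS = {
    "calc": {"INTERNET"},
    "weather": {"INTERNET", "ACCESS_COARSE_LOCATION"},
    "notes": {"WRITE_EXTERNAL_STORAGE"},
    "camera": {"CAMERA", "WRITE_EXTERNAL_STORAGE"},
    "maps": {"INTERNET", "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "reader": {"INTERNET", "WRITE_EXTERNAL_STORAGE"},
}

# Constructed manifest of an app to score: it reads and sends SMS and starts at boot,
# none of which any benign training app requests.
SUSPECT_MANIFEST = {"INTERNET", "READ_SMS", "SEND_SMS", "RECEIVE_BOOT_COMPLETED"}


def train_model(manifests):
    """Normal model: how many benign apps request each permission."""
    counts = Counter(p for perms in manifests.values() for p in perms)
    return {"n_apps": len(manifests), "counts": counts}


def rarity_score(model, perms):
    """Sum over the app's permissions of -log P(permission | benign).
    Laplace smoothing gives a permission never seen in the benign set a large
    but finite penalty instead of an infinite one."""
    n = model["n_apps"]
    return sum(-math.log((model["counts"][p] + 1) / (n + 1)) for p in perms)


def fit_threshold(model, manifests):
    """Highest score any training app reaches: the boundary of 'normal' for this model."""
    return max(rarity_score(model, perms) for perms in manifests.values())


def is_anomalous(model, threshold, perms):
    """True when the permission set deviates from the normal model."""
    return rarity_score(model, perms) > threshold


if __name__ == "__main__":
    model = train_model(BENIGN_MANIFESTS)
    thr = fit_threshold(model, BENIGN_MANIFESTS)
    print("threshold: %.3f" % thr)
    print("suspect score: %.3f anomalous=%s" % (rarity_score(model, SUSPECT_MANIFEST),
                                                is_anomalous(model, thr, SUSPECT_MANIFEST)))
```

The limitation of a permissions-only model is visible in the same code: a legitimate SMS client would score exactly like the suspect app, which is why the approaches that follow in the chapter add API calls, runtime behaviour, or network features to the manifest data.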
Cloud-Based Intrusion Detection System
Because mobile IDSs consume considerable CPU and memory in performing their task, and smartphones and other mobile devices have limited energy and computational resources, implementing an IDS for smartphones is a challenging task. To resolve these problems, cloud-based IDSs have been proposed to detect suspicious behavior or malicious activity on smartphones. The main objectives of such a solution are that it should not consume the device's resources and should be practical and suitable for implementation. One solution [13] requires users to install a lightweight agent on their smartphones and register with an online cloud service. Registration involves specifying information such as the smartphone's OS, the applications installed on the phone, and other relevant information about the device. The next step is to emulate the smartphone in a VM in the cloud using a proxy, which duplicates the traffic bound for the device and forwards it to the emulation platform (where detection takes place). Because the system is deployed in the cloud, all registered users can use it at the same time. The lightweight agent installed on the user's registered device inspects all of the file activity of the system. Whenever the user performs any data transfer activity, the agent forwards the traffic to the cloud through the proxy server. This procedure allows multiple detection engines to execute in parallel by hosting them on an emulated device. The advantage of using virtualization to run multiple detection engines is that it increases the coverage of malware detection. This approach is a proactive defense mechanism because it alerts the smartphone user that a file is infected before it is downloaded. Another cloud-based approach to botnet malware, proposed in Jadhav et al. [12], consists of two stages: malware analysis and data clustering. The malware analysis stage accepts applications from the user and performs malware analysis and data collection. In the clustering stage, the system conducts multilayer clustering based on the data collected in the first stage. The system is characterized by its ability to handle multiple clients at the same time and by its resource flexibility.
Manual Analysis
A professional auditor can perform manual analysis to detect mobile malware on the server that provides the analysis service. However, this method is time-consuming; it is also inaccurate, which may lead to a high false-negative rate. Contemporary malware uses sophisticated techniques and obfuscation methods to evade detection strategies, and it takes considerable time to build the expertise required for this kind of work.
- TYPES OF INTRUSION DETECTION SYSTEMS FOR CLOUD COMPUTING
As a countermeasure to the increasing number of attacks on cloud computing systems, IDSs have been used to detect malicious activity that may compromise cloud computing security. IDSs in a cloud computing environment can be divided into five categories (types): network-based, host-based, hybrid, hypervisor-based, and distributed, as shown in Fig. 6.5.
Network-Based Intrusion Detection System
Network-based IDSs for cloud computing systems capture network traffic and analyze it to detect potential intrusions such as DoS attacks, port scanning, and botnets. Internally, a network-based IDS can use a signature-based approach and compare the collected information against a signature database to look for a match with a known intrusion, or it can work as an anomaly-based system and compare current behavior with normal behavior to decide whether there is an attack. The model proposed in Chou and Wang [4] consists of three parts: a preprocessor, an analyzer, and a detector. The preprocessor converts audited data from raw packets into connection records with the required features. The connection records are fed to the analyzer as input and labeled as normal or anomalous using an unsupervised learning algorithm. The resulting labeled records are saved in a database, which the analyzer uses to train a prediction model and to update the existing model so that it adapts to the environment. The last part is the detector, which loads the resulting prediction model from the analyzer to inspect the records produced by the preprocessor. The architecture of the proposed system is depicted in Fig. 6.6. The cloud computing system uses virtualization technologies to provide different services through VMs. In the proposed cloud platform, a server-agent scheme is used to achieve network intrusion detection. A lightweight agent is placed in each client VM and executed in the background; it is responsible for real-time inspection and for transferring data to a server VM. The server VM receives the input connection records and outputs an updated tree file to all client VMs to keep the detection ability of all VMs up to date. For security reasons, it is preferable to isolate the communication between the agents and the server VM and make it inaccessible to users of the services offered by the client VMs. Therefore, an Open vSwitch is added to manage the different networks in the hypervisor, as shown in Fig. 6.6. However, the system implemented in Chou and Wang [4] has some limitations: it is not able to detect attacks that make many connections, such as DoS and probing attacks; instead, it is restricted to detecting only rare attacks. Other work has used a network-based IDS to handle a large flow of network traffic, analyze it, and then generate organized reports incorporating the results of behavior analysis in order to identify and detect intrusions into the cloud at an earlier stage. The architecture of that IDS consists of four major components: traffic capture, a traffic identifier, an analyzer, and a malicious activity detector. Traffic capture forwards the captured traffic of the monitored network in raw format to the next component, the traffic identifier. The role of the traffic identifier is to reduce the size of the captured network traffic by extracting a set of features from the raw data. The output of the traffic identifier is used as input to the analyzer (the detection engine), which uses an artificial neural network to look for malicious activity. Once malicious activity is detected, a report is sent to the administrator to inform them about the attack [18].
Host-Based Intrusion Detection System
A host-based IDS (HIDS) gathers information from connected hosts and analyzes it to detect malicious activities. The gathered information can be system log files, OS data structures, running processes, file access and modification, system and application configuration, or system calls [15]. This kind of IDS is used to protect the integrity of a cloud computing system [31]. However, a conventional HIDS cannot be used directly for intrusion detection in cloud computing because of the internal procedure it employs: it analyzes the behavior of users in their local contexts. Cloud users are different in the freedom they have to use multiple resources from different domains, at the same time or one after the other, so intrusion detection must be accomplished from the cloud's perspective as an integrated system. Therefore, different approaches are used to overcome this problem. The IDS log cloud analysis system is a proposed IDS analysis system for cloud inter-VM traffic and different platforms [43]. Its internal architecture is based on Hadoop MapReduce log file analysis for a cloud computing system; the main characteristics of this design are its scalability and reliability.
Hypervisor-Based Intrusion Detection System
Another type of IDS for cloud computing operates at the hypervisor level. A hypervisor is the software component that serves as the main pillar of virtualization in a cloud computing system. It is responsible for sharing resources among VMs and for providing a layer for interaction among VMs [17]. Any vulnerability in the VMs can be exploited by attackers to initiate various advanced attacks, such as stealthy rootkits, Trojans, and regular DoS and DDoS attacks, against those VMs. Attacks launched at the hypervisor level can throw the normal operation of the cloud infrastructure into disorder. Therefore, it has become essential to look for an effective strategy to defend against attacks at the hypervisor level and protect the virtualized resources of the guest OS. The hypervisor- and VM-dependent Intrusion Detection and Prevention System (VMIDPS) for a virtualized cloud environment [17] is one of the proposed hypervisor-based IDSs for virtual environments; it aims to keep the VM in a robust state by detecting and then eliminating rootkits. The architecture is composed of four collaborating components: a management unit, a VMIDPS server, an IDPS core, and a hypervisor, as shown in Fig. 6.7. The first component is the management unit (one of the hypervisor's components), within which the hypervisor and the Intrusion Detection and Prevention System (IDPS) core reside. The second component is the VMIDPS server, which is the complementary part of the IDPS core; it runs on the hypervisor.

The management unit is instructed by the hypervisor to deploy an IDPS agent onto every newly launched VM; each IDPS instance running on a VM is called a VMIDPS. The VMIDPS scans the whole VM to confirm that the system is in a safe, uninfected state. A VM is permitted to execute a function only if it is confirmed as a safe (robust) system function; otherwise the VMIDPS triggers an alarm so that suitable action can be taken to bring the VM back to a normal state. The VMIDPS integrates different intrusion detection techniques, such as file integrity verification, signature-based detection, and anomaly-based detection, to detect multiple types of intrusion (rootkits, viruses, worms, port scans, file alterations, and others). The VMIDPS sends the whole state of the VM to the VMIDPS server on a regular basis so that intrusions able to evade detection at the VM level can be detected there; a cross-view analysis technique is used for this purpose. Other hypervisor-based IDSs use performance metrics collected from the hypervisor, such as network data transmitted and received, block device read and write requests, and CPU use, to detect suspicious activity within a VM without detailed knowledge of the OS running on that VM. In addition, this hypervisor-based method does not require any additional software to be installed on the VMs. The framework consists of three major components: a controller node, end point nodes, and a notification service. The controller node analyzes close-to-real-time performance data from all of the VMs in the cloud computing environment [27]. The end point nodes collect data on every VM running in the cloud environment from the hypervisor and direct it to the controller node. The last component is the notification service, which signals a notification when an attack signature is detected.
The framework structure is illustrated in Fig. 6.8.
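As an added example (not the framework of [27] or any other project the chapter cites), the following Python shows the core of a metrics-only hypervisor-side detector of the kind just described: it learns a per-VM baseline (mean and spread of each counter) from a window of the VM's own history, standardizes each new interval's counters against that baseline, and reports the metrics whose deviation exceeds a cut-off, with no agent inside the guest. The counter names follow the categories the text lists (network bytes transmitted and received, block read and write requests, CPU use), which are the kind of per-domain statistics a hypervisor exposes (for example through `virsh domstats`); the sample values, the 5 % variance floor, and the cut-off of 4 standard deviations are assumptions constructed for the example.

```python
# Added example: z-score anomaly detection on per-VM counters collected from the hypervisor.
import statistics

METRICS = ("net_tx_bytes", "net_rx_bytes", "blk_read_req", "blk_write_req", "cpu_pct")

# Constructed history of one VM: 20 intervals of ordinary activity.
BASELINE_SAMPLES = [
    {"net_tx_bytes": 1_000_000 + (i % 5) * 20_000,
     "net_rx_bytes": 2_000_000 + (i % 4) * 50_000,
     "blk_read_req": 10,                     # flat metric: exercises the zero-variance guard
     "blk_write_req": 30 + (i % 2) * 5,
     "cpu_pct": 20 + (i % 3)}
    for i in range(20)
]
# A later ordinary interval, and one where outbound traffic and CPU jump together,
# as they would if the guest had started flooding or mining (both constructed).
NORMAL_SAMPLE = {"net_tx_bytes": 1_040_000, "net_rx_bytes": 2_050_000,
                 "blk_read_req": 10, "blk_write_req": 32, "cpu_pct": 21}
SPIKE_SAMPLE = {"net_tx_bytes": 50_000_000, "net_rx_bytes": 2_075_000,
                "blk_read_req": 10, "blk_write_req": 33, "cpu_pct": 95}


def build_baseline(samples):
    """Per-metric (mean, population stdev) learned from a window of the VM's own history."""
    base = {}
    for metric in METRICS:
        values = [s[metric] for s in samples]
        base[metric] = (statistics.mean(values), statistics.pstdev(values))
    return base


def z_scores(base, sample):
    """Standardized deviation of one interval's counters from the baseline."""
    scores = {}
    for metric, (mu, sigma) in base.items():
        # Floor the spread at 5% of the mean so a perfectly flat metric (sigma == 0)
        # does not turn every one-unit wobble into an alert, and never divide by zero.
        sigma = max(sigma, 0.05 * abs(mu), 1e-9)
        scores[metric] = (sample[metric] - mu) / sigma
    return scores


def suspicious_metrics(base, sample, k=4.0):
    """Sorted names of the metrics whose |z| exceeds k; an empty list means nothing to report."""
    return sorted(m for m, z in z_scores(base, sample).items() if abs(z) > k)


if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    print("normal interval:", suspicious_metrics(base, NORMAL_SAMPLE))
    print("spike interval:", suspicious_metrics(base, SPIKE_SAMPLE))
```

Because the baseline is the VM's own history, a guest that was already compromised when sampling began is learned as normal; a controller node that pools baselines across VMs running the same workload reduces that blind spot.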
Distributed Intrusion Detection System
A distributed IDS for cloud computing systems deploys IDSs across the network to inspect traffic for intrusive behavior. Each of these IDSs consists of two components: a detection component and a correlation manager. The detection component inspects the system's behavior and sends the collected data, represented in a standard format, to the correlation manager. The correlation manager in turn gathers data from the various IDSs and produces high-level alerts that trigger a reaction to the attack. The analysis phase can use both anomaly-based and signature-based detection techniques to respond to unknown and known attacks. Modi [24] proposed a distributed IDS for cloud computing. The framework is based on installing a network IDS on each host machine of the cloud to monitor virtual network traffic with the goal of detecting intrusions. The proposed framework consists of six components: packet capture, signature detection, network traffic profile generation, anomaly detection, severity calculation, and an alert system. Packet capture captures network traffic, including communication between VMs and between VMs and the host machine, for intrusion inspection. Signature detection detects known attacks in the captured real-time network traffic and filters out any intrusive connection. The third component, network traffic profile generation, builds network profiles by extracting useful network features; it also extracts the virtual local area network (VLAN) ID to identify the VLAN from which the attacking VM is running. The generated profile is sent to the anomaly detection component, which uses an associative classifier to predict a class label (either normal or intrusion) for each received profile. This classifier is useful for detecting unknown attacks in the network.
In case an intrusion is detected, an alert is sent to the severity calculation module,



Published @ September 27, 2021 4:40 am