Software technology has witnessed a surge of malicious programs which are written by malware writers. This presents a major threat to software technology. Software developers such as Android have developed security mechanisms to identify and ensure the security of information stored in smartphone devices (Iqbal & Zulkernine, 2018).
An example is the permission mechanism. However, researchers have proposed threats which can bypass the mechanism; thus there is a need to develop the most effective mechanism to eliminate potential threats over the internet. The antivirus programs installed on smartphone devices can secure the devices because of the restrictive nature of operating systems, i.e., an android which does not allow programs to scan the runtime behavior of users.
The antivirus malware detection relies on the identification of signature, a mechanism that is reactive rather than proactive. Great efforts have been made to improve the situation which involves dynamic and static analytical techniques. The static analysis comprises decompilation of an application file (apk) for example analysis of control flow, data flow, API call fingerprinting and byte N-gram.
However, the system of static analysis is becoming less effective because of the powerful techniques used in transmission. Thus, dynamic analysis is a useful complement to static analysis due to less vulnerability to transmission of codes. It can extract features which represent unique execution patterns. About 98% over of malware is different from traditional malware family (Iqbal & Zulkernine, 2018).
Dynamic analysis is used by software’s developer such as Google which uses Google bouncer which offer analysis to apks submitted (Iqbal & Zulkernine, 2018). Unfortunately, an Android application has a challenge in using an emulator because malware writers can evade detection. The writers can detect such emulators.
However, integration of the techniques is difficult on devices used by end users and requires a combination of techniques because a single technique or antivirus can only detect a particular family of malware. Currently, there are a number of techniques which are more effective in detecting malicious programs for example siren and spy droid. This paper discusses siren, an injection system that works collaboratively with an intrusion detection system to identify malware. It injects human input using virtual machine technology.
Technical review of the siren
Human input in siren is designed to generate network requests in a known pattern which is sent to the IDS. The IDS is expected to raise the alarm if traffic in the actual network change. Also, IDS detect blending in or mimicry of malware with siren activities. In situations where siren generates an activity which is difficult to separate from normal usage by malware attacks and the malware continue to mimic activity over time, then the likelihood of detecting the malware declines (Iqbal & Zulkernine, 2018).
Also, malware writer can avoid detection if they learn to differentiate between injected input and real input. This is possible by identifying an activity of end-users via out of band channel through calling him or her and request for input of predetermined sequence which triggers malware. An attack that involves the end-user is difficult. The identification of human input presents a real challenge. This is similar to a reverse Turing test which applies CAPTCHA to identify human and computer. This system gives human a challenge which he or she can solve and locks out a computer.
Monitoring web content is one of the many possible ways to identify blending malware. The contents are monitored in terms of what comes into the web browser and human input for example typing in URLs and click links. A comparison is made between the resulting traffic generated by the network and the expected traffic. A difference between the two raises suspicion.
This method has limitations in its implementation although it is effective and does not need an injection of an input. Sophisticated modeling needed to determine what is expected of a web browser in addition to using a different machine to run an input. The security over the internet is culminated by habits of users to download not recommended programs and to copy and paste data into various forms and to upload files.
Software developers, however, continue to take a different approach to curb threats. Siren takes a different technique of injecting a known sequence of input instead of trying to predict network traffic which is a result of human input so that it has control over form data, file uploads, and other browsing activity.
This is possible through the use of a virtual machine (VM) technology useful in injecting an input to enable isolation from the guest operating system. The operating mat sometimes is infected or compromised by malware. A virtual machine has beneficial security features and able to run low-performance overhead. These have been advantageous in the inspection of the condition of an operating system installed on user machines without interfering with its operation and to check its susceptibility to threats.
However, virtual machines are limited to the number of machines which can be operated simultaneously although it often tampers with security features. The host machine can revert to its initial checkpoints. This is a gap in which many security companies take advantage. Siren can run with the main VM from the guest OS and in rare occasions, revert to checkpoints. Also, virtual machines have limited to its current wide use and must be installed for one to use Siren.
Recent research has shown the feasibility of operating the whole operating system inside of a VM without disturbing the OS, significantly hurting performance, or requiring any user interaction (Borders, Zhao, & Prakash, 2006). The current design of Siren comprises guest OS containing normal files of end users and applications. This is found in situations where the end users send emails, browse the internet and compose documents. Mostly, the guest operating system is vulnerable to infection by worms, spyware, and rootkits among other malicious software.
Siren operates at the background of a guest OS on the virtual machine monitor (VMM) thereby isolating itself from any possible threats. Background operation makes it able to view input and output (I/O) originating from guest OS and inject input without detection or disruption by a guest operating system.
Siren takes advantage of the fact that most legitimate programs less often communicate over the network when the user is not around. Many personal computers (PCs) have the ability to run less of the trusted processes, i.e. event notification programs and automated software updates which can generate traffic in the absence of its users.
These programs are capable of generating false positives if unfiltered (Borders, Zhao, & Prakash, 2006). The traffic which is based on process ID can be ignored as a way of filtering trusted applications and network messages. Most commercial protection programs (Black Ice Defender and Nortion Personal Firewall) apply this approach.
Injection and execution into other processes if often straightforward even though the decision by trust does not work well by origin processes. Most malware programs insert libraries into a browser to track the browsing pattern of the end users and at the same time send private information to host servers through the web browser (Borders, Zhao, & Prakash, 2006).
A good security program should support a whitelist of trusted destination addresses of a given network instead of just checking for the origin of processes. Softwares such as siren and spyDroid take advantage of this. As an example, if windows update, Google toolbar, and WeatherBug were to be installed, and the network messages should be ignored if they originate from workstation to the websites, i.e., windowsupdate.com and google.com and weatherbug.com respectively without looking at the application the request originates.
Using a white list of trusted addresses may craete gaps in the system (Borders, Zhao, & Prakash, 2006).
Evaluation of effectiveness for security software
Software’s developers for example siren and android developers aims at eliminating spyware. The programs installed in our devices should be evaluated before allowed into the market for end users who are ignorant of the probability of threats. Evaluation of the effectiveness of any security features of programs first requires its installation on a PC.
Different types of spyware should be installed. The first phase of the evaluation or test involves Siren run without injection of additional input to determine the number of spyware programs which generate network traffic in the absence of end user. However, this test has drawbacks when spyware programs make few web requests to camouflage with normal browsing activities. Also, it is difficult to identify spyware programs if they run as plug-ins within a web browser. This is a trusted process which receives legitimate input. This requires a program that uses input injection to detect embedded spyware in a web browser.
Evaluation malware detectors such as spyDroid and siren require manual creation of a pattern of web activities and replaying each with an installed spyware program. The detectors run a script to make a comparison of the websites that have been visited during a run for every input.
Flagged requests for the sites not visited in initial input run are considered as malicious. Application of this approach, the malware detectors can identify spyware programs even those that run within the web browser and evade detection. Many spyware programs do communicate during active browsing to camouflage with normal traffic.
The past techniques which are used in the identification of malicious activities are susceptible to attack and therefore are needed to develop programs which are difficult to mimic and trace activities of end users. Also, the end user should play their part by evading installation of software’s which are not recommended by device developers. A collaboration between and users and program developers, especially those dealing with an operating system of devices which handle sensitive information such as bank accounts, is necessary.
This can greatly help to reduce threats or attacks by malware. The findings in evaluating malware detection programs conclude that spyDroid in android smartphone devices and Siren is effective in the identification of malicious software which embeds themselves in web browsers.
- Borders, K., Zhao, X., & Prakash, A. (2006, May). Siren: Catching evasive malware. In 2006 IEEE Symposium on Security and Privacy (S&P’06) (pp. 6-pp). IEEE.
- Iqbal, S., ; Zulkernine, M. (2018, October). SpyDroid: A Framework for Employing Multiple Real-Time Malware Detectors on Android. In 2018 13th International Conference on Malicious and Unwanted Software (MALWARE) (pp. 1-8). IEEE.