Post on 25-Sep-2020
Science of Security Lablet
Security Metrics-Driven Evaluation, Design, Development, & Deployment
Automated Assessment of Security Risks for Mobile Applications
Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie
Department of Computer Science North Carolina State University
Source: https://blog.lookout.com/blog/2011/12/12/2012-mobile-threat-predictions
Lookout Mobile Security reported that Android malware resulted in a loss of about US $1 million in 2011.
Source : http://www.f-secure.com/static/doc/labs_global/Research/Mobile%20Threat%20Report%20Q4%202012.pdf
F-Secure MOBILE THREAT REPORT Q4 2012
Approach to Mobile App Distribution (Google Play)
Open system:
The developer releases the app on the Play Store
Users can directly install the app
The user has to explicitly grant the permissions requested by the app; this permission grant is the security checkpoint in this model
Problem
Felt, Adrienne Porter, et al. "Android permissions: User attention, comprehension, and behavior." Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS). ACM, 2012.
Only 17% of the users participating in the study paid attention to permissions during installation.
Source: http://security.networksasia.net/system/files/Security+Asia+-+Symantec+-+Motivations+of+recent+android+malware.PDF
Motivations of Recent Android Malware
"Yet another modification of the Google Android Snake game. This one listens to the taps for its turn directions."
Solution
Simple Solution: Keyword-based search
Keyword-based search on application descriptions
Problems with Keyword-based Search
Confounding effects: certain keywords, such as "contact", have more than one meaning:
"... displays user contacts ..." vs. "... contact me at abc@xyz.com"
Semantic inference: sentences often describe a sensitive operation, such as reading contacts, without using the keyword "contact" at all:
"share yoga exercises with your friends via email, sms"
WHYPER Implementation (architecture diagram)
Inputs: App Description; API Docs (used to build the Permission Semantic Engine)
Components: NLP Parser; Permission Semantic Engine
Output: Annotated Description
Example 1 (confounding keyword)
"For suggestion please contact me at abc@xyz.com"
Here "contact" is a verb, not the Contacts resource, so the sentence is not annotated with READ_CONTACTS.
Example 2 (semantic inference)
"Also you can share the yoga exercise to your friends via Email and SMS."
Email is a sub-resource of Contacts
"share" is semantically equivalent to "send"
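The two failure modes of keyword search (the confounding "contact me at ..." sentence and the yoga sentence that never mentions "contact") and the resource/action matching sketched in the two examples above, as an added, runnable illustration. This is not WHYPER's code: a crude tagger stands in for the NLP parser, a hand-built permission semantic graph (resource, sub-resources, canonical actions, verb synonyms) stands in for the engine built from API docs, and the corpus, the keyword lists, the graph contents and the resulting scores are all constructed here for illustration.

```python
"""Toy description-to-permission matcher in the style of WHYPER (added example).

Contrasts a keyword matcher with a small semantic matcher: a crude tagger
stands in for an NLP parser, and a hand-built permission semantic graph
(resource, sub-resources, actions, synonyms) stands in for the engine built
from API docs. Corpus, graph and scores are constructed for illustration.
"""
import re

# Constructed corpus: (sentence, permissions the sentence really implies).
CORPUS = [
    ("For suggestion please contact me at abc@xyz.com", set()),
    ("Also you can share the yoga exercise to your friends via Email and SMS.", {"READ_CONTACTS"}),
    ("Displays your contact list so you can pick a friend.", {"READ_CONTACTS"}),
    ("Blow into the microphone to extinguish the candle.", {"RECORD_AUDIO"}),
    ("Record calls and save them for later.", {"RECORD_AUDIO"}),
    ("Add the event to your calendar with one tap.", {"READ_CALENDAR"}),
    ("Shows your upcoming appointments and events.", {"READ_CALENDAR"}),
    ("Keeps a record of your high scores.", set()),
    ("Tap the screen to turn the snake.", set()),
]

# Baseline: one keyword list per permission, substring search on the text.
KEYWORDS = {
    "READ_CONTACTS": ["contact"],
    "READ_CALENDAR": ["calendar"],
    "RECORD_AUDIO": ["record", "microphone"],
}

def keyword_match(sentence):
    text = sentence.lower()
    return {perm for perm, kws in KEYWORDS.items() if any(k in text for k in kws)}

# Hand-built semantic graph (assumed, not WHYPER's): resource -> sub-resources,
# plus the canonical actions a sentence must pair with the resource.
SEMANTIC_GRAPH = {
    "READ_CONTACTS": {"resources": {"contact": {"email", "phone", "address"}},
                      "actions": {"read", "show", "send", "import"}},
    "READ_CALENDAR": {"resources": {"calendar": {"event", "appointment", "reminder"}},
                      "actions": {"read", "show", "add", "sync"}},
    "RECORD_AUDIO": {"resources": {"audio": {"microphone", "voice", "call", "sound"}},
                     "actions": {"record", "capture", "listen"}},
}
# Verb synonyms folded onto the canonical action ("share" ~ "send").
SYNONYMS = {"share": "send", "display": "show", "view": "show", "access": "read"}

MODALS = {"can", "to", "please", "will", "may", "could", "should"}
OBJECT_PRONOUNS = {"me", "us", "you", "them", "it", "him", "her"}

def lemma(token):
    """Strip a plural/3rd-person 's' ("calls" -> "call"); good enough for the corpus."""
    if len(token) > 3 and token.endswith("s") and not token.endswith("ss"):
        return token[:-1]
    return token

def parse(sentence):
    """Stand-in for the NLP parser: tag a token VERB when it opens the sentence,
    follows a modal/"to"/"please", or takes an object pronoun; otherwise NOUN.
    This is what separates "contact me" (verb) from "your contact list" (noun)."""
    tokens = re.findall(r"[a-z]+(?:@[a-z.]+)?", sentence.lower())
    parsed = []
    for i, tok in enumerate(tokens):
        prev = tokens[i - 1] if i else None
        nxt = tokens[i + 1] if i + 1 < len(tokens) else None
        tag = "VERB" if i == 0 or prev in MODALS or nxt in OBJECT_PRONOUNS else "NOUN"
        parsed.append((lemma(tok), tag))
    return parsed

def resource_terms(perm):
    """Resource plus all of its sub-resources (email is a sub-resource of contact)."""
    terms = set()
    for resource, subs in SEMANTIC_GRAPH[perm]["resources"].items():
        terms.add(resource)
        terms.update(subs)
    return terms

def semantic_match(sentence):
    """Annotate a permission only when an action verb and a (sub-)resource noun of
    that permission both occur; "share ... via email" matches READ_CONTACTS even
    though the word "contact" never appears, while "contact me" does not."""
    parsed = parse(sentence)
    verbs = {SYNONYMS.get(lem, lem) for lem, tag in parsed if tag == "VERB"}
    nouns = {lem for lem, tag in parsed if tag == "NOUN"}
    return {perm for perm, node in SEMANTIC_GRAPH.items()
            if verbs & node["actions"] and nouns & resource_terms(perm)}

def score(matcher, corpus=CORPUS):
    """Sentence-level precision/recall/F-score in percent, as in the evaluation."""
    tp = fp = fn = 0
    for sentence, truth in corpus:
        pred = matcher(sentence)
        tp += len(pred & truth)
        fp += len(pred - truth)
        fn += len(truth - pred)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f_score = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"tp": tp, "fp": fp, "fn": fn,
            "precision": round(100 * precision, 1),
            "recall": round(100 * recall, 1),
            "f_score": round(100 * f_score, 1)}

if __name__ == "__main__":
    for name, matcher in (("keyword", keyword_match), ("semantic", semantic_match)):
        print(name, score(matcher))
    for sentence, _ in CORPUS:
        print(f"{sentence!r}: keyword={keyword_match(sentence)} semantic={semantic_match(sentence)}")
```

On this constructed corpus the keyword matcher produces a false positive on each confounding sentence ("contact me", "a record of your high scores") and misses the two sentences that name a sub-resource instead of the keyword, while the semantic matcher still misses "Blow into the microphone ..." because "blow" is not an action in its graph; that residual miss is the kind of gap the later Improvement slide attributes to the semantic representation of permissions.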
Evaluation Results
Permission      Apps  Sentences  Permission sentences  Annotated (by WHYPER)  Precision (%)  Recall (%)  F-score (%)
READ_CONTACTS    190       3379                   235                    204           91.2        79.2         84.8
READ_CALENDAR    191       2752                   283                    288           83.7        85.2         84.5
RECORD_AUDIO     200       3822                   245                    259           75.3        79.6         77.4
TOTAL            581       9953                   763                    751           82.9        81.6         82.3
Evaluation Results Contd. (WHYPER minus keyword-based search, in percentage points)
Permission      Delta precision  Delta recall  Delta F-score  Delta accuracy
READ_CONTACTS              50.3           1.3           31.1             7.2
READ_CALENDAR              39.2           1.5           26.3             9.2
RECORD_AUDIO               36.8          -6.7           24.1             6.7
TOTAL                      41.6          -1.2           27.2             7.6
Improvement
Better NLP infrastructure
Better semantic representation of permissions, e.g. for sentences such as "Blow into the microphone to extinguish candle" and "record calls"
Future Work
Refine the NLP infrastructure
Obtain input from third-party mobile developers
Propose security metrics (transparency metrics): "quantifying the degree to which an application description describes the privacy and security sensitive operations"
Industrial Collaboration
Text analytics for security
Text construction for security
Repository of textual artifacts for security
Summary
Our evaluation results show that WHYPER achieves an average precision of 82.8% and an average recall of 81.5% across the three permissions. In summary, our results demonstrate great promise in using NLP techniques to assess security risks in mobile applications.