DOI: 10.1145/3052973.3052984
ACM Conferences, ASIA CCS Conference Proceedings, research-article
DroidForensics: Accurate Reconstruction of Android Attacks via Multi-layer Forensic Logging

Published: 02 April 2017

Abstract

The goal of cyber attack investigation is to fully reconstruct the details of an attack, so that we can trace it back to its origin and recover the system from the damage it caused. This is often difficult and requires tremendous manual effort, because the attack events occurred days or even weeks before the investigation and the detailed information we need is no longer available. Consequently, forensic logging is critically important for cyber attack investigation. In this paper, we present DroidForensics, a multi-layer forensic logging technique for Android. Our goal is to provide the user with detailed information about attack behaviors that enables accurate post-mortem investigation of Android attacks. DroidForensics consists of three logging modules. The API logger captures Android API calls, which carry the high-level semantics of an application; the Binder logger records interactions between applications to identify causal relations between processes; and the system call logger efficiently monitors low-level system events. We also provide a user interface in which the user can compose SQL-like queries to inspect an attack. Our experiments show that DroidForensics has low runtime overhead (2.9% on average) and low space overhead (105 to 169 MB over 24 hours) on real Android devices, and that it is effective in reconstructing the real-world Android attacks we have studied.
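The three-layer design described in the abstract (API, Binder and system-call logs, joined on process identity and time, and inspected with SQL-style queries) can be exercised on a small constructed log. The following is an added example written for this page, not code from the DroidForensics paper or its authors: the table schema, the field names, the `backtrack` time-window heuristic and every log row are assumptions of mine, chosen only to show how a backward search from one suspicious low-level event pulls in the Binder transactions that delivered control or data to the process, and the high-level API calls that explain what the process was doing.

```python
"""Added illustration of multi-layer log correlation for Android attack
reconstruction.  Not the DroidForensics implementation: the schema, the
record formats, the `window` heuristic and all log rows are constructed
assumptions for this page."""
import sqlite3
from dataclasses import dataclass

# Three tables, one per logging layer (assumed schema, not the paper's).
SCHEMA = """
CREATE TABLE api_log    (ts INTEGER, pid INTEGER, uid INTEGER, api TEXT, args TEXT);
CREATE TABLE binder_log (ts INTEGER, from_pid INTEGER, to_pid INTEGER, kind TEXT, iface TEXT);
CREATE TABLE sys_log    (ts INTEGER, pid INTEGER, syscall TEXT, args TEXT, ret INTEGER);
"""

# Constructed sample.  pid 1450 (app B) starts a service hosted by pid 1203
# (app A); app A reads contacts through the provider in pid 812 via Binder,
# stages the result in a file and connects out.  pid 1350 is unrelated noise.
API_ROWS = [
    (98,  1450, 10051, "android.content.Context.startService", "com.example.a/.SyncService"),
    (100, 1203, 10045, "android.content.ContentResolver.query", "content://com.android.contacts/contacts"),
    (106, 1203, 10045, "java.net.HttpURLConnection.connect", "https://203.0.113.7/u"),
    (110, 1350, 10032, "android.media.MediaPlayer.start", ""),
]
BINDER_ROWS = [
    (99,  1450, 1203, "txn",   "android.app.IActivityManager"),
    (101, 1203, 812,  "txn",   "android.content.IContentProvider"),
    (103, 812,  1203, "reply", "android.content.IContentProvider"),
    (111, 1350, 812,  "txn",   "android.content.IContentProvider"),
]
SYS_ROWS = [
    (102, 812,  "openat",  "/data/data/com.android.providers.contacts/databases/contacts2.db", 23),
    (104, 1203, "openat",  "/sdcard/.cache/c.dat", 31),
    (105, 1203, "write",   "fd=31 len=4096", 4096),
    (107, 1203, "connect", "203.0.113.7:443", 0),
    (112, 812,  "openat",  "/data/data/com.android.providers.contacts/databases/contacts2.db", 24),
]


@dataclass(frozen=True, order=True)
class Event:
    ts: int
    layer: str   # "api", "binder" or "sys"
    pid: int     # acting process (for Binder rows, the sender)
    desc: str


def load_sample() -> sqlite3.Connection:
    """In-memory database holding the three constructed logs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO api_log VALUES (?,?,?,?,?)", API_ROWS)
    conn.executemany("INSERT INTO binder_log VALUES (?,?,?,?,?)", BINDER_ROWS)
    conn.executemany("INSERT INTO sys_log VALUES (?,?,?,?,?)", SYS_ROWS)
    return conn


def find_trigger(conn, syscall, args_like):
    """Analyst entry point: a plain SQL query over the low-level log selects
    the event to explain, e.g. the first connect() to a given address."""
    return conn.execute(
        "SELECT pid, ts FROM sys_log WHERE syscall=? AND args LIKE ? ORDER BY ts LIMIT 1",
        (syscall, args_like)).fetchone()


def backtrack(conn, pid, ts, window=20, _visited=None):
    """Backward causal search.  Collect what `pid` did in the `window` ticks
    before `ts` on the API and syscall layers, then follow every Binder
    transaction or reply delivered *into* `pid` in that span back to its
    sender and recurse from the delivery time.  The fixed window is an
    assumption standing in for real dependence tracking."""
    visited = set() if _visited is None else _visited
    if (pid, ts) in visited:
        return set()
    visited.add((pid, ts))
    lo = ts - window
    events = set()
    for r_ts, api, args in conn.execute(
            "SELECT ts, api, args FROM api_log WHERE pid=? AND ts BETWEEN ? AND ?", (pid, lo, ts)):
        events.add(Event(r_ts, "api", pid, f"{api}({args})"))
    for r_ts, name, args, ret in conn.execute(
            "SELECT ts, syscall, args, ret FROM sys_log WHERE pid=? AND ts BETWEEN ? AND ?", (pid, lo, ts)):
        events.add(Event(r_ts, "sys", pid, f"{name}({args}) = {ret}"))
    for b_ts, sender, kind, iface in conn.execute(
            "SELECT ts, from_pid, kind, iface FROM binder_log WHERE to_pid=? AND ts BETWEEN ? AND ?",
            (pid, lo, ts)):
        events.add(Event(b_ts, "binder", sender, f"{kind} {iface} -> pid {pid}"))
        events |= backtrack(conn, sender, b_ts, window, visited)
    return events


def reconstruct(conn, pid, ts, window=20):
    """Chronological timeline of everything causally behind (pid, ts)."""
    return sorted(backtrack(conn, pid, ts, window))


def involved_pids(events):
    return {e.pid for e in events}


if __name__ == "__main__":
    db = load_sample()
    pid, ts = find_trigger(db, "connect", "203.0.113.%")
    for e in reconstruct(db, pid, ts):
        print(f"{e.ts:4d} {e.layer:6s} pid {e.pid:<5d} {e.desc}")
```

Run stand-alone, it prints a ten-event timeline spanning three processes (the app that started the service, the app that did the reading, and the contacts provider it reached through Binder) and leaves the unrelated media-player process out even though its rows sit in the same tables. The point the example makes is the one the abstract makes: the syscall layer alone shows a file write and a connect, the Binder layer is what ties those to another application, and the API layer is what says "contacts query" rather than "openat on a database file". The fixed `window` is the weak spot of this toy and is labelled as such; a real system needs a proper notion of causal dependence rather than a time cutoff.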



Published In

ASIA CCS '17: Proceedings of the 2017 ACM on Asia Conference on Computer and Communications Security
April 2017
952 pages
ISBN: 9781450349444
DOI: 10.1145/3052973
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. android forensics
  2. attack reconstruction
  3. multi-layer logging

Qualifiers

  • Research-article

Funding Sources

  • Supported by the United States Air Force and the Defense Advanced Research Projects Agency (DARPA)

Conference

ASIA CCS '17

Acceptance Rates

ASIA CCS '17 Paper Acceptance Rate: 67 of 359 submissions, 19%
Overall Acceptance Rate: 418 of 2,322 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 31
  • Downloads (last 6 weeks): 1

Reflects downloads up to 19 Nov 2024

Cited By

  • (2024) Workload Characterization of Commercial Mobile Benchmark Suites. 2024 IEEE International Symposium on Performance Analysis of Systems and Software (ISPASS), pp. 73-84. DOI: 10.1109/ISPASS61541.2024.00017. Online publication date: 5 May 2024
  • (2024) Collaborative Forensic Platform for Electronic Artefacts in the Internet of Vehicles. Proceedings of the Future Technologies Conference (FTC) 2024, Volume 2, pp. 140-153. DOI: 10.1007/978-3-031-73122-8_10. Online publication date: 5 Nov 2024
  • (2023) VEDRANDO: A Novel Way to Reveal Stealthy Attack Steps on Android through Memory Forensics. Journal of Cybersecurity and Privacy 3(3), pp. 364-395. DOI: 10.3390/jcp3030019. Online publication date: 10 Jul 2023
  • (2023) Monitoring method of API encryption parameter tamper attack based on deep learning. Sixth International Conference on Intelligent Computing, Communication, and Devices (ICCD 2023), p. 28. DOI: 10.1117/12.2682859. Online publication date: 16 Jun 2023
  • (2023) SoK: History is a Vast Early Warning System: Auditing the Provenance of System Intrusions. 2023 IEEE Symposium on Security and Privacy (SP), pp. 2620-2638. DOI: 10.1109/SP46215.2023.10179405. Online publication date: May 2023
  • (2023) VaultBox: Enhancing the Security and Effectiveness of Security Analytics. Science of Cyber Security, pp. 401-422. DOI: 10.1007/978-3-031-45933-7_24. Online publication date: 11 Jul 2023
  • (2021) AppAngio: Revealing Contextual Information of Android App Behaviors by API-Level Audit Logs. IEEE Transactions on Information Forensics and Security 16, pp. 1912-1927. DOI: 10.1109/TIFS.2020.3044867. Online publication date: 2021
  • (2021) Shallow or Deep? An Empirical Study on Detecting Vulnerabilities using Deep Learning. 2021 IEEE/ACM 29th International Conference on Program Comprehension (ICPC), pp. 276-287. DOI: 10.1109/ICPC52881.2021.00034. Online publication date: May 2021
  • (2020) A Survey of Context Simulation for Testing Mobile Context-Aware Applications. ACM Computing Surveys 53(1), pp. 1-39. DOI: 10.1145/3372788. Online publication date: 6 Feb 2020
  • (2019) Divide and conquer. Proceedings of the 41st International Conference on Software Engineering: Companion Proceedings, pp. 230-231. DOI: 10.1109/ICSE-Companion.2019.00089. Online publication date: 25 May 2019
