Knowledge-based Temporal Abstraction Host

KB-IDS
Academic Advisor: Dr. Yuval Elovici
Technical Advisor: Asaf Shabtai
Team Members: Eliya Rahamim, Elad Ankry, Uri Kanonov
Background
- An IDS is used to detect malicious behaviors that indicate a breach in the security of a computer system.
- The Knowledge-based Temporal-Abstraction (KBTA) method is one in which a computational mechanism extracts meaningful conclusions from raw time-stamped data and domain knowledge.
- Android is an operating system for mobile devices, based on the Linux kernel and developed by Google. It allows development of applications in Java, controlling the phone via Google-developed Java libraries.
Problem Domain
Threat
- In the modern age, smartphones, as well as the threats they are susceptible to, are a growing trend.
- This strengthens the need for sophisticated defense mechanisms to protect them.
Current Situation
- Mobile devices lack the computational strength needed to support PC-like security solutions.
- Android, being open source and an open platform, introduces new potential risks and types of attacks.
- Android has some inherent security mechanisms, but they cannot cope with all possible threats.
- Due to application sandboxing, conventional methods such as AntiVirus are futile. There is a need for a different solution…
Proposed Solution - HIDS
Knowledge-based Temporal Abstraction (KBTA)
- Developed by Prof. Yuval Shahar, 1997
- Time-Stamped Raw Data:
  - Primitive Parameters
  - Events
- Higher Level Meaningful Temporal Information:
  - Contexts
  - Abstractions
  - Temporal Patterns
- Four inference mechanisms:
  - Temporal Context Forming
  - Contemporaneous Abstraction
  - Temporal Interpolation
  - Temporal Pattern Matching
- Knowledge: the KBTA security ontology
KBTA – cont.
[Figure: KBTA worm-pattern example over a time axis (T0 to T3). Layers, bottom to top: Events (Wi-Fi Connection); Primitives (TCP Packets Sent, sampled as Low/Medium/High); Contexts (Internet Connection Mode Context); Abstractions (interval I1: TCP Packets Sent State = HIGH); Patterns (interval I2: Worm Pattern). Each layer is derived from the layers below it.]
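The worm-pattern figure above walks the four KBTA inference mechanisms over one primitive parameter and one event. What follows is an added example, written for this page in Python and not code from the project (which is Java on Android): it forms an Internet Connection context from Wi-Fi events, abstracts the TCP-packets-sent primitive into LOW/MEDIUM/HIGH states, interpolates adjacent equal states into intervals, and matches a HIGH state inside the context as the worm pattern. The sample readings, the state thresholds (10 and 100 packets), the maximum interpolation gap (10 s) and the minimum pattern duration (20 s) are all constructed assumptions, not values from the project's ontology.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample input (assumed values, not project data).
# Primitive samples: (timestamp_seconds, parameter_name, value).
PRIMITIVES: List[Tuple[int, str, int]] = [
    (0, "tcp_packets_sent", 5),
    (10, "tcp_packets_sent", 8),
    (20, "tcp_packets_sent", 60),
    (30, "tcp_packets_sent", 300),
    (40, "tcp_packets_sent", 320),
    (50, "tcp_packets_sent", 310),
    (60, "tcp_packets_sent", 7),
]
# Events: (timestamp_seconds, event_name).
EVENTS: List[Tuple[int, str]] = [(15, "wifi_connected"), (55, "wifi_disconnected")]


@dataclass
class Interval:
    """A time interval [start, end] carrying a named, symbolic value."""
    start: int
    end: int
    name: str
    value: str


def form_contexts(events, ctx_name, open_event, close_event, horizon):
    """Temporal context forming: an opening event starts a context that lasts
    until the matching closing event, or until `horizon` if none arrives."""
    contexts, opened_at = [], None
    for t, name in sorted(events):
        if name == open_event and opened_at is None:
            opened_at = t
        elif name == close_event and opened_at is not None:
            contexts.append(Interval(opened_at, t, ctx_name, "ACTIVE"))
            opened_at = None
    if opened_at is not None:
        contexts.append(Interval(opened_at, horizon, ctx_name, "ACTIVE"))
    return contexts


def abstract_states(primitives, param, low_max, medium_max):
    """Contemporaneous abstraction: map each raw sample of `param` to a
    LOW/MEDIUM/HIGH state at the sample's own timestamp."""
    states = []
    for t, name, value in sorted(primitives):
        if name != param:
            continue
        label = "LOW" if value <= low_max else "MEDIUM" if value <= medium_max else "HIGH"
        states.append(Interval(t, t, param + "_state", label))
    return states


def interpolate(states, max_gap):
    """Temporal interpolation: join consecutive states with the same value into
    one interval when the gap between them is at most `max_gap` seconds."""
    merged = []
    for s in states:
        last = merged[-1] if merged else None
        if last is not None and last.value == s.value and s.start - last.end <= max_gap:
            last.end = s.end
        else:
            merged.append(Interval(s.start, s.end, s.name, s.value))
    return merged


def match_pattern(abstractions, contexts, required_value, min_duration, pattern_name):
    """Temporal pattern matching: the pattern holds wherever an abstraction with
    `required_value` overlaps an active context for at least `min_duration`."""
    matches = []
    for a in abstractions:
        if a.value != required_value:
            continue
        for c in contexts:
            start, end = max(a.start, c.start), min(a.end, c.end)
            if end - start >= min_duration:  # negative for non-overlapping pairs
                matches.append(Interval(start, end, pattern_name, "DETECTED"))
    return matches


def detect_worm_pattern(primitives=PRIMITIVES, events=EVENTS):
    """Run the four mechanisms in the order the figure shows: events -> context,
    primitives -> states -> abstractions, then pattern matching."""
    horizon = max(t for t, _, _ in primitives)
    contexts = form_contexts(events, "internet_connection", "wifi_connected", "wifi_disconnected", horizon)
    states = abstract_states(primitives, "tcp_packets_sent", low_max=10, medium_max=100)
    abstractions = interpolate(states, max_gap=10)
    return match_pattern(abstractions, contexts, "HIGH", min_duration=20, pattern_name="worm_pattern")


if __name__ == "__main__":
    for hit in detect_worm_pattern():
        print(f"{hit.name} {hit.value} from t={hit.start}s to t={hit.end}s")
```

Run as a script, this reports the worm pattern from t=30s to t=50s, the span where the HIGH abstraction overlaps the Internet Connection context. The context is what carries the knowledge: calling `detect_worm_pattern(PRIMITIVES, [])` with no Wi-Fi events leaves the same packet burst unmatched, which is the point of the Contexts layer in the figure.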
Func. Requirements - Agent
- Registration/Login: Ability to register with the Control Center, to log in to the Control Center and to receive configuration for the various installed components.
- Monitor: Every predefined time window, the agent samples state parameters and counts the number of system/user events that occurred in the time window.
- Send monitored data: The agent will send the monitored data to the analysis servers and the Control Center at the end of each predefined time window.
- Receive alerts: Ability to receive alerts along with any associated data from the Threat Weighting Unit.
Func. Requirements – Analysis Servers
- Receive and analyze monitored data: Ability to receive and analyze the data received from the agent and output a conclusion regarding the existence of a threat.
- Send analysis result: Ability to send the analysis result to the Threat Weighting Unit.
Func. Requirements – KBTA Server
- KBTA processing: Ability to incrementally process the received data according to the KBTA method, supporting the following elements:
  - Primitive
  - Event
  - Context
  - State
  - Trend
  - Pattern
- Configure monitored patterns: Ability to set which patterns will be computed and monitored for threat presence.
Func. Requirements – Threat Weighting Unit
- Weight Threat Assessments: Ability to receive threat assessments (along with any associated data) from multiple local analysis servers and weight them, outputting a single assessment.
- Alert: Ability to dispatch an alert (along with any associated data) to both the agent and the Control Center in case of threat detection.
Non-Func. Requirements
- Gathering a feature batch (maximum 40) by the agent should take less than 10 seconds.
- CPU usage by the HIDS should be under 10%.
- The HIDS should take at most 10MB on the data partition of the device.
- The HIDS will be developed in Java using the Android SDK.
- For demo and testing purposes, a real device will be supplied by DT Labs.
Collect Features, Analyze Data and Weight Assessments
- Primary actors: Android
- Description: After a time trigger, the agent collects the monitored feature values and sends them to all of the local analysis servers. Each of the servers analyzes the data and outputs a threat assessment. The assessments are weighted by the TWU (Threat Weighting Unit) and, if a threat is found, an alert along with any associated data is dispatched to the agent and the Control Center.
- Trigger: A time trigger from Android
- Pre-conditions: The agent is installed on the device and is running
- Post-conditions: If a threat is found, an alert along with any associated data has been dispatched
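The use case above, together with the agent's Monitor requirement and the Threat Weighting Unit requirements, describes one end-to-end time window: the agent samples state parameters and counts events into a feature batch, every local analysis server scores the batch, the TWU weights the assessments into one, and an alert goes to both the agent and the Control Center when a threat is found. Below is an added Python example of that flow, written for this page and not the project's own Java code. The sampled state values, the event log, the two analyzers and their scoring rules, the per-server weights and the alert threshold of 0.7 are all constructed assumptions; only the 40-feature batch limit comes from the non-functional requirements.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input for one time window (assumed values, not project data).
SAMPLED_STATE = {"cpu_percent": 37.0, "battery_percent": 81.0, "tcp_packets_sent": 310.0}
RAW_EVENTS = [(1, "sms_sent"), (3, "sms_sent"), (4, "app_installed"), (9, "sms_sent"), (10, "sms_sent")]


@dataclass
class FeatureBatch:
    window_start: int
    window_end: int                  # half-open window [window_start, window_end)
    features: Dict[str, float]


@dataclass
class Assessment:
    server: str
    score: float                     # 0.0 = benign ... 1.0 = certain threat
    details: Dict[str, float] = field(default_factory=dict)


@dataclass
class Alert:
    score: float
    recipients: List[str]
    assessments: List[Assessment]


def collect_features(state, events, window_start, window_end, max_features=40):
    """Agent 'Monitor' step: keep the sampled state parameters and count the
    events that fall inside the window. The batch is capped at 40 features,
    the limit stated in the non-functional requirements."""
    counts: Dict[str, float] = {}
    for t, name in events:
        if window_start <= t < window_end:    # the window end belongs to the next window
            counts["count_" + name] = counts.get("count_" + name, 0) + 1
    features = {**state, **counts}
    if len(features) > max_features:
        raise ValueError(f"feature batch has {len(features)} features, limit is {max_features}")
    return FeatureBatch(window_start, window_end, features)


def sms_rate_analyzer(batch) -> Assessment:
    """Constructed local analysis server: scores the SMS send rate (assumed rule)."""
    seconds = batch.window_end - batch.window_start
    rate = batch.features.get("count_sms_sent", 0) / seconds if seconds else 0.0
    return Assessment("sms_rate", min(1.0, rate / 0.5), {"sms_per_second": rate})


def tcp_burst_analyzer(batch) -> Assessment:
    """Constructed local analysis server: scores outgoing TCP packets (assumed rule)."""
    pkts = batch.features.get("tcp_packets_sent", 0)
    return Assessment("tcp_burst", min(1.0, pkts / 200.0), {"tcp_packets_sent": pkts})


def weight_assessments(assessments, weights, threshold=0.7) -> Optional[Alert]:
    """Threat Weighting Unit: combine the servers' scores into one weighted
    average and raise an alert for both the agent and the Control Center when
    it reaches the threshold. Servers without a configured weight count as 1.0."""
    if not assessments:
        return None
    total = sum(weights.get(a.server, 1.0) for a in assessments)
    score = sum(weights.get(a.server, 1.0) * a.score for a in assessments) / total
    if score < threshold:
        return None
    return Alert(score, ["agent", "control_center"], assessments)


def run_window(state, events, window_start, window_end, analyzers, weights, threshold=0.7):
    """One pass of the use case: time trigger -> batch -> analysis -> weighting -> alert."""
    batch = collect_features(state, events, window_start, window_end)
    assessments = [analyze(batch) for analyze in analyzers]
    return weight_assessments(assessments, weights, threshold)


if __name__ == "__main__":
    alert = run_window(SAMPLED_STATE, RAW_EVENTS, 0, 10,
                       [sms_rate_analyzer, tcp_burst_analyzer],
                       {"sms_rate": 1.0, "tcp_burst": 2.0})
    if alert is None:
        print("no threat in this window")
    else:
        print(f"ALERT score={alert.score:.2f} dispatched to {alert.recipients}")
        for a in alert.assessments:
            print(f"  {a.server}: {a.score:.2f} {a.details}")
```

The half-open window keeps the event at t=10 out of the [0, 10) batch so it is counted once, in the next window, rather than twice. Weighting the TCP analyzer at 2.0 is how the TWU lets a more trusted server dominate the single assessment it outputs; a quiet window with a few packets and no SMS traffic stays below the threshold and dispatches nothing.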
Risks
- Risk: The HIDS consumes too much CPU
  Solution: Reducing the quantity of the features collected by the agent and/or decreasing the collection rate
- Risk: The HIDS consumes too much memory
  Solution: Reducing the time frame for keeping raw data in the KBTA's memory
- Risk: The HIDS consumes too much bandwidth
  Solution: Lessening the amount of data transmitted to and from the Control Center
The End
And so Android lived happily ever after…