11/03/2015

Two papers accepted at iiWAS 2015

Members of the Josef Ressel Center will present two papers at iiWAS 2015 in Brussels:

Stefan Marschalek, Robert Luh, Manfred Kaiser, Sebastian Schrittwieser. Classifying malicious system behavior using event propagation trees. In Proceedings of the 17th International Conference on Information Integration and Web-based Applications & Services, 2015.

Abstract: Behavior-based analysis of dynamically executed software has become an established technique for identifying and analyzing potential malware. Most solutions rely on API or system call patterns to determine whether a sample is exhibiting malicious activity. Analysis is usually performed on demand and offers little insight into the current system state. In addition, the fixed nature of behavioral patterns is known to cause false-positives whenever a certain, potentially malicious action is used in a benign context.

To combat these shortcomings, this paper proposes an analysis system capable of building event propagation trees from real-time kernel monitoring data. Distance-based anomaly detection is then used to find and highlight activities deviating from a predefined baseline established through heuristic clustering.

The system was tested on a set of real-world data collected by a number of host-based agents distributed across a corporate network.

Christoph Rottermanner, Peter Kieseberg, Markus Huber, Martin Schmiedecker, Sebastian Schrittwieser. Privacy and Data Protection in Smartphone Messengers. In Proceedings of the 17th International Conference on Information Integration and Web-based Applications & Services, 2015.

Abstract: Ever since the Snowden revelations regarding mass surveillance, the role of privacy protection in commodity communication software has gained increasing awareness in the general public. Still, during the last years many new messengers were developed for Android, where often privacy was not considered to be a key issue. Due to the widespread use of these apps even in corporate environments this opens up attack vectors that can result in advanced persistent threats. In this paper we analyze the most prominent messenger apps with respect to privacy concepts, focusing not only on the transmission layer regarding the support of encrypted communication, but also attacks targeting the communication metadata, e.g. detecting the existence of communication between users, as well as providing an enumeration of all users of a service. Furthermore, device theft and loss is a major issue regarding the protection of user privacy. Thus, we also analyzed whether the messages are stored in a secure way on the device itself, or if control over the physical device allows access to the message data. In order to analyze the possible usability of these messengers as means for targeted surveillance of users by the provider (or an entity controlling it), we also analyzed the rights and privileges the respective apps need in order to be able to install and work. Here, major differences could be detected, with several apps claiming privileges that could not be explained with the normal mode of operation, thus posing a serious risk for the privacy of the respective user base.