Mobile Security Tools
Exploitable weaknesses in mobile security can come from a combination of three sources: vulnerabilities in the hardware and software components of the mobile device (smartphone, tablet, etc.), weaknesses due to the remote environment (e.g., unauthorized onlookers, untrusted networks), and weaknesses introduced by the behavior of the mobile user, be it intentional or unintentional.
Existing mobile security tools such as Centrify, Trend Micro, and CA Technologies rely on policy-based configuration, single sign-on, application whitelisting/blacklisting, and reputation and anti-malware services. A primary feature that neither of the existing solutions has — and forms the essence of the current proposal — is anomaly detection, and in particular context-aware anomaly detection. The existing tools all rely on configurable policies, thereby providing fixed — and therefore also rigid — strategies to detect potential security and privacy threats. Moreover, the focus of existing solutions is set exclusively on the device and the installed applications, without considering the usage patterns of the human interacting with the device and the scenarios involving users that possess multiple devices.
We outline below some example scenarios to illustrate how these weaknesses can be exploited and how we propose to detect/protect against them:
- Scenario 1: Data leakage
"Fred" really enjoys the iPhone the organization he works for gave to him. In particular, he always takes pictures of the people who attend meetings or are given awards and posts them on the organizations’ social media site for everybody to enjoy usually only days after a meeting or event. At some point the mobile analytics software notices several changes in Fred’s behavior: usage of the camera and uploading data happen within quite short amount of time of each other. Further analysis shows that the compressed picture sizes are smaller (which implies that the content contains artifacts such as diagrams) and that pictures are deleted from the phone. The software then analyzes the visual features captured by the mobile data collector and use image recognition software at the server to confirm those are indeed diagrams and text. Was Fred deliberately sending confidential information outside the organization? If the risk is high, then our system shall request the mobile collector on Fred’s device to collect more detailed visual features on his ongoing pictures so that the server can store more evidence for investigation.
- Scenario 2: So busy you're in two places at once and have time to play games?
"Jane" is an avid Apple fan who usually carries both work issued iPad and iPhone with her. One day she is with her kids but has to attend an emergency conference call at the same time. In spite of knowing that this is not allowed, she gives the kids her iPad to play games so she has some quiet time for her call. She finishes the call and they return home. However, the management server detects that her behavior is unusual - she normally does not play games at all and would not download a new game when her calendar is blocked for a conference call at the same time. Furthermore, the management server detects that the location of the iPhone is changing rapidly and that the location of the iPad is staying at a mall. In this scenario Jane forgot the iPad at the mall exposing confidential information stored on her iPad. Our system can detect this by tracking the relationships between devices and combining the information with the usage data and forwarded to the management server.
The System G Mobile Security Toolkit offers a more comprehensive solution to mobile security management via analyzing the anomalies in people’s behavior on mobile devices. We utilize the heterogeneous information fusion method to combine human behavior across various mobile devices. The system architecture is composed of analytics and alert generation on the server, a web-based management interface, and a persistent distributed graph storage system which stores relationships among users, devices, services, and actions and retrieves them in real-time. In addition, we will also prototype data acquisition on mobile devices to demonstrate the capabilities of the proposed management tool.
The toolkit is composed of four components: mobile data collection agent, server infrastructure, analytics, and security management interface:
- Mobile data collection agent: Our data collection agent features (a) unnoticeable data acquisition, with negligible memory and performance footprint, such that user experience is not disrupted; (b) secure storage, management and transmission of collected data, such that the data is not intercepted by an unintended third party; and (c) user privacy, such that unnecessary raw user data shall not be directly transmitted to and stored on the server. Our approach is to sample and aggregate the data on the client-side device via a designated agent application, such that the acquisition and transmission are lightweight and have less privacy concern than transmitting raw data. We further utilize existing solutions, such as SSL, to encrypt the data and transmit it to reduce the threat of interception by third parties.
- Server infrastructure: To handle the large number of mobile activities and with high refreshing rate, a scalable data store is necessary for mobile security systems. To store all mobile activities on the devices as well as the user-device, user-user, and device-device relationship, we utilize System G Native store for such type of highly dynamic and connected data.
- Analytics: When identifying if an activity is malicious, i.e., triggering an alert, activities on other devices owned by the same user as well as the user’s past behavior have to be jointly considered. For example, if two devices owned by the same user are both active in two geo-locations that are far away from each other, then chances of at least one of the device being compromised is high. Also, if a user never uses the camera on the mobile devices during office hours and suddenly starts taking pictures at work, then these camera activities could be more anomalous then if it is a user who has the habit of using a camera at work. To solve such a challenge, we build user behavior models based on activities on all of the user’s devices to identify anomalies. Note that supervised machine learning approaches or traditional rule-based management tools will not be appropriate for mobile security requirements. We have developed layered unsupervised user reasoning mechanisms that allow system to learn anomalies from a user’s own behavior or from various system-detected affinity groups of similar behavior and activity patterns.
- Security management interface: The results of the mobile security system has to be presented to the end analysts for evaluation. This posts a need for a user interface that displays the analysis results as well as the mobile activity data as evidences supporting the analysis.