Motivation

The problem

Mobile and smartphone security is a fast moving field. New vulnerabilities and resulting attacks need to be detected and analyzed as fast as possible. Unfortunately the attacker side is always a step ahead. Indeed, over the past decade we have are witnessed an ever-increasing amount of cyberattacks on the Internet. Prolific, ingenious, and ranging in style from large-scale worms to "below the radar" phishing attempts, cyberattacks have evolved to unprecedented levels of sophistication. It is now evident that, in order to advance in the field of cybersecurity and counter these cyberattacks, we should become proactive and work on predicting threats and vulnerabilities and build our defense before threats materialize, rather than chasing after attackers without ever being able to catch up.

The Needs

With respect to the general problem of cyber threats against smart mobile devices, the following open issues have been identified and addressed by the NEMESYS project:

  • Missing infrastructure for collecting attack traces. Without an infrastructure to collect attack traces against mobile devices, we will be unable to detect, analyse and understand the attack strategies of cyber-criminals and build appropriate countermeasures which will allow for the provisioning of seamless and secure mobile services.
  • Mobile shadow honeypot development. The majority of conventional types of honeypots are mostly instrumented for the detection of undirected, widely spread attacks. Contrary shadow honeypots can be used to address the targeted attacks against the mobile ecosystem. Moreover, in order to avoid the honeypot (mobile device), a containment mechanism is needed in addition to the monitoring and logging.
  • New potential for exploiting security vulnerabilities by creating mobile botnets. Botnets are steadily moving towards smartphones, since those devices are now powerful enough to run a bot and offer additional gains for a botmaster. Payloads for mobile botnets are very interesting since a bot on a smartphone possesses many abilities not present on a desktop computer. The ability to build a mobile botnet for attacking the core network infrastructure has been demonstrated by recent studies which have presented cases of legitimate but malfunctioning mobile applications.
  • New types of attacks that cross service, platform and network boundaries - Crime fingerprints identification. 3G wireless networks are significantly more fragile than wireline networks, since the unique vulnerabilities of 3G networks can be exploited by new forms of wireless-specific attacks. Moreover, the integration of different services allows an attacker to cross service and network boundaries. Such identification within a large set of heterogeneous data is a very difficult and time consuming task, particularly across layers (network, service, transaction and platform).
  • Rapidly changing cyber-crime tactics. Cyber criminals have become adept at modifying their strategies and tactics as methods are developed to combat their activities. The evolutive nature of real-world phenomena, as certain characteristics of attack phenomena may evolve. Thus, security solutions should rely less on signatures and instead adopt other forms of detection.
  • Virtualization. Endpoints, especially laptops, netbooks and smart mobile devices are increasingly difficult to protect given the growing malware threat. By using virtualization, the user's environment can be locked down to remove unnecessary functions and features. Virtualization can remove threats in that when the virtual machine is closed, any malware that was picked up will be eliminated.
  • Information on attack traces against mobile smartphones is sparse and, yet, not satisfactorily analyzed. It is almost impossible to collect information about the traffic that traverses their network and analyse it later on. Smartphones should be capable of detecting possible intrusions and sending all relevant information to data collection points. However, statistical analysis is challenged by rare and as such statistically insignificant events in massive amounts of data.
  • Attack attribution and understanding of the cyber-criminals’ modus operandi. Mitigation strategies need to be evaluated in order to choose the one that can highlight the occurrence of new phenomena and changes in the modus operandi of malicious actors. This requires that attacks are analysed in a detailed way, in order to “attribute” responsibility to the exact attacker, or to protect the true targets.

Last Update: 26/11/2013 17:24