The rapidly growing capability and world-wide proliferation of smart phones and mobile handhelds have begun to attract the attention of virus writers in recent years. The past three years alone have witnessed an exponential rise in the number of distinct mobile malware families to over 30, and their variants to more than 170. These malware families can spread via Bluetooth and SMS/MMS messages, enable remote control of a device, modify critical system files, damage existing applications including anti-virus programs, and block MMC memory cards, to name a few. Current-generation mobile anti-virus solutions are primitive when compared to their desktop counterparts, and may not be scalable given the small footprint of mobile devices as new families of cross-platform malware continue to appear.
This invention focuses on a novel behavioral detection technique tailored to mobile handsets that captures mobile worms, viruses and Trojans, replacing the signature-based solutions currently available for mobile devices. Specifically, this invention presents a method of classifying the behavior of programs for mobile handsets, which yields the construction of a compact database of program behavior patterns to be used to detect the existence of malicious programs at run-time. This is achieved by first generating a collection of malicious and non-malicious behavior signatures from known mobile malware and chosen handset applications, and then training an optimal classifier (comprising an equation and associated parameters adaptively chosen from the training data of behavior signatures) using a machine learning algorithm such as Support Vector Machines (SVMs). The resulting classifier allows us to discriminate the malicious behavior of malware from the normal behavior of applications. Our evaluation results indicate that behavioral detection can identify current mobile viruses and worms with over 96% accuracy. Most mobile device manufacturers and mobile service providers can implement our proposed method without any major modification of the handset operating environment.
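As an added illustration of the training step described above (example code, not the invention's own implementation), the following pure-Python snippet encodes behavior signatures as feature vectors and trains a linear SVM with hinge loss to separate malicious from benign patterns. The monitored action names, the training signatures and the hyper-parameters are all constructed for this example.

```python
"""Toy behavioral classifier: a behavior signature (the set of monitored
actions a program performed) becomes a 0/1 feature vector, and a linear
SVM trained on hinge loss separates malicious from benign patterns.
Added example; feature names, training data and hyper-parameters are
constructed for illustration and are not taken from the patent."""

# Monitored actions that make up a behavior signature (constructed list).
FEATURES = ["bt_obex_send", "sms_bulk_send", "write_system_dir",
            "kill_av_process", "read_contacts", "http_request"]

def to_vector(signature):
    """Encode a set of observed actions as a 0/1 vector plus a bias term."""
    return [1.0 if f in signature else 0.0 for f in FEATURES] + [1.0]

# Constructed training data: +1 = malicious pattern, -1 = benign pattern.
TRAINING = [
    ({"bt_obex_send", "write_system_dir"}, +1),        # worm writing to system dir
    ({"sms_bulk_send", "read_contacts"}, +1),          # SMS spammer harvesting contacts
    ({"write_system_dir", "kill_av_process"}, +1),     # AV-disabling trojan
    ({"bt_obex_send", "sms_bulk_send", "read_contacts"}, +1),
    ({"read_contacts", "http_request"}, -1),           # contact-sync client
    ({"http_request"}, -1),                            # browser
    ({"read_contacts"}, -1),                           # address book
    ({"bt_obex_send"}, -1),                            # one-off file transfer
]

def train_svm(data, lam=0.01, lr=0.05, iters=4000):
    """Primal linear SVM: full-batch subgradient descent on
    mean hinge loss + lam/2 * ||w||^2.  Returns the average of the
    second-half iterates, which damps the subgradient oscillation."""
    xs = [(to_vector(sig), y) for sig, y in data]
    dim = len(FEATURES) + 1
    w, avg, n_avg = [0.0] * dim, [0.0] * dim, 0
    for t in range(iters):
        grad = [lam * wi for wi in w]                   # regularizer gradient
        for x, y in xs:
            if y * sum(wi * xi for wi, xi in zip(w, x)) < 1.0:  # margin violated
                for i in range(dim):
                    grad[i] -= y * x[i] / len(xs)       # hinge subgradient
        w = [wi - lr * gi for wi, gi in zip(w, grad)]
        if t >= iters // 2:
            avg = [a + wi for a, wi in zip(avg, w)]
            n_avg += 1
    return [a / n_avg for a in avg]

def classify(w, signature):
    """Return 'malicious' or 'benign' for an observed behavior signature."""
    score = sum(wi * xi for wi, xi in zip(w, to_vector(signature)))
    return "malicious" if score > 0 else "benign"

MODEL = train_svm(TRAINING)
```

A real deployment would derive the feature set from the handset's monitored API and system-call events rather than a hand-written list, but the training and scoring steps are the same.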