Detection of Behavioral Malware in Delay Tolerant Networks

Kolanu Venkata Krishna Sasikanth, K.Satyanarayana Raju

Abstract

Disruption-tolerant networking has gained currency in the United States due to support from DARPA, which has funded many DTN projects. Disruption may occur because of the limits of wireless radio range, sparsity of mobile nodes, energy resources, attack, and noise. The delay-tolerant-network (DTN) model is becoming a viable communication alternative to the traditional infrastructural model for modern mobile consumer electronics equipped with short-range communication technologies such as Bluetooth, NFC, and Wi-Fi Direct. Proximity malware is a class of malware that exploits the opportunistic contacts and distributed nature of DTNs for propagation. Behavioral characterization of malware is an effective alternative to pattern matching in detecting malware, especially when dealing with polymorphic or obfuscated malware. In this paper, we first propose a general behavioral characterization of proximity malware based on the Naive Bayesian model, which has been successfully applied in non-DTN settings such as filtering e-mail spam and detecting botnets. We identify two unique challenges for extending Bayesian malware detection to DTNs ("insufficient evidence vs. evidence collection risk" and "filtering false evidence sequentially and distributedly"), and propose a simple yet effective method, look-ahead, to address the challenges. Furthermore, we propose two extensions to look-ahead, dogmatic filtering and adaptive look-ahead, to address the challenge of "malicious nodes sharing false evidence". Real mobile network traces are used to verify the effectiveness of the proposed methods.
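The "insufficient evidence vs. evidence collection risk" trade-off in the abstract can be made concrete with a sequential Naive Bayesian update over per-contact behavioral observations. The following is an added illustration, not code from the paper: the likelihoods, prior, cut-off threshold and the simple "how many more suspicious contacts would it take" look-ahead rule are all assumed for the example and do not reproduce the authors' look-ahead method.

```python
import math

# Constructed parameters (assumed for this example, not taken from the paper):
# probability that one contact with a node shows a "suspicious" behavioral
# feature, under each hypothesis, plus the prior belief that a node is infected.
P_SUSP_GIVEN_MALWARE = 0.7
P_SUSP_GIVEN_BENIGN = 0.1
PRIOR_MALWARE = 0.05


def log_likelihood_ratio(suspicious: bool) -> float:
    """Evidence (in nats) contributed by a single observed contact."""
    if suspicious:
        return math.log(P_SUSP_GIVEN_MALWARE / P_SUSP_GIVEN_BENIGN)
    return math.log((1 - P_SUSP_GIVEN_MALWARE) / (1 - P_SUSP_GIVEN_BENIGN))


def posterior_malware(observations) -> float:
    """Naive Bayes posterior P(malware | observations).

    Per-contact observations are treated as conditionally independent given
    the hypothesis, and the update is done in log-odds to avoid underflow.
    """
    logit = math.log(PRIOR_MALWARE / (1 - PRIOR_MALWARE))
    logit += sum(log_likelihood_ratio(o) for o in observations)
    return 1 / (1 + math.exp(-logit))


def suspicious_contacts_needed(observations, cutoff: float = 0.9) -> int:
    """How many additional all-suspicious contacts would push the posterior
    past `cutoff`. Zero means the node can be cut off on current evidence."""
    current = math.log(PRIOR_MALWARE / (1 - PRIOR_MALWARE))
    current += sum(log_likelihood_ratio(o) for o in observations)
    target = math.log(cutoff / (1 - cutoff))
    if current >= target:
        return 0
    return math.ceil((target - current) / log_likelihood_ratio(True))


def decide(observations, cutoff: float = 0.9, lookahead: int = 3) -> str:
    """Simplified look-ahead rule (an assumption of this example):
    cut off now if evidence already suffices; keep collecting if a few more
    contacts could settle it; otherwise keep the contact, since each further
    contact with an infected node is itself an infection risk."""
    needed = suspicious_contacts_needed(observations, cutoff)
    if needed == 0:
        return "cut_off"
    if needed <= lookahead:
        return "collect_more"
    return "keep_contact"
```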

Keywords

delay-tolerant networks; proximity malware; behavioral malware characterization; Bayesian filtering


Copyright © 2013, All rights reserved. | ijseat.com

International Journal of Science Engineering and Advance Technology is licensed under a Creative Commons Attribution 3.0 Unported License. Based on a work at IJSEat. Permissions beyond the scope of this license may be available at http://creativecommons.org/licenses/by/3.0/deed.en_GB.