\section{Introduction}
Android-based mobile devices and smartphones are becoming increasingly popular. The number of mobile phones
sold has surpassed the number of laptops, reaching 1.3 billion in
2014~\cite{market}. Google is
reported to have more than a billion active users of
Android-based devices~\cite{android-users}.
As their popularity increases, so does their value as
a target for malware.
This is particularly true for low-cost smartphones sold in developing countries. According to~\cite{zheng2014droidray},
some vendors there intentionally create conditions facilitating various security violations on these devices.
There are many possible risks associated with using compromised devices. Because of the universal interconnectivity and
interdependence between devices and networks, the
possible compromise of a mobile device will affect not only the applications on it and its users, but also all other
networked computers and communication infrastructure.
\eat {There are many possible risks.
Many people use smartphones for financial transactions.
Attackers could get personal information for systems administrators and CIOs from their phones and
use that for spear phishing. mention security and privacy issues} % end comment
With the development of mobile communication platforms that share different devices' resources, applications and data,
vulnerabilities and security threats will become more widespread.
For mobile devices to communicate with each other and download apps securely,
it is desirable to compute trust metrics among them. Trust can be modeled at
multiple levels, e.g. at the application level, on a device (hardware and software), or among a network of devices. Ultimately, our goal
is to integrate these metrics into a single conceptual framework so that we can reason about complex systems at a
higher level, and we can also use them to verify trust for individual components.
The trust evaluation could
be applied to optimize data collection and communication schemes in order to satisfy multiple criteria such as
data quality, overall
system performance and/or resource consumption, subject to the constraints based on security and privacy requirements.
Also, the user of a device may benefit from the trust evaluation as it might
provide useful information about areas in need of improvement. The trust evaluation could also be combined with other techniques for
non-signature-based intrusion detection.
The more sophisticated mobile devices become, the more complex the threat model is, and the more opportunities there
are for vulnerabilities to appear. Trust evaluation should be sensitive to the detection of viruses and other
malicious agents in a system.
However, finding viruses and other malware using software signatures is less likely to
work. Signature-based intrusion detection systems have to be complemented with a system-wide approach that
involves assessing trust for the different
components by detecting anomalies in sensor-originated data.
\eat{
In recent research done by Hoffman, the authors developed a hierarchical
mechanism that is scalable and expandable for evaluating security of
Android smartphones by investigating various sources of information regarding
the mobile devices.
The three sources of information that they integrate are:
analysis of installed applications using metadata provided by the Google Play store,
usage information coming from security tools embedded in the OS, and
validation of the device by inspection of sensor data.
The sensors in this context refer to any function that
measures the physical state of the smartphone. This can include geolocation, accelerometers, CPU
utilization, and battery charge.} % end comment
\eat{
- McKnight and Chervany, What is Trust? A Conceptual Analysis and an Interdisciplinary Model
- Paul England, Butler Lampson, John Manferdelli, Marcus Peinado, Bryan Willman: A
Trusted Open Platform. IEEE Computer Society, p55-62, July 2003.
- Adrian Baldwin, Simon Shiu: Hardware Security Appliances for Trust. In Proceedings of
the First International Conference of Trust Management (iTrust 2003), Crete, Greece, May
2003.
- Daniel W. Manchala: Xerox Research and Technology. E-Commerce Trust Metrics and
Models. IEEE Internet Computing, vol.4, no.2 p.36-44 (2000).
- Mui Lik, Mohtashemi Mojdeh, Halberstadt Ari: A Computational Model of Trust and Reputation.
In Proc. of the 35th Annual Hawaii International Conference on System Sciences, 7-10
(Jan. 2002), Big Island, HI, USA.
- Mogens Nielsen, Karl Krukow: A Bayesian Model for Event-based Trust, 2007
- Zheng Yan and Piotr Cofta, ``A Mechanism for Trust
Sustainability among Trusted Computing Platforms'', In Proceedings of the 1st
International Conference on Trust and Privacy in Digital Business
(TrustBus2004), LNCS Vol. 3184/2004, pp. 11-19, Spain, September 2004.
} % end comment
The concepts of trust and trust evaluation have been discussed by many others~\cite{jing2014riskmon,shabtai2010google,zheng2014droidray};
however, it seems that the problem of quantification is largely unsolved, especially with respect to complex systems.
Yet, the nature of our work points to ways in which
trust quantification could be used to produce secure or trustworthy systems.
This paper presents the development of a novel hierarchical model that enables the evaluation of trust for a
network of mobile devices. Trust evaluation depends on numerous factors. The hierarchical or umbrella structure allows for the
inclusion of various trust evaluation systems used to assess diverse trusted components as well as their integration
in order to produce a cumulative trust score. Also, it allows for extending the framework by inclusion of new trust
metrics and facilitates both self-evaluation for a particular device as well as the collaborative evaluation of
diverse devices and applications.
The paper describes the version developed for Android-based devices.
The rest of this paper is organized as follows.
Section~\ref{sec-umbrella} describes the framework design principles and an overall architecture. Also, this section
briefly describes a few of the trust evaluation metrics developed for individual apps and
smartphones that are included in the current implementation.
Details about a few of the trust evaluation metrics are provided in Sections~\ref{sec-iheart}--\ref{sec:geolocation}. In particular, Section~\ref{sec-iheart} discusses metrics
for individual apps based on measuring resource utilization such as battery voltage, CPU and network bandwidth usage,
which can be done on the smartphone.
Section~\ref{sec:blursense} describes metrics based on multiple sensors that impact the level of privacy supported, and how
privacy-enhancing tools can interact with trust evaluation.
Section~\ref{sec:geolocation} discusses the possible ways in which trust evaluation can be verified and adjusted, based on multiple sources
of data. We show that data collected simultaneously from a smartphone and an on-board diagnostics (OBD)
sensor of an automobile can be used in trust evaluation.