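@comment{
  Bibliography of Xuxian Jiang's systems/mobile-security papers (Zotero-style export, cleaned).
  Conventions used in this file:
    - citation keys are kept exactly as exported, so existing \cite commands keep working;
    - page ranges use the BibTeX double hyphen (123--148), never a Unicode en dash;
    - month uses the predefined unquoted macros (jan..dec) so styles can localise it;
    - issn/doi hold bare identifiers (the exported JSON-array wrapper ["..."] was removed);
    - venue names are stored in canonical mixed case; acronyms and product names in
      titles are brace-protected so sentence-casing styles keep them intact;
    - abstracts are kept in the biblatex field "abstract" (ignored by classic styles),
      with LaTeX specials (\%, \&) escaped and typographic quotes converted;
    - "internal-note" is an ignored field carrying data-quality remarks to be verified
      against the publisher record; it is never printed.
}

@string{tifs = {IEEE Transactions on Information Forensics and Security}}

@inproceedings{zhou_singh_jiang_2016,
  author    = {Zhou, Y. J. and Singh, K. and Jiang, X. X.},
  title     = {{AppShell}: Making Data Protection Practical for Lost or Stolen {Android} Devices},
  booktitle = {{NOMS} 2016 -- 2016 {IEEE/IFIP} Network Operations and Management Symposium},
  year      = {2016},
  pages     = {502--508},
  doi       = {10.1109/noms.2016.7502850},
  abstract  = {Mobile apps continue to consume increasing amounts of sensitive data, such as banking credentials and classified documents. At the same time, the number of smartphone thefts is increasing at a rapid speed. As a result, there is an imperative need to protect sensitive data on lost or stolen mobile devices. In this work, we develop a practical solution to protect sensitive data on mobile devices. Our solution enables adaptive protection by pro-actively stepping up or stepping down data security based on perceived contextual risk of the device. We realize our solution for the Android platform in the form of a system called AppShell. AppShell does not require root privilege, nor need any modification to the underlying framework, and hence is a ready-to-deploy solution. It supports both in-memory and on-disk data protection by transparently encrypting the data, and discarding the encryption key, when required, for enhanced protection. We implement a working prototype of AppShell and evaluate it against several popular Android apps. Our results show that AppShell can successfully protect sensitive data in the lost devices with a reasonable performance overhead.},
}

@article{elish_shu_yao_ryder_jiang_2015,
  author    = {Elish, Karim O. and Shu, Xiaokui and Yao, Danfeng and Ryder, Barbara G. and Jiang, Xuxian},
  title     = {Profiling User-Trigger Dependence for {Android} Malware Detection},
  journal   = {Computers \& Security},
  volume    = {49},
  year      = {2015},
  month     = mar,
  pages     = {255--273},
  issn      = {1872-6208},
  doi       = {10.1016/j.cose.2014.11.001},
  abstract  = {As mobile computing becomes an integral part of the modern user experience, malicious applications have infiltrated open marketplaces for mobile platforms. Malware apps stealthily launch operations to retrieve sensitive user or device data or abuse system resources. We describe a highly accurate classification approach for detecting malicious Android apps. Our method statically extracts a data-flow feature on how user inputs trigger sensitive API invocations, a property referred to as the user-trigger dependence. Our evaluation with 1433 malware apps and 2684 free popular apps gives a classification accuracy (2.1\% false negative rate and 2.0\% false positive rate) that is better than, or at least competitive against, the state-of-the-art. Our method also discovers new malicious apps in the Google Play market that cannot be detected by virus scanning tools. Our thesis in this mobile app classification work is to advocate the approach of benign property enforcement, i.e., extracting unique behavioral properties from benign programs and designing corresponding classification policies.},
}

@article{rastogi_chen_jiang_2014,
  author    = {Rastogi, Vaibhav and Chen, Yan and Jiang, Xuxian},
  title     = {Catch Me If You Can: Evaluating {Android} Anti-Malware Against Transformation Attacks},
  journal   = tifs,
  volume    = {9},
  number    = {1},
  year      = {2014},
  month     = jan,
  pages     = {99--108},
  issn      = {1556-6021},
  doi       = {10.1109/tifs.2013.2290431},
  abstract  = {Mobile malware threats (e.g., on Android) have recently become a real concern. In this paper, we evaluate the state-of-the-art commercial mobile anti-malware products for Android and test how resistant they are against various common obfuscation techniques (even with known malware). Such an evaluation is important for not only measuring the available defense against mobile malware threats, but also proposing effective, next-generation solutions. We developed DroidChameleon, a systematic framework with various transformation techniques, and used it for our study. Our results on 10 popular commercial anti-malware applications for Android are worrisome: none of these tools is resistant against common malware transformation techniques. In addition, a majority of them can be trivially defeated by applying slight transformation over known malware with little effort for malware authors. Finally, in light of our results, we propose possible remedies for improving the current state of malware detection on mobile devices.},
}

@article{rhee_riley_lin_jiang_xu_2014,
  author    = {Rhee, Junghwan and Riley, Ryan and Lin, Zhiqiang and Jiang, Xuxian and Xu, Dongyan},
  title     = {Data-Centric {OS} Kernel Malware Characterization},
  journal   = tifs,
  volume    = {9},
  number    = {1},
  year      = {2014},
  month     = jan,
  pages     = {72--87},
  issn      = {1556-6021},
  doi       = {10.1109/tifs.2013.2291964},
  abstract  = {Traditional malware detection and analysis approaches have been focusing on code-centric aspects of malicious programs, such as detection of the injection of malicious code or matching malicious code sequences. However, modern malware has been employing advanced strategies, such as reusing legitimate code or obfuscating malware code to circumvent the detection. As a new perspective to complement code-centric approaches, we propose a data-centric OS kernel malware characterization architecture that detects and characterizes malware attacks based on the properties of data objects manipulated during the attacks. This framework consists of two system components with novel features: First, a runtime kernel object mapping system which has an un-tampered view of kernel data objects resistant to manipulation by malware. This view is effective at detecting a class of malware that hides dynamic data objects. Second, this framework consists of a new kernel malware detection approach that generates malware signatures based on the data access patterns specific to malware attacks. This approach has an extended coverage that detects not only the malware with the signatures, but also the malware variants that share the attack patterns by modeling the low level data access behaviors as signatures. Our experiments against a variety of real-world kernel rootkits demonstrate the effectiveness of data-centric malware signatures.},
}

@article{gu_jiang_xue_zou_guo_2014,
  author        = {Gu, D. W. and Jiang, X. X. and Xue, Y. B. and Zou, W. and Guo, L.},
  title         = {Protecting Communications Infrastructure Against Cyber Attacks},
  journal       = {China Communications},
  volume        = {11},
  number        = {8},
  year          = {2014},
  pages         = {I-},
  internal-note = {pages value "I-" came through truncated in the export; verify the real page range (and add a doi if one exists) against the publisher record},
}

@book{jiang_zhou_2013,
  author        = {Jiang, X. and Zhou, Y.},
  title         = {{Android} Malware},
  publisher     = {Springer},
  address       = {New York},
  year          = {2013},
  doi           = {10.1007/978-1-4614-7394-7},
  abstract      = {Mobile devices, such as smart phones, have achieved computing and networking capabilities comparable to traditional personal computers. Their successful consumerization has also become a source of pai},
  internal-note = {abstract is cut off mid-word in the export},
}

@inproceedings{zhou_zhou_grace_jiang_zou_2013,
  author    = {Zhou, W. and Zhou, Y. and Grace, M. and Jiang, X. and Zou, S.},
  title     = {Fast, Scalable Detection of ``Piggybacked'' Mobile Applications},
  booktitle = {{ACM} Conference on Data and Application Security and Privacy},
  year      = {2013},
  pages     = {185--195},
  doi       = {10.1145/2435349.2435377},
  abstract  = {Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called ``piggybacked'' apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97\% to 2.7\% (the official Android Market has 1\%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.},
}

@inproceedings{zhou_jiang_2012,
  author    = {Zhou, Yajin and Jiang, Xuxian},
  title     = {Dissecting {Android} Malware: Characterization and Evolution},
  booktitle = {2012 {IEEE} Symposium on Security and Privacy ({SP})},
  year      = {2012},
  pages     = {95--109},
  issn      = {1081-6011},
  doi       = {10.1109/sp.2012.16},
  abstract  = {The popularity and adoption of smart phones has greatly stimulated the spread of mobile malware, especially on the popular platforms such as Android. In light of their rapid growth, there is a pressing need to develop effective solutions. However, our defense capability is largely constrained by the limited understanding of these emerging mobile malware and the lack of timely access to related samples. In this paper, we focus on the Android platform and aim to systematize or characterize existing Android malware. Particularly, with more than one year effort, we have managed to collect more than 1,200 malware samples that cover the majority of existing Android malware families, ranging from their debut in August 2010 to recent ones in October 2011. In addition, we systematically characterize them from various aspects, including their installation methods, activation mechanisms as well as the nature of carried malicious payloads. The characterization and a subsequent evolution-based study of representative families reveal that they are evolving rapidly to circumvent the detection from existing mobile anti-virus software. Based on the evaluation with four representative mobile security software, our experiments show that the best case detects 79.6\% of them while the worst case detects only 20.2\% in our dataset. These results clearly call for the need to better develop next-generation anti-mobile-malware solutions.},
}

@article{deng_xu_zhang_jiang_2012,
  author    = {Deng, Zhui and Xu, Dongyan and Zhang, Xiangyu and Jiang, Xuxian},
  title     = {{IntroLib}: Efficient and Transparent Library Call Introspection for Malware Forensics},
  journal   = {Digital Investigation},
  volume    = {9},
  year      = {2012},
  month     = aug,
  pages     = {S13--S23},
  issn      = {1873-202X},
  doi       = {10.1016/j.diin.2012.05.013},
  abstract  = {Dynamic malware analysis aims at revealing malware's runtime behavior. To evade analysis, advanced malware is able to detect the underlying analysis tool (e.g., one based on emulation.) On the other hand, existing malware-transparent analysis tools incur significant performance overhead, making them unsuitable for live malware monitoring and forensics. In this paper, we present IntroLib, a practical tool that traces user-level library calls made by malware with low overhead and high transparency. IntroLib is based on hardware virtualization and resides outside of the guest virtual machine where the malware runs. Our evaluation of an IntroLib prototype with 93 real-world malware samples shows that IntroLib is immune to emulation and API hooking detection by malware, uncovers more semantic information about malware behavior than system call tracing, and incurs low overhead (< 15\% in all-but-one test case) in performance benchmark testing.},
}

@article{mao_wu_jiang_2012,
  author        = {Mao, Guojun and Wu, Xindong and Jiang, Xuxian},
  title         = {Intrusion Detection Models Based on Data Mining},
  journal       = {International Journal of Computational Intelligence Systems},
  volume        = {5},
  number        = {1},
  year          = {2012},
  month         = feb,
  pages         = {30--38},
  issn          = {1875-6883},
  doi           = {10.1080/18756891.2012.670519},
  abstract      = {Computer intrusions are taking place everywhere, and have become a major concern for information security. Most intrusions to a computer system may result from illegitimate or irregular calls to the operating system, so analyzing the system-call sequences becomes an important and fundamental technique to detect potential intrusions. This paper proposes two models based on data mining technology, respectively called frequency patterns (FP) and tree patterns (TP) for intrusion detection. FP employs a typical method of sequential mining based on frequency analysis, and uses a short sequence model to find out quickly frequent sequential patterns in the training system-call sequences. TP makes use of the technique of tree pattern mining, and can get a quality profile from the training system-call sequences of a given system. Experimental results show that FP has good performances in training and detecting intrusions from short system-call sequences, and TP can achieve a high detection precision in han...},
  internal-note = {abstract is truncated ("han...") in the export; a stray leading "Abstract" token was removed},
}

@article{riley_jiang_xu_2010,
  author    = {Riley, Ryan and Jiang, Xuxian and Xu, Dongyan},
  title     = {An Architectural Approach to Preventing Code Injection Attacks},
  journal   = {IEEE Transactions on Dependable and Secure Computing},
  volume    = {7},
  number    = {4},
  year      = {2010},
  pages     = {351--365},
  issn      = {1941-0018},
  doi       = {10.1109/tdsc.2010.1},
  abstract  = {Code injection attacks, despite being well researched, continue to be a problem today. Modern architectural solutions such as the execute-disable bit and PaX have been useful in limiting the attacks; however, they enforce program layout restrictions and can oftentimes still be circumvented by a determined attacker. We propose a change to the memory architecture of modern processors that addresses the code injection problem at its very root by virtually splitting memory into code memory and data memory such that a processor will never be able to fetch injected code for execution. This virtual split memory system can be implemented as a software-only patch to an operating system and can be used to supplement existing schemes for improved protection. Furthermore, our system is able to accommodate a number of response modes when a code injection attack occurs. Our experiments with both benchmarks and real-world attacks show the system is effective in preventing a wide range of code injection attacks while incurring reasonable overhead.},
}

@inproceedings{bahram_jiang_wang_grace_li_srinivasan_rhee_xu_2010,
  author    = {Bahram, S. and Jiang, X. X. and Wang, Z. and Grace, M. and Li, J. K. and Srinivasan, D. and Rhee, J. and Xu, D. Y.},
  title     = {{DKSM}: Subverting Virtual Machine Introspection for Fun and Profit},
  booktitle = {2010 29th {IEEE} International Symposium on Reliable Distributed Systems {SRDS} 2010},
  year      = {2010},
  pages     = {82--91},
}

@article{zhang_wang_yang_jiang_2010,
  author    = {Zhang, Ruishan and Wang, Xinyuan and Yang, Xiaohui and Jiang, Xuxian},
  title     = {On the Billing Vulnerabilities of {SIP}-Based {VoIP} Systems},
  journal   = {Computer Networks},
  volume    = {54},
  number    = {11},
  year      = {2010},
  month     = aug,
  pages     = {1837--1847},
  issn      = {1872-7069},
  doi       = {10.1016/j.comnet.2010.02.007},
  abstract  = {For commercial VoIP services, billing is crucial to both service providers and their subscribers. One of the most basic requirements of any billing function is that it must be accurate and trustworthy. A reliable VoIP billing mechanism should only charge VoIP subscribers for the calls they have really made and for the durations they have called. Existing VoIP billing is based on the underlying VoIP signaling and media transport protocols. Hence, vulnerabilities in VoIP signaling and media transports can be exploited to compromise the trustworthiness of the billing of VoIP systems. In this paper, we analyze several deployed SIP-based VoIP systems, and present three types of billing attacks: call establishment hijacking, call termination hijacking and call forward hijacking. These billing attacks can result in charges on the calls the subscribers have not made or overcharges on the VoIP calls the subscribers have made. Such billing attacks essentially cause inconsistencies between what the VoIP subscribers have received and what the VoIP service provider has provided, which would create hard to resolve disputes between the VoIP subscribers and service providers. Our empirical results show that VoIP subscribers of Vonage, AT\&T and Gizmo are vulnerable to these billing attacks.},
}

@article{jiang_wang_xu_2010,
  author        = {Jiang, Xuxian and Wang, Xinyuan and Xu, Dongyan},
  title         = {Stealthy Malware Detection and Monitoring through {VMM}-Based ``Out-of-the-Box'' Semantic View Reconstruction},
  journal       = {ACM Transactions on Information and System Security},
  volume        = {13},
  number        = {2},
  year          = {2010},
  month         = feb,
  issn          = {1557-7406},
  doi           = {10.1145/1698750.1698752},
  abstract      = {An alarming trend in recent malware incidents is that they are armed with stealthy techniques to detect, evade, and subvert malware detection facilities of the victim. On the defensive side, a fundamental limitation of traditional host-based antimalware systems is that they run inside the very hosts they are protecting (``in-the-box''), making them vulnerable to counter detection and subversion by malware. To address this limitation, recent solutions based on virtual machine (VM) technologies advocate placing the malware detection facilities outside of the protected VM (``out-of-the-box''). However, they gain tamper resistance at the cost of losing the internal semantic view of the host, which is enjoyed by ``in-the-box'' approaches. This poses a technical challenge known as the semantic gap. In this article, we present the design, implementation, and evaluation of VMwatcher---an ``out-of-the-box'' approach that overcomes the semantic gap challenge. A new technique called guest view casting is developed to reconstruct internal semantic views (e.g., files, processes, and kernel modules) of a VM nonintrusively from the outside. More specifically, the new technique casts semantic definitions of guest OS data structures and functions on virtual machine monitor (VMM)-level VM states, so that the semantic view can be reconstructed. Furthermore, we extend guest view casting to reconstruct details of system call events (e.g., the process that makes the system call as well as the system call number, parameters, and return value) in the VM, enriching the semantic view. With the semantic gap effectively narrowed, we identify three unique malware detection and monitoring capabilities: (i) view comparison-based malware detection and its demonstration in rootkit detection; (ii) ``out-of-the-box'' deployment of off-the-shelf anti malware software with improved detection accuracy and tamper-resistance; and (iii) nonintrusive system call monitoring for malware and intrusion behavior observation. We have implemented a proof-of-concept VMwatcher prototype on a number of VMM platforms. Our evaluation experiments with real-world malware, including elusive kernel-level rootkits, demonstrate VMwatcher's practicality and effectiveness.},
  internal-note = {no pages/article number in the export; look up the article id on the publisher record},
}

@inproceedings{wang_jiang_2010,
  author    = {Wang, Z. and Jiang, X. X.},
  title     = {{HyperSafe}: A Lightweight Approach to Provide Lifetime Hypervisor Control-Flow Integrity},
  booktitle = {2010 {IEEE} Symposium on Security and Privacy},
  year      = {2010},
  pages     = {380--395},
}

@inproceedings{wang_jiang_cui_wang_grace_2009,
  author    = {Wang, Z. and Jiang, X. X. and Cui, W. D. and Wang, X. Y. and Grace, M.},
  title     = {{ReFormat}: Automatic Reverse Engineering of Encrypted Messages},
  booktitle = {Computer Security -- {ESORICS} 2009, Proceedings},
  series    = {Lecture Notes in Computer Science},
  volume    = {5789},
  year      = {2009},
  pages     = {200--215},
}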