Wednesday, August 7, 2013

Building an Android IDS on Network Level at DEFCON 21


Being popular is not always a good thing, and here is why. As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Several behavior-based malware analysis and detection techniques for mobile threats have already been proposed for mobile devices.

I'll show how I built a new detection framework that will be the first open source Android IDS working at the network level.

This open source network-based intrusion detection system and network-based intrusion protection system has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks, featuring:
  • Protocol analysis
  • Content searching
  • Content matching 

In IDS/IPS mode, the program monitors network traffic, analyzes it against a rule set defined by the user, and then performs a specific action based on what has been identified. With the help of custom-built signatures, the framework can also be used to:
  • Detect probes or attacks designed for mobile devices
  • Fool and cheat operating system fingerprinting attempts (like nmap or p0f)
  • Detect Server Message Block (SMB) probes
  • Detect and block well-known malware
  • Decode and create meterpreter honeypots
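To make the IDS/IPS loop above concrete (protocol analysis, content searching, then an action chosen by the matching rule), here is a small added example in Python. It is not the framework's own code; the rule and packet structures, the `inspect` function and the sample traffic are all assumptions constructed for this illustration. The only real protocol constant is the SMB1 header marker `\xffSMB`; the "beacon" string is a made-up placeholder standing in for a real malware signature.

```python
"""Minimal rule-driven packet inspector in the spirit of a network-level
IDS/IPS: match protocol and port, search the payload for a content
pattern, then alert or drop.  Added example, not the framework's code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str        # "tcp" or "udp" (assumed, simplified header)
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    name: str
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any destination port
    content: bytes            # byte pattern searched in the payload
    action: str               # "alert" (log only) or "drop" (block in IPS mode)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol analysis first (cheap), content searching second."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return rule.content in pkt.payload


def inspect(pkt: Packet, rules: List[Rule], mode: str) -> Tuple[List[str], bool]:
    """Return (names of rules that fired, whether the packet is forwarded).

    In "ids" mode every packet is forwarded and hits are only reported;
    in "ips" mode a packet hit by a "drop" rule is blocked."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    blocked = mode == "ips" and any(r.action == "drop" for r in hits)
    return [r.name for r in hits], not blocked


# Constructed rule set (hypothetical names; only the SMB marker is real).
RULES = [
    Rule("SMB probe", "tcp", 445, b"\xffSMB", "alert"),
    Rule("Beacon marker (constructed)", "tcp", 80,
         b"EXAMPLE-BEACON-MARKER", "drop"),
]

# Constructed sample traffic: an SMB1 negotiate-style packet, a fake
# malware check-in carrying the placeholder marker, and a clean request.
SAMPLE_PACKETS = [
    Packet("tcp", 445, b"\x00\x00\x00\x2f\xffSMBr\x00\x00\x00\x00"),
    Packet("tcp", 80, b"GET /check?id=1 HTTP/1.1\r\n"
                      b"User-Agent: EXAMPLE-BEACON-MARKER\r\n\r\n"),
    Packet("tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
]


def run_demo(mode: str) -> List[Tuple[List[str], bool]]:
    """Inspect every sample packet in the given mode and collect results."""
    return [inspect(p, RULES, mode) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        for pkt, (hits, forwarded) in zip(SAMPLE_PACKETS, run_demo(mode)):
            verdict = "forwarded" if forwarded else "DROPPED"
            print(f"[{mode}] port {pkt.dst_port}: hits={hits} -> {verdict}")
```

Running it shows the difference between the two modes: in IDS mode the beacon packet is logged but still forwarded, while in IPS mode the same rule drops it. Real signatures would of course carry more than a single substring (offsets, regexes, flow state), but the alert-versus-drop decision tree is the same.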

If you missed my talk at DEFCON 21, you can see the slides now on Slideshare:


Hope you like it and feel free to share with anyone and everyone! :)