Please use this identifier to cite or link to this item:
Full metadata record
DC FieldValueLanguage
dc.contributor.authorBellizzi, Jennifer-
dc.contributor.authorLosiouk, Eleonora-
dc.contributor.authorConti, Mauro-
dc.contributor.authorColombo, Christian-
dc.contributor.authorVella, Mark-
dc.identifier.citationBellizzi, J., Losiouk, E., Conti, M., Colombo, C., & Vella, M. (2023). VEDRANDO: A Novel Way to Reveal Stealthy Attack Steps on Android through Memory Forensics. Journal of Cybersecurity and Privacy, 3(3), 364-395.en_GB
dc.description.abstractThe ubiquity of Android smartphones makes them targets of sophisticated malware, which maintain long-term stealth, particularly by offloading attack steps to benign apps. Such malware leaves little to no trace in logs, and the attack steps become difficult to discern from benign app functionality. Endpoint detection and response (EDR) systems provide live forensic capabilities that enable anomaly detection techniques to detect anomalous behavior in application logs after an app hijack. However, this presents a challenge, as state-of-the-art EDRs rely on device and third-party application logs, which may not include evidence of attack steps, thus prohibiting anomaly detection techniques from exposing anomalous behavior. While, theoretically, all the evidence resides in volatile memory, its ephemerality necessitates timely collection, and its extraction requires device rooting or app repackaging. We present VEDRANDO, an enhanced EDR for Android that accomplishes (i) the challenge of timely collection of volatile memory artefacts and (ii) the detection of a class of stealthy attacks that hijack benign applications. VEDRANDO leverages memory forensics and app virtualization techniques to collect timely evidence from memory, which allows uncovering attack steps currently uncollected by the state-of-the-art EDRs. The results showed that, with less than 5% CPU overhead compared to normal usage, VEDRANDO could uniquely collect and fully reconstruct the stealthy attack steps of ten realistic messaging hijack attacks using standard anomaly detection techniques, without requiring device or app modification.en_GB
dc.publisherMDPI AGen_GB
dc.subjectRemote sensingen_GB
dc.subjectComputer networks -- Security measuresen_GB
dc.subjectMobile computing -- Security measuresen_GB
dc.subjectMobile communication systems -- Security measuresen_GB
dc.titleVEDRANDO : a novel way to reveal stealthy attack steps on android through memory forensicsen_GB
dc.rights.holderThe copyright of this work belongs to the author(s)/publisher. The rights of this work are as defined by the appropriate Copyright Legislation or as modified by any successive legislation. Users may access this work and can make use of the information contained in accordance with the Copyright Legislation provided that the author must be properly acknowledged. Further distribution or reproduction in any format is prohibited without the prior permission of the copyright holderen_GB
dc.publication.titleJournal of Cybersecurity and Privacyen_GB
Appears in Collections:Scholarly Works - FacICTCS

Files in This Item:
File Description SizeFormat 
VEDRANDO.pdf1.08 MBAdobe PDFView/Open

Items in OAR@UM are protected by copyright, with all rights reserved, unless otherwise indicated.