Building an Android IDS on Network Level
JAIME SANCHEZ A3SEC
Being popular is not always a good thing and hereís why. As mobile devices grow in popularity, so do the incentives for attackers. Mobile malware and threats are clearly on the rise, as attackers experiment with new business models by targeting mobile phones. Nowadays, several behavior-based malware analysis and detection techniques for mobile threats have been proposed for mobile devices. We'll show how we built a new detection framework that will be the first open source Android IDS on network level.
This open source network-based intrusion detection system and network-based intrusion protection system has the ability to perform real-time traffic analysis and packet logging on Internet Protocol (IP) networks, featuring: Protocol analysis, Content searching and Content matching.
In IDS/IPS mode, the program will monitor network traffic and analyze it against a rule set defined by the user, and then perform a specific action based on what has been identified. With the help of custom build signatures, the framework can also be used to detect probes or attacks designed for mobile devices, fool and cheat operating system fingerprinting attempts (like nmap or p0f), server message block probes, etc.
Jaime Sanchez (@segofensiva) is passionate about computer security. He has worked for over 13 years as a specialist advisor for large national and international companies. As a specialist advisor, he focuses on different aspects of security such as consulting, auditing, training and ethical hacking techniques. He works in the Security Operations Center (SOC) of a multinational telecommunications company offering managed security services for IBEX35 companies. He has a Computer Engineering degree and has completed an Executive MBA (Master in Business Administration). In addition, he holds several certifications: CISA, CISM, CISSP, CCNA, CCNA SECURITY, and ITIL, just to name a few.
In his free time, he conducts research on security and works as an independent consultant. He has spoken in renowned security conferences nationally and internationally, introducing new bugs and exploitation techniques and mitigation, as in RootedCON in Spain, and Nuit du Hack in Paris. In the coming months, he will be presenting at Blackhat Arsenal USA 2013. Defcon XXI, DerbyCON or Hacktivity.
Jaime is a frequent contributor to several technical magazines involved with state-of-the-art attack and defense mechanisms, network security and general ethical hacking techniques. He also writes a blog called "Seguridad Ofensiva"(http://www.seguridadofensiva.com/) touching on current topics in the field of hacking and security.