Information Technology and Management

, Volume 18, Issue 1, pp 1–25 | Cite as

Using ontologies to perform threat analysis and develop defensive strategies for mobile security

  • Ping Wang
  • Kuo-Ming Chao
  • Chi-Chun Lo
  • Yu-Shih Wang


Existing studies on the detection of mobile malware have focused mainly on static analyses performed to examine the code-structure signature of viruses, rather than the dynamic behavioral aspects. By contrast, the unidentified behavior of new mobile viruses using the self-modification, polymorphic, and mutation techniques for variants have largely been ignored. The problem of precision regarding malware variant detection has become one of the key concerns in mobile security. Accordingly, the present study proposed a threat risk analysis model for mobile viruses, using a heuristic approach incorporating both malware behavior analysis and code analysis to generate a virus behavior ontology associated with the Protégé platform. The proposed model can not only explicitly identify an attack profile in accordance with structural signature of mobile viruses, but also overcome the uncertainty regarding the probability of an attack being successful. This model is able to achieve this by extending frequent episode rules to investigate the attack profile of a given malware, using specific event sequences associated with the sandbox technique for mobile applications (apps) and hosts. For probabilistic analysis, defense evaluation metrics for each node were used to simulate the results of an attack. The simulations focused specifically on the attack profile of a botnet to assess the threat risk. The validity of the proposed approach was demonstrated numerically by using two malware cyber-attack examples. Overall, the results presented in this paper prove that the proposed scheme offers an effective countermeasure, evaluated using a set of security metrics, for mitigating network threats by considering the interaction between the attack profiles and defense needs.


Threat risk analysis Mobile virus Ontology Behavior analysis Code analysis 



This work was supported partly by National Science Council under the Grant Nos. 103-2627-E-168-001, 103-N-358-NSC-R-040 and NSC 102-2218-E-168-044.


  1. 1.
    Jacob G, Debar H, Filiol E (2008) Behavioral detection of malware: from a survey towards an established taxonomy. J Comput Virol 4:251–266CrossRefGoogle Scholar
  2. 2.
    Bayne J (2012) An overview of threat and risk assessment. SANS Institute. Accessed 14 Jan 2010
  3. 3.
    Mitre Corporation (2011) Common vulnerabilities and exposures. Accessed 8 Jan 2012
  4. 4.
    NIST (2012) NVD (national vulnerability database). Accessed 21 Sep 2012
  5. 5.
    Sheyner O (2004) Scenario graphs and attack graphs. PhD thesis, Carnegie Mellon UniversityGoogle Scholar
  6. 6.
    Schneier B (1999) Attack trees: modeling security threats. Dr. Dobbs’ Journal. Retrieved from
  7. 7.
    Edge KS, Dalton II GC, Raines RA, Mills RF (2007) Using attack and protection trees to analyze threats and defenses to homeland security (MILCOM), pp 1–7Google Scholar
  8. 8.
    Roy A, Kim D, Trivedi KS (2010) Cyber security analysis using attack countermeasure trees. In CSIIRW’10, April 21–23Google Scholar
  9. 9.
    Clausing J (2009) Building an automated behavioral malware analysis environment using open source software. SANS Institute Reading RoomGoogle Scholar
  10. 10.
    Truman Sandbox (2013). Accessed 19 Mar 2012
  11. 11.
    Stewart J (2006) Behavioural malware analysis using Sandnets. Comput Fraud Secur 2006(12):4–6Google Scholar
  12. 12.
    Willems C, Holz T, Freiling F (2007) Toward automated dynamic malware analysis using CWSandbox. IEEE Secur Priv 5(2):32–39CrossRefGoogle Scholar
  13. 13.
    Blasing T, Batyuk L, Schmidt AD, Camtepe SA, Albayrak S (2010) An android application sandbox system for suspicious software detection. In 5th international conference of malicious and unwanted software (MALWARE)Google Scholar
  14. 14.
    Honeynet Project (2012) DroidBox.
  15. 15.
    Marianne L (1987) The knowledge acquisition grid: a method for training knowledge engineers. Int J Man Mach Stud 26(2):245–255CrossRefGoogle Scholar
  16. 16.
    Berners-Lee T (1998) Semantic web roadmap. W3C design issuesGoogle Scholar
  17. 17.
    Noy NF, Hafner CD (1997) The state of the art in ontology design: a survey and comparative review. AI Mag 18(3):53–74Google Scholar
  18. 18.
    Noy NF, McGuinness DL (2001) Ontology development 101: a guide to creating your first ontology. Technical report KSL-01-05, Stanford Knowledge Systems LaboratoryGoogle Scholar
  19. 19.
    Uschold M, Grueninger M (1996) Ontologies: principles, methods and applications. Knowl Eng Rev 11(2):93–155CrossRefGoogle Scholar
  20. 20.
    Lee CS, Wang MH (2009) Ontology-based computational intelligent multi-agent and its application to CMMI assessment. Appl Intell 30(3):203–219CrossRefGoogle Scholar
  21. 21.
    Simmonds A, Sandilands P, Ekert LV (2003) An ontology for network security attacks, RAID 2003, LCNS 2820. Springer, HeidelbergGoogle Scholar
  22. 22.
    Grit D, Lalana K, Tim F, Massimo P (2003) Security for DAML web services: annotation and matchmaking. In Proceedings of second international semantic web conference, SeptemberGoogle Scholar
  23. 23.
    Weavor N, Paxson V, Staniford S, Cunningham R (2003) A taxonomy of computer worms. UC Berkeley, ICSI, Silicon Defense, MIT Lincoln LaboratoryGoogle Scholar
  24. 24.
    Dagon D, Gu G, Zou C, Grizzard J, Dwivedi S, Lee W, Lipton R (2006) A taxonomy of botnets. Georgia Institute of technology, University of Central Florida, Orlando, FL.Google Scholar
  25. 25.
    Lee CS, Jian ZW, Huang LK (2005) A fuzzy ontology and its application to news summarization. IEEE Trans Syst Man Cybern Part B 35(5):859–880CrossRefGoogle Scholar
  26. 26.
    Huang HD, Chuang TY, Tsai YL, Lee CS (2010) Ontology-based intelligent system for malware behavioral analysis. In: 2010 IEEE international conference on fuzzy systems (FUZZ 2010), 1–6, July, 18–23, Barcelona, SpainGoogle Scholar
  27. 27.
    Huang HD, Lee CS, Kao HY, Tsai YL, Chang JG (2011) Malware behavioral analysis system: TWMAN, 2011 IEEE symposium on intelligent agent (IA), Paris, France, pp 1–8Google Scholar
  28. 28.
    Rauzy A (1993) New algorithms for fault tree analysis. Reliab Eng Syst Saf 40(3):203–211CrossRefGoogle Scholar
  29. 29.
    Kordy B, Mauw S, Radomirovic S, Schweitzer P (2010) Foundations of attack–defense trees, LNCS 2010. Springer, Heidelberg. Accessed 11 March 2012
  30. 30.
    Wikipedia (2013) Mobile security. Accessed 27 Nov 2013
  31. 31.
    Farahmand F, Navathe BS, Sharp PG, Enslow HP (2005) A management perspective on risk of security threats to information systems. Inf Technol Manag 6(2–3):203–225CrossRefGoogle Scholar
  32. 32.
    Bandyopadhyay T, Jacob V, Raghunathan S (2010) Information security in networked supply chains: impact of network vulnerability and supply chain integration on incentives to invest. Inf Technol Manag 11(1):7–23CrossRefGoogle Scholar
  33. 33.
    Wang P, Chao KM, Lo CC (2013) A novel threat and risk assessment mechanism for security controls in service management. In: IEEE international conference on e-business engineering (ICEBE 2013), pp 11–13Google Scholar
  34. 34.
    Isograph (2010) AttackTree+. Accessed 9 Apr 2011
  35. 35.
    International Organization for Standardization (2008) ISO/IEC 27005: 2008 information technology—security techniques—information security risk managementGoogle Scholar
  36. 36.
    Desnos A, Androguard (2013). Accessed 21 May 2013
  37. 37.
    Mannila H, Toivonen H, Verkamo IA (1997) Discovery of frequent episodes in event sequences. Data Min Knowl Discov 1(3):259–289CrossRefGoogle Scholar
  38. 38.
    Cincotti A, Cutello V, Pappalardo F (2003) An ant algorithm for the weighted minimum hitting set problem. In: 2003 IEEE swarm intelligence symposium (SIS), pp 24–26Google Scholar
  39. 39.
    Bulysheva L, Bulyshev A (2012) Segmentation modeling algorithm: a novel algorithm in data mining. Inf Technol Manag 13(4):263–271CrossRefGoogle Scholar
  40. 40.
    Jacks T, Palvia P (2013) SMeasuring value dimensions of IT occupational culture: an exploratory analysis. Inf Technol Manag. doi: 10.1007/s10799-013-0170-0 Google Scholar
  41. 41.
    Stanford University (2002) Protégé. Accessed 19 Oct 2011
  42. 42.
  43. 43.
    Stevens K, Jackson D (2010) Zeus banking Trojan report. Accessed 08 Oct 2011

Copyright information

© Springer Science+Business Media New York 2015

Authors and Affiliations

  • Ping Wang
    • 1
  • Kuo-Ming Chao
    • 2
  • Chi-Chun Lo
    • 3
  • Yu-Shih Wang
    • 1
  1. 1.Department of Information ManagementKun Shan UniversityYongkang DistrictTaiwan
  2. 2.School of MISCoventry UniversityCoventryUK
  3. 3.Institute of Information ManagementNational Chiao Tung UniversityHsinchuTaiwan

Personalised recommendations