MONITORING ANDROID DEVICES BY USING EVENTS AND METADATA

Authors

  • Markus Schölzel
  • Evren Eren
  • Kai-Oliver Detken
  • Leonid Schwenke

DOI:

https://doi.org/10.47839/ijc.15.4.856

Keywords:

information security, SIEM, network monitoring, IEEE 802.1X, IF-MAP, trusted network connect, TNC, event detection.

Abstract

Mobile devices such as smartphones and tablet PCs are increasingly used for business purposes. However, the trustworthiness of their operating systems and apps is controversial. They can constitute a threat to corporate networks and infrastructures if they are not audited or monitored. The concept of port-based authentication using IEEE 802.1X restricts access and may provide statistical data about users entering or leaving a network, but it does not consider the threat devices can pose once they have already been authenticated and are in use. Security information and event management (SIEM) software therefore has to incorporate information about mobile devices during their usage, and those devices have to gather and publish that information to make this possible. This can be achieved by using a client on the mobile device, which is proposed here. It collects metadata, including device-specific data and platform or system state, which is sent via multiple supported protocols to a central SIEM component, where the data is analyzed in assessment procedures for threat analysis using artificial intelligence and rule-sets.


Published

2016-12-29

How to Cite

Schölzel, M., Eren, E., Detken, K.-O., & Schwenke, L. (2016). MONITORING ANDROID DEVICES BY USING EVENTS AND METADATA. International Journal of Computing, 15(4), 248-258. https://doi.org/10.47839/ijc.15.4.856

Section

Articles