Blue-Watchdog: Detecting Bluetooth worm propagation in public areas

The rising popularity of mobile devices, such as cellular phones and PDAs, has made them a lucrative playground for mobile malware propagation. One common infection vector exploited by these mobile malware is Bluetooth. In this paper, we propose an architecture called Blue-Watchdog that detects Bluetooth worm propagation in public areas based on statistical methods. To achieve fast and accurate Bluetooth worm detection, Blue-Watchdog monitors abrupt changes of average paging rate per Bluetooth device from both temporal and temporal-spatial perspectives. The temporal scheme relies on the CUSUM (Cumulative Sum) sequential test together with the generalized likelihood ratio (GLR), and the temporal-spatial scheme aims to identify spatial regions with abnormally frequent paging attempts. Experimental results show that Blue-Watchdog not only has low false alarm rates, but also effectively detects Bluetooth worms that spread quickly in areas where Bluetooth devices are greatly mixed due to high mobility and also those that propagate relatively slowly in a spatially constrained fashion.