現今Android智慧行動裝置普及,成為惡意程式開發者的主要攻擊目標,如何將行動惡意程式進行偵測及防範已成為一大資安議題。同時,行動應用程式的網路流量成長快速,使得將網路封包作為資料集來檢測行動惡意軟體的可行性也提高。然而動態分析具有蒐集資料耗時的缺點,且過去文獻僅從網路封包中提取單一種類協定特徵,此外,僅將應用程式判斷是否為惡意是不夠的。基於此,本研究提出一個結合靜態權限及動態封包分析的Android惡意程式分析系統,先以靜態分析方式,透過應用程式的宣告資訊權限過濾掉良性應用程式,避免過多的資料蒐集時間,並從惡意程式網路流量提取多種類特徵,提升偵測效果同時降低誤判率,最後進行惡意程式家族分類,由於同個惡意家族下的應用程式具有類似的惡意行為,此分類方式能提供資安人員足夠資訊來建立防範策略。經實驗證實,靜、動態模型準確度分別為98.96%及95.6%,其中網路封包動態分析,高於惡意家族分類的94.33%準確度。以測試資料驗證系統整體效能上,準確率為89.1%,然而本實驗證實在動態分析的資料蒐集時間上有大幅改善,僅47.5%的應用程式需進行五分鐘的動態網路封包蒐集。;The popularity of Android smart mobile devices has become the main target of malware developers. How to detect and prevent mobile malware has become a major issue. At the same time, the mobile application′s network traffic has grown rapidly, making it more feasible to use network packets as a data set to detect malicious applications. However, dynamic analysis has the disadvantage of collecting data and taking time, and the past literature only extracts a single kind of agreement feature from the network packet. In addition, it is not enough to distinguish application into malicious or benign. Based on this, this study proposes an Android malware analysis system combining static permissions and dynamic packet analysis. Firstly, static analysis is used to filter out benign applications through the application′s announcement information permission, avoiding excessive data collection time and maliciously. The program network traffic extracts multiple types of features, improves the detection effect and reduces the false positive rate. Finally, the malware family is classified. Since the application under the same malicious family has similar malicious behavior, this classification method can provide sufficient information for the security personnel. To establish a prevention strategy. The experimental results show that the accuracy of static and dynamic models are 98.96% and 95.6%, respectively, and the dynamic analysis of network packets is higher than the accuracy of 94.33% of malicious family classification. Using the test data to verify the overall performance of the system, the accuracy rate was 89.1%. However, this experiment confirmed that the data collection time of the dynamic analysis was greatly improved, and only 47.5% of the applications required a five-minute dynamic network packet collection.
