Abstract (translated from the Chinese original):

Among mobile phones, tablets and all kinds of IoT (Internet of Things) devices, the Android system holds the largest market share. Compared with iOS, Android lets users install software more freely: an APK file obtained from the Internet can simply be downloaded and installed. This convenience, however, also brings considerable risk, and to address it many Android malware detection methods have been developed, such as static analysis, dynamic analysis, hybrid methods and network analysis, which aim to ensure that the APK a user installs is safe and harmless. In static analysis, analysing the program code (source code) is a common approach. From the APK file a function call graph (FCG) can be extracted; in the FCG the calling relationships between functions and their order can be seen, as can how many times and how frequently particular functions are used, so the graph built from the functions can serve as the basis for malware detection. However, publishing the names of these function calls directly could give attackers an opening, so removing the function call names prevents some data leakage. Moreover, an FCG has tens of thousands of nodes and is difficult to inspect and recognise by eye, so a graph neural network approach can classify the malware quickly and automatically. For the featureless graph classification problem, this thesis proposes the GNeP (GIN with ENhance Android DEgree Profile) framework, which is based on graph neural networks (GNN) combined with the Enhance Android Degree Profile (EADP) method for handling featureless graphs. The thesis uses the Graph Isomorphic Network (GIN) as the GNN model; experiments on the MalNet dataset show that GNeP achieves 93.12% accuracy on FCG classification, better than the 80.12% accuracy of the Graph Convolution Network. The proposed classification method applies not only to Android malware detection but also to other graph classification problems.

Abstract (original English):

Among mobile phones, tablets and various Internet of Things (IoT) devices, the market share of the Android system maintains the first place. Compared with the iOS system, the Android system can install software more freely, and the APK file can be downloaded through the Internet. However, this convenience also brings a lot of risks. In order to cope with these risks, many methods for Android malware detection have been developed, such as static analysis, dynamic analysis, hybrid methods and network analysis; these methods can ensure that the APK installed by the user is safe and harmless. In the static analysis method, using code (source code) for analysis is a common method. In the code analysis, the function call graph (FCG) can be obtained through the APK file and a code analysis tool. The calling relationship between functions is represented as an edge. It is difficult for a human to observe the usage times and frequency of a specific function. The entire graph constructed from the functions can be used as an analysis to detect malware. However, if the names of these function calls are directly exposed, malicious people may take advantage, so removing the names of the function calls can prevent the leakage of these data. In addition, the FCG has tens of thousands of nodes, which are difficult to observe and identify through the human eye. Therefore, the method of using a graph neural network can quickly and automatically classify the malware. In order to solve the problem of featureless graph classification, this paper proposes the main mechanism, GNeP, based on the Graph Neural Network (GNN), which has developed rapidly in recent years, combined with the method of dealing with featureless graphs (Enhance Android Degree Profile, EADP), which can solve the problem of featureless graphs. For the problem of graph classification, this paper uses the Graph Isomorphic Network (GIN) as the model of the GNN. GNeP has an accuracy rate of 93.12% in the classification of function call graphs, which is better than the highest accuracy rate of 80.02% for the Graph Convolution Network; the classification method proposed in this paper is not only suitable for Android malware detection but also for other graph classification problems.
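The two steps the abstract describes, stripping function names from the call graph so only its structure remains and then deriving node features from that structure so a GNN can classify a featureless graph, as an added example that is not code from the thesis or the GNeP project. The call graph is a constructed toy sample with made-up function names, and the five-value degree profile (own degree plus min, max, mean and standard deviation of neighbour degrees) is an assumption standing in for the thesis's EADP method, whose exact definition the abstract does not give.

```python
"""Added example (not the thesis's code): anonymize a constructed function
call graph and derive structure-only node features for a featureless graph.

Assumption: the five-value degree profile below stands in for the thesis's
EADP method, whose precise definition is not available here.
"""
from statistics import mean, pstdev

# Constructed sample FCG (names are made up): caller -> list of callees.
SAMPLE_FCG = {
    "MainActivity.onCreate": ["Crypto.encrypt", "Net.open", "Util.log"],
    "Crypto.encrypt": ["Net.send"],
    "Net.open": ["Net.dns", "Net.send"],
    "Net.send": ["Util.log"],
}


def anonymize_fcg(fcg):
    """Drop function names: map each name to an integer id and keep only the
    call edges. Returns (node_count, sorted list of (caller_id, callee_id))."""
    names = sorted(set(fcg) | {c for callees in fcg.values() for c in callees})
    ids = {name: i for i, name in enumerate(names)}
    edges = sorted((ids[src], ids[dst])
                   for src, callees in fcg.items() for dst in callees)
    return len(names), edges


def degree_profile(node_count, edges):
    """Per-node feature vector [deg, min, max, mean, std of neighbour degrees],
    computed on the undirected view of the (name-free) call graph."""
    adj = [set() for _ in range(node_count)]
    for src, dst in edges:
        adj[src].add(dst)
        adj[dst].add(src)
    deg = [len(nbrs) for nbrs in adj]
    feats = []
    for v in range(node_count):
        nd = [deg[u] for u in adj[v]]
        if nd:
            feats.append([deg[v], min(nd), max(nd), mean(nd), pstdev(nd)])
        else:  # isolated node: no neighbour statistics to report
            feats.append([deg[v], 0, 0, 0.0, 0.0])
    return feats


def graph_signature(fcg):
    """Graph-level, name-independent summary: the sorted multiset of rounded
    node profiles. Renaming every function leaves it unchanged."""
    node_count, edges = anonymize_fcg(fcg)
    rows = [tuple(round(x, 4) for x in row)
            for row in degree_profile(node_count, edges)]
    return sorted(rows)


def rename_functions(fcg, prefix="f"):
    """Simulate name obfuscation: replace every function name with prefix+index,
    keeping the call structure identical."""
    names = sorted(set(fcg) | {c for callees in fcg.values() for c in callees})
    alias = {name: f"{prefix}{i}" for i, name in enumerate(names)}
    return {alias[src]: [alias[dst] for dst in callees]
            for src, callees in fcg.items()}


if __name__ == "__main__":
    n, e = anonymize_fcg(SAMPLE_FCG)
    print("nodes:", n, "edges:", e)
    for v, row in enumerate(degree_profile(n, e)):
        print(v, row)
    print("signature unchanged after renaming:",
          graph_signature(SAMPLE_FCG) == graph_signature(rename_functions(SAMPLE_FCG)))
```

The anonymized output contains only integer ids and edges, so nothing a function name might reveal about the sample leaves the extraction step, yet the degree profile still distinguishes, for example, a leaf such as the single-caller node from a hub with several callers. Because the features depend only on structure, renaming or obfuscating every function yields the same graph signature; in the thesis these per-node vectors would be the input that the GIN layers aggregate before graph-level classification.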