博碩士論文 103423006 詳細資訊




以作者查詢圖書館館藏 以作者查詢臺灣博碩士 以作者查詢全國書目 勘誤回報 、線上人數:19 、訪客IP:54.162.10.211
姓名 林修妤(Xiu-Yu Lin)  查詢紙本館藏   畢業系所 資訊管理學系
論文名稱 基於自動化權限分析之 BYOD安全政策制定研究
(Automated Permission-Based Analysis for Developing of BYOD Security Policy)
檔案 [Endnote RIS 格式]    [Bibtex 格式]    至系統瀏覽論文 (2019-7-31以後開放)
摘要(中) BYOD (Bring Your Own Device) 為企業節省採購成本,並使工作產能提升;另一方面也讓企業面臨新的資訊安全風險,因此如何制訂與實施BYOD安全政策成為一項重要的企業資訊安全議題。而在應用程式方面,值得注意的是能夠帶來危害的並不只有惡意程式,合法的應用程序也可能暴露隱密資訊,但面對逐漸增長的應用程式數量,已無法單靠資訊人員逐一分析應用程式是否對企業造成風險。為解決上述問題,本研究提出一個稱為「自動化BYOD安全政策制定」的平台,當員工安裝了一個新的應用程式時,本平台將自動地偵測員工新安裝的應用程式是否為惡意程式,對於合法的應用程式也會分析其宣告的權限是否會對企業帶來安全風險,並將以上分析的結果以安全政策來表示,提供給企業做為制定安全政策的參考。本研究經實驗證明確實可以滿足安全政策制定功能,且本平台也具有足夠高的效率可以進行大量的應用程式分析,幫助企業面對BYOD對於管理應用程式安全性上的挑戰。
摘要(英) BYOD (Bring Your Own Device) make enterprises reduce their cost of purchasing and improve work efficiency. On the other hand, they also face the risks of information security, such as stealing confidential business information by employee’s own device. Therefore, it’s an important issue that how to formulate and implement the BYOD security policy in the enterprises. In the application, it is worth to notice that not only malware has risk, legitimate applications may also expose the secret information. However, with the increasing applications, it’s impossible just to rely on IT analyzing applications one by one. In order to solve these problems which enterprise faces, we propose a platform of formulating security policy for Bring Your Own Device (BYOD) by analyzing Android permission. When employees install an unknown application, the platform will automatically detect the application if a malware, and if not, we are going to find out the application have possibility of having a business risk. The results of the above analysis will translate into security policy for enterprises as a reference. Finally, the experiment proved that we actually can give the security policy advice to enterprise, and our effectiveness in analyzing application is enough to handle the tremendous amount of Android applications.
關鍵字(中) ★ BYOD安全政策
★ Android權限分析
★ 惡意程式
★ 風險程式
關鍵字(英)
論文目次 論文摘要 i
Abstract ii
誌謝 iii
目錄 iv
圖目錄 vi
表目錄 viii
第一章 緒論 1
1-1 研究背景 1
1-2 研究動機與目的 3
1-3 名詞解釋 6
1.3.1 BYOD (Bring Your Own Device) 6
1.3.2 BYOD安全政策 7
1.3.3 Android風險與Android風險程式 7
1-4 章節架構 8
第二章 相關研究 9
2-1 BYOD安全機制的相關文獻 9
2.2.1 常見的BYOD安全機制 9
2.2.1 其他BYOD安全機制研究 10
2-2 Android權限分析相關文獻 14
2-3 Android風險評估與應用程式類別關聯研究文獻 18
2-4 小結 21
第三章 BYOD安全政策制定平台 22
3-1 平台架構 22
3-1-1 應用程式檢測模組 22
3-1-1.1 白名單比對元件 23
3-1-1.2 惡意程式比對元件 24
3-1-2 風險程式分析模組 27
3-1-2.1 敏感權限辨識元件 28
3-1-2.2 標準權限分析元件 31
3-1-3 產生政策模組 34
3-2 平台流程 36
第四章 實驗與討論 39
4-1 實驗環境 39
4-2 實驗一:當員工安裝惡意程式之功能驗證 40
4-2-1 實驗目的 40
4-2-2 實驗環境 40
4-2-3 實驗結果 41
4-3 實驗二:當員工安裝風險程式之功能驗證 44
4-3-1 實驗目的 44
4-3-2 實驗環境 44
4-3-3 實驗結果 45
4-4 實驗三:當員工安裝合法程式之功能驗證 48
4-4-1 實驗目的 48
4-4-2 實驗環境 48
4-4-3 實驗結果 49
4-5 實驗四:應用程式分析之效率驗證 50
4-5-1 實驗目的 50
4-5-2 實驗環境 51
4-5-3 實驗結果 51
4-6 小結 53
第五章 結論與未來研究 54
5-1 研究結論與貢獻 54
5-2 研究限制 56
5-3 未來研究 56
參考文獻 58
附錄 62
A. Android權限列表 62
B. 分類器詳細參數設定 67
參考文獻 [1] iThome. 讓員工自帶設備上班?──BYOD的兩難. Retrieved from http://www.ithome.com.tw/article/89297 (Accessed: 20-Jun-2016)
[2] EY. (September 2013). Bring your own device. Retrieved from http://www.ey.com/publication/vwluassets/ey-bring_your_own_device/$file/ey-bring-your-own-device.pdf (Accessed: 20-Jun-2016)
[3] Lookout. (2015). Risky v. Malicious apps: How they’re different & why you need to care about both. Retrieved from https://blog.lookout.com/blog/2015/10/13/risky-malicious-apps/ (Accessed: 20-Jun-2016)
[4] Appthority. (Summer 2014). App Reputation Report.
[5] AppBrain. Number of Android applications. Retrieved from http://www.appbrain.com/stats/number-of-android-apps (Accessed: 20-Jun-2016)
[6] Airwatch-MDM. Retrieved from http://www.air-watch.com/zh- (Accessed: 20-Jun-2016)hant/solutions/mobile-device-management
[7] MobileIron-MAM. Retrieved from https://www.mobileiron.com/en/solutions/mobile-application-management-mam (Accessed: 20-Jun-2016)
[8] Oxford Dictionaries. Retrieved from http://www.oxfordlearnersdictionaries.com/ (Accessed: 20-Jun-2016)
[9] Samsung KNOX. Retrieved from http://www.samsung.com/global/business/mobile/platform/mobile-platform/knox/ (Accessed: 20-Jun-2016)
[10] 維基百科. Retrieved from https://zh.wikipedia.org (Accessed: 20-Jun-2016)
[11] Gartner. (2016). Gartner Mobile App Survey Reveals 24 Percent More Spending on In-App Transactions Than on Upfront App Payments. Retrieved from http://www.gartner.com/newsroom/id/3331117 (Accessed: 20-Jun-2016)
[12] Google. Google Play. Retrieved from https://play.google.com/store. (Accessed: 20-Jun-2016)
[13] Google. Google Play 開發人員. Retrieved from https://support.google.com/googleplay/android-developer/answer/1153481?hl=zh-Hant (Accessed: 20-Jun-2016)
[14] iThome. (2014). FTC控告Amazon的程式內購買機制讓兒童擅自消費. Retrieved from http://www.ithome.com.tw/news/89365 (Accessed: 20-Jun-2016)
[15] iThome. (2014/08/22). F-Secure:手機惡意程式盛行,濫發簡訊程式肆虐. Retrieved from http://www.ithome.com.tw/news/90376 (Accessed: 20-Jun-2016)
[16] keyence. 風險與安全. Retrieved from http://www.keyence.com.tw/ss/products/safetyknowledge/about/ (Accessed: 20-Jun-2016)
[17] Micro, T. (2015). 最新「Ghost Push」變種宛若幽靈,暗中威脅Android 用戶,同一作者發行逾 600 惡意應用程式. Retrieved from http://blog.trendmicro.com.tw/?p=14633 (Accessed: 20-Jun-2016)
[18] T客邦. (2014/07/15). 手機程式內購買爭議多,消保處提醒當心購物方便期. Retrieved from http://www.techbang.com/posts/19044-phone-app-program-to-purchase-form-of-dispute-the-executive-yuan-consumer-protection-department-announced-the-consumer-trap (Accessed: 20-Jun-2016)
[19] Micro, T. (2014). 八成Google Play前 50 大熱門免費 App有山寨版 !. Retrieved from http://www.trendmicro.tw/tw/about-us/newsroom/releases/articles/20140829083222.html (Accessed: 20-Jun-2016)
[20] Micro, T. (2012/04/25). 《山寨版免費Android App》Instagram和Angry Birds Space憤怒鳥星際版/太空版 下載後電信費暴增. Retrieved from http://blog.trendmicro.com.tw/?p=1292 (Accessed: 20-Jun-2016)
[21] virustotal. Retrieved from https://www.virustotal.com/zh-tw/ (Accessed: 20-Jun-2016)
[22] cultofmac. (2014). Uber’s data-sucking Android app is dangerously close to malware. Retrieved from http://www.cultofmac.com/304401/ubers-android-app-literally-malware/ (Accessed: 20-Jun-2016)
[23] Mila. contagio: Take a sample, leave a sample. Mobile malware mini-dump. Retrieved from http://contagiodump.blogspot.tw/2011/03/take-sample-leave-sample-mobile-malware.html (Accessed: 20-Jun-2016)
[24] 安智官網. Retrieved from http://www.anzhi.com/ (Accessed: 20-Jun-2016)
[25] Wang, X., Sun, K., Wang, Y., & Jing, J. (2015). DeepDroid: Dynamically Enforcing Enterprise Policy on Android Devices. Paper presented at the NDSS.
[26] Armando, A., Costa, G., Merlo, A., & Verderame, L. (2014). Enabling byod through secure meta-market. Paper presented at the Proceedings of the 2014 ACM conference on Security and privacy in wireless & mobile networks.
[27] Johnson, N. L., Cross, M., & Piltzecker, T. (2002). Security+ Study Guide and DVD Training System.
[28] Maiwald, E. (2003). Fundamentals of network security: Dreamtech press.
[29] Chang, J. M., Ho, P.-C., & Chang, T.-C. (2014). Securing BYOD. IT Professional, 16(5), 9-11.
[30] Ocano, S. G., Ramamurthy, B., & Wang, Y. (2015). Remote Mobile Screen (RMS): an approach for secure BYOD environments. Paper presented at the Computing, Networking and Communications (ICNC), 2015 International Conference on.
[31] Aung, Z., & Zaw, W. (2013). Permission-based android malware detection. International Journal of Scientific and Technology Research, 2(3), 228-234.
[32] Moonsamy, V., Rong, J., Liu, S., Li, G., & Batten, L. (2013). Contrasting permission patterns between clean and malicious android applications. Paper presented at the International Conference on Security and Privacy in Communication Systems.
[33] Xiong, P., Wang, X., Niu, W., Zhu, T., & Li, G. (2014). Android malware detection with contrasting permission patterns. China Communications, 11(8), 1-14.
[34] Sarma, B. P., Li, N., Gates, C., Potharaju, R., Nita-Rotaru, C., & Molloy, I. (2012). Android permissions: a perspective combining risks and benefits. Paper presented at the Proceedings of the 17th ACM symposium on Access Control Models and Technologies.
[35] Wang, W., Wang, X., Feng, D., Liu, J., Han, Z., & Zhang, X. (2014). Exploring permission-induced risk in Android applications for malicious application detection. IEEE Transactions on Information Forensics and Security, 9(11), 1869-1882.
[36] Teufl, P., Kraxberger, S., Orthacker, C., Lackner, G., Gissing, M., Marsalek, A. Prevenhueber, O. (2011). Android market analysis with activation patterns. Paper presented at the International Conference on Security and Privacy in Mobile Information and Communication Systems.
[37] Takahashi, T., Ban, T., Mimura, T., & Nakao, K. (2015). Fine-Grained Risk Level Quantication Schemes Based on APK Metadata. Paper presented at the International Conference on Neural Information Processing.
[38] Spreitzenbarth, M., Freiling, F., Echtler, F., Schreck, T., & Hoffmann, J. (2013). Mobile-sandbox: having a deeper look into android applications. Paper presented at the Proceedings of the 28th Annual ACM Symposium on Applied Computing.
[39] Wu, D.-J., Mao, C.-H., Wei, T.-E., Lee, H.-M., & Wu, K.-P. (2012). Droidmat: Android malware detection through manifest and API calls tracing. In Proc. of Asia Joint Conference on Information Security (Asia JCIS), 2012
[40] Wang, Y., Watson, B., Zheng, J., & Mukkamala, S. (2015). ARP-Miner: Mining Risk Patterns of Android Malware. In International Workshop on Multi-disciplinary Trends in Artificial Intelligence
[41] Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., & Rieck, K. (2014). DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. Paper presented at the NDSS.
[42] Peng, H., Gates, C., Sarma, B., Li, N., Qi, Y., Potharaju, R. Molloy, I. (2012). Using probabilistic generative models for ranking risks of android apps. In Proceedings of the 2012 ACM conference on Computer and communications security
[43] Miller, K. W., Voas, J. M., & Hurlburt, G. F. (2012). BYOD : Security and Privacy Considerations. IT Professional, 14(5), 53-55.
[44] Singh, N. (2012). BYOD genie is out of the bottle–“Devil or angel”. Journal of Business Management & Social Sciences Research, 1(3), 1-12.
[45] 李佩芸. (2015). 企業實施 BYOD 之安全政策管理平台設計與雛型實作 國立中央大學資訊管理所.
[46] 陶嘉仁. (2012). Android 程式權限分析. 國立交通大學資訊工程所.
[47] 黄洁, 谭博, & 谭成翔. (2015). 用户友好的 Android 隐私监管机制. Journal of Computer Application计算机应用, 35(3) , 751-755.
指導教授 陳奕明 審核日期 2016-7-25
推文 facebook   plurk   twitter   funp   google   live   udn   HD   myshare   reddit   netvibes   friend   youpush   delicious   baidu   
網路書籤 Google bookmarks   del.icio.us   hemidemi   myshare   

若有論文相關問題,請聯絡國立中央大學圖書館推廣服務組 TEL:(03)422-7151轉57407,或E-mail聯絡  - 隱私權政策聲明