Thesis 104423019: record details

Author: 游子慧 (ZIH-HUEI YOU)    Department: Information Management
Title: 基於靜態特徵與機器學習之Android惡意程式分類研究
(Android Malware Classifier based on Static Feature and Machine Learning)
Related theses
★ A Study on Applying Digital Rights Management to Content Protection for Digital Video Discs
★ A Study on Enterprise Software License Management via Application Virtualization
★ Design of an IAX2-based Web Telephony Architecture
★ A Study on Applying Machine Learning to Assist Police Investigation of Fraud Cases
★ A Study on Account-based Ticketing Systems Extended with Fraud Prevention and Privacy Protection: the Case of Public Transit
★ A Study on Collecting and Integrating Semi-structured Data from the Internet
★ A Study on Online Shopping Assistants in E-commerce Environments
★ A Study on Defense-in-depth Mechanisms for Network Security
★ A Study on Advance Resource Reservation and Resource Conflicts on the National Broadband Experimental Network
★ A Study on Detecting E-mail Viruses with a Tree-based Correlation Architecture
★ A Study on Video Placement in Video-on-Demand Systems Considering Regional Differences
★ A Study on Preserving Digital Evidence in Untrusted Local Area Networks
★ Development of an Integrated Support System for Explaining IDS Events and Automatically Adding Detection Rules
★ A Study on Correlating Alerts from Distributed Intrusion Detection Systems via Process Tracing
★ Development of a Technique for Automatically Generating Web Information Extraction Programs
★ A Study on Applying XML/XACML to Authorization Control in Workflow Management Systems
Files and access rights
  1. This electronic thesis is authorized for immediate open access.
  2. The open-access full text is licensed only for personal, non-commercial retrieval, reading and printing for academic research.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast it without permission.

Abstract
Classifying malware into specific types matters because the characteristics of each type determine the corresponding protective measures. The volume of malware keeps rising and samples keep being re-engineered into variants, so a single sample may no longer exhibit the characteristics of one class only but may also carry traits of other malware classes. This study therefore not only classifies a detected malicious application but also computes a risk value that indicates whether it also contains the characteristics of other classes. It relies on static analysis, which is fast and gives high code coverage. For feature extraction, most prior work uses permissions, API calls, components and similar features, all of which must be filtered by expert analysis before they can be used; opcodes, by contrast, need no expert filtering, can be used directly as raw data, and are closely tied to the application's code, so this study uses opcode sequences as its static feature. The study proposes an application detection platform that classifies applications with opcode sequences and machine learning. Five classifiers commonly used in the static-analysis literature, J48, RandomForest (RF), NaiveBayes, LibSVM and Partial Decision Tree (PART), are trained and evaluated with 10-fold cross-validation; RandomForest with 4-gram opcode sequences scores best, with an F-measure of 97.5%. After classification a risk value is computed for the application, giving as a percentage the degree to which it contains the characteristics of each other malware class, as a basis for judgment.
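The pipeline the abstract describes, as an added example rather than the thesis's ShadowDroid code: smali-style disassembly is reduced to an opcode sequence, the sequence is counted as overlapping 4-grams, and a sample is scored against each class's n-gram profile. The thesis trained Weka classifiers (RandomForest and the other four); the nearest-centroid cosine scorer below is a dependency-free stand-in for that step, chosen because the same similarity also yields the per-class risk percentages the abstract mentions. The smali snippets, the class names "sms" and "lock", and every function name are constructed for illustration. One caveat a practitioner should keep in mind with this feature family: n-grams computed over a packed or reflection-obfuscated APK describe the unpacker stub rather than the payload, so the DEX has to be unpacked before the opcode features mean anything.

```python
"""Opcode n-gram features and per-class risk values for Android apps.

Added example, not the thesis's ShadowDroid code. Turns smali-style
disassembly into opcode 4-gram frequency profiles and scores a sample
against each class profile with cosine similarity (a stand-in for the
Weka classifiers the thesis used). Samples and class names are constructed.
"""
import re
from collections import Counter
from math import sqrt

# smali lines that are not Dalvik instructions: directives, labels, comments, blanks
_NOT_INSTRUCTION = re.compile(r"^\s*(\.|:|#|$)")


def tokenize_opcodes(smali):
    """Return the opcode mnemonic of every instruction line, in program order."""
    return [line.split()[0] for line in smali.splitlines()
            if not _NOT_INSTRUCTION.match(line)]


def opcode_ngrams(ops, n=4):
    """Count overlapping n-grams of an opcode sequence (n=4 was the thesis's best)."""
    return Counter(tuple(ops[i:i + n]) for i in range(len(ops) - n + 1))


def normalize(counts):
    """Relative frequencies, so apps of different size are comparable."""
    total = sum(counts.values()) or 1
    return {gram: c / total for gram, c in counts.items()}


def class_profiles(labelled, n=4):
    """Merge the n-gram counts of all training samples of each class into one profile."""
    merged = {}
    for label, smali in labelled:
        merged.setdefault(label, Counter()).update(opcode_ngrams(tokenize_opcodes(smali), n))
    return {label: normalize(c) for label, c in merged.items()}


def cosine(a, b):
    dot = sum(a[g] * b[g] for g in a.keys() & b.keys())
    na = sqrt(sum(v * v for v in a.values()))
    nb = sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def risk_values(smali, profiles, n=4):
    """Similarity to every class, rescaled to percentages that sum to 100."""
    sample = normalize(opcode_ngrams(tokenize_opcodes(smali), n))
    sims = {label: cosine(sample, p) for label, p in profiles.items()}
    total = sum(sims.values())
    return {label: round(100 * s / total, 1) if total else 0.0 for label, s in sims.items()}


def classify(smali, profiles, n=4):
    """Predicted class is the one with the highest risk value."""
    risk = risk_values(smali, profiles, n)
    return max(risk, key=risk.get)


def f_measure(tp, fp, fn):
    """Weka-style F-measure: harmonic mean of precision and recall."""
    if tp == 0:
        return 0.0
    p, r = tp / (tp + fp), tp / (tp + fn)
    return 2 * p * r / (p + r)


# Constructed training samples: two classes, two variants each.
SMS_A = """.method public run()V
    .locals 3
    invoke-static {}, Landroid/telephony/SmsManager;->getDefault()Landroid/telephony/SmsManager;
    move-result-object v0
    const-string v1, "1234"
    const-string v2, "hello"
    invoke-virtual {v0, v1, v2}, Landroid/telephony/SmsManager;->sendTextMessage(...)V
    return-void
.end method
"""
SMS_B = SMS_A.replace('"hello"', '"buy"').replace("    return-void", "    const/4 v1, 0x1\n    return-void")
LOCK_A = """.method public onCreate()V
    .locals 2
    # keep the screen locked and never return
    iget-object v0, p0, Lcom/example/Lock;->mWindow:Landroid/view/Window;
    const/16 v1, 0x400
    invoke-virtual {v0, v1}, Landroid/view/Window;->addFlags(I)V
    :goto_0
    invoke-static {}, Lcom/example/Lock;->spin()V
    goto :goto_0
.end method
"""
LOCK_B = LOCK_A.replace("    invoke-static", "    new-instance v1, Ljava/lang/Object;\n    invoke-direct {v1}, Ljava/lang/Object;-><init>()V\n    invoke-static")
TRAINING = [("sms", SMS_A), ("sms", SMS_B), ("lock", LOCK_A), ("lock", LOCK_B)]

# Constructed hybrid: an SMS sender that also contains the lock loop, the
# "carries traits of another class" case the risk value is meant to expose.
HYBRID = SMS_A.replace('"hello"', '"pay"').replace("    return-void\n", "").replace(
    ".end method", LOCK_A.split(".locals 2\n", 1)[1])

if __name__ == "__main__":
    profiles = class_profiles(TRAINING)
    print(classify(HYBRID, profiles), risk_values(HYBRID, profiles))
```

Running it classifies the hybrid as "sms" while reporting a substantial "lock" percentage, which is the signal the thesis's risk value is designed to surface; a pure SMS sample scores 0 for "lock". Feature vectors over real DEX files are far sparser than this toy, which is one reason the thesis's tree ensembles beat simple similarity, and why an F-measure of 97.5% (for example 39 true positives against one false positive and one false negative, as `f_measure` computes) should be read together with the family balance of the training set.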
Keywords: Android; static analysis; machine learning; opcode sequence; malware classification; similarity calculation
Table of contents
Chinese Abstract
Abstract
Acknowledgements
Contents
List of Figures
List of Tables
Chapter 1 Introduction
1-1 Research Background
1-2 Research Motivation
1-3 Research Objectives
1-4 Thesis Organization
Chapter 2 Related Work
2-1 Recent Methods and Trends in Static Analysis
2-2 Literature Using Permissions as Static Features
2-3 Literature Using API Calls as Static Features
2-4 Literature Combining Two or More Different Static Features
2-5 Literature Using Opcodes as Static Features
2-6 Summary
Chapter 3 Research Method
3-1 Analysis Tools
3-2 System Architecture
3-2-1 Modules in the ShadowDroid App
3-2-2 Modules in the ShadowDroid Server
3-3 System Workflow
Chapter 4 Experimental Results
4-1 Experimental Environment
4-2 Experiment 1: Functional Validation of Application Detection and Classification
4-2-1 Purpose
4-2-2 Environment
4-2-3 Results
4-3 Experiment 2: Risk Value Calculation for Detected Applications
4-3-1 Purpose
4-3-2 Environment
4-3-3 Results
Chapter 5 Conclusion and Future Work
5-1 Conclusion and Contributions
5-2 Limitations
5-3 Future Work
References
Appendix 1: Malware Samples
Appendix 2: Classifier Parameters
References
 Web references
[1] 8,400 new Android malware samples every day. https://www.gdatasoftware.com/blog/2017/04/29712-8-400-new-android-malware-samples-every-day (Accessed: 20-Jun-2017)
[2] Contagio Blog. http://contagiominidump.blogspot.tw/ (Accessed: 20-Jun-2017)
[3] Global market share held by the leading smartphone operating systems in sales to end users from 1st quarter 2009 to 1st quarter 2017. https://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems/ (Accessed: 20-Jun-2017)
[4] SLocker malware is back: over 400 new variants detected by MI:RIAM. https://www.wandera.com/blog/miriam-detects-slocker-malware/ (Accessed: 20-Jun-2017)
[5] 用機器學習檢測Android惡意代碼並分類_Dalvik虛擬機&Opcode (Detecting and classifying Android malicious code with machine learning: Dalvik VM and opcodes). https://kknews.cc/zh-tw/tech/n2gv8.html (Accessed: 20-Jun-2017)
[6] 惡意軟體分類 (Malware classifications). http://www.jadespring.com.tw/internet-security-center/threats/malware-classifications.html (Accessed: 20-Jun-2017)
[7] APK Extractor. https://play.google.com/store/apps/details?id=com.ext.ui&hl=zh_TW (Accessed: 20-Jun-2017)
 Chinese references
[8] 楊豐盛 (2011). "Android技術內幕:探索Android核心原理與系統開發" (Inside Android: Exploring Android Core Principles and System Development). 碁峰資訊 (GOTOP). ISBN 9789862763407.
[9] 許珈榮, 林盈達, 蔡濠全, 李佳穎 (2012). "Android惡意程式收集,分析與評估" (Android Malware Collection, Analysis and Evaluation). Master's thesis, Department of Computer Science, National Chiao Tung University.
 English references
[10] Aafer, Y., Du, W., & Yin, H. (2013, September). "DroidAPIMiner: Mining API-level features for robust malware detection in Android." In International Conference on Security and Privacy in Communication Systems (pp. 86-103). Springer, Cham.
[11] Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., & Siemens, C. E. R. T. (2014, February). "DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket." In Network and Distributed System Security Symposium (NDSS).
[12] Baskaran, B., & Ralescu, A. (2016). "A Study of Android Malware Detection Techniques and Machine Learning." In Modern Artificial Intelligence and Cognitive Science Conference (MAICS).
[13] Canfora, G., De Lorenzo, A., Medvet, E., Mercaldo, F., & Visaggio, C. A. (2015, August). "Effectiveness of opcode ngrams for detection of multi family Android malware." In Availability, Reliability and Security (ARES), 2015 10th International Conference on (pp. 333-340). IEEE.
[14] Jerome, Q., Allix, K., State, R., & Engel, T. (2014, June). "Using opcode-sequences to detect malicious Android applications." In Communications (ICC), 2014 IEEE International Conference on (pp. 914-919).
[15] Kang, B., Yerima, S. Y., McLaughlin, K., & Sezer, S. (2016, June). "N-opcode analysis for Android malware classification and categorization." In Cyber Security and Protection of Digital Services (Cyber Security), 2016 International Conference on (pp. 1-7). IEEE.
[16] McLaughlin, N., et al. (2017, March). "Deep Android Malware Detection." In Proceedings of the Seventh ACM Conference on Data and Application Security and Privacy (pp. 301-308).
[17] Moonsamy, V., Rong, J., Liu, S., Li, G., & Batten, L. M. (2013, September). "Contrasting Permission Patterns between Clean and Malicious Android Applications." In SecureComm (pp. 69-85).
[18] Ping, X., Xiaofeng, W., Wenjia, N., Tianqing, Z., & Gang, L. (2014). "Android malware detection with contrasting permission patterns." China Communications, IEEE.
[19] Rad, B. B., & Masrom, M. (2010). "Metamorphic Virus Variants Classification Using Opcode Frequency Histogram." Latest Trends on Computers (Volume I).
[20] Wang, X., Wang, J., & Zhu, X. (2016). "A Static Android Malware Detection Based on Actual Used Permissions Combination and API Calls." World Academy of Science, Engineering and Technology, International Journal of Computer, Electrical, Automation, Control and Information Engineering, 10(9), 1630-1637.
[21] Wang, Z., Li, C., Guan, Y., & Xue, Y. (2015, September). "DroidChain: A novel malware detection method for Android based on behavior chain." In Communications and Network Security (CNS), 2015 IEEE Conference on (pp. 727-728).
[22] Yang, C., Xu, Z., Gu, G., Yegneswaran, V., & Porras, P. (2014, September). "DroidMiner: Automated mining and characterization of fine-grained malicious behaviors in Android applications." In European Symposium on Research in Computer Security (pp. 163-182). Springer, Cham.
[23] Yerima, S. Y., Sezer, S., & Muttik, I. (2015). "Android malware detection: An eigenspace analysis approach." Science and Information Conference (SAI), 2015. IEEE.
[24] Yuhui, F., & Ning, X. (2015). "The Analysis of Android Malware Behaviors." International Journal of Security and Its Applications, pp. 335-346.
Advisor: 陳奕明 (Yi-Ming Chen)    Approval date: 2017-8-8