Thesis 105423002: Record Details




Author: Yung-Ching Shyong (熊永菁)    Department: Department of Information Management
Thesis title: Combining Static Permissions and Dynamic Packet Analysis to Improve Android Malware Detection Performance
(Chinese title: 結合靜態權限及動態封包分析以提升Android惡意程式偵測效能之研究)
Related theses
★ A Study on Applying Digital Rights Management to Content Protection of Digital Audio/Video Discs
★ A Study on Enterprise Software License Management via Application Virtualization
★ Design of an IAX2-Based Web Phone Architecture
★ A Study on Collecting and Integrating Semi-Structured Data on the Internet
★ A Study of an Online Shopping Assistant in E-Commerce Environments
★ A Study on Defense-in-Depth Mechanisms for Network Security
★ A Study on Advance Resource Reservation and Resource Conflicts on the National Broadband Experimental Network
★ A Study on Detecting E-mail Viruses with a Tree-Based Correlation Architecture
★ A Study on Video Placement in Video-on-Demand Systems Considering Regional Differences
★ A Study on Preserving Digital Evidence in Untrusted Local Area Networks
★ Development of an Integrated Support System for Explaining Intrusion Detection System Events and Automatically Adding Detection Rules
★ A Study on Correlating Intrusion Alerts of Distributed Intrusion Detection Systems Using Process Tracking
★ Development of an Automatic Generation Technique for Web Information Extraction Programs
★ A Study on Applying XML/XACML to Authorization Control in Workflow Management Systems
★ Design and Implementation of Rapid Deployment of SIP Services
★ A Study on QoS-Guaranteed VoIP Call Admission Control in Wireless LANs
Full text: available to browse in the system from 2020-8-1 onward.
Abstract: Android smart mobile devices are now ubiquitous and have become the main target of malware developers, so detecting and defending against mobile malware has become a major security issue. At the same time, network traffic generated by mobile applications is growing rapidly, which makes it more feasible to use network packets as a data set for detecting mobile malware. However, dynamic analysis has the drawback that data collection is time-consuming, and previous work extracted features from only a single kind of protocol in the captured packets; moreover, merely deciding whether an application is malicious or benign is not enough. This study therefore proposes an Android malware analysis system that combines static permission analysis with dynamic packet analysis. Static analysis first filters out benign applications based on the permissions the application declares, avoiding excessive data-collection time; multiple kinds of features are then extracted from the malware's network traffic to improve detection while reducing the false-positive rate; finally, the malware is classified into families. Because applications in the same malware family exhibit similar malicious behaviour, this family classification gives security staff enough information to build defensive strategies. The experiments show that the static and dynamic models reach accuracies of 98.96% and 95.6% respectively, and that the dynamic network-packet model's accuracy is higher than the 94.33% accuracy of the malware family classification. Validated on the test data, the overall accuracy of the system is 89.1%. The experiments also confirm a large reduction in the data-collection time of the dynamic analysis: only 47.5% of the applications required five minutes of dynamic network-packet collection.
Keywords
★ Dynamic analysis
★ Android
★ malware classification
★ network packet
★ application permission
Table of contents
Abstract (Chinese)
Abstract (English)
Acknowledgements
Contents
List of Figures
List of Tables
Chapter 1 Introduction
1-1 Research Background
1-2 Research Motivation and Objectives
1-3 Thesis Organization
Chapter 2 Related Work
2-1 Static Analysis of Android Malware
2-2 Dynamic Analysis of Android Malware
2-3 Network Traffic Analysis of Android Malware
2-3-1 Network Traffic Analysis Based on TCP and HTTP Packets
2-3-2 Network Traffic Analysis Based on DNS Packets
2-3-3 Network Traffic Analysis Based on Other Features
2-4 Summary
Chapter 3 Methodology
3-1 System Architecture
3-1-1 Risk Detection Module
3-1-2 Data Collection Module
3-1-3 Feature Extraction Module
3-1-4 Classification Module
3-2 System Workflow
Chapter 4 Experiments and Discussion
4-1 Experimental Environment
4-2 Experiment 1: Functional Verification of the Risk Detection Module
4-2-1 Purpose
4-2-2 Method
4-2-3 Results
4-3 Experiment 2: Analysis Efficiency of the Risk Detection Module
4-3-1 Purpose
4-3-2 Method
4-3-3 Results
4-4 Experiment 3: Detection Rate Evaluation of Different Network Packet Features
4-4-1 Purpose
4-4-2 Method
4-4-3 Results
4-5 Experiment 4: Classification Performance of Machine Learning Algorithms
4-5-1 Purpose
4-5-2 Method
4-5-3 Results
4-6 Experiment 5: Classification Performance of the Combined Static Permission and Dynamic Network Packet Model
4-6-1 Purpose
4-6-2 Method
4-6-3 Results
Chapter 5 Conclusions and Future Work
5-1 Conclusions and Contributions
5-2 Limitations
5-3 Future Work
References
Advisor: Yi-Ming Chen (陳奕明)    Approval date: 2018-7-31
