Graduate thesis 105423025: detailed record
Author: 王奕鈞 (Yi-Chun Wang)   Department: Department of Information Management
Thesis title: Malware Analysis Integrating Control Flow and Opcode on the Android Platform
(Integrating Control Flow and Opcode in Android Malware Analysis)
Related theses
★ A study on applying digital rights management to the content protection of digital audio/video discs
★ A study on achieving enterprise software license management through application virtualization
★ Design of an IAX2-based web telephony architecture
★ A study on applying machine learning to assist police investigation of fraud cases
★ A study of an account-based ticketing system extended with fraud prevention and privacy protection: the case of public transit
★ A study on collecting and integrating semi-structured data on the Internet
★ A study of an online shopping assistant in e-commerce environments
★ A study of defense-in-depth mechanisms for network security
★ A study of advance resource reservation and resource conflicts on the national broadband experimental network
★ A study on detecting e-mail viruses with a tree-structured correlation architecture
★ A study of video placement in video-on-demand systems considering regional differences
★ A study of digital evidence preservation in untrusted local area networks
★ Development of an integrated assistance system for explaining intrusion detection events and automatically adding detection rules
★ A study on correlating alerts of distributed intrusion detection systems using process tracing
★ Development of a technique for automatically generating web information extraction programs
★ A study on applying XML/XACML to authorization control in workflow management systems
Access terms
  1. Access permission for this electronic thesis: the author agreed to immediate open access.
  2. Electronic full texts that have reached their open-access date are licensed only for personal, non-profit retrieval, reading and printing by users for academic research purposes.
  3. Please comply with the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost or broadcast the work without authorization, to avoid breaking the law.

Abstract (Chinese) The number of mobile malware samples is growing ever faster, and analyzing large volumes of applications is a focus of current research. This study classifies applications by malware family in order to improve the efficiency of the whole analysis process. Malware detection falls into two approaches, static analysis and dynamic analysis. Static analysis does not require executing the program; all resources are obtained by decompiling it directly, so it is more efficient and has higher program coverage. Dynamic analysis must execute the program to obtain analysis features, which is time-consuming and cannot guarantee that all malicious behavior is triggered, so its program coverage is lower. This study therefore focuses on static analysis. The functionality of modern programs is very diverse, and the behavior of many benign applications is becoming ever closer to that of malicious ones, so early static feature extraction easily leads to misjudgment. Graph-based, flow-based and opcode features have therefore emerged, but they still have limitations, such as readily extracting meaningless features. This study therefore combines adjusted opcodes with control flow as its main static-analysis features. It proposes an application detection system that combines opcode and control flow as the main features to classify applications into the family they belong to, and uses similarity calculation to check whether an application, beyond the characteristics of its assigned family, also carries characteristics of other families. The model trained on the Drebin dataset reaches an F-measure of 98%, and its accuracy in detecting unknown applications reaches 94.86%.
Abstract (English) Nowadays, the number of mobile malware samples is growing faster and faster, and analyzing enormous quantities of malware is one of the goals of specialists. This study classifies applications according to malware family in order to improve the efficiency of the entire analysis process.
Malware detection is divided into two methods: dynamic analysis and static analysis. Dynamic analysis needs to execute the application to obtain analysis features, which is time-consuming and cannot guarantee that all malicious behavior will be triggered. Besides, program coverage is low in dynamic analysis. Without executing the program, static analysis can obtain all resources by decompiling the application directly. Static analysis is more efficient and its program coverage is higher than that of dynamic analysis. In summary, this study focuses on static analysis for further discussion.
The functions of modern applications are very diverse; the behavior of benign applications is getting closer to the behavior of malware. Thus, the use of early static features easily causes misjudgment. In recent years, using graph-based features, flow-based features and opcodes as analysis features has become more and more popular, but these still have some restrictions, such as easily extracting meaningless features.
This study proposes a system that combines the adjusted opcode and control flow as the main features to classify an application into the family it belongs to, and uses similarity calculation to detect whether the application also contains characteristics of other families. In this study, the F-measure of the model trained on the Drebin dataset was 98% and the accuracy of detecting unknown applications was 94.86%.
Keywords (Chinese) ★ Android
★ Static analysis
★ Control flow
★ Opcode
★ Similarity calculation
★ Malware classification
Keywords (English) ★ Android
★ Static analysis
★ Control flow
★ Opcode
★ Application similarity
★ Malware classification
Table of contents
Abstract (Chinese)
Abstract
Acknowledgements
Table of contents
List of figures
List of tables
Chapter 1 Introduction
1-1 Research background
1-2 Research motivation
1-3 Research objectives
1-4 Thesis structure
Chapter 2 Related work
2-1 Recent analysis methods and trends using static features
2-2 Literature using opcodes as static features
2-3 Literature using control flow as a static feature
2-4 Summary
Chapter 3 Research method
3-1 System architecture
3-1-1 Decompile Module
3-1-2 Feature Extraction Module
3-1-3 Classification Module
3-2 System workflow
Chapter 4 Experimental results
4-1 Experimental environment and datasets used
4-2 Preliminary experiments
4-2-1 Preliminary experiment 1
4-2-2 Preliminary experiment 2
4-2-3 Preliminary experiment 3
4-2-4 Preliminary experiment 4
4-3 Main experiments
4-3-1 Main experiment 1
4-3-2 Main experiment 2
4-3-3 Main experiment 3
4-3-4 Main experiment 4
Chapter 5 Conclusions and future work
5-1 Conclusions and contributions
5-2 Research limitations
5-3 Future work
References
Advisor: 陳奕明 (Yi-Ming Chen)   Approval date: 2018-7-31