Master's and Doctoral Theses: Record 103423006, Detailed Information




Author: 林修妤 (Xiu-Yu Lin)   Department: Department of Information Management
Thesis title: 基於自動化權限分析之 BYOD 安全政策制定研究
(Automated Permission-Based Analysis for Developing of BYOD Security Policy)
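  1. The electronic full text of this thesis is authorized for immediate open access.
  2. Electronic full texts that have reached their open-access date are licensed to users only for personal, non-profit retrieval, reading, and printing for the purpose of academic research.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost, or broadcast the work without authorization, to avoid violating the law.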

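Abstract (Chinese) BYOD (Bring Your Own Device) saves enterprises procurement costs and raises work productivity; on the other hand, it also exposes enterprises to new information security risks, so how to formulate and implement a BYOD security policy has become an important enterprise information security issue. With regard to applications, it is worth noting that malware is not the only thing that can cause harm: legitimate applications may also expose confidential information. Yet given the steadily growing number of applications, it is no longer possible to rely on IT staff to analyze one by one whether each application poses a risk to the enterprise. To solve these problems, this study proposes a platform called "Automated BYOD Security Policy Formulation". When an employee installs a new application, the platform automatically detects whether the newly installed application is malware; for legitimate applications, it also analyzes whether the permissions they declare pose a security risk to the enterprise. The results of these analyses are expressed as security policies and provided to the enterprise as a reference for formulating its security policy. Experiments show that the platform does fulfil the security policy formulation function, and that it is efficient enough to analyze a large number of applications, helping enterprises meet the challenges that BYOD poses for managing application security.
Abstract (English) BYOD (Bring Your Own Device) lets enterprises reduce their purchasing costs and improve work efficiency. On the other hand, enterprises also face information security risks, such as confidential business information being stolen through an employee's own device. Therefore, how to formulate and implement a BYOD security policy in the enterprise is an important issue. With regard to applications, it is worth noting that malware is not the only risk: legitimate applications may also expose secret information. However, with the growing number of applications, it is impossible to rely on IT staff analyzing applications one by one. To solve these problems, we propose a platform for formulating BYOD security policy by analyzing Android permissions. When an employee installs an unknown application, the platform automatically detects whether the application is malware and, if it is not, determines whether the application may pose a business risk. The results of this analysis are translated into security policy for the enterprise to use as a reference. Finally, experiments show that the platform can give security policy advice to the enterprise, and that its effectiveness in analyzing applications is sufficient to handle the tremendous number of Android applications.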
Keywords (Chinese) ★ BYOD security policy
★ Android permission analysis
★ Malware
★ Risky applications
Keywords (English)
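Table of Contents
Thesis Abstract (Chinese)
Abstract
Acknowledgements
Table of Contents
List of Figures
List of Tables
Chapter 1 Introduction
1-1 Research Background
1-2 Research Motivation and Objectives
1-3 Definition of Terms
1.3.1 BYOD (Bring Your Own Device)
1.3.2 BYOD Security Policy
1.3.3 Android Risk and Android Risky Applications
1-4 Thesis Organization
Chapter 2 Related Work
2-1 Literature on BYOD Security Mechanisms
2.2.1 Common BYOD Security Mechanisms
2.2.1 Other Research on BYOD Security Mechanisms
2-2 Literature on Android Permission Analysis
2-3 Literature on Android Risk Assessment and Its Association with Application Categories
2-4 Summary
Chapter 3 BYOD Security Policy Formulation Platform
3-1 Platform Architecture
3-1-1 Application Detection Module
3-1-1.1 Whitelist Matching Component
3-1-1.2 Malware Matching Component
3-1-2 Risky Application Analysis Module
3-1-2.1 Sensitive Permission Identification Component
3-1-2.2 Standard Permission Analysis Component
3-1-3 Policy Generation Module
3-2 Platform Workflow
Chapter 4 Experiments and Discussion
4-1 Experimental Environment
4-2 Experiment 1: Functional Verification When an Employee Installs Malware
4-2-1 Experiment Purpose
4-2-2 Experiment Environment
4-2-3 Experiment Results
4-3 Experiment 2: Functional Verification When an Employee Installs a Risky Application
4-3-1 Experiment Purpose
4-3-2 Experiment Environment
4-3-3 Experiment Results
4-4 Experiment 3: Functional Verification When an Employee Installs a Legitimate Application
4-4-1 Experiment Purpose
4-4-2 Experiment Environment
4-4-3 Experiment Results
4-5 Experiment 4: Efficiency Verification of Application Analysis
4-5-1 Experiment Purpose
4-5-2 Experiment Environment
4-5-3 Experiment Results
4-6 Summary
Chapter 5 Conclusions and Future Work
5-1 Research Conclusions and Contributions
5-2 Research Limitations
5-3 Future Work
References
Appendix
A. Android Permission List
B. Detailed Classifier Parameter Settings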
Advisor: 陳奕明   Approval date: 2016-7-25

For questions about this thesis, please contact the Promotion Services Section of the National Central University Library, TEL: (03)422-7151 ext. 57407, or by e-mail.