去可識別個人資訊後之 Android惡意程式動態分析研究

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：11

、訪客IP：3.137.176.213

姓名

胡哲君(HU,CHE-CHUN) 查詢紙本館藏

畢業系所

資訊管理學系

論文名稱

去可識別個人資訊後之 Android惡意程式動態分析研究
(Dynamic Android Malware Analysis with de-identification of personal identifiable information)

相關論文

★ 應用數位版權管理機制於數位影音光碟內容保護之研究	★ 以應用程式虛擬化技術達成企業軟體版權管理之研究
★ 以IAX2為基礎之網頁電話架構設計	★ 應用機器學習技術協助警察偵辦詐騙案件之研究
★ 擴充防止詐欺及保護隱私功能之帳戶式票務系統研究-以大眾運輸為例	★ 網際網路半結構化資料之蒐集與整合研究
★ 電子商務環境下網路購物幫手之研究	★ 網路安全縱深防護機制之研究
★ 國家寬頻實驗網路上資源預先保留與資源衝突之研究	★ 以樹狀關聯式架構偵測電子郵件病毒之研究
★ 考量地區差異性之隨選視訊系統影片配置研究	★ 不信任區域網路中數位證據保留之研究
★ 入侵偵測系統事件說明暨自動增加偵測規則之整合性輔助系統研發	★ 利用程序追蹤方法關聯分散式入侵偵測系統之入侵警示研究
★ 一種網頁資訊擷取程式之自動化產生技術研發	★ 應用XML/XACML於工作流程管理系統之授權管制研究

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

近年來，智慧型手機因為普及和承載更多個人資訊而成為駭客的目標。安全防護工具會蒐集手機內大量資訊，當資訊上傳雲端平台進行惡意程式分析時，可能造成使用者隱私洩漏。本研究針對Android平台的間諜軟體、殭屍網路、勒索軟體三類惡意程式，提出ShadowDroid系統，採用動態分析技術。在手機端蒐集分析所需資料時，在手機上建立VPN截取所有網路流量，並透過字串比對方法從中找出隱私資訊，接著將其去識別化，確保上傳的分析資料不包含任何隱私資料。
目前許多惡意程式分類相關研究是將惡意程式分類到家族，但惡意家族是惡意程式作者為了規避檢測或加強功能而不斷使惡意程式演化變種，惡意家族並不代表某一行為特徵。本研究將惡意程式依其行為分類為木馬、勒索軟體等。以方便使用者針對該特徵尋找合適對策，同前分類是根據某一種行為特徵所定義，而某些惡意程式可能混合多種惡意種類行為，例如Xbot包含網路釣魚、加密勒索等惡意行為，因此本研究將手機端上傳的資料和各類別的標準特徵集合進行相似度計算，其中分析所用的特徵不需要任何隱私資料，我們的分析結果可顯示其與各惡意類別的相似度，由此判斷該惡意程式可能包含哪些惡意行為。經實驗證實，本研究在沒有隱私洩漏的情況下，以相似度最高為分類結果，良性程式及三種類惡意程式的分類結果有90%準確度，只略低於惡意家族分類的92%準確度。

摘要(英)

In recent years, smart phones become the target of hackers, because of the popularity and the store of more personal information. Information security tools will collect a lot of information from user′s smart phone and may cause privacy information leakage when it uploads to cloud server for malware analysis. In order to protect user′s privacy information, information security tools need to remove the privacy information from uploading data. Our study aims for spyware, botware, ransomware these three kinds of malware on the Android platform. And proposed a dynamic malware classification system, named ShadowDroid. ShadowDroid will establish a VPN to intercept all network packets to the phone. ShadowDroid collecting all network packets that be detected app and use string matching method to find the privacy information, then de-Identify it to make sure that the uploaded classify data doesn′t contain any personal identifiable information.
At present, malware classification research is classified malware in the malicious family. But the malicious family is malware continue to make the evolution, in order to circumvent the detection or enhance the function. This research will be classified malware, according to their behavioral feature, like ransomware, botware, spyware. To facilitate the user to find suitable measures for the behavior feature. Our classification is based on a certain behavioral feature of the definition. And some malware may be mixed with a malicious behavior of variety malicious types. For example, Xbot contains malicious behavior, such as phishing, and encrypt file to extortion. Therefore, this research will calculate the similarity between the data uploaded from the user′s mobile and the standard feature set of each category. And the classification features do not need any privacy information. Our classification results can be shown similarities between its with each malicious category, thus judging the malicious program may contain malicious behavior. The results show that the classification of the benign app and the three categories of malware is 90% accurate, which is only slightly lower than the 92% accuracy of the malicious family classification.

關鍵字(中)

★ 動態分析
★ Android
★ 惡意程式分類
★ 網路封包
★ 去識別化

關鍵字(英)

★ Dynamic analysis
★ malware classification
★ network packets
★ system call
★ de-identification

論文目次

目錄
論文摘要 i
Abstract ii
誌謝 iii
圖目錄 vi
表目錄 viii
第一章緒論 1
1-1 研究背景 1
1-2 研究動機與目的 5
1-3 名詞解釋 7
1-3-1 勒索軟體(Ransomware) 7
1-3-2 殭屍軟體(Botware) 7
1-3-3 間諜軟體(Spyware) 8
1-4 章節架構 8
第二章相關研究 9
2-1 Android惡意程式分析研究 9
2-1-1 惡意程式靜態分析研究 9
2-1-2 Android惡意程式動態分析研究 10
2-2 惡意程式分類 13
2-2-1 惡意程式家族分類 13
2-2-2 相似度計算方法 15
2-2-3 計算標準特徵集合 17
2-3 行動裝置防止隱私資料洩漏相關研究 18
2-4 小結 20
第三章 ShadowDroid 去可識別個人資訊後之Android惡意程式分類平台 22
3-1 平台架構 22
3-1-1 資料蒐集 22
3-1-11 System call元件 23
3-1-12 網路封包元件 23
3-1-2 Shadow 去識別化模組 26
3-1-3 分析模組 27
3-1-31 前處理元件 27
3-1-32 分析元件 29
3-2 平台流程 40
第四章實驗與討論 44
4-1 實驗環境 44
4-2 實驗一：驗證去除可識別個人資訊之功能 45
去可識別個人資訊後之 Android 惡意程式動態分析研究
國立中央大學資訊管理學系碩士論文 v
4-2-1 實驗目的 45
4-2-2 實驗環境 45
4-2-3 實驗結果 46
4-3 實驗二：單用system call特徵進行分類 47
4-3-1 實驗目的 47
4-3-2 實驗環境 47
4-3-3 實驗結果 47
4-4 實驗三：單用網路封包特徵進行分類 51
4-4-1 實驗目的 51
4-4-2 實驗環境 51
4-4-3 實驗結果 51
4-5 實驗四：實驗system call及網路封包特徵進行分類 53
4-5-1 實驗目的 53
4-5-2 實驗環境 53
4-5-3 實驗結果 54
4-6 實驗五：實驗ShadowDroid能否正確分類 55
4-6-1 實驗目的 55
4-6-2 實驗環境 55
4-6-3 實驗結果 55
結論與未來研究 60
5-1 研究結論與貢獻 60
5-2 研究限制 62
5-3 未來研究 62
參考文獻 64

參考文獻

[1] 愛立信：行動趨勢報告。2016年6月，取自https://www.ericsson.com/res/site_TW/docs/Ericsson%20Mobility%20Report%20June%202016-%E6%84%9B%E7%AB%8B%E4%BF%A1%E8%A1%8C%E5%8B%95%E8%B6%A8%E5%8B%A2%E5%A0%B1%E5%91%8A%E6%9A%A8%E6%9D%B1%E5%8C%97%E4%BA%9E%E5%8D%80%E9%99%84%E9%8C%84.pdf。
[2] E. Chin :“Gartner says worldwide mobile phone sales declined 1.7 percent in 2012”。2013年2月13日，取自http://www.gartner.com/newsroom/id/2335616。
[3] NetMarketShare:行動作業系統市佔率。2017年，取自https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=9&qpcustomb=1&qpsp=194&qpnp=25&qptimeframe=M。
[4] 趨勢科技全球技術支援與研發中心, T. L. : ”「行動惡意程式數量將成長至 2,000 萬」, PC花了 21 年才累計達到這個數字.” 。2015年，取自http：//blog.trendmicro.com.tw/?p=15589。
[5] G DATA : ”G DATA MOBILE MALWARE REPORT.”。2016年，取自https://file.gdatasoftware.com/web/en/documents/whitepaper/G_DATA_Mobile_Malware_Report_H1_2016_EN.pdf。
[6] 趨勢科技全球技術支援與研發中心, T. L. : ”2015 上半年行動威脅情勢.”。2015年，取自http：//blog.trendmicro.com.tw/?p=14069。
[7] IThome 蘇文彬: 國內10月將開始試辦app安全檢測認證機制。2015年，取自: http://www.ithome.com.tw/news/98117。
[8] DCCI互聯網數據中心 and 360手機安全中心 : 中國Android手機用戶隱私安全認知調查報告。2015年，取自http://www.dcci.com.cn/media/download/412746f501681a20b1eca7aeac546d87303a.pdf。
[9] James Price : IDC Tech Spotlight: From Silicon To Cloud。2009年，取自https://www.slideshare.net/jamesprice3/idc-tech-spotlight-from-silicon-to-cloud
[10] Milaparkour contagion mobile malware blog : Android Xbot ransomware，2016年5月14日，取自http://contagiominidump.blogspot.tw/2016/05/android-Xbot-ransomware.html。
[11] Cong Zheng, Claud Xiao , Zhi Xu : New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom 。 2016年2月18日，取自https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-Xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/
[12] 趨勢科技全球技術支援與研發中心: 認識惡意威脅:病毒（Virus）,木馬（Trojan Horse）等11 個網路威脅定義及安全小秘訣。2013年7月，取自: https://blog.trendmicro.com.tw/?tag=%E6%AE%AD%E5%B1%8D%E9%9B%BB%E8%85%A6%E5%92%8C%E6%AE%AD%E5%B1%8D%E7%B6%B2%E8%B7%AF%EF%BC%88bot%E5%92%8Cbotnet%EF%BC%89
[13] 陳曉莉:IThome 新Android木馬程式現身。2010年12月，取自: http://www.ithome.com.tw/node/65279
[14] Laura O′Brien:Symantec. The Future of Mobile Malware.。2014年2月23日，取自: http://www.symantec.com/connect/blogs/future-mobile-malware
[15] IThome 蘇文彬: 業者說明外交部信箱帳密外洩：備份伺服器被駭。2010年，取自: http://www.ithome.com.tw/node/63035
[16] TWCERT/CC: 日本JTB旅行社遭駭，793萬筆個資外洩。2016年，取自: http://www.ithome.com.tw/node/71785
[17] Milaparkour contagion mobile malware blog。取自http://contagiominidump.blogspot.tw/
[18] IThome 陳曉莉: Check Point：CopyCat感染1400萬台Android裝置，駭客兩個月內賺進150萬美元。2017年7月，取自: http://www.ithome.com.tw/news/115431
[19] Adaptive Mobile. Worm.Gazon: Want Gift Card? Get Malware。2015年，取自https://www.adaptivemobile.com/blog/worm-gazon-want-gift-card-get-malware
[20] Trend Micro, Jordan Pan : Fake Bank App Ramps Up Defensive Measures。2016年，取自: http://blog.trendmicro.com/trendlabs-security-intelligence/fake-bank-app-phishes-credentials-locks-users-out/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Anti-MalwareBlog+%28Trendlabs+Security+Intelligence+Blog%29
[21] 張育妮, & 林盈達. (2012). 以共同行為為基礎之三階式 Android 惡意程式偵測與分類.國立交通大學資訊科學與工程研究所碩士論文.
[22] 劉恩榜. (2011). Android 上的殭屍網路攻擊偵測. 國立交通大學資訊科學與工程研究所碩士論文.
[23] 黄洁, 谭博, & 谭成翔. (2015). 用户友好的 Android 隐私监管机制. Journal of Computer Application计算机应用, 35(3) , 751-755.
[24] Yang, W., Xiao, X., Andow, B., Li, S., Xie, T., & Enck, W. (2015, May). Appcontext: Differentiating malicious and benign mobile app behaviors using context. In Software engineering (ICSE), 2015 IEEE/ACM 37th IEEE international conference on (Vol. 1, pp. 303-313).
[25] Feng, Y., Anand, S., Dillig, I., & Aiken, A. (2014, November). Apposcopy: Semantics-based detection of android malware through static analysis. In Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering (pp. 576-587).
[26] Wei, F., Roy, S., & Ou, X. (2014, November). Amandroid: A precise and general inter-component data flow analysis framework for security vetting of android apps. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (pp. 1329-1341).
[27] Baumgärtner, L., Graubner, P., Schmidt, N., & Freisleben, B. (2015, June). AndroLyze: A Distributed Framework for Efficient Android App Analysis. In Mobile Services (MS), 2015 IEEE International Conference on (pp. 73-80).
[28] Rasthofer, S., Arzt, S., Kolhagen, M., Pfretzschner, B., Huber, S., Bodden, E., & Richter, P. (2015, July). Droidsearch: A tool for scaling android app triage to real-world app stores. In Science and Information Conference (SAI), 2015 (pp. 247-256). IEEE.
[29] Enck, William, et al. ”TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones.” ACM Transactions on Computer Systems (2014).
[30] Jing, Y., Ahn, G. J., Zhao, Z., & Hu, H. (2014, March). Riskmon: Continuous and automated risk assessment of mobile applications. In Proceedings of the 4th ACM Conference on Data and Application Security and Privacy (pp. 99-110).
[31] Kim, K. H., & Choi, M. J. (2015, August). Android malware detection using multivariate time-series technique. In Network Operations and Management Symposium (APNOMS), 2015 17th Asia-Pacific (pp. 198-202).
[32] Qiu, L., Zhang, Z., Shen, Z., & Sun, G. (2015, June). AppTrace: Dynamic trace on Android devices. In Communications (ICC), 2015 IEEE International Conference on (pp. 7145-7150).
[33] Zhang, N., Yuan, K., Naveed, M., Zhou, X., & Wang, X. (2015, May). Leave me alone: App-level protection against runtime information gathering on android. In Security and Privacy (SP), 2015 IEEE Symposium on (pp. 915-930).
[34] Qi, H., & Gani, A. (2012, May). Research on mobile cloud computing: Review, trend and perspectives. In Digital Information and Communication Technology and it′s Applications (DICTAP), 2012 Second International Conference on (pp. 195-202).
[35] Damopoulos, D., Kambourakis, G., & Portokalidis, G. (2014, April). The best of both worlds: a framework for the synergistic operation of host and cloud anomaly-based IDS for smartphones. In Proceedings of the Seventh European Workshop on System Security (p. 6). ACM.
[36] Suarez-Tangil, G., Tapiador, J. E., Peris-Lopez, P., & Blasco, J. (2014). Dendroid: A text mining approach to analyzing and classifying code structures in android malware families. Expert Systems with Applications, 41(4), 1104-1117.
[37] Zhang, M., Duan, Y., Yin, H., & Zhao, Z. (2014, November). Semantics-aware android malware classification using weighted contextual api dependency graphs. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (pp. 1105-1116).
[38] Sun, M., Li, X., Lui, J. C., Ma, R. T., & Liang, Z. (2017). Monet: a user-oriented behavior-based malware variants detection system for android. IEEE Transactions on Information Forensics and Security, 12(5), 1103-1112.
[39] Mohaisen, A., West, A. G., Mankin, A., & Alrawi, O. (2014, October). Chatter: Classifying malware families using system event ordering. In Communications and Network Security (CNS), 2014 IEEE Conference on (pp. 283-291).
[40] Jang, J. W., Yun, J., Mohaisen, A., Woo, J., & Kim, H. K. (2016). Detecting and classifying method based on similarity matching of Android malware behavior with profile. SpringerPlus, Springer, Berlin.
[41] Fereidooni, H., Moonsamy, V., Conti, M., & Batina, L. (2016). Efficient classification of android malware in the wild using robust static features. Protecting Mobile Networks and Devices: Challenges and Solutions, 1, 181-209.
[42] Zhou, Y., Wang, Z., Zhou, W., & Jiang, X. (2012, February). Hey, you, get off of my market: detecting malicious apps in official and alternative android markets. In Network and Distributed System Security (Vol. 25, No. 4, pp. 50-52).
[43] Truong, H. T. T., Lagerspetz, E., Nurmi, P., Oliner, A. J., Tarkoma, S., Asokan, N., & Bhattacharya, S. (2014, April). The company you keep: Mobile malware infection rates and inexpensive risk indicators. In Proceedings of the 23rd international conference on World wide web (pp. 39-50).
[44] Burguera, I., Zurutuza, U., & Nadjm-Tehrani, S. (2011, October). Crowdroid: behavior-based malware detection system for android. In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices(pp. 15-26).
[45] Rashidi, B., Fung, C., & Vu, T. (2014, September). Recdroid: A resource access permission control portal and recommendation service for smartphone users. In Proceedings of the ACM MobiCom workshop on Security and privacy in mobile environments (pp. 13-18).
[46] Andronio, N., Zanero, S., & Maggi, F. (2015, November). Heldroid: Dissecting and detecting mobile ransomware. In International Workshop on Recent Advances in Intrusion Detection (pp. 382-404). Springer International Publishing.
[47] Feizollah, A., Anuar, N. B., Salleh, R., & Wahab, A. W. A. (2015). A review on feature selection in mobile malware detection. Digital Investigation, 13, 22-37.
[48] Tchakounté, F., & Dayang, P. (2013). System calls analysis of malwares on android. International Journal of Science and Technology, 2(9), 669-674.
[49] Wahanggara, V., & Prayudi, Y. (2015, October). Malware Detection through Call System on Android Smartphone Using Vector Machine Method. In Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec), 2015 Fourth International Conference on (pp. 62-67).
[50] Zheng, M., Sun, M., & Lui, J. C. (2014, August). DroidTrace: A ptrace based Android dynamic analysis system with forward execution capability. In Wireless Communications and Mobile Computing Conference (IWCMC), 2014 International (pp. 128-133). IEEE.
[51] Canfora, G., Medvet, E., Mercaldo, F., & Visaggio, C. A. (2015, August). Detecting android malware using sequences of system calls. In Proceedings of the 3rd International Workshop on Software Development Lifecycle for Mobile(pp. 13-20). ACM.
[52] Lin, Y. D., Lai, Y. C., Chen, C. H., & Tsai, H. C. (2013). Identifying android malicious repackaged applications by thread-grained system call sequences. computers & security, 39, 340-350.
[53] Zhou, Y., & Jiang, X. (2012, May). Dissecting android malware: Characterization and evolution. In Security and Privacy (SP), 2012 IEEE Symposium on (pp. 95-109).
[54] Arora, A., Garg, S., & Peddoju, S. K. (2014, September). Malware detection using network traffic analysis in android based mobile devices. In Next generation mobile apps, services and technologies (NGMAST), 2014 eighth international conference on (pp. 66-71).
[55] Ghaffari, F., & Abadi, M. (2015, October). Droidmalhunter: a novel entropy-based anomaly detection system to detect malicious android applications. In Computer and Knowledge Engineering (ICCKE), 2015 5th International Conference on (pp. 301-306).
[56] Iland, D., Pucher, A., & Schäuble, T. (2011). Detecting android malware on network level. [online], http://cs.ucsb.edu/~iland/AndroidMalwareDetection.pdf.
[57] Wei, T. E., Mao, C. H., Jeng, A. B., Lee, H. M., Wang, H. T., & Wu, D. J. (2012, June). Android malware detection via a latent network behavior analysis. In Trust, Security and Privacy in Computing and Communications (TrustCom), 2012 IEEE 11th International Conference on (pp. 1251-1258). IEEE.
[58] Malik, J., & Kaushal, R. (2016, July). CREDROID: Android malware detection by network traffic analysis. In Proceedings of the 1st ACM Workshop on Privacy-Aware Mobile Computing (pp. 28-36).
[59] Zheng, M., Sun, M., & Lui, J. C. (2013, July). Droid analytics: a signature based analytic system to collect, extract, analyze and associate android malware. In Trust, Security and Privacy in Computing and Communications (TrustCom), 2013 12th IEEE International Conference on (pp. 163-171).
[60] Ren, J., Rao, A., Lindorfer, M., Legout, A., & Choffnes, D. (2016, June). Recon: Revealing and controlling pii leaks in mobile network traffic. In Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services (pp. 361-374).
[61] Razaghpanah, A., Vallina-Rodriguez, N., Sundaresan, S., Kreibich, C., Gill, P., Allman, M., & Paxson, V. (2015). Haystack: A Multi-Purpose Mobile Vantage Point in User Space. [online] Available: https://arxiv.org/abs/1510.01419.
[62] Song, Y., & Hengartner, U. (2015, October). Privacyguard: A vpn-based platform to detect information leakage on android devices. In Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (pp. 15-26).

指導教授

陳奕明(Yi-Ming Chen)

審核日期

2017-8-8

推文