Master's and Doctoral Theses: detailed record for 109423027




Name 張玟婷 (Wen-Ting Chang)   Department Department of Information Management
Thesis title A Sustainability Research of Android Malware Classifier Using Permissions and APIs
(original title: 結合權限與應用程式介面特徵之Android惡意程式分類器可持續性研究)
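  1. The access right for this electronic thesis is: immediate open access granted.
  2. Open-access electronic full texts are licensed to users only for personal, non-profit searching, reading, and printing for the purpose of academic research.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost, or broadcast the work without authorization, to avoid breaking the law.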

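Abstract (Chinese) Machine learning is widely applied in Android malware detection research, and machine learning models have been shown to achieve strong detection results. However, the Android development environment keeps changing and attackers keep evolving their malware, so models trained on old data struggle to detect malware that appears later; that is, the sustainability of the models' detection ability is low. This decline in detection ability over time is also called model aging. The common response is to retrain the model, but if the model ages quickly, retraining faces more difficulties: it is costly and newly labeled data is hard to obtain, and, more importantly, before the new model goes online the detection system offers weaker protection against new malware, which easily leaves a window of exposure. To reduce the difficulty of retraining and to correctly detect more malware before a new model goes online, this research aims to build an Android malware detection system that ages more slowly, and evaluates the degree of aging with AUT (Area Under Time) and the model's F1-score at each point in time. Specifically, this research combines two kinds of features, permissions and application programming interfaces (APIs), and uses linear models to learn the weights used when combining the features. Two models are built at the same time, and soft voting from ensemble learning decides whether an APK (Android Application Package) is malware. The experiments use a dataset spanning 2012 to 2019; besides evaluating detection performance on samples from the same year, they also evaluate detection on samples from newer years. Compared with other Android malware detection research, AUT improves by 2% to 22%.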
Abstract (English) Machine learning is widely used in Android malware detection research, and it has been proven that machine learning models can achieve good results. However, detection models trained on old samples struggle to identify new malware as the Android development environment changes and Android applications evolve. That is, the models' detection ability is not sustainable. The phenomenon in which a model's detection ability degrades over time is called model aging. The common solution to this problem is to retrain models, but if a model ages quickly, the retraining process becomes more difficult. More importantly, the detection system offers low protection against new malware before the retrained model is released. This research establishes an Android malware detection system with higher sustainability, and uses AUT (Area Under Time) and the F1-score at each time slot to evaluate the degree of aging. Specifically, this research combines APKs' permissions and APIs using weights learned by linear models. It builds two detection models and uses soft voting to decide whether an application is malware. The detection system's same-period and over-time performance is evaluated on a dataset covering the years 2012 to 2019. Compared with other Android malware detection research, the AUT increases by 2% to 22%.
Keywords (Chinese) ★ Model aging
★ Machine learning
★ Android malware detection
★ Static analysis
Keywords (English)
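Table of contents 1. Introduction
1.1. Research Background
1.2. Research Motivation and Objectives
1.3. Research Contributions
1.4. Chapter Organization
2. Related Work
2.1. Android Malware Detection
2.1.1. Datasets and Feature Acquisition Methods
2.1.2. Related Work Using Permission or API Features
2.2. Countermeasures Against Aging of Malware Detection Models
2.2.1. Category 1: Improving Retraining Methods, Model Update Timing, and Data Labeling
2.2.2. Category 2: Feature-Based Approaches That Reduce Feature Changes Between Old and New Samples
2.3. Evaluation Metrics
2.3.1. Common Evaluation Metrics for Android Malware Detection
2.3.2. Metrics Used When Studying Concept Drift or Model Aging
3. Methodology
3.1. System Architecture
3.2. Module Descriptions
3.2.1. Feature Database
3.2.2. Feature Extraction
3.2.3. Feature Combination
3.2.4. Malware Classification
3.3. Training and Testing Procedures of the Android Malware Detection Model
3.3.1. Training Procedure
3.3.2. Testing Procedure
4. Experiments and Evaluation
4.1. Experimental Environment
4.2. Experimental Dataset
4.3. Evaluation Method
4.4. Experimental Design
4.5. Experiments
4.5.1. Experiment 1: Selecting Soft Voting Weights
4.5.2. Experiment 2: Comparing the Detection Performance and Degree of Aging of Permissions, APIs, and This Research
4.5.3. Experiment 3: Comparing the Detection Performance and Degree of Aging of [32], MaMaDroid, and This Research
4.5.4. Experiment 4: Comparing the Detection Performance and Degree of Aging of This Research Applied to Multiple Classification Models
4.6. Experiment Summary
5. Conclusion
References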
References [1] Heqing Huang et al., "A Large-Scale Study of Android Malware Development Phenomenon on Public Malware Submission and Scanning Platform," IEEE Transactions on Big Data, vol. 7, no. 2, 2021.
[2] Kakelli Anil Kumar, A. Raman, C. Gupta, and R. R. Pillai, "The Recent Trends in Malware Evolution, Detection and Analysis for Android Devices," Journal of Engineering Science and Technology Review, vol. 13, no. 4, pp. 240-248, 2020.
[3] Kevin Allix, Tegawendé F. Bissyandé, J. Klein, and Y. L. Traon, "Are Your Training Datasets Yet Relevant? An Investigation into the Importance of Timeline in Machine Learning-based Malware Detection," 2015: Springer International Publishing, in Engineering Secure Software and Systems, pp. 51-67.
[4] KASPERSKY LAB, "Machine Learning Methods for Malware Detection," 2020.
[5] Zeliang Kan, Feargus Pendlebury, Fabio Pierazzi, and L. Cavallaro, "Investigating Labelless Drift Adaptation for Malware Detection," presented at the Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security (AISec ’21), 2021.
[6] Jiayun Xu, Yingjiu Li, Robert H. Deng, and K. Xu, "SDAC: A Slow-Aging Solution for Android Malware Detection Using Semantic Distance Based API Clustering," IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 2, pp. 1149-1163, 2020.
[7] Xiaohan Zhang et al., "Enhancing State-of-the-art Classifiers with API Semantics to Detect Evolved Android Malware," presented at the ACM SIGSAC Conference on Computer and Communications Security (CCS ’20), 2020.
[8] Sean Park, Iqbal Gondal, Joarder Kamruzzaman, and Leo Zhang, "One-Shot Malware Outbreak Detection using Spatio-Temporal Isomorphic Dynamic Features," presented at the 18th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/13th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), 2019.
[9] Borja Sanz, Igor Santos, Carlos Laorden, Xabier Ugarte-Pedrero, Pablo Garcia Bringas, and G. Alvarez, "PUMA: Permission Usage to Detect Malware in Android," presented at the International Joint Conference CISIS'12-ICEUTE'12-SOCO'12 Special Sessions, 2013.
[10] Naser Peiravian and X. Zhu, "Machine Learning for Android Malware Detection Using Permission and API Calls," presented at the IEEE 25th International Conference on Tools with Artificial Intelligence, 2013.
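[11] 邱柏嘉, "結合多特徵及深度學習擴增技術提升Android小樣本惡意家族分類能力" [Improving Android Few-Sample Malware Family Classification by Combining Multiple Features and Deep Learning Augmentation Techniques], Master's thesis, Department of Information Management, National Central University, 2021.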
[12] "Cambridge Dictionary: sustainability." https://dictionary.cambridge.org/zht/%E8%A9%9E%E5%85%B8/%E8%8B%B1%E8%AA%9E/sustainability (accessed 2022).
[13] Daniel Arp, Michael Spreitzenbarth, Malte Huebner, Hugo Gascon, and Konrad Rieck, "Drebin: Efficient and Explainable Detection of Android Malware in Your Pocket," presented at the 21st Annual Network and Distributed System Security Symposium (NDSS), 2014.
[14] Fengguo Wei, Yuping Li, Sankardas Roy, Xinming Ou, and W. Zhou, "Deep Ground Truth Analysis of Current Android Malware," presented at the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, 2017.
[15] Samaneh Mahdavifar, Andi Fitriah Abdul Kadir, Rasool Fatemi, Dima Alhadidi, and A. A. Ghorbani, "Dynamic Android Malware Category Classification using Semi-Supervised Deep Learning," presented at the 18th IEEE International Conference on Dependable, Autonomic, and Secure Computing (DASC), 2020.
[16] "VirusShare.com - Because Sharing is Caring." https://virusshare.com/ (accessed 2022).
[17] "VirusTotal." https://www.virustotal.com (accessed 2022).
[18] Kevin Allix, Tegawendé F. Bissyandé, Jacques Klein, and Yves Le Traon, "AndroZoo: Collecting Millions of Android Apps for the Research Community," in Proceedings of the 13th International Conference on Mining Software Repositories, 2016: ACM, pp. 468-471.
[19] Ke Xu, Yingjiu Li, Robert H. Deng, Kai Chen, and Jiayun Xu, "DroidEvolver: Self-Evolving Android Malware Detection System," presented at the IEEE European Symposium on Security and Privacy (EuroS&P), 2019.
[20] Feargus Pendlebury, Fabio Pierazzi, Roberto Jordaney, Johannes Kinder, and Lorenzo Cavallaro, "TESSERACT: Eliminating Experimental Bias in Malware Classification across Space and Time," presented at the Proceedings of the 28th USENIX Security Symposium, 2019.
[21] Z. Q. Tao Lei, Zhibo Wang, Qi Li, and D. Ye, "EveDroid: Event-Aware Android Malware Detection Against Model Degrading for IoT Devices," IEEE Internet of Things Journal, vol. 6, 2019.
[22] "Monkey." https://developer.android.com/studio/test/other-testing-tools/monkey (accessed 2022).
[23] "Androguard." https://github.com/androguard/androguard (accessed 2022).
[24] "Soot." http://soot-oss.github.io/soot/ (accessed 2022).
[25] "Apktool." https://ibotpeaches.github.io/Apktool/ (accessed 2022).
[26] Haipeng Cai, "Assessing and Improving Malware Detection Sustainability through App Evolution Studies," ACM Transactions on Software Engineering and Methodology, vol. 29, no. 2, 2020, Art no. 8.
[27] Alejandro Guerra-Manzanares, Hayretdin Bahsi, and S. Nõmm, "KronoDroid: Time-based Hybrid-featured Dataset for Effective Android Malware Detection and Characterization," Computers & Security, vol. 110, 2021.
[28] Rahul Pandita, Xusheng Xiao, Wei Yang, William Enck, and Tao Xie, "WHYPER: Towards Automating Risk Assessment of Mobile Applications," in Proceedings of the 22nd USENIX Security Symposium, 2013.
[29] Joshua Garcia, Mahmoud Hammad, and Sam Malek, "Lightweight, Obfuscation-Resilient Detection and Family Identification of Android Malware," ACM Transactions on Software Engineering and Methodology, vol. 26, 2018, Art no. 3.
[30] Bozhi Wu et al., "Why an Android App Is Classified as Malware: Toward Malware Classification Interpretation," ACM Transactions on Software Engineering and Methodology, vol. 30, 2021, Art no. 2.
[31] Ming Fan et al., "Android Malware Familial Classification and Representative Sample Selection via Frequent Subgraph Analysis," IEEE Transactions on Information Forensics and Security, vol. 13, 2018, Art no. 8.
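[32] 葉季霏, "一種多特徵 RGB 圖像表示法結合深度學習之 Android惡意軟體偵測研究" [A Study of Android Malware Detection Combining a Multi-Feature RGB Image Representation with Deep Learning], Master's thesis, Department of Information Management, National Central University, 2021.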
[33] Roberto Jordaney et al., "Transcend: Detecting Concept Drift in Malware Classification Models," in Open access to the Proceedings of the 26th USENIX Security Symposium, 2017.
[34] Enrico Mariconti, Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, and Gianluca Stringhini, "MAMADROID: Detecting Android Malware by Building Markov Chains of Behavioral Models," presented at the Network and Distributed System Security (NDSS) Symposium, 2017.
[35] "Official Android permission list." https://developer.android.com/reference/android/Manifest.permission (accessed 2022).
[36] Kathy Wain Yee Au, Yi Fan Zhou, Zhen Huang, and David Lie, "PScout: analyzing the Android permission specification," presented at CCS '12: Proceedings of the 2012 ACM Conference on Computer and Communications Security, 2012.
[37] https://bitbucket.org/gianluca_students/mamadroid_code/src/master/ (accessed 2022).
[38] Kathrin Grosse, Nicolas Papernot, Praveen Manoharan, Michael Backes, and Patrick McDaniel, "Adversarial Examples for Malware Detection," presented at the Computer Security – ESORICS 2017, 2017.
Advisor 陳奕明 (Yi-Ming Chen)   Approval date 2022-7-26