結合系統呼叫序列關係與局部特徵計算 之行動惡意程式檢測方法

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：31

、訪客IP：3.147.55.200

姓名

洪千惠(Chien-Hui Hung) 查詢紙本館藏

畢業系所

資訊管理學系

論文名稱

結合系統呼叫序列關係與局部特徵計算之行動惡意程式檢測方法
(Combining system call sequence relationship with local feature calculation in a mobile malware detection method)

相關論文

★ 應用數位版權管理機制於數位影音光碟內容保護之研究	★ 以應用程式虛擬化技術達成企業軟體版權管理之研究
★ 以IAX2為基礎之網頁電話架構設計	★ 應用機器學習技術協助警察偵辦詐騙案件之研究
★ 擴充防止詐欺及保護隱私功能之帳戶式票務系統研究-以大眾運輸為例	★ 網際網路半結構化資料之蒐集與整合研究
★ 電子商務環境下網路購物幫手之研究	★ 網路安全縱深防護機制之研究
★ 國家寬頻實驗網路上資源預先保留與資源衝突之研究	★ 以樹狀關聯式架構偵測電子郵件病毒之研究
★ 考量地區差異性之隨選視訊系統影片配置研究	★ 不信任區域網路中數位證據保留之研究
★ 入侵偵測系統事件說明暨自動增加偵測規則之整合性輔助系統研發	★ 利用程序追蹤方法關聯分散式入侵偵測系統之入侵警示研究
★ 一種網頁資訊擷取程式之自動化產生技術研發	★ 應用XML/XACML於工作流程管理系統之授權管制研究

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

在這資訊快速發展的時代，市占率最高的作業系統—Android其開源特性成為駭客的攻擊目標，進而威脅到使用者的隱私。在惡意程式分析中的動態分析不受混淆及動態載入攻擊的影響，還可以了解到程式在執行時的行為，當中的系統呼叫（System calls）能實際呈現應用程式與內核（kernel）間的溝通，因此本研究以動態檢測方法進行，並以系統呼叫為特徵，來表示應用程式的行為。利用TF-IDF的特徵處理方法能將其系統呼叫特徵依據出現的次數以及在整體的關係給予不同重要程度的權
重分配，不過此方法以一個系統呼叫為一個單位，因此在計算時未有序列的前後關係，而在系統呼叫序列（System call sequences）中，前後關係有其重要性，因此本研究利用n-gram概念結合局部TF-IDF來讓序列型的資料能取得含有序列前後關係及重要程度的特徵。而在惡意程式檢測領域中，深度學習已有卓越的分類效果，因此本研究將動態序列特徵以提出的方法化為向量，並在深度學習的模型上分析Android應用程式。於本研究顯示利用本方法在應用程式的多元分類下能提高3%以上的準確率，而對於未知的2019年資料集準確率提升11%。

摘要(英)

In this era of rapid development of information technology, Android has the highest market share in the operating system. However, its open source feature has been the target of hackers, which in turn threatens the privacy of users. Dynamic analysis in malware analysis is not affected by obfuscation and dynamic loading attacks, but also provides insight into the behavior of the program during execution. The system
calls can actually represent the communication between the application and the kernel, so this research uses a dynamic detection method to analyze the system calls as a feature to represent the behavior of the application. The TF-IDF feature processing method can assign different weights to system call features according to the number of call occurrences and the overall relationship, but this method uses one system call as a unit, so there is no sequence relationship in the calculation. However, in System call sequences, the pre- and post-sequence relationships
have their importance. Therefore, this research uses the concept of n-gram combined with local TF-IDF to enable sequence-based data to obtain features containing the pre- and post-sequence relationships and importance of sequences. In the field of malware detection, deep learning has excellent classification results, so in this research, dynamic sequence features are transformed into vectors by the proposed method and Android applications are analyzed on the deep learning model. In this research, it is shown that using this method can improve the accuracy by more than 3% for multiple classification of applications and 11 % for unknown 2019 dataset.

關鍵字(中)

★ Android 惡意程式分析
★ 動態分析
★ 系統呼叫序列
★ 序列關係
★ 深度學習

關鍵字(英)

★ Android malware analysis
★ dynamic analysis
★ system call sequence
★ sequence relationship
★ deep learning

論文目次

摘要.......................................................i
Abstract .................................................ii
一、緒論 ..................................................1
1-1 研究背景 .............................................1
1-2 研究動機 .............................................2
1-3 研究目的及貢獻 ........................................3
1-4 章節架構 .............................................4
二、相關研究 ...............................................5
2-1 惡意程式分析之相關研究 .................................5
2-2 擷取動態特徵之相關研究 .................................5
2-3 系統呼叫特徵之相關研究 .................................7
2-4 序列型模型之相關研究 .................................13
2-5 相關研究小結 .........................................17
三、研究方法 ..............................................18
3-1 系統架構 ............................................18
3-1-1 系統呼叫提取模組（System Call Extraction Module）...19
3-1-2 系統呼叫轉換模組（System Call Conversion Module）...20
3-1-3 向量轉換模組（Vector Conversion Module）............21
3-1-4 分類模組（Classification Module） ..................24
3-2 評估指標.............................................25
3-3 系統流程.............................................27
四、實驗與討論.............................................29
4-1 實驗環境與資料集......................................29
4-1-1 實驗環境...........................................29
4-1-2 資料集.............................................30
4-2 n-gram 的參數比較....................................32
4-2-1 實驗一二元分類的 n-gram 的參數比較..................32
4-2-2 實驗二多元分類的 n-gram 的參數比較..................33
4-3 本研究方法的有效性....................................34
4-3-1 實驗三二元分類.....................................35
4-3-2 實驗四多元分類.....................................39
4-4 模型的適應性..........................................43
4-4-1 實驗五未知惡意樣本的測試............................43
4-4-2 實驗六未知惡意樣本且測試樣本較新測試.................44
4-5 實驗結果與討論........................................46
五、結論..................................................48
5-1 結論與貢獻...........................................48
5-2 本研究之限制與未來研究.................................50
5-2-1 研究限制...........................................50
5-2-2 未來研究...........................................50
參考文獻..................................................52

參考文獻

[1] Kaspersky. (2021). IT threat evolution Q3 2021. Mobile statistics. Available: https://securelist.com/it-threat-evolution-in-q3-2021-mobile-statistics/105020/(accessed 2022).
[2] StatCounter. (2022). Mobile Operating System Market Share Worldwide. Available: https://gs.statcounter.com/os-market-share/mobile/worldwide/#monthly-202102-202203-bar (accessed 2022).
[3] FireEye. Out of Pocket. (2015). A Comprehensive Mobile Threat Assessment of 7 Million iOS and Android Apps. Available: https://www.fireeye.com/blog/threat-research/2015/02/the_fireeye_mobilet.html (accessed 2022).
[4] A. Saracino, D. Sgandurra, G. Dini, and F. Martinelli, "Madam: Effective and efficient behavior-based android malware detection and prevention," IEEE Transactions on Dependable and Secure Computing, vol. 15, no. 1, pp. 83-97,
2016.
[5] P. Feng, J. Ma, C. Sun, X. Xu, and Y. Ma, "A Novel Dynamic Android Malware Detection System With Ensemble Learning," IEEE Access, vol. 6, pp. 30996-31011, 2018.
[6] M. Anshori, F. Mar′i, and F.A. Bachtiar, "Comparision of machine learning methods for android malicious software classification base on system call," in 2019 International Conference on Sustainable Information Engineering and
Technology (SIET), 2019: IEEE, pp. 343-348.
[7] S. Malik, "Android System Call Analysis for Malicious Application Detection," International Journal of Computer Sciences and Engineering , vol. 5, no. 11, pp. 105-108, 2017.
[8] M.Z. Mas′ ud, S. Sahib, M.F. Abdollah, S.R. Selamat, R. Yusof, "Analysis of Features Selection and Machine Learning Classifier in Android Malware Detection" in 2014 International Conference on Information Science and
Applications (ICISA), 2014: IEEE, pp. 1-5.
[9] M. K. Alzaylaee, S. Y. Yerima, and S. Sezer, "DL-Droid: Deep learning based android malware detection using real devices," Computers & Security, vol. 89, pp.
101663, 2020.
[10] M. K. Alzaylaee, S. Y. Yerima, and S. Sezer, "DynaLog: An automated dynamic analysis framework for characterizing android applications," in 2016 International Conference On Cyber Security And Protection Of Digital Services (Cyber
Security), 2016: IEEE, pp. 1-8.
[11] 劉育祺，2021，“使用於行動惡意程式偵測之局部權重系統呼叫序列壓縮方法，國立中央大學資訊管理研究所碩士論文。
[12] A. Martín, R. Lara-Cabrera, and D. Camacho, "Android malware detection through hybrid features fusion and ensemble classifiers: the AndroPyTool framework and the OmniDroid dataset," Information Fusion, vol. 52, pp. 128-142, 2019.
[13] pjlantz, "Droidbox: Dynamic analysis of Android apps." [Online]. Available: https://github.com/pjlantz/droidbox (accessed 2022).
[14] C. Boettiger, "An introduction to Docker for reproducible research," ACM SIGOPS Operating Systems Review, vol. 49, no. 1, pp. 71-79, 2015.
[15] J. Yan, Y. Qi, and Q. Rao, "LSTM-based hierarchical denoising network for Android malware detection," Security and Communication Networks , vol. 2018, 2018.
[16] M. Z. Mas′ ud, S. Sahib, M. F. Abdollah, S. R. Selamat, and C. Y. Huoy, "A Comparative Study on Feature Selection Method for N-gram Mobile Malware Detection," Int. J. Netw. Secur., vol. 19, no. 5, pp. 727-733, 2017.
[17] A. N. Jahromi, S. Hashemi, A. Dehghantanha, R. M. Parizi, and K.-K. R. Choo, "An enhanced stacked LSTM method with no random initialization for malware threat hunting in safety and time-critical systems," IEEE Transactions on
Emerging Topics in Computational Intelligence, vol. 4, no. 5, pp. 630-640, 2020.
[18] W. Xie, S. Xu, S. Zou, and J. Xi, "A system-call behavior language system for malware detection using a sensitivity-based LSTM model," in Proceedings of the
2020 3rd International Conference on Computer Science and Software Engineering, 2020, pp. 112-118.
[19] K. Al-Thelaya and E.-S. M. El-Alfy, "Android Malware Detector Based on Sequences of System Calls and Bidirectional Recurrent Networks," in International Symposium on Security in Computing and Communication, 2019:
Springer, pp. 309-321.
[20] Y. M. Chen, C. H. Hsu, and K. C. K. Chung, "A novel preprocessing method for solving long sequence problem in android malware detection," in 2019 Twelfth International Conference on Ubi-Media Computing (Ubi-Media), 2019: IEEE, pp. 12-17.
[21] Y.M. Chen, A.C. He, G.C. Chen, and Y.C. Liu, "Android malware detection system integrating block feature extraction and multi-head attention mechanism," in 2020
International Computer Symposium (ICS), 2020: IEEE, pp. 408-413.
[22] A. Vaswani et al., "Attention is all you need," Advances in neural information processing systems , vol. 30, 2017.
[23] A. Graves, "Supervised Sequence Labelling," in Supervised Sequence Labelling with Recurrent Neural Networks. Studies in Computational Intelligence, vol 385.,
2012 Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24797-2_2
[24] X. Xiao, S. Zhang, F. Mercaldo, G. Hu, and A. K. Sangaiah, "Android malware detection based on system call sequences and LSTM," Multimedia Tools and Applications, vol. 78, no. 4, pp. 3979-3999, 2019.
[25] Y. Yu, X. Si, C. Hu, and J. Zhang, "A Review of Recurrent Neural Networks: LSTM Cells and Network Architectures, " Neural computation , vol. 31, no. 7, pp.
1235-1270, 2019.
[26] S. Mahdavifar, A. F. A. Kadir, R. Fatemi, D. Alhadidi, and A. A. Ghorbani, "Dynamic Android Malware Category Classification using Semi-Supervised Deep Learning," in 2020 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on
Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), 2020: IEEE, pp. 515-522.
[27] D. Arp, M. Spreitzenbarth, M. Hubner, H. Gascon, K. Rieck, and C. Siemens, "Drebin: Effective and explainable detection of android malware in your pocket," in Ndss, 2014, vol. 14, pp. 23-26.
[28] K. Allix, T. F. Bissyandé, J. Klein, and Y. Le Traon, "Androzoo: Collecting millions of android apps for the research community," in 2016 IEEE/ACM 13th Working Conference on Mining Software Repositories (MSR), 2016: IEEE, pp. 468-471.
[29] H. Sistemas. "VirusTotal." https://www.virustotal.com/gui/ (accessed 2022).

指導教授

陳奕明(Yi-Ming Chen)

審核日期

2022-7-28

推文