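Abstract: | In recent years, smartphones have become a target for hackers because of their ubiquity and the growing amount of personal information they hold. Security tools collect a large amount of information from the phone, and when that information is uploaded to a cloud platform for malware analysis, the user's privacy may be leaked. This study addresses three classes of malware on the Android platform (spyware, botnets and ransomware) and proposes the ShadowDroid system, which uses dynamic analysis. When collecting the data needed for analysis on the phone, it establishes a VPN on the phone to intercept all network traffic, uses string matching to find private information in that traffic, and then de-identifies it, ensuring that the uploaded analysis data contains no private data. Much current research on malware classification assigns malware to families, but a malware family is the product of malware authors continually evolving variants to evade detection or add functionality, and a family does not represent any one behavioral feature. This study classifies malware by its behavior, as Trojan, ransomware and so on, so that users can look for a suitable countermeasure for that feature. Current categories are each defined by a single behavioral feature, yet some malware mixes behaviors from several malicious categories; for example, Xbot includes malicious behaviors such as phishing and encryption-based extortion. This study therefore computes the similarity between the data uploaded from the phone and the standard feature set of each category, and the features used in the analysis require no private data. Our analysis results show the similarity to each malicious category, from which one can judge which malicious behaviors the malware may contain. Experiments confirm that, without privacy leakage and taking the highest similarity as the classification result, classification of benign programs and the three kinds of malware reaches 90% accuracy, only slightly lower than the 92% accuracy of malware family classification.;In recent years, smartphones have become a target for hackers because of their popularity and the growing amount of personal information they store. Information security tools collect a lot of information from the user's smartphone and may leak private information when it is uploaded to a cloud server for malware analysis. To protect the user's private information, information security tools need to remove it from the uploaded data. Our study targets three kinds of malware on the Android platform (spyware, botware and ransomware) and proposes a dynamic malware classification system named ShadowDroid. ShadowDroid establishes a VPN to intercept all network packets on the phone. It collects all network packets of the app under inspection, uses a string matching method to find private information, and then de-identifies it to make sure that the uploaded classification data does not contain any personally identifiable information. At present, malware classification research classifies malware into malicious families. But a malicious family is the result of malware continually evolving in order to circumvent detection or enhance its functionality. This research classifies malware according to its behavioral features, such as ransomware, botware and spyware, to help the user find suitable measures for each behavioral feature. Each category is defined by a certain behavioral feature, but some malware may mix malicious behaviors of several malicious types. For example, Xbot contains malicious behaviors such as phishing and encrypting files for extortion. Therefore, this research calculates the similarity between the data uploaded from the user's mobile device and the standard feature set of each category. The classification features do not need any private information. Our classification results show the similarity to each malicious category, from which one can judge which malicious behaviors the program may contain. The results show that the classification of benign apps and the three categories of malware is 90% accurate, which is only slightly lower than the 92% accuracy of malicious family classification. |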
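
One way to implement the string-matching and de-identification step described in the abstract, as an added example that is not ShadowDroid's own code. The identifier set, the encodings checked (plain, percent-encoded, MD5, SHA-1) and the `<LABEL>` placeholders are assumptions, and the sample payload is constructed.

```python
import hashlib
import re
from urllib.parse import quote

def encodings(value):
    """Forms in which one identifier may appear on the wire (assumed set)."""
    raw = value.encode("utf-8")
    return {
        value,
        quote(value, safe=""),          # percent-encoded in URLs and forms
        hashlib.md5(raw).hexdigest(),   # some SDKs send hashed identifiers
        hashlib.sha1(raw).hexdigest(),
    }

def build_matcher(identifiers):
    """Compile one case-insensitive pattern over every form of every identifier."""
    label_of = {}
    for label, value in identifiers.items():
        for form in encodings(value):
            label_of[form.lower()] = label
    # Longest first, so a long form is never split by a shorter one.
    forms = sorted(label_of, key=len, reverse=True)
    pattern = re.compile("|".join(re.escape(f) for f in forms), re.IGNORECASE)
    return pattern, label_of

def deidentify(payload, identifiers):
    """Return (scrubbed payload, sorted labels of the identifiers that were found)."""
    pattern, label_of = build_matcher(identifiers)
    found = set()

    def scrub(match):
        label = label_of[match.group(0).lower()]
        found.add(label)
        return "<" + label + ">"   # the value is dropped, the leak type is kept

    return pattern.sub(scrub, payload), sorted(found)

# Constructed sample values, not real identifiers or real traffic.
DEVICE = {"IMEI": "356938035643809", "EMAIL": "alice@example.com",
          "PHONE": "+886912345678"}
SAMPLE = ("POST /collect HTTP/1.1\r\nHost: tracker.example\r\n\r\n"
          "imei=356938035643809&mail=alice%40example.com&tel=%2B886912345678"
          "&h=" + hashlib.md5(b"356938035643809").hexdigest())

if __name__ == "__main__":
    clean, leaked = deidentify(SAMPLE, DEVICE)
    print(clean)
    print(leaked)
```

The returned labels record which kinds of identifier an app sent without carrying the values themselves, so they can be uploaded as behavioral features.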