近年來,隨著行動應用日益普及,行動APP的安全檢測研究也受到極大重視。雖然現在無論是商業產品或是學術研究都在這方面投入大量心力且有不錯成果,但是各種新型態的攻擊或是零時差漏洞攻擊仍讓人防不勝防,而因為惡意程式家族樣本數目不均衡產生偵測模型失准也是仍待克服的重要問題。有鑑於此,本計畫針對目前市面上最普及的Android手機提出一個創新性的具使用者環境感知與自動進化能力之深度學習惡意行動程式檢測平台系統(簡稱 DEA-Droid 系統)。此系統將採用深度學習技術來建立分析引擎,除了可以省去機器學習模型建立過程中的人工挑選重要參數步驟外,還可以利用最新的GAN (Generative Adversarial Network)技術來產生更多新樣本以解決惡意家族樣本數量不足問題。DEA-Droid系統將分成手機端以及雲端伺服器兩部分,在雲端又採取兩階段(APP 與User level)偵測方式。在手機端,我們除了蒐集APP的動靜態特徵外,還蒐集使用者使用手機時的環境資訊,如使用者常用哪些APP以及這些APP執行時所耗用的CPU及記憶體等,這些資訊都會送到雲端伺服器上分析。由於特徵的多樣化,我們擬綜合採用LSTM (長短期記憶神經網路) 及CNN(捲積神經網路)來處理有/無時序關係的APP特徵資料,除了白名單內的良性APP或確定為惡意程式的APP之外,其餘APP會進入第二階段,此時使用者環境資訊會被深度學習引擎分析以判斷使用者是否受到新型態攻擊。由於深度學習模型的計算非常耗時,所以本計畫也擬開發參數微調(Fine tune)技術並設計模型進化管理資料庫以對深度學習運算作最佳的後台支援。本計畫將分三年執行,第一年將先探討深度學習在惡意APP偵測上的應用,以便知道手機該提供哪些資訊可取得較佳分析結果。第二年設計與開發手機端的使用者環境感知模組並持續優化第一年的模組,第三年則開發伺服器端的分析結果推播模組以及手機端的告警與反應模組,最後將系統整合測試並發表研究成果。 ;As the popular of mobile applications in recent years, the research of malicious APP detection receives much attention. Though the commercial product or academic community has provided some solutions to this end, there still exist two important problems: how to detect zero-day attacks and the malware family population imbalance problem. Therefore, this project proposes a deep learning (DL) system with Environment awareness and Auto evolution capabilities for mobile malware detection, named DEA-Droid in short. DEA-Droid adopts DL technologies for the following two reasons: (1) to save the overhead of feature selection stage in conventional machine learning approach, (2) can use the GAN (Generative Adversarial Network) to solve the malware family population imbalance problem. DEA-Droid adopts two-level (APP and user) detection approach. In APP level, the DEA-Droid analysis engine will use both LSTM and CNN to analyze the dynamic/static APP attributes. The user environment data will be analyzed by another set of DL model in the user level detection. Because the DL analysis requires huge computing power, this project plan to develop a ‘fine tune’ method to reuse some trained DL parameters when new malware samples arrive. So we will design an evolutionary database to manage these parameters. This project will span three years. In the first year, we focus on the investigation of how the DL technologies can be applied in malicious APP detection. Our purposes are to find out what the parameters the Mobile phone should send to the server and what kind of DL model can get the best results. In the second year, we will design and implement the user environment awareness module and continue to tune the DL analysis engine developed in the first year. In the third year, we implement the other module, such as the results push module, and integrate all the modules to do the system test. Finally, we do a set of experiments and publish our findings.
