基於系統呼叫序列與注意力LSTM模型偵測Android惡意軟體之研究

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：117

、訪客IP：18.116.14.71

姓名

曾博彥(Po-Yen Tseng) 查詢紙本館藏

畢業系所

資訊管理學系

論文名稱

基於系統呼叫序列與注意力LSTM模型偵測Android惡意軟體之研究
(Android Malware Analysis Based on System Call sequences and Attention-LSTM)

相關論文

★ 應用數位版權管理機制於數位影音光碟內容保護之研究	★ 以應用程式虛擬化技術達成企業軟體版權管理之研究
★ 以IAX2為基礎之網頁電話架構設計	★ 應用機器學習技術協助警察偵辦詐騙案件之研究
★ 擴充防止詐欺及保護隱私功能之帳戶式票務系統研究-以大眾運輸為例	★ 網際網路半結構化資料之蒐集與整合研究
★ 電子商務環境下網路購物幫手之研究	★ 網路安全縱深防護機制之研究
★ 國家寬頻實驗網路上資源預先保留與資源衝突之研究	★ 以樹狀關聯式架構偵測電子郵件病毒之研究
★ 考量地區差異性之隨選視訊系統影片配置研究	★ 不信任區域網路中數位證據保留之研究
★ 入侵偵測系統事件說明暨自動增加偵測規則之整合性輔助系統研發	★ 利用程序追蹤方法關聯分散式入侵偵測系統之入侵警示研究
★ 一種網頁資訊擷取程式之自動化產生技術研發	★ 應用XML/XACML於工作流程管理系統之授權管制研究

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

[檢視]

[下載]

本電子論文使用權限為同意立即開放。
已達開放權限電子全文僅授權使用者為學術研究之目的，進行個人非營利性質之檢索、閱讀、列印。
請遵守中華民國著作權法之相關規定，切勿任意重製、散佈、改作、轉貼、播送，以免觸法。

摘要(中)

行動裝置的普及與Android作業系統的開放性，使得層出不窮的惡意軟體嚴重影響使用者資訊安全，面對變化多端的攻擊手法與躲避偵測方法，如何更準確的偵測出惡意軟體並加以防護已成為重要議題。雖然目前已有研究提出透過分析應用程式實際執行過程，能有效避免程式碼混淆等躲避偵測問題。但是面對此方法所提取的序列型特徵，如何更詳細地得知特徵之間的關聯性，藉以提升分類模型的分辨準確率，為許多研究所努力的方向。基於應用程式執行過程所呼叫的系統呼叫序列(System Call Sequence)，具有可以真實呈現應用程式實際執行為的特性。本研究提取系統呼叫序列作為特徵，並透過長短期記憶(Long Short-Term Memory, LSTM)深度學習模型架構提取系統呼叫前後相互關聯。然而，為了避免隨著系統調用序列的長度增長，降低模型分類準確率，於分類模型中加入注意力機制(Attention)，透過計算LSTM神經元的短期記憶專注分數並加權平均於分類決策演算法中，達到增強分類不同惡意攻擊類型的判斷能力。經實驗結果證實，通過兩層的雙向LSTM架構並加入Attention機制的深度神經網路，在分類良性與惡意程式的分辨能力達93.5%，而在詳細分類良性程式與另外兩種惡意種類程式的分類結果則具有93.1%的準確率，展現優良的分類能力。

摘要(英)

With the popularity of Android mobile devices, detecting and protecting malicious software has become an important issue. Although there have been studies proposed that dynamic analysis can overcome the shortcomings of avoidance detection problems such as code obfuscated. However, how to learn more detail of correlation between the sequence-type features extracted by dynamic analysis to improve the resolution accuracy of the classification model is the direction of many research efforts. This study extracts the system call sequence as a feature, and extracts the system call correlation through the Long Short-Term Memory (LSTM) deep learning model. In addition, in order to avoid the increase of the length of the system call sequence and reduce the accuracy of the model classification, the attention mechanism is added to the classification model. The experimental results show that through the two-layer of Bi- LSTM architecture and the deep neural network of the Attention mechanism, the resolution of benign and malicious programs is 93.5%, and the classification of benign programs and two other malicious types is detailed. The result is an accuracy of 93.1%, showing excellent classification ability.

關鍵字(中)

★ 深度學習
★ 注意力LSTM
★ Android
★ 惡意程式分類
★ 系統呼叫序列

關鍵字(英)

★ Deep Learning
★ Attention-LSTM
★ Android
★ Malware Classification
★ System Call Sequence

論文目次

論文摘要 i
Abstract ii
誌謝 ii
目錄 iii
圖目錄 v
表目錄 viii
第1章緒論 1
1-1研究背景 1
1-2研究動機與目的 4
1-3研究貢獻 7
1-4章節架構 8
第2章相關文獻 9
2-1系統呼叫序列提取方式 9
2-2處理序列型特徵之深度學習模型 10
2-2-1 遞歸神經網路 10
2-2-2 長短期記憶 11
2-2-3 雙向遞歸神經網路 12
2-2-3 注意力機制 13
2-3 以Android系統呼叫序列為特徵之分類方法 16
2-3-1 採用傳統機器學習偵測 16
2-3-2 採用深度學習之偵測 17
2-4 小結 20
第3章系統設計 23
3-1系統架構 23
3-1-1動態特徵蒐集模組(DFCM) 24
3-1-2樣本/特徵資料庫(Samples/Features Database) 26
3-1-3分類模型訓練器(Model Trainer) 27
3-1-4分類模型資料庫(Model Database) 30
3-1-5分類模組(Deep Learning Classifier Module) 31
3-2系統流程 31
第4章實驗與討論 32
4-1實驗環境 32
4-2 : 實驗樣本與評估方式 33
4-3實驗一 : 動態特徵蒐集模組功能驗證 33
4-3-1 實驗目的 33
4-3-2 實驗方法 34
4-3-3 實驗結果 34
4-4實驗二 :系統呼叫序列輸入長度評估 35
4-4-1 實驗目的 35
4-4-2 實驗方法 35
4-4-3 實驗結果 36
4-5實驗三 : bi-LSTM神經網路參數評估 37
4-5-1 實驗目的 37
4-5-2 實驗方法 37
4-5-3 實驗結果 37
4-6實驗四 : 注意力機制參數評估 38
4-6-1 實驗目的 38
4-6-2 實驗方法 38
4-6-3 實驗結果 38
-4-7實驗五 :相關深度神經網路模型辨識能力比對 39
4-7-1 實驗目的 39
4-7-2 實驗方法 39
4-7-3 實驗結果 39
4-8 結果與討論 41
第五章結論與未來研究 43
5-1研究結論 43
5-2未來研究 44
參考文獻 46

參考文獻

[參考網站]
[1] anzhi. (2019). 安智市場. Available: http://dev.anzhi.com/
[2] Apple. (2019). App Store. Available: https://www.apple.com/tw/ios/app-store/
[3] DATA, G. (2018). Cyber attacks on Android devices on the rise. Available: https://www.gdatasoftware.com/blog/2018/11/31255-cyber-attacks-on-android-devices-on-the-rise
[4] Google. (2019). Google Play. Available: https://play.google.com/store?hl=zh-TW
[5] imdb. (2019). IMDB Dataset. Available: https://www.imdb.com/
[6] INRIA. (2019). scikit-learn Machine Learning in Python. Available: https://scikit-learn.org/stable/
[7] Lab, A. C. S. (2019). Android Malware Dataset. Available: http://amd.arguslab.org/
[8] Sheridan, K. Kaspersky Security Bulletin 2018. Story of the year: miners. Available: https://www.darkreading.com/threat-intelligence/backdoors-up-44--ransomware-up-43--from-2017/d/d-id/1333399
[9] StatCounter. (2019). Desktop vs Mobile vs Tablet Market Share Worldwide. Available: http://gs.statcounter.com/platform-market-share/desktop-mobile-tablet
[10] StatCounter. (2019). Mobile Operating System Market Share Worldwide. Available: http://gs.statcounter.com/os-market-share/mobile/worldwide/2019
[11] sureshmca. (2014). Android and Java Programming. Available: http://www.onsandroid.com/2014/10/in-depth-android-boot-sequence-process.html
[12] zhushou360. (2019). 360手机助手. Available: https://zhushou.360.cn/

[中文文獻]
[13] 胡哲君, "去可識別個人資訊後之 Android惡意程式動態分析研究," 碩士論文, 資訊管理學系, 國立中央大學, 2017.
[14] 熊永菁, "結合靜態權限及動態封包分析以提升Android惡意程式偵測效能之研究," 碩士論文, 資訊管理學系, 國立中央大學, 2018.
[英文文獻]
[15] Alshahrani, H., Mansourt, H., Thorn, S., Alshehri, A., Alzahrani, A., and Fu, H., "DDefender: Android application threat detection using static and dynamic analysis," in 2018 IEEE International Conference on Consumer Electronics (ICCE), 2018, pp. 1-6: IEEE.
[16] Bahdanau, D., Cho, K., and Bengio, Y., "Neural machine translation by jointly learning to align and translate," International Conference on Learning Representations, 2015.
[17] Bengio, Y., "Learning deep architectures for AI," Foundations and trends® in Machine Learning, vol. 2, no. 1, pp. 1-127, 2009.
[18] Chau, N.-T. and Jung, S., "Dynamic analysis with Android container: Challenges and opportunities," Digital Investigation, vol. 27, pp. 38-46, 2018.
[19] Chen, Y., Ghorbanzadeh, M., Ma, K., Clancy, C., and McGwier, R., "A hidden markov model detection of malicious android applications at runtime," in 2014 23rd Wireless and Optical Communication Conference (WOCC), 2014, pp. 1-6: IEEE.
[20] Dimjašević, M., Atzeni, S., Ugrina, I., and Rakamaric, Z., "Evaluation of android malware detection based on system calls," in Proceedings of the 2016 ACM on International Workshop on Security And Privacy Analytics, 2016, pp. 1-8: ACM.
[21] Elman, J. L., "Finding structure in time," Cognitive science, vol. 14, no. 2, pp. 179-211, 1990.
[22] Ghaffari, F., Abadi, M., and Tajoddin, A., "AMD-EC: Anomaly-based Android malware detection using ensemble classifiers," in 2017 Iranian Conference on Electrical Engineering (ICEE), 2017, pp. 2247-2252: IEEE.
[23] Graves, A., Jaitly, N., and Mohamed, A.-r., "Hybrid speech recognition with deep bidirectional LSTM," in 2013 IEEE workshop on automatic speech recognition and understanding, 2013, pp. 273-278: IEEE.
[24] Hasegawa, C. and Iyatomi, H., "One-dimensional convolutional neural networks for Android malware detection," in 2018 IEEE 14th International Colloquium on Signal Processing & Its Applications (CSPA), 2018, pp. 99-102: IEEE.
[25] Hou, S., Saas, A., Chen, L., and Ye, Y., "Deep4maldroid: A deep learning framework for android malware detection based on linux kernel system call graphs," in 2016 IEEE/WIC/ACM International Conference on Web Intelligence Workshops (WIW), 2016, pp. 104-111: IEEE.
[26] Isohara, T., Takemori, K., and Kubota, A., "Kernel-based behavior analysis for android malware detection," in 2011 Seventh International Conference on Computational Intelligence and Security, 2011, pp. 1011-1015: IEEE.
[27] Kaushik, P. and Yadav, P. K., "A Novel approach for detecting malware in Android applications using Deep learning," in 2018 Eleventh International Conference on Contemporary Computing (IC3), 2018, pp. 1-4: IEEE.
[28] Kolosnjaji, B., Zarras, A., Webster, G., and Eckert, C., "Deep learning for classification of malware system call sequences," in Australasian Joint Conference on Artificial Intelligence, 2016, pp. 137-149: Springer.
[29] Krizhevsky, A., Sutskever, I., and Hinton, G. E., "Imagenet classification with deep convolutional neural networks," in Advances in neural information processing systems, 2012, pp. 1097-1105.
[30] Liang, H., Song, Y., and Xiao, D., "An end-To-end model for Android malware detection," in 2017 IEEE International Conference on Intelligence and Security Informatics (ISI), 2017, pp. 140-142: IEEE.
[31] Lin, Y.-D., Lai, Y.-C., Chen, C.-H., Tsai, H.-C. J. c., and security, "Identifying android malicious repackaged applications by thread-grained system call sequences," vol. 39, pp. 340-350, 2013.
[32] Malik, S. and Khatter, K., "System call analysis of android malware families," Indian Journal of Science and Technology, vol. 9, no. 21, 2016.
[33] Mariconti, E., Onwuzurike, L., Andriotis, P., De Cristofaro, E., Ross, G., and Stringhini, G. J. a. p. a., "Mamadroid: Detecting android malware by building markov chains of behavioral models," 2016.
[34] Martinelli, F., Marulli, F., and Mercaldo, F., "Evaluating convolutional neural network for effective mobile malware detection," Procedia computer science, vol. 112, pp. 2372-2381, 2017.
[35] Martín, A., Lara-Cabrera, R., Camacho, D. J. D. S., and Support, K. E. f. S. D., "A new tool for static and dynamic android malware analysis," pp. 509-516, 2018.
[36] Martín, A., Rodríguez-Fernández, V., and Camacho, D., "CANDYMAN: Classifying Android malware families by modelling dynamic traces with Markov chains," Engineering Applications of Artificial Intelligence, vol. 74, pp. 121-133, 2018.
[37] Naway, A. and LI, Y., "A Review on The Use of Deep Learning in Android Malware Detection," International Journal of Computer Science and Mobile Computing, , vol. 7 no. 12, pp. 42-58, 2018.
[38] Reina, A., Fattori, A., and Cavallaro, L., "A system call-centric analysis and stimulation technique to automatically reconstruct android malware behaviors," EuroSec, April, 2013.
[39] Schuster, M. and Paliwal, K. K., "Bidirectional recurrent neural networks," IEEE Transactions on Signal Processing, vol. 45, no. 11, pp. 2673-2681, 1997.
[40] Silver, D. et al., "Mastering the game of go without human knowledge," Nature, vol. 550, no. 7676, p. 354, 2017.
[41] Sundermeyer, M., Schlüter, R., and Ney, H., "LSTM neural networks for language modeling," in Thirteenth annual conference of the international speech communication association, 2012.
[42] Thon, J., "Predictive Identification of Android Malware through Hybrid Analysis," Master′s Thesis, Fakultät IV Elektrotechnik und Informatik, Technische Universität, 2018.
[43] Vinayakumar, R., Soman, K., Poornachandran, P., and Sachin Kumar, S., "Detecting Android malware using long short-term memory (LSTM)," Journal of Intelligent & Fuzzy Systems, vol. 34, no. 3, pp. 1277-1288, 2018.
[44] Xiao, X., Wang, Z., Li, Q., Xia, S., and Jiang, Y., "Back-propagation neural network on Markov chains from system call sequences: a new approach for detecting Android malware with system call sequences," IET Information Security, vol. 11, no. 1, pp. 8-15, 2016.
[45] Xiao, X., Zhang, S., Mercaldo, F., Hu, G., and Sangaiah, A. K., "Android malware detection based on system call sequences and LSTM," Multimedia Tools and Applications, vol. 78, no. 4, pp. 3979-3999, 2019.
[46] Zhou, P. et al., "Attention-based bidirectional long short-term memory networks for relation classification," in Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics (Volume 2: Short Papers), 2016, vol. 2, pp. 207-212.

指導教授

陳奕明(Yi-Ming Chen)

審核日期

2019-7-27

推文