Title page for thesis/dissertation record etd-0522114-000113
Title: Fast Mobile Malware Detection Based on Hybrid Analysis Method (Chinese title: 以混合式分析方法為基礎之行動惡意軟體快速偵測)
Department:
Year, semester:
Language:
Degree:
Number of pages: 48
Author:
Advisor:
Convenor:
Advisory Committee:
Date of Exam: 2014-07-14
Date of Submission: 2016-03-21
Keywords: Android, malware, genetic algorithm, static analysis, reverse engineering
Statistics: The thesis/dissertation has been browsed 5928 times and downloaded 31 times.
Abstract (translated from the Chinese)
The penetration rate of mobile devices keeps rising, and the number of malware samples grows with it; how to keep the devices of mobile users secure has become an important issue.
Current mainstream mobile malware detection methods fall into two categories, dynamic and static. Dynamic analysis judges whether an application is malicious from the device's actual runtime behavior, but how to trigger the malicious behavior, and the efficiency of detection, are major difficulties of dynamic analysis; static analysis, on the other hand, usually cannot confirm what the malware's malicious behavior actually is.
Android is the mainstream mobile operating system and the main target of malware. Android applications are developed in Java, which makes them comparatively easy to reverse engineer. This study performs data-flow analysis on the source code recovered by reverse engineering, extracts feature values from it, and then uses a genetic algorithm to find the features that can identify malicious behavior, which are used to detect malware. On 1,259 malware samples and 1,259 benign applications downloaded from Google Play, the experiments in this study detect 96.5% of the malware with a precision of 90%.
Abstract
More and more people use mobile devices nowadays, and mobile malware is increasing very quickly as well. How to protect mobile devices has become an important issue.
The two main kinds of approaches to detecting mobile malware are static approaches and dynamic approaches. Dynamic approaches detect malware based on the actual behavior of applications, but how to trigger the malicious behavior, and the efficiency of the analysis, are the difficulties of this kind of approach. Most static approaches cannot tell what malicious behaviors a piece of malware will conduct.
Android is the most popular mobile platform and the main target of malware. Because Android applications are developed in the Java programming language, it is easier to recover application source code using reverse engineering techniques. The proposed system applies data-flow analysis to the source code reversed from applications to extract features, and then uses a genetic algorithm to obtain the features that are helpful for distinguishing malicious behavior. We conducted an experiment on 1,259 malware samples and 1,259 benign applications downloaded from Google Play: the system detects 96.5% of the malware with a precision of 90%.
Table of Contents
I. INTRODUCTION (p. 1)
1.1 Purpose (p. 3)
II. RELATED WORK (p. 5)
2.1 Comparison to mainstream mobile malware analysis approaches (p. 5)
2.1.1 Analysis based on permissions (p. 5)
2.1.2 Dynamic analysis (p. 6)
2.1.3 Static analysis (p. 7)
2.2 Introduction to the Android platform (p. 9)
2.2.1 Android APK file (p. 9)
2.2.2 Reverse engineering tools (p. 9)
2.3 Feature selection (p. 10)
2.3.1 Mutual information (p. 10)
2.4 Genetic algorithm (p. 10)
III. Proposed System (p. 11)
3.1 System architecture (p. 11)
3.1.1 De-compilation component (p. 12)
3.1.2 Threat pattern building component (p. 12)
IV. System Evaluation (p. 32)
4.1 Malware samples (p. 32)
4.2 Evaluation (p. 34)
V. Conclusion and System limitations (p. 40)
References (p. 41)
Fulltext
This electronic full text is licensed only for users' personal, non-profit retrieval, reading and printing for the purpose of academic research. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization, so as to avoid breaking the law.
Thesis access permission: user-defined release date
Available:
Campus: available
Off-campus: available


Printed copies
Public-access information for printed copies is relatively complete from academic year 102 onward. To check the public-access information of printed copies from academic year 101 or earlier, please contact the printed thesis service counter of the Library and Information Services Office. We apologize for any inconvenience.
Available: available
