Master's/Doctoral Thesis etd-0810113-121716 Details
Title page for etd-0810113-121716
Detecting Mobile Application Malicious Behavior Based on Taint Propagation
Year, semester
Number of pages
Advisory Committee
Date of Exam
Date of Submission
malicious behavior detection, reverse engineering, source code, static analysis, Android
This thesis has been viewed 5821 times and downloaded 0 times.

Among mobile devices, Android faces the most serious threats, and compared with other platforms it has the property that information remains intact after reverse engineering. This study therefore targets the Android platform and proposes an analysis method based on the data flow of the source code recovered by reverse engineering. Besides overcoming the bottleneck of dynamic analysis, which may fail to trigger malicious behavior, the method can identify an application's behavior from its source code. It also integrates earlier work on Android static analysis by adding the presence or absence of API function calls as a feature of the data-flow identification. We use taint propagation to track the data flow of the program code, derive threat patterns from known malware families, compare the tracked data flows against the threat patterns, and report the matching data-transfer behavior. We analyzed 252 malicious samples from 19 families and 50 applications from Google Play; the experimental results show that the method successfully identifies applications with malicious behavior, with an identification rate of 91.6%. A comparison with VirusTotal also shows that the method outperforms the malware analysis platforms currently on the market.
When detecting malicious applications on mobile devices, the current mainstream approach is dynamic analysis, since it can directly determine whether a mobile application's behavior is malicious. This approach, however, raises the question of whether dynamic analysis can successfully trigger the malicious behaviors at all. Static analysis of mobile applications, on the other hand, has mainly used fragmented characteristics to identify malicious behaviors, which is not a holistic and complete method for analyzing the source code of mobile applications.
Among mobile devices, the Android platform is attacked by malicious applications the most. Because Android, unlike other platforms, preserves the complete information of an application after reverse engineering, in this thesis we present an analysis method based on the data flow of the application's reversed source code. Our method not only overcomes the problem of triggering malicious behaviors during analysis but also successfully identifies an application's behaviors from its source code. It improves on previous research on detecting malicious Android applications by tracking the data flow of the applications' source code, using taint propagation. In this work, we derive malicious behavior patterns from known malware families; after tracking the data flow, we match it against these patterns and report the matches.
In the evaluation, we analyzed 252 malicious apps from 19 families and 50 free apps from Google Play. The results show that our method successfully detects malicious behaviors of Android apps with a TPR of 91%.
Table of Contents
Chapter 1 Introduction (p. 1)
1.1 Research Background (p. 1)
1.2 Research Motivation (p. 2)
1.3 Research Objectives (p. 3)
Chapter 2 Literature Review (p. 4)
2.1 Introduction to Android (p. 4)
2.1.1 Characteristics of the Android Platform (p. 4)
2.1.2 Android App File Format (p. 4)
2.1.3 Reverse Engineering Tools (p. 5)
2.2 Mobile Malware Analysis Approaches (p. 5)
2.2.1 Existing Analysis Approaches (p. 5)
2.2.2 Dynamic Analysis (p. 6)
2.2.3 Static Analysis (p. 7)
2.3 Taint Propagation (p. 9)
2.4 Program Dependence (p. 10)
Chapter 3 System Design (p. 12)
3.1 Reverse Engineering Module (p. 12)
3.2 Structure Exploration Module (p. 13)
3.2.1 Class Property Mapping (CPM) (p. 15)
3.2.2 Method Variables Mapping (MVM) (p. 19)
3.2.3 Node Dependence Building (NDB) (p. 20)
3.3 Taint Propagation Module (p. 25)
3.3.1 Threat Patterns (p. 25)
3.3.2 Inspection Data Model (p. 31)
Chapter 4 System Evaluation (p. 33)
4.1 Behavior Analysis of Malicious Samples (p. 33)
4.1.1 Sample Information (p. 33)
4.1.2 Analysis Results (p. 34)
4.2 Behavior Analysis of Commercial Applications (p. 44)
4.2.1 Sample Information (p. 44)
4.2.2 Analysis Results (p. 44)
4.3 Comparison with VirusTotal (p. 46)
4.3.1 Introduction to VirusTotal (p. 46)
4.3.2 Sample Information (p. 46)
4.3.3 Analysis Results (p. 47)
Chapter 5 System Limitations and Future Work (p. 49)
5.1 Research Limitations (p. 49)
5.2 Conclusion (p. 49)
Fulltext
Thesis access permission: user-defined release date
Available:
On campus: not available
Off-campus: not available


Printed copies
Availability: available
