Title page for etd-0810113-121716
Title
Detecting Mobile Application Malicious Behavior Based on Taint Propagation
Department
Year, semester
Language
Degree
Number of pages
71
Author
Advisor
Convenor
Advisory Committee
Date of Exam
2013-07-24
Date of Submission
2013-09-10
Keywords
mobile applications, program behavior analysis, malware detection, static analysis, reverse engineering
malicious behavior detection, reverse engineering, source code, static analysis, Android
Statistics
This thesis has been viewed 5795 times and downloaded 0 times.
Abstract (Chinese)
In detecting malicious applications on mobile devices, the current mainstream approach is dynamic analysis, because dynamic analysis can judge whether a program is malicious directly from the behavior the application exhibits. However, whether the malicious behavior can actually be triggered during dynamic analysis has always been the hard problem of that approach. On the other hand, current research on static analysis of mobile applications mostly relies on fragmented features as the basis for identification; no method has yet emerged that performs a macro-level, complete identification from the application's source code.

Among mobile devices, Android faces the most serious threats, and compared with other platforms Android has the property that information is retained intact after reverse engineering. This study therefore targets the Android platform and proposes an analysis method based on the data flow of the source code recovered by reverse engineering. Besides overcoming the bottleneck of dynamic analysis failing to trigger malicious behavior, the method can identify an application's behavior from its source code. It also integrates previous results on Android static analysis by adding the presence or absence of API calls as a feature in the data-flow identification. We use taint propagation to track the data flow of the code, derive threat patterns from known malware families, then match the tracked data flows against the threat patterns and report the data-transfer behaviors that match. We analyzed 252 malicious samples from 19 families and 50 applications from Google Play; the experimental results show that the method successfully identifies applications with malicious behavior, with an identification rate of 91.6%. A comparison with VirusTotal also shows that the method outperforms the malware analysis platforms currently on the market.
Abstract (English)
When detecting malicious applications on mobile devices, the current main approach is dynamic analysis, since dynamic analysis can directly determine whether a mobile application's behavior is malicious. However, this approach raises the issue of whether dynamic analysis can successfully trigger the malicious behaviors at all. On the other hand, studies of static analysis for mobile applications mainly use fragmented characteristics to identify malicious behaviors, which is not a macro-level, complete identification method for analyzing the source code of mobile applications.
Among mobile devices, the Android platform is attacked by malicious applications the most. Because Android, compared with other platforms, keeps the whole message intact after reverse engineering, in this paper we present an analysis method based on the data flow of the application's reversed source code. Our method not only overcomes the issue of triggering malicious behaviors during analysis but also identifies the behaviors of applications from their source code. Our method improves on previous research on detecting malicious Android applications by tracking the data flow of the applications' source code. We use taint propagation to track the data flow. In this work, we derive malicious behavior patterns from the known malware families. After tracking the data flow, we match the data flow against the malicious behavior patterns and report the matches.
In the evaluation, we analyzed 252 malicious apps from 19 families and 50 free apps from Google Play. The results proved that our method can successfully detect malicious behaviors of Android apps with a TPR of 91%.
Table of Contents
Thesis approval form ... i
Abstract (Chinese) ... ii
Abstract (English) ... iii
Chapter 1 Introduction ... 1
1.1. Research background ... 1
1.2. Research motivation ... 2
1.3. Research objectives ... 3
Chapter 2 Literature review ... 4
2.1. Introduction to Android ... 4
2.1.1. Android platform characteristics ... 4
2.1.2. Android app file format ... 4
2.1.3. Reverse engineering tools ... 5
2.2. Mobile malware analysis methods ... 5
2.2.1. Existing analysis methods ... 5
2.2.2. Dynamic analysis ... 6
2.2.3. Static analysis ... 7
2.3. Taint Propagation ... 9
2.4. Program Dependence ... 10
Chapter 3 System design ... 12
3.1. Reverse engineering module ... 12
3.2. Structure exploration module ... 13
3.2.1. Class Property Mapping (CPM) ... 15
3.2.2. Method Variables Mapping (MVM) ... 19
3.2.3. Node Dependence Building (NDB) ... 20
3.3. Taint propagation module ... 25
3.3.1. Threat patterns ... 25
3.3.2. Inspection data model ... 31
Chapter 4 System evaluation ... 33
4.1. Behavior analysis of malicious samples ... 33
4.1.1. Sample information ... 33
4.1.2. Analysis results ... 34
4.2. Behavior analysis of applications on the market ... 44
4.2.1. Sample information ... 44
4.2.2. Analysis results ... 44
4.3. Comparison with VirusTotal ... 46
4.3.1. Introduction to VirusTotal ... 46
4.3.2. Sample information ... 46
4.3.3. Analysis results ... 47
Chapter 5 System limitations and future work ... 49
5.1. Research limitations ... 49
5.2. Conclusion ... 49
References ... 51
Appendix 1 ... 54
Appendix 2 ... 58
Appendix 3 ... 60
Fulltext
This electronic full text is licensed only for academic research: personal, non-commercial retrieval, reading and printing. Please comply with the relevant provisions of the Copyright Act of the Republic of China and do not reproduce, distribute, adapt, repost or broadcast it without authorization, to avoid violating the law.
Thesis access permission: user-defined release date
Available:
Campus: not available
Off-campus: not available
Printed copies
Public-access information for printed theses is relatively complete from academic year 102 onward. To look up public-access information for printed theses from academic year 101 or earlier, please contact the printed thesis service counter of the Library and Information Services. We apologize for any inconvenience.
Available: available