National Digital Library of Theses and Dissertations in Taiwan

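Graduate student: 陳凱軍
Graduate student (English): CHEN, KAI-JUN
Thesis title (Chinese): 基於API 和Permission對於Android惡意程式檢測
Thesis title (English): Android Malware Detection Based on API and Permission
Advisor: 伍麗樵
Advisor (English): WUU, LIH-CHYAU
Oral defense committee: 楊吳泉, 郭文中
Oral defense committee (English): YANG, WU-QUAN; GUO, WEN-ZHONG
Oral defense date: 2019-07-25
Degree: Master's
Institution: National Yunlin University of Science and Technology
Department: Department of Computer Science and Information Engineering
Discipline: Engineering
Field: Electrical and Information Engineering
Thesis type: Academic thesis
Publication year: 2019
Graduation academic year: 107
Language: Chinese
Number of pages: 51
Keywords (translated from Chinese): malicious APK detection; static analysis; Android; machine learning
Keywords (English): Malware Detection; Static Analysis; Android; Machine Learning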
The number of malicious APKs keeps growing, and as the underlying techniques evolve and attack methods advance, many kinds of malicious behavior have emerged, such as Trojans, SMS malware, and adware, posing a serious threat to mobile device users. According to a survey by the German security vendor GDATA [22], 3 million new malicious Android APKs were found in 2017, and 3.18 million new malicious Android APKs had been found by the end of the third quarter of 2018. Detecting whether an APK contains malicious behavior is therefore an urgent task. The detection method in this thesis is primarily static analysis: it extracts all the APIs (Application Programming Interfaces) of malicious and benign APKs, together with the Permissions each APK declares, and checks whether each API the APK invokes is among the APIs that its declared Permissions allow. After this comparison, the retained APIs and Permissions are used as the input to feature screening. The feature screening formula proposed in this thesis is based on the difference between the malicious APK dataset and the benign APK dataset in the total number of API occurrences and the total number of Permission occurrences: features with larger differences are retained, and features with smaller differences are removed. The screened APIs and Permissions then form the feature vectors used to train classification models with machine learning algorithms (Random Forest, SVM). We analyzed 26389 malicious and benign APKs in our experiments. The results show that the feature screening method used in this thesis achieves an accuracy of 95.03%; compared with other papers [6,17], accuracy increases by about 1~3% and 0.1~0.3%, respectively.
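Abstract (Chinese)
Abstract (English)
Acknowledgements
Table of Contents
List of Tables
List of Figures
1. Introduction
1.1 Research Motivation
1.2 Research Objectives
1.3 Thesis Organization
2. Related Work
2.1 Analysis Methods
2.2 Permission
2.2.1 Permission and API Architecture
2.2.2 Relationship Between Permission and API
2.3 Machine Learning
2.3.1 Machine Learning Workflow
2.3.2 Categories of Machine Learning
2.4 Support Vector Machine
2.5 Random Forest
2.6 The Method Proposed by Şahın et al.
2.7 The Method Proposed by Jung et al.
2.8 Chapter Discussion
3. Android Malware Detection Using API Calls and Permissions
3.1 System Architecture
3.2 Static Analysis
3.2.1 Extracting Permissions with the aapt Tool
3.2.2 Apktool Decompile
3.2.3 Example of Retaining the APIs Covered by the APK's Permissions
3.2.4 Algorithm Notation
3.3 Feature Screening
3.3.1 Algorithm Notation
3.3.2 Feature Screening Example
3.4 Chapter Discussion
4. Analysis and Discussion of Experimental Results
4.1 Experimental Environment
4.2 Experimental Results and Comparison
4.2.1 APK Samples and Experimental Results
4.2.2 Testing θ for Feature Screening
4.2.3 Random Forest Simulation Results
4.2.4 SVM Simulation Results
5. Conclusions and Future Research Directions
5.1 Conclusions
5.2 Future Research Directions
References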


[1] J. Akram, Z. Shi, M. Mumtaz, and P. Luo, “DroidCC: A Scalable Clone Detection Approach for Android Applications to Detect Similarity at Source Code Level,” 2018 IEEE 42nd Annual Computer Software and Applications Conference (COMPSAC), pp. 100-105, 2018.
[2] M. S. Alam and S. T. Vuong, “Random Forest Classification for Detecting Android Malware,” 2013 IEEE International Conference on Green Computing and Communications and IEEE Internet of Things and IEEE Cyber, Physical and Social Computing, pp. 663-669, 2013.
[3] T. Cho, H. Kim, and J. H. Yi, “Security Assessment of Code Obfuscation Based on Dynamic Monitoring in Android Things,” IEEE Access, Vol. 5, pp. 6361-6371, 2017.
[4] Z. Fang, W. Han, and Y. Li, “Permission based Android security: Issues and countermeasures,” Computers & Security, Vol. 43, pp. 205-218, 2014.
[5] A. Feizollah, N. B. Anuar, R. Salleh, and A. W. A. Wahab, “A review on feature selection in mobile malware detection,” Digital Investigation, Vol. 13, pp. 22-37, 2015.
[6] J. Jung, H. Kim, D. Shin, M. Lee, H. Lee, S. Cho, and K. Suh, “Android Malware Detection Based on Useful API Calls and Machine Learning,” 2018 IEEE First International Conference on Artificial Intelligence and Knowledge Engineering (AIKE), pp. 175-178, 2018.
[7] E. B. Karbab, M. Debbabi, A. Derhab, and D. Mouheb, “MalDozer: Automatic framework for android malware detection using deep learning,” Digital Investigation, Vol. 24, pp. S48-S59, 2018.
[8] J. Lee, S. Lee, and H. Lee, “Screening smartphone applications using malware family signatures,” Computers & Security, Vol. 52, pp. 234-249, 2015.
[9] J. Li, L. Sun, Q. Yan, Z. Li, W. Srisa-an, and H. Ye, “Significant Permission Identification for Machine-Learning-Based Android Malware Detection,” IEEE Transactions on Industrial Informatics, Vol. 14, No. 7, pp. 3216-3225, 2018.
[10] L. Li, T. F. Bissyandé, Y. L. Traon, and J. Klein, “Accessing Inaccessible Android APIs: An Empirical Study,” 2016 IEEE International Conference on Software Maintenance and Evolution (ICSME), pp. 411-422, 2016.
[11] J. Milosevic, M. Malek, and A. Ferrante, “Time, accuracy and power consumption tradeoff in mobile malware detection systems,” Computers & Security, Vol. 82, pp. 314-328, 2019.
[12] N. Milosevic, A. Dehghantanha, and K.-K. R. Choo, “Machine learning aided Android malware classification,” Computers & Electrical Engineering, Vol. 61, pp. 266-274, 2017.
[13] V. Moonsamy, J. Rong, and S. Liu, “Mining permission patterns for contrasting clean and malicious android applications,” Future Generation Computer Systems, Vol. 36, pp. 122-132, 2014.
[14] M. Nezhadkamali, S. Soltani, and S. A. H. Seno, “Android malware detection based on overlapping of static features,” 2017 7th International Conference on Computer and Knowledge Engineering (ICCKE), pp. 319-325, 2017.
[15] V. P, A. Zemmari, and M. Conti, “A machine learning based approach to detect malicious android apps using discriminant system calls,” Future Generation Computer Systems, Vol. 94, pp. 333-350, 2019.
[16] P. Palumbo, L. Sayfullina, D. Komashinskiy, E. Eirola, and J. Karhunen, “A pragmatic android malware detection procedure,” Computers & Security, Vol. 70, pp. 689-701, 2017.
[17] D. Ö. Şahın, O. E. Kural, S. Akleylek, and E. Kiliç, “New results on permission based static analysis for Android malware,” 2018 6th International Symposium on Digital Forensic and Security (ISDFS), pp. 1-4, 2018.
[18] A. Saracino, D. Sgandurra, G. Dini, and F. Martinelli, “MADAM: Effective and Efficient Behavior-based Android Malware Detection and Prevention,” IEEE Transactions on Dependable and Secure Computing, Vol. 15, No. 1, pp. 83-97, 2018.
[19] G. Tao, Z. Zheng, Z. Guo, and M. R. Lyu, “MalPat: Mining Patterns of Malicious and Benign Android Apps via Permission-Related APIs,” IEEE Transactions on Reliability, Vol. 67, No. 1, pp. 355-369, 2018.
[20] S. Y. Yerima and S. Sezer, “DroidFusion: A Novel Multilevel Classifier Fusion Approach for Android Malware Detection,” IEEE Transactions on Cybernetics, Vol. 49, No. 2, pp. 453-466, 2019.
[21] S. Y. Yerima, S. Sezer, and I. Muttik, “High accuracy android malware detection using ensemble learning,” IET Information Security, Vol. 9, No. 6, pp. 313-320, 2015.
[22] Mobile Malware Report - no let-up with Android malware: https://www.gdatasoftware.com/news/2019/07/35228-mobile-malware-report-no-let-up-with-android-malware
[23] R Language | Decision Tree Family: The Random Forest Algorithm: https://blog.csdn.net/sinat_26917383/article/details/51308061
[24] How to Tell a Good Machine Learning Model from a Bad One? Understanding the Confusion Matrix in Seconds: https://www.ycc.idv.tw/confusion-matrix.html
[25] Malicious APK dataset: https://virusshare.com/
[26] Benign APK dataset: https://archive.org/details/playdrone-apks
[27] Introduction to SVM: https://rpubs.com/skydome20/R-Note14-SVM-SVR
[28] Permissions overview: https://developer.android.com/guide/topics/permissions/overview
