National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統)

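Graduate student: Chung-Han Hsu (許中瀚)
Thesis title: On the Usability of Control Flow Graph for Detecting Android Malware
Thesis title (original): 基於Control Flow Graph進行Android惡意程式偵測的可用性分析
Advisor: Chun-Ying Huang (黃俊穎)
Oral defense committee: Chun-Ying Huang (黃俊穎), Cheng-Hsin Hsu (徐正炘), Sheng-Wei Chen (陳昇瑋)
Oral defense date: 2014-07-02
Degree: Master's
Institution: National Taiwan Ocean University (國立臺灣海洋大學)
Department: Department of Computer Science and Engineering (資訊工程學系)
Discipline: Engineering
Field: Electrical and computer engineering
Thesis type: Academic thesis
Year of publication: 2014
Graduation academic year: 102
Language: Chinese
Pages: 37
Keywords: Android, Control Flow Graph, Androguard, signature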
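Mobile devices are developing rapidly, and the numbers of users and apps keep growing; as a result, more and more malicious apps are being widely distributed. People use tools to tell good programs from bad ones. A common one is Androguard, which compares similarity using signatures derived from the control flow graph (CFG) of an APK. In our previous research, signatures generated purely from control flow graphs could effectively identify more than 95% of malware, but more than 40% of benign programs were also misclassified as malware.
Past work on app analysis falls mainly into two categories: static analysis and dynamic analysis. Although static analysis can reach a TPR (true positive rate) above 90%, its FPR (false positive rate) is also 15~39%. Dynamic analysis basically builds a sandbox, runs the app inside it, and then observes its behavior. The results of such methods are no better than those of static analysis, yet they consume a lot of resources and time.
Given these considerations, we try combining two static analyses into a hybrid detection mechanism. This thesis examines the feasibility of using CFGs to identify malware and tries pairing them with other methods to see whether the results improve. In this study, CFG analysis alone yields a TPR of 98.8% and an FPR of 63.2%. After adding another static analysis to form a hybrid detection system, the FPR drops substantially to 4.8% at a TPR of 95.5%. We hope our observations and analysis of CFGs will be helpful to future research.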

The rapid development of mobile devices makes them a valuable target for malicious attackers. Therefore, many tools have been developed to detect malicious applications that attempt to compromise mobile devices. In this paper, we discuss the usability of control flow graphs (CFG) for detecting malicious applications. CFG is the representation used by the Androguard tool to construct malware signatures. We first develop an algorithm to automatically generate CFG-based signatures. However, although the resulting signatures have a good detection rate (95%+), they also produce a false positive rate of approximately 40%.
To maintain both detection efficiency and accuracy, we adopt another static mechanism that detects malicious applications by using their requested permissions. By combining the two static solutions, we finally achieve the same detection rate (95%+) and reduce the false positive rate to less than 5%.

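Chapter 1 Introduction
Chapter 2 Related Work
2.1 Research Motivation
2.2 Static Analysis
2.3 Dynamic Analysis
Chapter 3 System Design
3.1 Experimental Environment
3.2 Androguard: A Malicious APK Analysis Toolkit
3.3 System Architecture
3.3.1 CFG-Based Analysis Method
3.3.2 Permission-Based Analysis Method
3.3.3 Discussion
Chapter 4 Experimental Results
Chapter 5 Conclusion and Future Work
Chapter 6 References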
