National Digital Library of Theses and Dissertations in Taiwan (臺灣博碩士論文加值系統), thesis record

Author: 林劭軒 (Shau-Hsuan Lin)
Title (Chinese): 在Android裝置上的動態API側錄與執行序列分析
Title (English): Dynamic API-based Profiling and Execution Sequence Analysis for Android Devices
Advisor: 孫雅麗 (Ya-li Sun)
Committee: 李漢銘 (Hon-Ming Li), 李育杰 (Yuh-Jye Lee), 陳孟彰 (Meng-Chang Chen), 謝錫堃 (Hsi-Kun Hsieh)
Oral defense date: 2016-07-28
Degree: Master's
Institution: National Taiwan University (國立臺灣大學)
Department: Graduate Institute of Information Management (資訊管理學研究所)
Discipline: Computer science (電算機學門)
Sub-discipline: General computer science (電算機一般學類)
Thesis type: Academic thesis
Publication year: 2017
Academic year of graduation: 105 (ROC calendar, i.e. 2016-17)
Language: Chinese
Pages: 91
Keywords (Chinese): Android架構, Android安全, Android動態分析, 演化樹, 序列分析
Keywords (English): Android Architecture, Android Security, Android Dynamic Analysis, Dendrogram, Sequence Alignment
Abstract (translated from the Chinese):
Given the prevalence of smart devices and the huge variety of apps that run on them, an ordinary user has no practical way to tell whether an app carries out malicious behavior without their knowledge. This thesis therefore runs apps in a virtual environment, records their behavior and analyzes the recording.
We took the Android 4.4 source code and modified its built-in dynamic profiling tool so that, besides logging which APIs are called, it also captures each API's arguments and return value. For the dynamic analysis experiments, we parse an app's AndroidManifest.xml to learn how the app is triggered, and send fake broadcasts to fire its behavior.
The execution trace obtained from a run contains a very large number of API calls, so we define a Sensitive API set consisting of APIs that require a permission and APIs related to sensitive app actions. The trace is filtered against this set, and the API sequence that remains is called a profile.
From these profiles we want sequence analysis to extract shared sequences as malware features. Before alignment, all profiles are first fed to a dendrogram (hierarchical clustering) that builds a similarity tree between profiles and groups statistically close profiles together; each group is then aligned separately to produce the sequences its members share and those on which they differ. Using the Gone60 and ADRD malware families as examples, the thesis shows that this analysis recovers a family's basic feature (behavior present in every sample) as well as features that belong only to some samples.
Capturing a malware family's features gives a better understanding of what these programs do while running. Future work will analyze more families to obtain more kinds of features; the more features are extracted, the better we understand how a family operates, which in turn helps subsequent detection.
Abstract (English, as submitted):
There are many apps for mobile devices nowadays, but it is hard for a user to know whether an app executes malicious behaviors. This thesis runs apps, records their behaviors and then extracts their features.
We download the Android 4.4 OS source code and modify the default profiling tool to capture each API's runtime parameters and return value. When profiling malware behavior, we parse the app's AndroidManifest.xml to learn how it can be triggered, and trigger it by sending fake broadcasts.
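The manifest step described above, scripted the way a practitioner would do it, as an added example that is not the thesis's own tooling: parse a decoded AndroidManifest.xml, enumerate every broadcast receiver together with the actions its intent-filters accept, and emit the `adb shell am broadcast` commands that deliver each action explicitly to that receiver. The sample manifest, its package name, component names and actions are constructed for illustration. The manifest inside an APK is binary XML, so it has to be decoded first (for example with apktool) before it can be parsed like this.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (already decoded to plain XML); not a real app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.sample.SmsReceiver">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".WorkService"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _qualify(package, name):
    """Expand the short component-name forms the manifest format allows."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def manifest_permissions(manifest_xml):
    """All <uses-permission> names, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [_attr(p, "name") for p in root.iter("uses-permission")]


def receiver_triggers(manifest_xml):
    """Return (package, [(receiver_class, action), ...]) for every broadcast
    action that some <receiver> declares in an <intent-filter>."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    triggers = []
    for receiver in root.iter("receiver"):
        cls = _qualify(package, _attr(receiver, "name"))
        for action in receiver.iter("action"):
            triggers.append((cls, _attr(action, "name")))
    return package, triggers


def broadcast_commands(package, triggers):
    """Explicit `am broadcast` commands: -n names the receiver directly, so the
    fake event reaches it even though the emulator never raises the real one."""
    return ["adb shell am broadcast -a %s -n %s/%s" % (action, package, cls)
            for cls, action in triggers]


if __name__ == "__main__":
    pkg, trig = receiver_triggers(SAMPLE_MANIFEST)
    print("permissions:", manifest_permissions(SAMPLE_MANIFEST))
    for cmd in broadcast_commands(pkg, trig):
        print(cmd)
```

The adb shell uid may send protected broadcasts such as BOOT_COMPLETED that a third-party app is forbidden to send, which is what makes this kind of triggering possible from the host. Receivers that read extras from the intent (an SMS receiver expects PDUs, for instance) additionally need those extras synthesized, which this example does not attempt; a receiver whose branch depends on them may still be reached but will not exercise that path.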
Since the enormous number of APIs in an execution trace hampers analysis, we define a Sensitive API set consisting of APIs that need permissions or are related to sensitive actions. After filtering the execution trace, the remaining API sequence is regarded as the profile.
From those profiles we extract features through sequence alignment. First, all profiles are fed to a dendrogram to separate them into groups. Each group is then passed to the sequence alignment algorithm, which extracts the common and differing sequences within one malware family. We use Gone60 and ADRD to show how the method finds common and differing features in a malware family.
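The filtering, clustering and alignment pipeline of the two paragraphs above, as an added example that is not the thesis's code. The thesis does not name its alignment algorithm or its linkage rule, so this uses Needleman-Wunsch global alignment with unit match, mismatch and gap scores, an alignment-based distance, and single-linkage agglomerative clustering whose merge history is the data a dendrogram is drawn from. The Sensitive API set, the four execution traces and the 0.5 merge threshold are constructed for illustration and are not Gone60 or ADRD data.

```python
from itertools import combinations

# Constructed sensitive API set in the thesis's two classes: Ap = APIs guarded
# by a permission, As = APIs tied to sensitive actions. Illustrative names only.
PERMISSION_APIS = {"android.telephony.TelephonyManager.getDeviceId",
                   "android.telephony.SmsManager.sendTextMessage",
                   "android.location.LocationManager.getLastKnownLocation"}
SENSITIVE_ACTION_APIS = {"java.net.HttpURLConnection.connect",
                         "dalvik.system.DexClassLoader.<init>",
                         "java.lang.Runtime.exec"}
SENSITIVE_APIS = PERMISSION_APIS | SENSITIVE_ACTION_APIS

# Constructed execution traces, one per sample; not real Gone60/ADRD data.
GET_ID, CONNECT, SEND = ("android.telephony.TelephonyManager.getDeviceId",
                         "java.net.HttpURLConnection.connect",
                         "android.telephony.SmsManager.sendTextMessage")
TRACES = {
    "s1": ["java.lang.StringBuilder.append", GET_ID,
           "java.lang.StringBuilder.toString", CONNECT, SEND],
    "s2": [GET_ID, "java.util.ArrayList.add", CONNECT, SEND],
    "s3": [GET_ID, CONNECT, "dalvik.system.DexClassLoader.<init>", SEND],
    "s4": ["android.location.LocationManager.getLastKnownLocation",
           "java.lang.Runtime.exec"],
}


def make_profile(trace):
    """Drop every API outside the sensitive set; call order is preserved."""
    return [api for api in trace if api in SENSITIVE_APIS]


def align(a, b, match=1, mismatch=-1, gap=-1):
    """Needleman-Wunsch global alignment of two API sequences; a None in a
    returned pair marks a gap."""
    n, m = len(a), len(b)
    sub = lambda x, y: match if x == y else mismatch
    score = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        score[i][0] = i * gap
    for j in range(1, m + 1):
        score[0][j] = j * gap
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            score[i][j] = max(score[i - 1][j - 1] + sub(a[i - 1], b[j - 1]),
                              score[i - 1][j] + gap, score[i][j - 1] + gap)
    i, j, pairs = n, m, []
    while i > 0 or j > 0:  # trace back from the bottom-right cell
        if i > 0 and j > 0 and score[i][j] == score[i - 1][j - 1] + sub(a[i - 1], b[j - 1]):
            pairs.append((a[i - 1], b[j - 1])); i -= 1; j -= 1
        elif i > 0 and (j == 0 or score[i][j] == score[i - 1][j] + gap):
            pairs.append((a[i - 1], None)); i -= 1
        else:
            pairs.append((None, b[j - 1])); j -= 1
    pairs.reverse()
    return score[n][m], pairs


def distance(a, b):
    """1 - (aligned matches / longer length): 0.0 for identical profiles."""
    _, pairs = align(a, b)
    matches = sum(1 for x, y in pairs if x is not None and x == y)
    return 1.0 - matches / max(len(a), len(b), 1)


def cluster(profiles, threshold):
    """Single-linkage agglomerative clustering. Returns the groups left once
    every remaining merge would exceed `threshold`, plus the merge history."""
    dist = {frozenset(p): distance(profiles[p[0]], profiles[p[1]])
            for p in combinations(profiles, 2)}
    groups, merges = [[name] for name in profiles], []
    while len(groups) > 1:
        d, g1, g2 = min((min(dist[frozenset((x, y))] for x in a for y in b), a, b)
                        for a, b in combinations(groups, 2))
        if d > threshold:
            break
        groups.remove(g1); groups.remove(g2); groups.append(g1 + g2)
        merges.append((tuple(g1), tuple(g2), d))
    return groups, merges


def family_features(profiles):
    """Progressive alignment of one group: the APIs that survive every
    alignment are the family's basic feature (shared by all samples); what a
    sample has beyond them is a partial feature of that sample only."""
    seqs = list(profiles.values())
    common = seqs[0]
    for s in seqs[1:]:
        _, pairs = align(common, s)
        common = [x for x, y in pairs if x is not None and x == y]
    partial = {name: [api for api in seq if api not in common]
               for name, seq in profiles.items()}
    return common, partial


if __name__ == "__main__":
    profiles = {name: make_profile(t) for name, t in TRACES.items()}
    groups, merges = cluster(profiles, threshold=0.5)
    for g in groups:
        common, partial = family_features({n: profiles[n] for n in g})
        print(g, "common:", common, "partial:", partial)
```

On the constructed input, s1 and s2 collapse to the same profile once the non-sensitive calls are dropped, s3 differs from them only by the extra class-loader call (distance 0.25), and s4 shares nothing with the others (distance 1.0) and so stays in its own group. The progressive consensus is order-dependent, and an API that every sample calls is kept only if the alignment actually pairs it up at each step; an API that appears in every sample but moves far enough to be aligned against a gap would end up in the partial features instead.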
By extracting features from malware, we can understand how it works. We will analyze more malware families in the future to obtain more kinds of features. With those features we can classify a malware sample or detect whether an app has malicious behaviors.
Table of contents:
Acknowledgements
Abstract (Chinese)
Abstract (English)
Table of Contents
List of Figures
List of Tables
1. Introduction
2. Related work
3. Background
3.1 Android System Architecture
3.1.1 Android Application
3.1.2 Android Framework
3.1.3 Android Runtime
3.1.4 Android Native Layer
3.1.5 Android Linux Kernel
3.2 IPC mechanism
3.2.1 Binder
3.2.2 AIDL
3.2.3 Intent
3.3 Android Security Model
3.3.1 Authentication
3.3.2 Authorization
4. Profiling System Design
4.1 Experiment: Dynamic Analysis
4.1.1 Record APIs, their parameters and return values
4.1.2 Assure full coverage of malware behavior
4.2 Preprocessing
4.2.1 Permission APIs (Ap)
4.2.2 APIs that are related to sensitive actions (As)
5. Malware Behavior Analysis on Feature Profiles
5.1 Profile generation
5.2 Dendrogram
5.3 Alignment
6. Case Study
6.1 Gone60
6.2 ADRD
7. Limitation and Future work
8. Conclusion
9. References