攻擊情境之概念及其在Android惡意程式偵測之應用

Abstract

本論文提出攻擊情境之概念。攻擊情境自惡意程式中學習及選擇並且以AndroidAPI來描述，藉此表示Android惡意程式特性。由於攻擊情境幾乎不產生偽陽性的特徵，使其適合作為機器學習方法的前過濾器，以此來提升在偽陽性率低情況下的惡意程式偵測率。藉由搭配不同的機器學習方法，我們展示提出方法在提升偵測率上的效果。為了驗證本方法，本論文分析20,914個應用程式，其中含有3,145個惡意程式，並實驗在KNN與SVM這兩種靜態分析偵測效果良好的機器學習法上。實驗結果顯示本論文之方法搭配不同的分類方法均有效增加惡意程式偵測率，在搭配KNN及SVM分別可以達到95.9%偵測率在1%誤報率下以及95.9%偵測率在0.1%誤報率。

In this paper, we proposed the concept of attack scenarios, learned and selected from a set of malicious applications and described by sets of Android APIs, to characterize Android malware. Because of its characteristics that produce almost no false-positive, attack scenarios can be used as a pre-filter of machine-learning based detectors to enhance the detection performance at low false-positive rate. By combining different machine learning techniques, we demonstrate that the proposed approach can increase the detection rates. To evaluate our approach, we analyze 20,914 Android application containing 3,145 malicious samples on two different machine learning techniques, KNN and SVM. The experiment results show that the proposed approach can raise the detection rate up to 95.9% malware at 1% false positive rate and 95.9% malware at 0.1% false positive rate respectively.