Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/54349
Full metadata record
DC Field | Value | Language
dc.contributor.advisor | 王勝德 (Sheng-De Wang) |
dc.contributor.author | Yu-Chen Chang | en
dc.contributor.author | 張宇丞 | zh_TW
dc.date.accessioned | 2021-06-16T02:51:52Z | -
dc.date.available | 2017-07-20 |
dc.date.copyright | 2015-07-20 |
dc.date.issued | 2015 |
dc.date.submitted | 2015-07-13 |
dc.identifier.uri | http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/54349 | -
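dc.description.abstract | This thesis proposes the concept of attack scenarios. Attack scenarios are learned and selected from malicious applications and described in terms of Android APIs, thereby characterizing Android malware. Because attack scenarios produce almost no false positives, they are well suited as a pre-filter for machine-learning methods, raising the malware detection rate at low false-positive rates. By combining them with different machine-learning methods, we demonstrate the effect of the proposed method on improving the detection rate. To validate the method, this thesis analyzes 20,914 applications, of which 3,145 are malicious, and runs experiments with KNN and SVM, two machine-learning methods that perform well in static-analysis detection. The experimental results show that the method, combined with different classifiers, effectively increases the malware detection rate: combined with KNN and SVM respectively, it reaches a 95.9% detection rate at a 1% false-positive rate and a 95.9% detection rate at a 0.1% false-positive rate. | zh_TW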
dc.description.abstract | In this paper, we propose the concept of attack scenarios, learned and selected from a set of malicious applications and described by sets of Android APIs, to characterize Android malware. Because attack scenarios produce almost no false positives, they can be used as a pre-filter for machine-learning-based detectors to enhance detection performance at low false-positive rates. By combining attack scenarios with different machine learning techniques, we demonstrate that the proposed approach can increase detection rates. To evaluate our approach, we analyze 20,914 Android applications, including 3,145 malicious samples, with two different machine learning techniques, KNN and SVM. The experimental results show that the proposed approach can raise the detection rate to as high as 95.9% of malware at a 1% false-positive rate and 95.9% of malware at a 0.1% false-positive rate with KNN and SVM, respectively. | en
dc.description.provenance | Made available in DSpace on 2021-06-16T02:51:52Z (GMT). No. of bitstreams: 1. ntu-104-R02921033-1.pdf: 1086408 bytes, checksum: 79b1a3a36cb7a246deb66225317fe250 (MD5). Previous issue date: 2015 | en
dc.description.tableofcontents |
Oral Examination Committee Certification
Abstract (Chinese)
ABSTRACT
CONTENTS
LIST OF FIGURES
LIST OF TABLES
Chapter 1 Introduction
1.1 Motivation
1.2 Approach Overview
1.3 Contribution
1.4 Thesis Organization
Chapter 2 Related Works
2.1 Static Analysis
2.2 Dynamic Analysis
Chapter 3 Framework
3.1 Preprocessing
3.1.1 Parsing Manifest File
3.1.2 Decompiling DEX File
3.2 Feature Selection
3.2.1 Critical Permissions and APIs
3.3 Attack Scenario
3.3.1 Extraction
3.3.2 Validation
3.3.3 Matching
3.4 Learning Algorithm and Classification Model
3.4.1 K-nearest Neighbors Algorithm
3.4.2 Support Vector Machine
Chapter 4 Experiment
4.1 Implementation
4.1.1 Dataset
4.1.2 Tools
4.2 Evaluation Metrics
4.3 Experiment Result
4.3.1 Attack Scenario for Malware Families
4.3.2 Attack Scenarios in Different Scales of Dataset
4.3.3 Attack Scenarios as Features in Detection Model
4.3.4 Runtime Performance
Chapter 5 Discussion
5.1 Other Features
5.2 Malware Evasion Techniques
5.3 Future Work
Chapter 6 Conclusion
REFERENCE
dc.language.iso | en |
dc.subject | machine learning | zh_TW
dc.subject | Android | zh_TW
dc.subject | malware | zh_TW
dc.subject | static analysis | zh_TW
dc.subject | attack scenario | zh_TW
dc.subject | Android | en
dc.subject | malware detection | en
dc.subject | static analysis | en
dc.subject | attack scenario | en
dc.subject | machine learning | en
dc.title | 攻擊情境之概念及其在Android惡意程式偵測之應用 | zh_TW
dc.title | The Concept of Attack Scenarios and its Applications in Android Malware Detection | en
dc.type | Thesis |
dc.date.schoolyear | 103-2 |
dc.description.degree | Master's |
dc.contributor.oralexamcommittee | 雷欽隆 (Chin-Laung Lei), 陳銘憲 (Ming-Syan Chen), 于天立 (Tian-Li Yu) |
dc.subject.keyword | Android, malware, static analysis, attack scenario, machine learning | zh_TW
dc.subject.keyword | Android, malware detection, static analysis, attack scenario, machine learning | en
dc.relation.page | 44 |
dc.rights.note | Paid license |
dc.date.accepted | 2015-07-14 |
dc.contributor.author-college | College of Electrical Engineering and Computer Science | zh_TW
dc.contributor.author-dept | Graduate Institute of Electrical Engineering | zh_TW
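Appears in collections: Department of Electrical Engineering

Files in this item:
File | Size | Format
ntu-104-1.pdf (not authorized for public access) | 1.06 MB | Adobe PDF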