Please use this Handle URI to cite this document: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/51982
Full metadata record
DC Field: Value [Language]
dc.contributor.advisor: 王勝德
dc.contributor.author: Wei Chang [en]
dc.contributor.author: 張崴 [zh_TW]
dc.date.accessioned: 2021-06-15T14:01:07Z
dc.date.available: 2017-08-21
dc.date.copyright: 2015-08-21
dc.date.issued: 2015
dc.date.submitted: 2015-08-20
dc.identifier.citation:
[1] T. Luo, H. Hao, W. Du, Y. Wang, and H. Yin, Attacks on webview in the android system, in Proceedings of the 27th Annual Computer Security Applications Conference, ACSAC, 2011.
[2] L. Breiman, J. Friedman, R. Olshen, and C. Stone, Classification and regression trees, Calif.: Wadsworth, 1984.
[3] M. L. Polla, F. Martinelli, and D. Sgandurra, A Survey on Security for Mobile Devices, in IEEE Commun. Surveys & Tutorials, 2012.
[4] X. Jin, T. Luo, D. G. Tsui, and W. Du, Code Injection Attacks on HTML5-based Mobile Apps, in Mobile Security Technologies (MoST), 2014.
[5] X. Jin, X. Hu, K. Ying, W. Du, Y. Heng, and G. Peri, Code injection attacks on HTML5-based mobile apps: Characterization, detection and mitigation, in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 2014.
[6] M. Georgiev, S. Jana, and V. Shmatikov, Breaking and Fixing Origin-Based Access Control in Hybrid Web/Mobile Application Frameworks, in Proceedings of the Network and Distributed System Security Symposium (NDSS), 2014.
[7] M.C. Grace, W. Zhou, X. Jiang and A.R. Sadeghi, Unsafe exposure analysis of mobile in-app advertisements, in Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks, 2012.
[8] D. Jaramillo, R. Smart, B. Furht, A. Agarwal, A secure extensible container for hybrid mobile applications, in Proceedings of IEEE.pp.1,5, 2013.
[9] X. Jin, L. Wang, T. Luo, and W. Du, Fine-Grained Access Control for HTML5-Based Mobile Applications in Android, in Proceedings of the 16th Information Security Conference (ISC), 2013.
[10] R. Wang, L. Xing, X.F. Wang and S. Chen, Unauthorized origin crossing on mobile platforms: Threats and Mitigation, in Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security, 2013.
[11] J. Yu and T. Yamauchi, Access control to prevent attacks exploiting vulnerabilities of WebView in android OS, in Proceedings of the IEEE International Conference on High Performance Computing and Communications, 2013.
[12] B. Settles, Active Learning Literature Survey, in Computer Sciences Technical Report 1648, University of Wisconsin-Madison, 2010.
[13] A. Ghasemi, H. R. Rabiee, M. Fadaee, M. T. Manzuri and M. H. Rohban, 'Active learning from positive and unlabeled data,' in 11th IEEE International Conference on Data Mining Workshops, pp. 244-250, 2011.
[14] B. Miller, A. Kantchelian, S. Afroz, R. Bachwani, E. Dauber, L. Huang and M. Carl, 'Adversarial Active Learning,' in Proceeding of the 2014 Workshop on Artificial Intelligent and Security Workshop AI, pp. 3-14, 2014.
[15] A. Ghasemi, M.T. Manzuri, H.R. Rabiee, M.H. Rohban and S. Haghiri, Active One-Class Learning by Kernel Density Estimation, in Proceedings of IEEE International Workshop on Machine Learning for Signal Processing (MLSP), 2011.
[16] L. Zhang, Y. Sun, D. Meng and X. Li, Anomaly Detection for Hyperspectral Imagery Based on Incremental Support Vector Data Description, in Proceedings of International Conference on Multimedia Technology (ICMT), 2010.
[17] C.H. Ho, M.H. Tsai and C.J. Lin, Active Learning and Experimental Design with SVMs, in Journal of Machine Learning Research - Proceedings Track 16, 71-84, 2011.
[18] N. Görnitz, M. Kloft, K. Rieck and U. Brefeld, Active Learning for Network Intrusion Detection, in Proceedings of the 2nd ACM workshop on Security and artificial intelligence(AIsec), 2009.
[19] Y. Gu and Z. Zydek, Active Learning for Intrusion Detection, in Proceedings of Wireless Research Collaboration Symposium (NWRCS), 2014.
[20] 'Abusing WebView JavaScript Bridges,' [Online]. Available: http://d3adend.org/blog/?p=314.
[21] 'Genymotion,' [Online]. Available: https://www.genymotion.com/#!/.
[22] 'VirtualBox,' [Online]. Available: https://www.virtualbox.org/.
[23] 'Android Debug Bridge,' [Online]. Available: http://developer.android.com/tools/help/adb.html.
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/51982
dc.description.abstract [zh_TW]: Hybrid mobile applications are now used extensively on smartphones. These applications are built with HTML5 and the native language of the mobile operating system. Developers use the WebView component to load HTML5 web pages and use the addJavascriptInterface API to register a communication channel between the WebView and the native language. However, these communication channels can give rise to security hazards. A malicious web page may be loaded by the WebView and use these channels to attack the phone. In this thesis, we propose a framework to protect this communication channel. The framework consists of two parts: the first uses fine-grained access control to prevent malicious web pages from accessing the communication channel, and the second uses machine learning to detect whether use of the communication channel is normal. According to the experimental results, this framework can effectively prevent malicious access to the communication channel.
dc.description.abstract [en]: Hybrid mobile applications are widely used on modern smartphones. These applications are implemented in HTML5 and the native language of the operating system. Developers use WebView components to wrap the HTML5 part and register a communication channel between the WebView and the native-language part. However, the communication channel is vulnerable: malicious web pages may be loaded in the WebView and attack the device through the communication channel. In this thesis, we propose a framework to protect the communication channel. The framework has two parts. The first is fine-grained access control, which protects the communication channel. The second is malicious bridge API call detection, which detects malicious usage of the communication channel. According to the experimental results, the proposed framework blocks malicious access efficiently. Moreover, the second approach achieves high accuracy while reducing the amount of labeled training data.
dc.description.provenance [en]: Made available in DSpace on 2021-06-15T14:01:07Z (GMT). No. of bitstreams: 1
ntu-104-R02921028-1.pdf: 1167928 bytes, checksum: 0c49014e5c0bd6b637bcadcf02bea82b (MD5)
Previous issue date: 2015
dc.description.tableofcontents:
CONTENTS
Chinese Abstract
ABSTRACT
CONTENTS
LIST OF FIGURES
Chapter 1 Introduction
1.1 Background
1.2 The Problem
1.3 Goal
1.4 Thesis Organization
Chapter 2 Related Work
Chapter 3 Methodology
3.1 Fine-grained Access Control
3.1.1 Permission Configuration File of Bridge API
3.1.2 Tokenization
3.1.3 Attack Scenario
3.1.4 Limitation of FAC
3.2 Bridge API Anomaly Detection
3.2.1 Active Learning
3.2.2 Features
3.2.3 Classification and sampling strategy
3.3 The Framework
Chapter 4 Experiment
4.1 Environment
4.2 Evaluation of Fine-Grained Access Control
4.3 Evaluation of Bridge API Access Anomaly Detection
Chapter 5 Conclusion and Future Work
REFERENCE
dc.language.iso: en
dc.subject: Machine Learning [zh_TW]
dc.subject: Smartphone [zh_TW]
dc.subject: Information Security [zh_TW]
dc.subject: Security [en]
dc.subject: Machine Learning [en]
dc.subject: Active Learning [en]
dc.subject: Tokenization [en]
dc.subject: WebView [en]
dc.subject: HTML5 [en]
dc.subject: Android [en]
dc.title: 混合式Android應用程式安全機制之研究 [zh_TW]
dc.title: A Security Mechanism for Android HTML5 Web Applications [en]
dc.type: Thesis
dc.date.schoolyear: 103-2
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 于天立, 鄧惟中
dc.subject.keyword: Smartphone, Information Security, Machine Learning [zh_TW]
dc.subject.keyword: Android, Security, HTML5, WebView, Tokenization, Active Learning, Machine Learning [en]
dc.relation.page: 32
dc.rights.note: Paid license
dc.date.accepted: 2015-08-20
dc.contributor.author-college: College of Electrical Engineering and Computer Science [zh_TW]
dc.contributor.author-dept: Graduate Institute of Electrical Engineering [zh_TW]
Appears in Collections: Department of Electrical Engineering

Files in This Item:
File: ntu-104-1.pdf (not authorized for public access)
Size: 1.14 MB
Format: Adobe PDF