Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/54891
Full metadata record
DC field: value (language)
dc.contributor.advisor: 王勝德 (Sheng-De Wang)
dc.contributor.author: Che-Hsun Liu (en)
dc.contributor.author: 劉哲勳 (zh_TW)
dc.date.accessioned: 2021-06-16T03:40:50Z
dc.date.available: 2017-03-16
dc.date.copyright: 2015-03-16
dc.date.issued: 2015
dc.date.submitted: 2015-02-13
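dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/54891
dc.description.abstract: As more and more malware targets the Android platform, malware detection on that platform has become a very popular research area. Across the many papers on the subject, the naive Bayes classifier is a very common technique; however, we found that it performs unsatisfactorily on the Contagio Malware Dump dataset, possibly because it does not account for dependencies among features.
This thesis proposes a lightweight malware detection method for applications on the Android platform, intended to improve the accuracy of Bayesian classifiers on the Contagio Malware Dump dataset. Static analysis first extracts the malicious features of an application, principal component analysis then reduces the dependencies among the features, and a hidden naive Bayes probabilistic model infers the likelihood that the application is malware. This thesis analyzed 18,723 applications, of which 3,150 were malware, and the experiments yielded a 94.5% detection rate and a 1.0% false positive rate. The experiments also demonstrate the feasibility of the method on mobile phones.
(zh_TW)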
dc.description.abstract: Android malware detection has been a popular research topic due to the non-negligible amount of malware targeting the Android operating system. In particular, the naive Bayes generative classifier is a common technique widely adopted in many papers. However, we found that the naive Bayes classifier performs poorly on the Contagio Malware Dump dataset, which could result from its assumption that no feature dependency exists.
In this paper, we propose a lightweight method for Android malware detection that improves the performance of Bayesian classification on the Contagio Malware Dump dataset. It performs static analysis to gather malicious features from an application and applies principal component analysis to reduce the dependencies among them. With the hidden naive Bayes model, we can infer the identity of the application. In an evaluation with 15,573 normal applications and 3,150 malicious samples, our work detects 94.5% of the malware with a false positive rate of 1.0%. The experiment also shows that our approach is feasible on smartphones.
(en)
dc.description.provenance: Made available in DSpace on 2021-06-16T03:40:50Z (GMT). No. of bitstreams: 1
ntu-104-R01921044-1.pdf: 537416 bytes, checksum: 07a4c4f654909a4dd0d43717a2b9f4a4 (MD5)
Previous issue date: 2015
(en)
dc.description.tableofcontents:
1 Introduction
2 Related Work
2.1 Static Analysis Approaches
2.2 Dynamic Analysis Approaches
3 Classification Models
3.1 Problem Description
3.2 Naive Bayes Models
3.3 Hidden Naive Bayes Models
3.4 Principal Component Analysis
4 Methodology
4.1 Feature Extraction
4.1.1 Parsing Manifest
4.1.2 Decompiling Dalvik Executable
4.2 Feature Selection
4.2.1 Mutual Information
4.2.2 Permissions
4.2.3 API Calls
5 Evaluation
5.1 Dataset
5.2 Evaluation Metrics
5.3 Experimental Results
5.3.1 Performance against Related Works
5.3.2 Detection for Malware Families
5.3.3 Runtime Performance
6 Conclusion
References
dc.language.iso: en
dc.subject: Bayesian inference (zh_TW)
dc.subject: computer security (zh_TW)
dc.subject: Android (zh_TW)
dc.subject: malware (zh_TW)
dc.subject: static analysis (zh_TW)
dc.subject: machine learning (zh_TW)
dc.subject: Bayesian inference (en)
dc.subject: computer security (en)
dc.subject: Android (en)
dc.subject: malware detection (en)
dc.subject: static analysis (en)
dc.subject: machine learning (en)
dc.title: 基於貝氏推論之新型 Android 惡意程式偵測 (zh_TW)
dc.title: A Novel Android Malware Detection Using Bayesian Inference (en)
dc.type: Thesis
dc.date.schoolyear: 103-1
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 雷欽隆 (Chin-Laung Lei), 陳銘憲 (Ming-Syan Chen), 于天立 (Tian-Li Yu)
dc.subject.keyword: computer security, Android, malware, static analysis, machine learning, Bayesian inference (zh_TW)
dc.subject.keyword: computer security, Android, malware detection, static analysis, machine learning, Bayesian inference (en)
dc.relation.page: 35
dc.rights.note: Paid authorization
dc.date.accepted: 2015-02-13
dc.contributor.author-college: College of Electrical Engineering and Computer Science (zh_TW)
dc.contributor.author-dept: Graduate Institute of Electrical Engineering (zh_TW)
Appears in collections: Department of Electrical Engineering

Files in this item:
File: ntu-104-1.pdf (not authorized for public access)
Size: 524.82 kB
Format: Adobe PDF
Items in the system are protected by copyright, with all rights reserved, unless their copyright terms are specifically indicated otherwise.
