Please use this identifier to cite or link to this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/96549
Title: Anti-Evasion Techniques for Static and Dynamic Android Malware Detection (使用反規避技術在靜態和動態分析中檢測安卓惡意軟體)
Authors: Yun-Chung Chen (陳允中)
Advisor: Tsung-Nan Lin (林宗男)
Keyword: Android Malware Detection, Android Static Analysis, Android Dynamic Analysis, Anti-Evasive Technique, Code Deobfuscation, Feature Interaction, Timebomb
Publication Year: 2025
Degree: Doctoral
Abstract: With over 1.5 million applications available on Google Play, Android has become a prime target for cybercriminals. Traditional malware detection methods often fail against sophisticated evasive techniques such as code obfuscation, timebombs, and environment checks. This dissertation addresses these challenges by proposing a static and a dynamic analysis strategy to detect evasive Android malware. Our approach includes the use of code deobfuscation tools, interaction terms to mitigate interference caused by application size, and a dynamic anti-timebomb framework. Our static analysis approach utilizes a code deobfuscation tool to recover original API calls from obfuscated ones. The experimental results show that some recovered API calls are identified as important features by the malware detection models. Additionally, we propose several obfuscation-invariant features, which have also been identified as important features. Our static malware detection model achieves 99.55% accuracy and a 94.61% F1-score on the Drebin dataset, outperforming existing methods. Our dynamic analysis framework is specifically designed to counteract time-related triggers, commonly known as TimeBombs, by intercepting time-related API calls. To advance research in this area, we propose a benchmark application dataset for Android TimeBomb analysis, encompassing eight common TimeBomb techniques. Our approach successfully defuses five out of the eight techniques, including two that previous methods failed to address. Experimental results using the Drebin dataset demonstrate that our framework significantly enhances the performance of dynamic Android malware detection systems.
URI: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/96549
DOI: 10.6342/NTU202500248
Fulltext Rights: Authorization granted (open access worldwide)
Embargo Lift Date: 2025-02-20
Appears in Collections: Department of Electrical Engineering (電機工程學系)

Files in This Item:
File | Size | Format
ntu-113-1.pdf | 7.65 MB | Adobe PDF