DMFF：利用家族特性進行惡意軟體偵測

Abstract

移動裝置使用族群成長快速，人們已習慣將資訊儲存在手機上面，同時也造成移動裝置遭逢攻擊的可能性日益增加。手機的攻擊手法變化多端，惡意軟體即為其中一種針對移動裝置的攻擊方式。例如惡意軟體可藉由收發 SMS 來攻擊受害者導致其遭遇到資料隱私的洩漏或錢財上的損失。為了提升安全上的保護措施，近年來專家學者提出多種偵測惡意軟體的方法，其中 Datasets 這個網站針對惡意軟體定義出了四種惡意家族，讓專家們更容易偵測惡意軟體。由於 Datasets 並未提供自動化工具以偵測惡意軟體，因此我們在本論文中提出 DMFF ( Detecting Malware by its Family Features ) 框架，提供使用者偵測惡意軟體，並區分其所屬家族。 DMFF 包含了四個階段，分別是抽取階段 ( Extracting ) 、訓練階段 ( Training ) 、測試階段 ( Testing ) 以及更新且重新訓練階段 ( Update \& Retraining ) 。抽取階段從每一軟體中的設定文件取出 Permission 和 Service，並在訓練階段進行統計，以矩陣運算產生出每個惡意家族的模型參數 k 。接著測試階段以參數 k 來判別惡意軟體，並進一步的分類其所屬家族且指出惡意行為表現。而更新且重新訓練階段則產生新的模型參數。我們設計了四個實驗以179隻惡意軟體和200隻正常軟體來驗證此框架的偵測準確度。前三個實驗係針對此框架在惡意家族分類上的準確度，分別以 permission 、 service 以及複合使用來看其效能表現，第四個實驗則著重於 DMFF 在辨識正常軟體上的準確度。實驗結果顯示 DMFF 能以97.42\%的準確度分辨正常軟體與惡意軟體，並能夠以82\%的準確度分類惡意軟體所屬的惡意家族。因此， DMFF 能夠偵測惡意軟體並且根據其行為將其分類到所屬的惡意家族中。

The population of mobile users grows rapidly and people get used to storing information on a mobile device, hence the possibility under attack raises. Among the mobile attacks, malware is the most common attack and cause large damage for mobile users. For example, A victim may suffer from the information leakage or money lost causing by Short Message Service (SMS) attacks. To improve the security of a mobile device, experts have proposed many methods for malware detection. The website, Datasets, defines four malware families to simplify the detection of malware. In this thesis, we design DMFF (Detecting Malware by its Family Features) to provide an automation tool for categorizing them. DMFF comprises four stages, \textit{Extracting Stage}, \textit{Training Stage}, \textit{Testing Stage} and \textit{Update \& Retraining}. \textit{Extracting Stage} extracts Permission and Service from an application configuration file. \textit{Training Stage} applies matrix computation to generate system training model \textbf{k} for each malware family. The value \textbf{k} is used to detect a malware in DMFF to indicate its malicious behavior. The result then are forwarded to update the system model. To evaluate DMFF, four experiments with 179 malware and 200 normal samples involving are designed to test the accuracy on applying only Permission, only Service and the combination of both Permission and Service. The last experiment tests the accuracy on distinguishing benign application from malware. With 97.42\% accuracy on distinguishing benign application from malware and 82\% accuracy on categorizing malwares, DMFF is proved its ability to detect a malware and categorize the malware by its behavior.