Full metadata record
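| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | 陳健宏 | en_US |
| dc.contributor.author | 林盈達 | en_US |
| dc.contributor.author | Lin, Ying-Dar | en_US |
| dc.date.accessioned | 2014-12-12T01:59:43Z | - |
| dc.date.available | 2014-12-12T01:59:43Z | - |
| dc.date.issued | 2011 | en_US |
| dc.identifier.uri | http://140.113.39.130/cdrfb3/record/nctu/#GT079956547 | en_US |
| dc.identifier.uri | http://hdl.handle.net/11536/50578 | - |
| dc.description.abstract | As mobile devices grow in computing power and popularity, the applications offered on phones have become increasingly diverse, but they have also become a new attack target for system security. On the currently popular Android platform, attackers can use repackaging and obfuscation techniques to hide malicious code in multiple seemingly ordinary applications at once for distribution, making malware detection and analysis on Android more time-consuming and difficult. However, even though applications repackaged with malicious code look different, the same malicious code still produces the same behavior, so we propose a behavior detection method for applications based on system call sequences. This method finds common subsequences in the system call sequences produced by multi-threaded malicious programs, and uses a Bayesian probability model to select the system call sequences that have a higher probability of appearing in malicious applications but a lower probability of appearing when benign applications run. Finally, we use these extracted system call sequences to scan the system call sequences executed by the application under test. We use five types of applications repackaged with malicious code and one hundred benign applications to evaluate accuracy; across all types, our method achieves a high accuracy of 97.6%, and of all 25 malicious applications tested, only one was not identified. | zh_TW |
| dc.description.abstract | As mobile applications become popular, they become the new target of attackers. On Android platforms, adversaries can easily repackage malicious code into different benign applications for distribution. Detecting and analyzing malicious applications has therefore become a challenge on Android. Though the repackaged applications have different outward appearances, the same malicious behaviors still appear at runtime. Therefore, we propose a behavior-based detection mechanism based on system call sequences. We extract the common system call subsequences of malicious applications and propose a comparison approach to deal with the multiple threads produced by the applications. We also utilize the Bayes probability model to filter subsequences that have a lower probability of appearance in the repackaged applications. Finally, we can detect repackaged applications using those extracted subsequences. In our experiment, we use five different types of repackaged applications and 100 benign applications to evaluate the accuracy rate. The detection result demonstrates that our approach achieves a high accuracy of 97.6%. We evaluate 25 repackaged applications and miss only one evaluated target. | en_US |
| dc.language.iso | en_US | en_US |
| dc.subject | malicious applications | zh_TW |
| dc.subject | behavior-based detection | zh_TW |
| dc.subject | system call | zh_TW |
| dc.subject | Android | zh_TW |
| dc.subject | malicious applications | en_US |
| dc.subject | behavior-based detection | en_US |
| dc.subject | system call | en_US |
| dc.subject | Android | en_US |
| dc.title | Detecting Malicious Applications on the Android Platform Using Behavioral Similarity | zh_TW |
| dc.title | Identifying Malicious Applications by Behavioral Similarity on Android Platforms | en_US |
| dc.type | Thesis | en_US |
| dc.contributor.department | Institute of Network Engineering | zh_TW |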
Appears in Collections: Thesis


Files in This Item:

  1. 654701.pdf

If it is a zip file, please download the file and unzip it, then open index.html in a browser to view the full text content.