Full metadata record
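| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | 張育妮 | en_US |
| dc.contributor.author | Chang, Yu-Ni | en_US |
| dc.contributor.author | 林盈達 | en_US |
| dc.contributor.author | Lin, Ying-Dar | en_US |
| dc.date.accessioned | 2014-12-12T02:33:53Z | - |
| dc.date.available | 2014-12-12T02:33:53Z | - |
| dc.date.issued | 2012 | en_US |
| dc.identifier.uri | http://140.113.39.130/cdrfb3/record/nctu/#GT070056051 | en_US |
| dc.identifier.uri | http://hdl.handle.net/11536/72006 | - |
| dc.description.abstract | Android is currently one of the most popular operating systems on mobile devices. Its popularity also makes it a frequent target for attackers. To detect and classify malware, we propose a three-phase behavior analysis method with high detection efficiency and high accuracy; the first two phases detect malware and the last phase classifies it. In the faster first phase, we use the permissions requested by applications together with Bayes' theorem to quickly filter out applications, reducing the number of samples passed to the slower second-phase analysis. In the second phase, we detect malware using system call sequences generated by longest common substring and N-gram. Finally, we use the cosine similarity of behavior or permission vectors to classify malware into known or unknown types. This thesis shows that, in terms of detection rate, two phases are more accurate than one phase; if the second phase uses longest common substring to generate system call sequences, the detection rate and false positive rate are 97% and 3%, respectively; if classification uses permission vectors, we can correctly identify 98% of malware as known types or new types. | zh_TW |
| dc.description.abstract | Android is one of the most popular operating systems adopted in mobile devices. The popularity also makes it an attractive target for attackers. To detect and classify malicious Android applications, we propose an efficient and accurate behavior-based solution with three phases. The first two phases detect malicious applications and the last phase classifies the detected malware. The “faster” first phase quickly filters out applications with their requested permissions judged by the Bayes model and therefore reduces the number of samples passed to the “slower” second phase, which detects malicious applications with their system call sequences matched by the longest common substring (LCS) or N-gram algorithm. Finally, we classify malware into known or unknown types based on cosine similarity of behavior or permission vectors. Our experiments show that the two-phase detection approach works more accurately than a single-phase approach. It has a TP rate and a FP rate of 97% and 3%, respectively, with LCS in the second phase. More than 98% of samples can be classified correctly into known or new types based on permission vectors. | en_US |
| dc.language.iso | en_US | en_US |
| dc.subject | Android | zh_TW |
| dc.subject | malware | zh_TW |
| dc.subject | behavior analysis | zh_TW |
| dc.subject | permissions | zh_TW |
| dc.subject | system call | zh_TW |
| dc.subject | Bayes' theorem | zh_TW |
| dc.subject | longest common substring | zh_TW |
| dc.subject | N-gram | zh_TW |
| dc.subject | cosine similarity | zh_TW |
| dc.subject | Android | en_US |
| dc.subject | malware | en_US |
| dc.subject | behavior analysis | en_US |
| dc.subject | permissions | en_US |
| dc.subject | system call | en_US |
| dc.subject | Bayes | en_US |
| dc.subject | longest common subsequence | en_US |
| dc.subject | N-gram | en_US |
| dc.subject | cosine similarity | en_US |
| dc.title | Three-phase Android Malware Detection and Classification Based on Common Behaviors | zh_TW |
| dc.title | Three-phase Detection and Classification for Android Malware Based on Common Behaviors | en_US |
| dc.type | Thesis | en_US |
| dc.contributor.department | Institute of Computer Science and Engineering | zh_TW |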
Appears in Collections: Thesis


Files in This Item:

  1. 605101.pdf

If it is a zip file, please download the file and unzip it, then open index.html in a browser to view the full text content.