Title: 針對行動作業系統之異常偵測: 以Firefox OS為例
Anomaly Detection for Mobile OS: Firefox OS as an Example
Authors: 石銘威
Shih, Ming-Wei
黃育綸
Huang, Yu-Lun
電控工程研究所
Keywords: 行動作業系統;異常偵測;火狐移動作業系統;mobile OS;anomaly detection;firefox OS
Issue Date: 2012
Abstract: 隨著行動作業系統的快速發展,系統安全已成為行動通訊網路中一項重要的議題。行動作業系統大都設計一些安全機制,以預防系統受到攻擊,或是降低受到系統攻擊所帶來的風險。 異常偵測是一種用來判斷資料是否異常的技術,而這項技術可以用來改善系統的動態保護能力。 在本篇論文中,我們提出了一個基於異常偵測技術的架構,以提高行動作業系統的動態安全性。 本架構分為兩個階段:訓練與分析階段。在訓練階段,本架構會蒐集正常應用程式的行為資訊,並產生用於異常偵測的參考用的「閥向量」。 在分析階段,本架構會將執行中的應用程式行為與「閥向量」相比,並於偵測到異常時,發生警告訊息。 透過這兩個階段,本架構能夠偵測出由應用程式所造成的異常系統行為。 最後,我們使用目前最新的行動作業系統 Firefox OS 為例,並套用我們的架構來檢測該系統的安全度。而由我們的實驗結果可以找出測試應用程式中有異常的程式,偵測的陽性誤判率(false positive)為 12.5% 到 50%,陰性誤判率(false negative)為 0% 到 33%。
As the rapid growth of modern mobile operating systems (mobile OS), the mobile OS security has become one of the important issues in a mobile world. To prevent from being attacked, a mobile OS requires one or more protection mechanisms. Anomaly detection, aiming at detecting anomalies in a data set, is one of the protection mechanisms that can be used to improve the runtime security of a mobile OS. In this thesis, we proposed a framework based on the existing anomaly detection technique for a mobile OS. The proposed framework is divided into two phases: training and analyzing phases. In the training phase, the framework collects normal behaviors of applications and generates a throttle vector for detecting anomalies. In the analyzing phase, behaviors of a running application are collected and compared with the throttle vector. Alerts are generated if anomalies are detected. With these phases, the proposed framework can identify anomalous behaviors of a running application on a mobile OS. We then use Firefox OS as a case study and apply the proposed framework to examine the security of the system. Experiment results show the anomalous applications can be identified from the testing applications, with a false positive rate ranging from 12.5% to 50% and a false negative rate ranging from 0 % to 33%.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT070060095
http://hdl.handle.net/11536/72300
Appears in Collections:Thesis