針對行動作業系統之異常偵測: 以Firefox OS為例

Abstract

隨著行動作業系統的快速發展，系統安全已成為行動通訊網路中一項重要的議題。行動作業系統大都設計一些安全機制，以預防系統受到攻擊，或是降低受到系統攻擊所帶來的風險。 異常偵測是一種用來判斷資料是否異常的技術，而這項技術可以用來改善系統的動態保護能力。 在本篇論文中，我們提出了一個基於異常偵測技術的架構，以提高行動作業系統的動態安全性。 本架構分為兩個階段：訓練與分析階段。在訓練階段，本架構會蒐集正常應用程式的行為資訊，並產生用於異常偵測的參考用的「閥向量」。 在分析階段，本架構會將執行中的應用程式行為與「閥向量」相比，並於偵測到異常時，發生警告訊息。 透過這兩個階段，本架構能夠偵測出由應用程式所造成的異常系統行為。 最後，我們使用目前最新的行動作業系統 Firefox OS 為例，並套用我們的架構來檢測該系統的安全度。而由我們的實驗結果可以找出測試應用程式中有異常的程式，偵測的陽性誤判率（false positive）為 12.5% 到 50%，陰性誤判率（false negative）為 0% 到 33%。

As the rapid growth of modern mobile operating systems (mobile OS), the mobile OS security has become one of the important issues in a mobile world. To prevent from being attacked, a mobile OS requires one or more protection mechanisms. Anomaly detection, aiming at detecting anomalies in a data set, is one of the protection mechanisms that can be used to improve the runtime security of a mobile OS. In this thesis, we proposed a framework based on the existing anomaly detection technique for a mobile OS. The proposed framework is divided into two phases: training and analyzing phases. In the training phase, the framework collects normal behaviors of applications and generates a throttle vector for detecting anomalies. In the analyzing phase, behaviors of a running application are collected and compared with the throttle vector. Alerts are generated if anomalies are detected. With these phases, the proposed framework can identify anomalous behaviors of a running application on a mobile OS. We then use Firefox OS as a case study and apply the proposed framework to examine the security of the system. Experiment results show the anomalous applications can be identified from the testing applications, with a false positive rate ranging from 12.5% to 50% and a false negative rate ranging from 0 % to 33%.