基於程式碼語意模型之安卓惡意程式偵測

Abstract

近年來，由於Android平台的快速發展，吸引大量攻擊者撰寫惡意程式以獲取非法利益，而這些惡意程式經常被嵌入在合法應用程式中，誘騙使用者下載。對於市場管理者而言，如何儘早偵測惡意程式，保護市場產品的安全，是非常重要的。因此，為了提升分析大量應用程式的效率，一套自動化系統協助分析人員判定待測程式之潛在風險，將能舒緩人力分析的負擔。此外，根據統計顯示，現今大多數惡意程式都是突變來自已偵測的樣本，這些突變種與舊的世代間通常會共享相似的程式結構，或是某些重要惡意行為。基於這個原因，自動化的偵測工具可以採取從已知惡意程式中抽取特徵，建立能描述已知程式特徵的模型，並利用該模型來分析未知程式。然而，現有的方法並沒有考慮到惡意程式中會影響偵測準確性的雜質，特別是Android惡意程式大量重包裝自合法程式，將涵蓋大量與惡意程式碼無關的雜質，因此習知技術將無法有效偵測Android惡意程式。在本文中，我們提出一套系統，嘗試萃取出能逼近惡意程式核心特徵的語意模型，並以此模型提高偵測Android惡意程式的準確性。具體而言，我們首先分別從已知惡意程式與良性程式中抽取一組具備高風險的程式碼語意特徵，接著，進一步使用演化計算過濾出能描述已知惡意程式共有核心特徵的語意片段，將之建立成模型。萃取出來的模型，對於變種惡意程式可以達到88%的偵測率，而對於良性程式則僅有1.7%的錯誤率。

The prevalence of Android platform has attracted adversaries to craft malicious payloads for illegal profit. Such malicious artifacts are frequently embedded in legitimate applications to lure victims. To ensure the health of market ecosystem, automated scanning process is required for market administrator to ease the effort of manual analysis and thus can scale to sheer volume of pending samples. Due to the fact that new variants often share similar functionalities with the known species, such process can be designed by applying the models summarizing the characteristics of known malware to detect unknown subjects. However, conventional approaches cannot be directly applied to Android since they did not address the noisy features in malware programs that will hinder the scanning process. In this paper, we propose Petridish, a system which generates discriminative models for Android malware detection. That is, Petridish first extracts a set of security-relevant semantics from a corpus of malware and benign samples. Then it applies the evolutionary computation to distill the semantics models close to the core malicious activities. In the evaluation, we demonstrate the power of these models by using the samples covering primary malware families and the benign programs crawled from GooglePlay. The result shows the 88% true positive rate and the 1.7% false positive rate, respectively.