Title: | An Android Machine Learning Malware Detection System Using the Result of Static Analysis and Dynamic Analysis as the Features (original Chinese title: 整合靜態分析及動態分析結果作為機器學習標準的Android惡意程式偵測系統) |
Authors: | Tsai, Li-Liuen (蔡立倫); Tzeng, Wen-Guey (曾文貴); Institute of Network Engineering |
Keywords: | Malware Detection; Machine Learning; Static Analysis; Dynamic Analysis; Behavior Trigger; Android |
Date issued: | 2014 |
Abstract: | Today's smartphones offer a wide range of powerful functions, so more and more people use their smartphone as a portable personal computer. Android is a smartphone platform with a very large user base; many users like its openness, but malware authors also exploit that openness to harm users.
Current antivirus software detects malware by recognizing signatures. Android malware, however, evolves so rapidly that signature-based identification cannot keep up, and users cannot obtain real protection simply by installing antivirus software.
This thesis therefore proposes a system that combines static analysis and dynamic analysis: the two analyses yield feature attributes that describe an application from several angles, and a machine learning algorithm classifies those attributes to decide whether the application is malicious.
For the dynamic analysis part, this thesis implements an automatic behavior trigger that recognizes the user interface, so that it simulates a user's operation of the application more realistically and reliably exercises the application's functions. It also proposes a new feature type that uses the order of the system calls issued while the application runs, which raises the malware detection rate. A large set of application samples was collected, and the results confirm that this behavior trigger together with these features can accurately identify malware.
English abstract (as provided): Nowadays smartphones offer many functions, so more and more people use their smartphone like a portable personal computer. Android is a smartphone platform with a large number of users. Many users like its ability to install apps from unverified sources, but attackers also use this ability to harm users. Antivirus software usually uses signatures to detect malware, but Android malware develops too fast for this method, which is too slow, so users cannot protect themselves just by installing antivirus software on their smartphone. In this thesis, we present an Android machine learning malware detection system. It uses the results of static analysis and dynamic analysis as features for machine learning and determines whether an application is malware. For the dynamic analysis, we propose an automatic behavior trigger that can identify the user interface on the screen. The behavior trigger simulates the events of a user's interaction with the app in order to trigger the app's functions. We also propose a new feature set that records the sequence of system calls, which raises the detection rate. We collected a large number of samples to show that our system, using this behavior trigger and this feature set, can distinguish malware from benign apps. |
URI: | http://140.113.39.130/cdrfb3/record/nctu/#GT070156536 http://hdl.handle.net/11536/76166 |
Appears in collections: | Theses |
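The abstract's key idea is that a feature recording the order of system calls separates behaviours that an order-blind count cannot. The following is an added illustration, not code from the thesis: it encodes the order as syscall bigram counts (this example's assumption; the thesis does not state its encoding) and merges them with manifest permissions from static analysis into one feature dict. The strace-style traces, the permission list and the watched-permission list are all constructed.

```python
import re
from collections import Counter

# Constructed strace-style trace: read the contacts database, then send it out.
TRACE_A = """\
openat(AT_FDCWD, "/data/data/com.example/contacts.db", O_RDONLY) = 5
read(5, "...", 4096) = 4096
socket(AF_INET, SOCK_STREAM, 0) = 6
connect(6, {sa_family=AF_INET, sin_port=htons(80)}, 16) = 0
write(6, "...", 4096) = 4096
"""
# Constructed trace with the SAME multiset of calls in a different order:
# fetch data from the network, then store it locally.
TRACE_B = """\
socket(AF_INET, SOCK_STREAM, 0) = 6
connect(6, {sa_family=AF_INET, sin_port=htons(80)}, 16) = 0
read(6, "...", 4096) = 4096
openat(AT_FDCWD, "/data/data/com.example/cache.db", O_WRONLY) = 5
write(5, "...", 4096) = 4096
"""
# Constructed static-analysis result (manifest permissions) and an assumed watch list.
PERMISSIONS_A = ["android.permission.READ_CONTACTS", "android.permission.INTERNET"]
WATCHED_PERMISSIONS = ["READ_CONTACTS", "INTERNET", "SEND_SMS"]
SYSCALL_RE = re.compile(r"^(\w+)\(")

def syscalls(trace):
    """Syscall name of each strace-style line, in trace order."""
    return [m.group(1) for m in map(SYSCALL_RE.match, trace.splitlines()) if m]

def bag_features(trace):
    """Order-blind feature: how often each syscall occurs."""
    return Counter(syscalls(trace))

def bigram_features(trace):
    """Order-aware feature (assumed encoding): counts of consecutive syscall pairs."""
    names = syscalls(trace)
    return Counter(f"{a}>{b}" for a, b in zip(names, names[1:]))

def static_features(permissions):
    """Binary indicator per watched permission, from the manifest."""
    short = {p.rsplit(".", 1)[-1] for p in permissions}
    return {f"perm:{p}": int(p in short) for p in WATCHED_PERMISSIONS}

def feature_vector(permissions, trace):
    """Merged static + dynamic feature dict for one app, ready for a classifier."""
    vec = static_features(permissions)
    vec.update({f"seq:{k}": v for k, v in bigram_features(trace).items()})
    return vec
```

The two traces produce identical bag counts but different bigram counts, which is exactly the distinction the sequence feature is meant to capture.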