現今Android智慧行動裝置普及，成為惡意程式開發者的主要攻擊目標，如何將行動惡意程式進行偵測及防範已成為一大資安議題。同時，行動應用程式的網路流量成長快速，使得將網路封包作為資料集來檢測行動惡意軟體的可行性也提高。然而動態分析具有蒐集資料耗時的缺點，且過去文獻僅從網路封包中提取單一種類協定特徵，此外，僅將應用程式判斷是否為惡意是不夠的。基於此，本研究提出一個結合靜態權限及動態封包分析的Android惡意程式分析系統，先以靜態分析方式，透過應用程式的宣告資訊權限過濾掉良性應用程式，避免過多的資料蒐集時間，並從惡意程式網路流量提取多種類特徵，提升偵測效果同時降低誤判率，最後進行惡意程式家族分類，由於同個惡意家族下的應用程式具有類似的惡意行為，此分類方式能提供資安人員足夠資訊來建立防範策略。經實驗證實，靜、動態模型準確度分別為98.96%及95.6%，其中網路封包動態分析，高於惡意家族分類的94.33%準確度。以測試資料驗證系統整體效能上，準確率為89.1%，然而本實驗證實在動態分析的資料蒐集時間上有大幅改善，僅47.5%的應用程式需進行五分鐘的動態網路封包蒐集。

The popularity of Android smart mobile devices has become the main target of malware developers. How to detect and prevent mobile malware has become a major issue. At the same time, the mobile application's network traffic has grown rapidly, making it more feasible to use network packets as a data set to detect malicious applications. However, dynamic analysis has the disadvantage of collecting data and taking time, and the past literature only extracts a single kind of agreement feature from the network packet. In addition, it is not enough to distinguish application into malicious or benign. Based on this, this study proposes an Android malware analysis system combining static permissions and dynamic packet analysis. Firstly, static analysis is used to filter out benign applications through the application's announcement information permission, avoiding excessive data collection time and maliciously. The program network traffic extracts multiple types of features, improves the detection effect and reduces the false positive rate. Finally, the malware family is classified. Since the application under the same malicious family has similar malicious behavior, this classification method can provide sufficient information for the security personnel. To establish a prevention strategy. The experimental results show that the accuracy of static and dynamic models are 98.96% and 95.6%, respectively, and the dynamic analysis of network packets is higher than the accuracy of 94.33% of malicious family classification. Using the test data to verify the overall performance of the system, the accuracy rate was 89.1%. However, this experiment confirmed that the data collection time of the dynamic analysis was greatly improved, and only 47.5% of the applications required a five-minute dynamic network packet collection.

[ 1 ] ”2018 Malware Forecast: the onward march of Android malware”. (Accessed : 20-May-2018)取自: https://nakedsecurity.sophos.com/2017/11/07/2018-malware-forecast-the-onward-march-of-android-malware/。
[ 2 ] Android Developer : “Define a Custom App Permission”. 2018年4月17日(Accessed : 14-Jun-2018)取自: https://developer.android.com/guide/topics/permissions/defining。
[ 3 ] Android Developer : ”Permissions overview”. 2018年6月15日(Accessed : 14-Jun-2018)取自: https://developer.android.com/guide/topics/permissions/overview。
[ 4 ] Android Developer : “Set up Android Emulator Networking”. 2018年6月5日(Accessed : 26-Jun-2018)取自: https://developer.android.com/studio/run/emulator-networking。
[ 5 ] ”Contagio Malware dump”. (Accessed : 1-Mar-2018)取自: http://contagiodump.blogspot.com/。
[ 6 ] ”Forget The Sheeple: Android fans are atually the most loyal.”. (Accessed : 20-Jun-2018)取自: http://bgr.com/2018/03/08/iphone-vs-android-market-share/。
[ 7 ] “Cisco visual networking index: Global mobile data traffic forecast update(2017)”. (Accessed : 20-Jun-2018)取自: https://goo.gl/ylTuVx。
[ 8 ] “Global mobile OS market share in sales to end users from 1st quarter 2009 to 2nd quarter 2017”. (Accessed : 20-Jun-2018)取自: https://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems/。
[ 9 ] ”Google Play Apps”. (Accessed : 27-May-2018)取自: https://play.google.com/store/apps?hl=zh_TW。
[ 10 ]”Little418:Check APK Permissions with aapt". 2014年7月1日(Accessed : 20-Mar-2018)取自: https://little418.com/2014/07/check-apk-permissions-with-aapt.html。
[ 11 ]”Scapy-Packet crafting for Python2 and Python3”. (Accessed : 20-Fab-2018)取自: https://scapy.net/。
[ 12 ]“WEKA – Performing Attribute Selection”. (Accessed : 1-Jul-2018)取自: https://weka.wikispaces.com/Performing+attribute+selection。
[ 13 ]胡哲君. ”去可識別個人資訊後之 Android 惡意程式動態分析研究; Dynamic Android Malware Analysis with de-identification of personal identifiable information”. 國立中央大學資訊管理學系碩士論文(2017).
[ 14 ]Afonso, V. M., de Amorim, M. F., Grégio, A. R. A., Junquera, G. B., & de Geus, P. L. (2015). Identifying Android malware using dynamically obtained features. Journal of Computer Virology and Hacking Techniques, 11(1), 9-17.
[ 15 ]Aresu, M., Ariu, D., Ahmadi, M., Maiorca, D., & Giacinto, G. (2015, October). Clustering android malware families by http traffic. In Malicious and Unwanted Software (MALWARE), 2015 10th International Conference on (pp. 128-135). IEEE.
[ 16 ]Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., Rieck, K., & Siemens, C. E. R. T. (2014, February). DREBIN: Effective and Explainable Detection of Android Malware in Your Pocket. In The Network and Distributed System Security Symposium (NDSS) (Vol. 14, pp. 23-26).
[ 17 ]Bierma, M., Gustafson, E., Erickson, J., Fritz, D., & Choe, Y. R. (2014). Andlantis: Large-scale Android dynamic analysis. arXiv preprint arXiv:1410.7751.
[ 18 ]Blokhin, K., Saxe, J., & Mentis, D. (2013, July). Malware similarity identification using call graph based system call subsequence features. In 2013 IEEE 33rd International Conference on Distributed Computing Systems Workshops (pp. 6-10). IEEE.
[ 19 ]Chen, Z., Han, H., Yan, Q., Yang, B., Peng, L., Zhang, L., & Li, J. (2015, August). A first look at android malware traffic in first few minutes. In Trustcom/BigDataSE/ISPA, 2015 IEEE (Vol. 1, pp. 206-213). IEEE.
[ 20 ]Crammer, K., Kulesza, A., & Dredze, M. (2009). Adaptive regularization of weight vectors. In Advances in neural information processing systems (pp. 414-422).
[ 21 ]De la Puerta, J. G., Sanz, B., Grueiro, I. S., & Bringas, P. G. (2015). The Evolution of Permission as Feature for Android Malware Detection. In International Joint Conference (pp. 389-400). Springer, Cham.
[ 22 ]Faruki, P., Ganmoor, V., Laxmi, V., Gaur, M. S., & Bharmal, A. (2013, November). AndroSimilar: robust statistical feature signature for Android malware detection. In Proceedings of the 6th International Conference on Security of Information and Networks (pp. 152-159). ACM.
[ 23 ]Ghaffari, F., Abadi, M., & Tajoddin, A. (2017, May). AMD-EC: Anomaly-based Android malware detection using ensemble classifiers. In Electrical Engineering (ICEE), 2017 Iranian Conference on (pp. 2247-2252). IEEE.
[ 24 ]Hawkins, D. M. (2004). The problem of overfitting. Journal of chemical information and computer sciences, 44(1), 1-12.
[ 25 ]Kandukuru, S., & Sharma, R. M. (2017, April). Android malicious application detection using permission vector and network traffic analysis. In Convergence in Technology (I2CT), 2017 2nd International Conference for (pp. 1126-1132). IEEE.
[ 26 ]Li, D., Wang, Z., Li, L., Wang, Z., Wang, Y., & Xue, Y. (2017, June). FgDetector: Fine-Grained Android Malware Detection. In Data Science in Cyberspace (DSC), 2017 IEEE Second International Conference on (pp. 311-318). IEEE.
[ 27 ]Li, Z., Sun, L., Yan, Q., Srisa-an, W., & Chen, Z. (2016, October). Droidclassifier: Efficient adaptive mining of application-layer header for classifying android malware. In International Conference on Security and Privacy in Communication Systems(pp. 597-616). Springer, Cham.
[ 28 ]Lin, Y. D., Lai, Y. C., Chen, C. H., & Tsai, H. C. (2013). Identifying android malicious repackaged applications by thread-grained system call sequences. computers & security, 39, 340-350.
[ 29 ]Lin, Z., Wang, R., Jia, X., Zhang, S., & Wu, C. (2016, August). Classifying Android malware with dynamic behavior dependency graphs. In Trustcom/BigDataSE/I SPA, 2016 IEEE (pp. 378-385). IEEE.
[ 30 ]Liu, X., & Liu, J. (2014, April). A two-layered permission-based Android malware detection scheme. In Mobile cloud computing, services, and engineering (mobilecloud), 2014 2nd ieee international conference on (pp. 142-148). IEEE.
[ 31 ]Malik, J., & Kaushal, R. (2016, July). CREDROID: Android malware detection by network traffic analysis. In Proceedings of the 1st ACM Workshop on Privacy-Aware Mobile Computing (pp. 28-36). ACM.
[ 32 ]Martín, A., Calleja, A., Menéndez, H. D., Tapiador, J., & Camacho, D. (2016, December). ADROIT: Android malware detection using meta-information. In Computational Intelligence (SSCI), 2016 IEEE Symposium Series on (pp. 1-8). IEEE.
[ 33 ]Narayanan, A., Yang, L., Chen, L., & Jinliang, L. (2016, July). Adaptive and scalable android malware detection through online learning. In Neural Networks (IJCNN), 2016 International Joint Conference on (pp. 2484-2491). IEEE.
[ 34 ]Narudin, F. A., Feizollah, A., Anuar, N. B., & Gani, A. (2016). Evaluation of machine learning classifiers for mobile malware detection. Soft Computing, 20(1), 343-357.
[ 35 ]Pang, Y., Chen, Z., Li, X., Wang, S., Zhao, C., Wang, L, & Li, Z. (2017, July). Finding Android Malware Trace from Highly Imbalanced Network Traffic. In Computational Science and Engineering (CSE) and Embedded and Ubiquitous Computing (EUC), 2017 IEEE International Conference on (Vol. 1, pp. 588-595). IEEE.
[ 36 ]Qiao, M., Sung, A. H., & Liu, Q. (2016, July). Merging permission and api features for android malware detection. In 2016 5th IIAI International Congress on Advanced Applied Informatics (IIAI-AAI) (pp. 566-571). IEEE.
[ 37 ]Sanz, B., Santos, I., Laorden, C., Ugarte-Pedrero, X., Bringas, P. G., & Álvarez, G. (2013). Puma: Permission usage to detect malware in android. In International Joint Conference CISIS’12-ICEUTE 12-SOCO 12 Special Sessions (pp. 289-298). Springer, Berlin, Heidelberg.
[ 38 ]Şahın, D. Ö., Kural, O. E., Akleylek, S., & Kiliç, E. (2018, March). New results on permission based static analysis for Android malware. In Digital Forensic and Security (ISDFS), 2018 6th International Symposium on (pp. 1-4). IEEE.
[ 39 ]Wang, S., Yan, Q., Chen, Z., Yang, B., Zhao, C., & Conti, M. (2018). Detecting android malware leveraging text semantics of network flows. IEEE Transactions on Information Forensics and Security, 13(5), 1096-1109.
[ 40 ]Wang, S., Yan, Q., Chen, Z., Yang, B., Zhao, C., & Conti, M. (2017, May). TextDroid: Semantics-based detection of mobile malware using network flows. In Computer Communications Workshops (INFOCOM WKSHPS), 2017 IEEE Conference on(pp. 18-23). IEEE.
[ 41 ]Wang, S., Chen, Z., Zhang, L., Yan, Q., Yang, B., Peng, L., & Jia, Z. (2016, June). TrafficAV: An effective and explainable detection of mobile malware behavior using network traffic. In Quality of Service (IWQoS), 2016 IEEE/ACM 24th International Symposium on (pp. 1-6). IEEE.
[ 42 ]Wu, D. J., Mao, C. H., Wei, T. E., Lee, H. M., & Wu, K. P. (2012, August). Droidmat: Android malware detection through manifest and api calls tracing. In Information Security (Asia JCIS), 2012 Seventh Asia Joint Conference on (pp. 62-69). IEEE.
[ 43 ]Xiao, X., Xiao, X., Jiang, Y., Liu, X., & Ye, R. (2016). Identifying Android malware with system call co‐occurrence matrices. Transactions on Emerging Telecommunications Technologies, 27(5), 675-684.
[ 44 ]Xu, K., Li, Y., & Deng, R. H. (2016). ICCDetector: ICC-based malware detection on Android. IEEE Transactions on Information Forensics and Security, 11(6), 1252-1264.