
Graduate student: 游子慧 (ZIH-HUEI YOU)
Thesis title: Android Malware Classifier based on Static Feature and Machine Learning (Chinese title: 基於靜態特徵與機器學習之Android惡意程式分類研究)
Advisor: 陳奕明 (Yi-Ming Chen)
Degree: Master
Department: Department of Information Management, College of Management
Year of publication: 2017
Graduation academic year: 105 (ROC calendar, i.e. the 2016/17 academic year)
Language: Chinese
Pages: 67
Keywords (Chinese): Android, static analysis, machine learning, opcode sequence, malware classification, similarity calculation
Keywords (English): opcode sequence, similarity calculation
    Abstract
    Classifying malware by its specific type matters because knowing the characteristics of each class is what allows corresponding protective measures to be designed. Malware is not only growing in volume but also constantly spawning variants, so a single sample may exhibit the characteristics of more than one class rather than of just one. This study therefore not only classifies a detected malicious application but also computes a risk value indicating whether it carries the characteristics of other classes. It relies on static analysis, which is fast and offers high code coverage. For feature extraction, earlier work has almost always used permissions, API calls, components and similar features, but these have to be filtered by expert analysis before they can be used; opcodes, by contrast, need no expert filtering, can be analysed directly from the raw data, and are closely tied to the application's code, so this study uses opcodes as its static feature. The study proposes an application detection platform that classifies submitted applications using opcode sequences and machine learning. Five classification algorithms commonly used in the static-analysis literature, J48, RandomForest (RF), NaiveBayes, LibSVM and Partial Decision Tree (PART), are trained and evaluated with 10-fold cross-validation; the best result, RandomForest with 4-gram opcode sequences, reaches an F-measure of 97.5%. After classification a risk value is computed and reported as a percentage per class, indicating whether the application also carries the characteristics of other malware classes, to serve as a basis for judgement.
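    The pipeline the abstract describes (opcode sequence, n-gram feature vector, classifier, per-class risk percentage) as an added example in Python. This is illustrative code written for this page, not code from the thesis or from its ShadowDroid platform. It assumes constructed Dalvik opcode sequences for three made-up classes (Locker, SMSTrojan, Adware) standing in for real disassembled classes.dex output; it uses a nearest-profile decision based on cosine similarity in place of the Weka classifiers the thesis evaluated (J48, PART, LibSVM, RandomForest and NaiveBayes are Weka classifier names); and it normalises the per-class similarities to percentages summing to 100, which is an assumed formulation because the record does not give the thesis's risk-value formula. Leave-one-out evaluation stands in for the thesis's 10-fold cross-validation.

```python
"""Opcode n-gram features, nearest-profile classification and per-class risk
values for Android samples.  Added illustrative example, not thesis code."""
from collections import Counter
import math

# Constructed Dalvik opcode sequences, NOT real malware samples.  In practice
# each list would be the opcode mnemonics of every method in classes.dex, in
# order, as emitted by a disassembler such as baksmali or androguard.
TRAINING = {
    "Locker": [
        ["new-instance", "invoke-direct", "const-string", "invoke-virtual",
         "move-result-object", "const/4", "invoke-virtual", "return-void"],
        ["new-instance", "invoke-direct", "const-string", "invoke-virtual",
         "move-result", "if-eqz", "invoke-virtual", "return-void"],
    ],
    "SMSTrojan": [
        ["invoke-static", "move-result-object", "const-string", "const-string",
         "const/4", "invoke-virtual", "return-void"],
        ["invoke-static", "move-result-object", "const-string", "const-string",
         "sget-object", "invoke-virtual", "return-void"],
    ],
    "Adware": [
        ["iget-object", "invoke-interface", "move-result-object", "check-cast",
         "invoke-virtual", "return-void"],
        ["iget-object", "invoke-interface", "move-result-object", "check-cast",
         "if-nez", "return-void"],
    ],
}

# Unknown sample to classify (constructed).  It shares two 4-grams with the
# Locker profile and one with SMSTrojan, so the risk values are not all-or-nothing.
UNKNOWN = ["new-instance", "invoke-direct", "const-string", "invoke-virtual",
           "move-result", "const-string", "const/4", "invoke-virtual", "return-void"]


def opcode_ngrams(opcodes, n=4):
    """Sliding-window n-gram counts over one opcode sequence (the feature vector)."""
    return Counter(tuple(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1))


def cosine(u, v):
    """Cosine similarity between two sparse count vectors; 0.0 if either is empty."""
    dot = sum(c * v.get(g, 0) for g, c in u.items())
    nu = math.sqrt(sum(c * c for c in u.values()))
    nv = math.sqrt(sum(c * c for c in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def build_profiles(training, n=4):
    """One aggregated n-gram vector per malware class (its profile)."""
    profiles = {}
    for label, samples in training.items():
        profile = Counter()
        for seq in samples:
            profile.update(opcode_ngrams(seq, n))
        profiles[label] = profile
    return profiles


def risk_values(opcodes, profiles, n=4):
    """Per-class risk as a percentage: similarity to each class profile,
    normalised so the percentages sum to 100.  ASSUMED formulation; the
    thesis reports a percentage per class but its exact formula is not on the page."""
    feats = opcode_ngrams(opcodes, n)
    sims = {label: cosine(feats, prof) for label, prof in profiles.items()}
    total = sum(sims.values())
    if total == 0:  # no n-gram in common with any class: nothing to report
        return {label: 0.0 for label in sims}
    return {label: 100.0 * s / total for label, s in sims.items()}


def classify(opcodes, profiles, n=4):
    """Nearest-profile decision: the class with the highest risk value,
    or None when the sample matches no class at all."""
    risks = risk_values(opcodes, profiles, n)
    best = max(risks, key=risks.get) if any(risks.values()) else None
    return best, risks


def leave_one_out_accuracy(training, n=4):
    """Hold each sample out in turn, rebuild the profiles from the rest and
    classify it: the k = N case of the k-fold cross-validation the thesis used."""
    correct = total = 0
    for label, samples in training.items():
        for i, seq in enumerate(samples):
            rest = {lab: [s for j, s in enumerate(seqs) if not (lab == label and j == i)]
                    for lab, seqs in training.items()}
            predicted, _ = classify(seq, build_profiles(rest, n), n)
            correct += int(predicted == label)
            total += 1
    return correct / total


if __name__ == "__main__":
    profiles = build_profiles(TRAINING)
    label, risks = classify(UNKNOWN, profiles)
    print("predicted class:", label)
    for cls, pct in sorted(risks.items(), key=lambda kv: -kv[1]):
        print(f"  {cls:10s} {pct:6.2f}%")
    print("leave-one-out accuracy on the toy set:", leave_one_out_accuracy(TRAINING))
```

    Running it prints the predicted class for UNKNOWN (Locker) with the risk split across Locker and SMSTrojan. Two practical caveats when moving from this toy to real APKs: the number of distinct n-grams grows combinatorially with n, so 4-gram vectors over whole applications are very sparse (one reason tree ensembles such as RandomForest cope well with them), and the features are tied to the exact instruction stream, so an obfuscator that reorders instructions or inserts junk opcodes perturbs them. A held-out test set drawn from a later period than the training data is the usual check that a cross-validated F-measure carries over to new samples.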

    Table of contents
    Abstract (Chinese); Abstract (English); Acknowledgements; Table of contents; List of figures; List of tables
    Chapter 1 Introduction
        1-1 Research background
        1-2 Research motivation
        1-3 Research objectives
        1-4 Thesis structure
    Chapter 2 Related work
        2-1 Recent methods and trends in static analysis
        2-2 Work using permissions as static features
        2-3 Work using API calls as static features
        2-4 Work combining two or more different static features
        2-5 Work using opcodes as static features
        2-6 Summary
    Chapter 3 Research method
        3-1 Analysis tools
        3-2 System architecture
            3-2-1 Modules in the ShadowDroid app
            3-2-2 Modules in the ShadowDroid server
        3-3 System workflow
    Chapter 4 Experimental results
        4-1 Experimental environment
        4-2 Experiment 1: functional validation of application detection and classification
            4-2-1 Purpose
            4-2-2 Environment
            4-2-3 Results
        4-3 Experiment 2: risk-value calculation for detected applications
            4-3-1 Purpose
            4-3-2 Environment
            4-3-3 Results
    Chapter 5 Conclusions and future work
        5-1 Conclusions and contributions
        5-2 Limitations
        5-3 Future work
    References
    Appendix 1: Malware samples
    Appendix 2: Classifier parameters

    References
     Web sources
    [1] "8,400 new Android malware samples every day." https://www.gdatasoftware.com/blog/2017/04/29712-8-400-new-android-malware-samples-every-day (accessed 20 Jun 2017)
    [2] Contagio mobile mini-dump blog. http://contagiominidump.blogspot.tw/ (accessed 20 Jun 2017)
    [3] "Global market share held by the leading smartphone operating systems in sales to end users from 1st quarter 2009 to 1st quarter 2017." https://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems/ (accessed 20 Jun 2017)
    [4] "SLocker malware is back: over 400 new variants detected by MI:RIAM." https://www.wandera.com/blog/miriam-detects-slocker-malware/ (accessed 20 Jun 2017)
    [5] "Detecting and classifying Android malicious code with machine learning: Dalvik VM and opcodes" (in Chinese; original title 用機器學習檢測Android惡意代碼並分類_Dalvik虛擬機&Opcode). https://kknews.cc/zh-tw/tech/n2gv8.html (accessed 20 Jun 2017)
    [6] "Malware classifications" (in Chinese; original title 惡意軟體分類). http://www.jadespring.com.tw/internet-security-center/threats/malware-classifications.html (accessed 20 Jun 2017)
    [7] APK Extractor (Google Play listing). https://play.google.com/store/apps/details?id=com.ext.ui&hl=zh_TW (accessed 20 Jun 2017)
     Chinese-language sources
    [8] 楊豐盛 (2011). Inside Android: exploring Android core principles and system development (in Chinese; original title Android技術內幕:探索Android核心原理與系統開發). 碁峰資訊 (GOTOP). ISBN 9789862763407.
    [9] 許珈榮, 林盈達, 蔡濠全, & 李佳穎 (2012). "Android malware collection, analysis and evaluation" (in Chinese; original title Android惡意程式收集,分析與評估). Master's thesis, Department of Computer Science, National Chiao Tung University.
     English-language sources
    [10] Aafer, Y., Du, W., & Yin, H. (2013). "DroidAPIMiner: Mining API-level features for robust malware detection in Android." In International Conference on Security and Privacy in Communication Systems (SecureComm 2013), pp. 86-103. Springer.
    [11] Arp, D., Spreitzenbarth, M., Hubner, M., Gascon, H., & Rieck, K. (2014). "DREBIN: Effective and explainable detection of Android malware in your pocket." In Network and Distributed System Security Symposium (NDSS 2014).
    [12] Baskaran, B., & Ralescu, A. (2016). "A study of Android malware detection techniques and machine learning." In Modern Artificial Intelligence and Cognitive Science Conference (MAICS 2016).
    [13] Canfora, G., De Lorenzo, A., Medvet, E., Mercaldo, F., & Visaggio, C. A. (2015). "Effectiveness of opcode ngrams for detection of multi family Android malware." In 10th International Conference on Availability, Reliability and Security (ARES 2015), pp. 333-340. IEEE.
    [14] Jerome, Q., Allix, K., State, R., & Engel, T. (2014). "Using opcode-sequences to detect malicious Android applications." In IEEE International Conference on Communications (ICC 2014), pp. 914-919.
    [15] Kang, B., Yerima, S. Y., McLaughlin, K., & Sezer, S. (2016). "N-opcode analysis for Android malware classification and categorization." In International Conference on Cyber Security and Protection of Digital Services (Cyber Security 2016), pp. 1-7. IEEE.
    [16] McLaughlin, N., et al. (2017). "Deep Android malware detection." In Proceedings of the Seventh ACM Conference on Data and Application Security and Privacy (CODASPY 2017), pp. 301-308.
    [17] Moonsamy, V., Rong, J., Liu, S., Li, G., & Batten, L. M. (2013). "Contrasting permission patterns between clean and malicious Android applications." In SecureComm 2013, pp. 69-85.
    [18] Xiong, P., Wang, X., Niu, W., Zhu, T., & Li, G. (2014). "Android malware detection with contrasting permission patterns." China Communications, IEEE.
    [19] Rad, B. B., & Masrom, M. (2010). "Metamorphic virus variants classification using opcode frequency histogram." In Latest Trends on Computers (Volume I).
    [20] Wang, X., Wang, J., & Zhu, X. (2016). "A static Android malware detection based on actual used permissions combination and API calls." World Academy of Science, Engineering and Technology, International Journal of Computer, Electrical, Automation, Control and Information Engineering, 10(9), 1630-1637.
    [21] Wang, Z., Li, C., Guan, Y., & Xue, Y. (2015). "DroidChain: A novel malware detection method for Android based on behavior chain." In IEEE Conference on Communications and Network Security (CNS 2015), pp. 727-728.
    [22] Yang, C., Xu, Z., Gu, G., Yegneswaran, V., & Porras, P. (2014). "DroidMiner: Automated mining and characterization of fine-grained malicious behaviors in Android applications." In European Symposium on Research in Computer Security (ESORICS 2014), pp. 163-182. Springer.
    [23] Yerima, S. Y., Sezer, S., & Muttik, I. (2015). "Android malware detection: An eigenspace analysis approach." In Science and Information Conference (SAI 2015). IEEE.
    [24] Yuhui, Fan, and Xu Ning (2015). "The analysis of Android malware behaviors." International Journal of Security and Its Applications, pp. 335-346.
