
In recent years, many smartphones and IoT devices have adopted the Android operating system. While this platform has enabled many useful applications, it has also become a target for attackers. This study therefore takes the information contained in Android applications as its basis: it collects a combined feature set consisting of an application's permission requests, its Android API function calls, and the order in which those API functions are called, and applies classification techniques from data mining to propose an Android malware detection model. This improves on the traditional signature-based approach to malware detection: the model can detect previously unknown malware and overcome the difficulties introduced by code obfuscation. Moreover, because the study uses data-mining classification techniques, there is no need to compare the code of a malicious program line by line; the classification model built by our system returns a classification result quickly.

This study uses five algorithms as its classification modules: gradient boosting, extreme gradient boosting, decision tree, support vector machine, and naive Bayes, and builds a malware classification and prediction system on them. The samples come from the Android application repository provided by the University of Luxembourg (AndroZoo), from which 500 benign and 500 malicious applications from 2019 were selected at random as the analysis set. From these samples we collected combinations of the three feature categories described above, and finally used information gain, gain ratio, and single-rule evaluation to select the features that are most effective for classifying Android malware. The experimental results show that the decision tree classifier achieves the best classification performance.

Among all combinations of feature categories, we found that combining all three (application permission requests, Android API function calls, and the order of Android API function calls) gives the best classification performance, showing that a more diverse set of feature types raises the detection rate of the classification model. Furthermore, when information gain is used to limit the number of features, we found that the top 10 and top 20 features by information gain both yield lower accuracy than the top 30, while using the top 40 or more features brings no substantial further improvement in accuracy, indicating that the decision tree model begins to overfit in that setting. This study therefore recommends that, when the three feature categories are combined, the top 30 features by information gain be used.
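As an added illustration of the feature pipeline described above (example code written for this page, not the thesis's own implementation), the following Python builds binary feature vectors from the three feature categories and ranks them by information gain. The sample applications, their permission sets and API call lists are constructed; encoding API call order as adjacent-call pairs is an assumption, since the excerpt does not state how the thesis encodes call order.

```python
"""Feature extraction and information-gain ranking for Android app samples.

Added example, not the thesis's own code.  Three feature families are used:
permission requests, API calls, and API call order.  Call order is encoded
here as adjacent-call pairs (an assumption; the thesis excerpt does not say
how it encodes order).  All sample apps below are constructed.
"""
import math
from collections import Counter

# Constructed samples: (label, requested permissions, API calls in order).
SAMPLES = [
    ("malware", {"SEND_SMS", "INTERNET"},
     ["getDeviceId", "sendTextMessage"]),
    ("malware", {"SEND_SMS", "READ_CONTACTS"},
     ["getDeviceId", "sendTextMessage", "openConnection"]),
    ("malware", {"SEND_SMS", "INTERNET"},
     ["getDeviceId", "sendTextMessage"]),
    ("benign", {"SEND_SMS"},
     ["sendTextMessage", "getDeviceId"]),      # same APIs, different order
    ("benign", {"INTERNET"},
     ["openConnection", "getString"]),
    ("benign", {"SEND_SMS", "INTERNET"},
     ["getString", "sendTextMessage"]),
]


def extract_features(perms, api_seq):
    """Return the set of binary features present in one app."""
    feats = {f"perm:{p}" for p in perms}
    feats |= {f"api:{a}" for a in api_seq}
    # Order feature: each pair of consecutive API calls.
    feats |= {f"seq:{a}->{b}" for a, b in zip(api_seq, api_seq[1:])}
    return feats


DATASET = [(label, extract_features(p, s)) for label, p, s in SAMPLES]


def entropy(labels):
    """Shannon entropy (bits) of a list of class labels."""
    n = len(labels)
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())


def information_gain(feature, dataset):
    """Label entropy minus the label entropy after splitting on `feature`."""
    labels = [label for label, _ in dataset]
    present = [label for label, feats in dataset if feature in feats]
    absent = [label for label, feats in dataset if feature not in feats]
    n = len(dataset)
    conditional = sum(len(part) / n * entropy(part)
                      for part in (present, absent) if part)
    return entropy(labels) - conditional


def rank_features(dataset):
    """All features sorted by information gain, highest first (ties by name)."""
    all_feats = set().union(*(feats for _, feats in dataset))
    return sorted(all_feats, key=lambda f: (-information_gain(f, dataset), f))


def select_top_k(dataset, k):
    """Keep the k most informative features (the thesis cuts at the top 30)."""
    return rank_features(dataset)[:k]


def to_vector(feats, selected):
    """Binary vector for one app over the selected feature list."""
    return [1 if f in feats else 0 for f in selected]


if __name__ == "__main__":
    for f in rank_features(DATASET):
        print(f"{information_gain(f, DATASET):.3f}  {f}")
    top = select_top_k(DATASET, 3)
    for label, feats in DATASET:
        print(label, to_vector(feats, top))
```

On these constructed samples the order feature `seq:getDeviceId->sendTextMessage` separates the two classes completely (information gain 1.0), while the individual `api:` and `perm:` features for the same calls and permissions do not, because one benign app uses the same APIs in the opposite order. This is the kind of signal the thesis attributes to adding call-order features on top of permissions and API calls.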

To allow the Android malware detection system of this study to keep pace with the accelerating emergence of malware variants and with the routine maintenance of the official Android API in the future, we propose two occasions for retraining the classification module of the Android malware detection system: (1) event-driven retraining and (2) periodic retraining. The timing of event-driven retraining is dynamic: when a new type of malware appears and causes widespread damage, that is an occasion for event-driven retraining. For example, ransomware began to emerge and cause damage in 2017; that was a point at which the classification model should be retrained. Periodic retraining, on the other hand, takes place on a regular schedule. For example, the Android project regularly releases new versions of the Android operating system, and each release adds, modifies, or deprecates some of the system's API functions. The frequency of periodic retraining should therefore be tied to the frequency with which new Android versions are released. After retraining, the classification module of the Android malware detection system will be able to detect malware that targets the new Android version.

Although the experimental data in this study are real samples, they come from a single source and are limited to the year 2019. Future work will attempt to broaden both the sources and the number of samples in order to obtain a wider range of malware samples and validation results. In addition, this study examines only Android applications; future work could apply the framework proposed here to binaries of other formats, such as PE (Portable Executable) and ELF (Executable and Linkable Format), to verify whether the detection system architecture proposed in this study remains effective on binaries of different formats.
