In recent years, smart devices have become increasingly widespread and all kinds of mobile applications have emerged. Besides the official app stores, there are many other channels through which users can download mobile applications, and unknown malware is steadily increasing. Existing virus detection techniques rely mainly on known signature code to identify malware; they can effectively identify known malware but cannot quickly discover new malware. If the virus database holds no sample of a piece of malware and no up-to-date signature for it, that malware cannot be stopped from running. Moreover, for mobile devices, scanning on the device itself consumes a great deal of resources and battery power. This thesis therefore proposes a detection method that performs dynamic analysis of APPs in a sandbox and can effectively identify unknown malware. The proposed dynamic analysis method uses a sandbox environment to actually run the APP and adds simulated user behaviour to raise the accuracy of the analysis; in this way the probability of misjudgement is reduced as far as possible, the effectiveness of malware detection is improved, and the goal of checking unknown APPs is achieved. This thesis also uses recent real-world malware and benign programs in its experiments and verifies the effectiveness of the method in comparison with foreign papers; the experimental results show that the proposed method can effectively detect malware.
In recent years, the use of smart devices has become increasingly popular, and all kinds of mobile applications are emerging. In addition to the official app market, there are many other ways for users to download mobile apps. As unidentified instances of malware grow day by day, off-the-shelf malware detection methods identify malicious programs mainly with extracted code signatures, which can effectively identify already known malware but not new malware in its initial spread. If no samples of this malware are reported and the virus signature library is not patched, users won’t be alerted to it. Meanwhile, scanning each running program on the mobile device is a very resource-consuming and power-consuming job. A detection method that saves resources and power while effectively identifying unknown malware in time is therefore essential. This paper proposes a new detection method based on live log analysis. A sandbox is used to mimic human operations and monitor the responses of APPs. Feeding these simulated user events can activate dormant malware and improve the accuracy of the log analysis, even when the malware is still unknown. This study takes recent malware and benign programs to conduct experiments, and then verifies the effectiveness of the proposed method by comparing it with the methods in other papers. The experimental results show that the proposed method outperforms those methods in both hit rate and pass rate.