  • Thesis

Dynamic API Profiling and Execution Sequence Analysis on Android Devices

Dynamic API-based Profiling and Execution Sequence Analysis for Android Devices

Advisor: 孫雅麗

Abstract


With the spread of smart devices, the apps running on them are countless, yet an ordinary user has no way of knowing whether an app is performing malicious behaviour without their knowledge. In this thesis we therefore run apps in a virtual environment and record their behaviour for analysis.

We download the Android 4.4 source code and modify its built-in dynamic profiling tool so that, in addition to recording APIs, it also captures each API's parameters and return value. During the dynamic analysis experiments, we parse the app's AndroidManifest.xml to learn how the app is triggered, and we send fake broadcasts to trigger its behaviour.

The execution trace obtained from a dynamic run contains a huge number of APIs, so in this study we define a Sensitive API set, consisting of APIs that require a permission and APIs related to an app's sensitive actions. We use this set to filter the execution trace, and we call the remaining API sequence a profile.

For these profiles, we want to extract shared sequences as malware features through sequence analysis. Before the sequence analysis, we feed all profiles into a dendrogram to build a similarity tree among them, placing statistically close profiles in the same group. Each group is then fed into sequence analysis separately to produce the common and differing sequences. Taking the Gone60 and ADRD malware families as examples, the thesis shows that our analysis method can find the basic features of a single malware family (i.e. behaviour present in every sample) as well as features that belong only to some of the samples.

By capturing malware family features we gain a better understanding of how these malware samples behave at run time. In future work we hope to analyse more malware families to obtain more kinds of features. The more features we extract, the better we understand how malware families execute, which will help subsequent detection.

Parallel Abstract (English)


There are many apps for mobile devices nowadays, but it is hard for a user to know whether an app executes malicious behaviours. This thesis runs apps and records their behaviours, and then extracts their features. We download the Android 4.4 OS source code and modify the default profiling tool to get each API's runtime parameters and return value. When profiling malware behaviour, we parse the app's AndroidManifest.xml to learn how it can be triggered, and we trigger it by sending fake broadcasts. Since the enormous number of APIs in an execution trace is quite annoying for analysis, we define a Sensitive API set, including APIs which need permissions or are related to sensitive actions. After filtering the execution traces, the remaining API sequence is regarded as a profile.

For those profiles, we extract features through sequence alignment. First, we input all profiles to a dendrogram in order to separate the profiles into groups. Each group is then fed into the sequence alignment algorithm, and the common and differing sequences in one malware family can be extracted. We use Gone60 and ADRD to show how our method can find common and different features in one malware family. By obtaining features from malware, we can understand how it works. We will analyze more malware families in the future to get more kinds of features. With those features, we can classify a malware sample or detect whether an app has malicious behaviours.
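The pipeline both abstracts describe (execution trace, Sensitive API filter, profile, dendrogram grouping, sequence alignment for common and partial features) is sketched below as an added example in Python. It is not the thesis's code: the abstract does not give the actual Sensitive API list, the distance metric used to build the dendrogram, or the alignment algorithm, so the example assumes a small permission-to-API table, a normalised longest-common-subsequence (LCS) distance, single-linkage clustering cut at an assumed height of 0.5, and LCS as the alignment. The `famA_*`/`famB_*` traces are constructed stand-ins, not Gone60 or ADRD data.

```python
"""Added example, not the thesis's code: filter traces to a Sensitive API set,
cluster the resulting profiles by a dendrogram cut, then align each group to
extract its common sequence and partial features. All names are constructed."""
from itertools import combinations

# Assumed Sensitive API set (constructed, not the thesis's list): permission-gated
# APIs plus APIs tied to sensitive actions that need no permission.
PERMISSION_APIS = {
    "TelephonyManager.getDeviceId": "READ_PHONE_STATE",
    "TelephonyManager.getSubscriberId": "READ_PHONE_STATE",
    "SmsManager.sendTextMessage": "SEND_SMS",
    "HttpURLConnection.connect": "INTERNET",
    "LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "ContentResolver.query": "READ_CONTACTS",
}
SENSITIVE_ACTION_APIS = {"Runtime.exec", "DexClassLoader.<init>", "Cipher.doFinal"}
SENSITIVE_APIS = set(PERMISSION_APIS) | SENSITIVE_ACTION_APIS

def build_profile(trace):
    """Keep sensitive calls in order; collapse immediate repeats so a loop that
    calls one API fifty times contributes one step, not fifty."""
    profile = []
    for api, _args, _ret in trace:
        if api in SENSITIVE_APIS and (not profile or profile[-1] != api):
            profile.append(api)
    return profile

def lcs(a, b):
    """Longest common subsequence: an order-preserving alignment of two profiles."""
    dp = [[[] for _ in range(len(b) + 1)] for _ in range(len(a) + 1)]
    for i in range(len(a)):
        for j in range(len(b)):
            if a[i] == b[j]:
                dp[i + 1][j + 1] = dp[i][j] + [a[i]]
            else:
                dp[i + 1][j + 1] = max(dp[i][j + 1], dp[i + 1][j], key=len)
    return dp[len(a)][len(b)]

def distance(p, q):
    """1 - normalised LCS length: 0 for identical profiles, 1 for disjoint ones."""
    longest = max(len(p), len(q))
    return 1.0 if longest == 0 else 1.0 - len(lcs(p, q)) / longest

def cluster(profiles, cut=0.5):
    """Single-linkage agglomerative clustering = a dendrogram cut at height `cut`:
    merge the closest pairs first, stop once the next distance exceeds the cut."""
    parent = list(range(len(profiles)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    dist = {ij: distance(profiles[ij[0]], profiles[ij[1]])
            for ij in combinations(range(len(profiles)), 2)}
    for (i, j), d in sorted(dist.items(), key=lambda kv: kv[1]):
        if d > cut:
            break
        parent[find(i)] = find(j)
    groups = {}
    for i in range(len(profiles)):
        groups.setdefault(find(i), []).append(i)
    return sorted(groups.values())

def family_features(profiles):
    """Common sequence = LCS over every profile in the group (behaviour every
    sample shows); partial = sensitive APIs only some members call."""
    common = profiles[0]
    for p in profiles[1:]:
        common = lcs(common, p)
    seen = [set(p) for p in profiles]
    return common, sorted(set.union(*seen) - set.intersection(*seen))

def analyse(traces):
    """Traces -> profiles -> dendrogram groups -> (members, common, partial)."""
    names = list(traces)
    profiles = [build_profile(traces[n]) for n in names]
    return [([names[i] for i in g], *family_features([profiles[i] for i in g]))
            for g in cluster(profiles)]

# Constructed traces in the (api, args, return) shape the modified profiler logs;
# famA_*/famB_* stand in for two families (the real Gone60/ADRD traces are not here).
C2, SMS = ("http://c2.example/",), ("1234", "SUB")
TRACES = {
    "famA_1": [("Activity.onCreate", (), None), ("TelephonyManager.getDeviceId", (), "<imei>"),
               ("TelephonyManager.getDeviceId", (), "<imei>"), ("HttpURLConnection.connect", C2, None),
               ("SmsManager.sendTextMessage", SMS, None)],
    "famA_2": [("TelephonyManager.getDeviceId", (), "<imei>"), ("TelephonyManager.getSubscriberId", (), "<imsi>"),
               ("Log.d", ("tag", "sent"), 0), ("HttpURLConnection.connect", C2, None),
               ("SmsManager.sendTextMessage", SMS, None)],
    "famA_3": [("TelephonyManager.getDeviceId", (), "<imei>"), ("HttpURLConnection.connect", C2, None),
               ("Cipher.doFinal", (b"plain",), b"cipher"), ("SmsManager.sendTextMessage", SMS, None)],
    "famB_1": [("ContentResolver.query", ("content://contacts",), "<cursor>"),
               ("LocationManager.getLastKnownLocation", ("gps",), "<loc>"),
               ("HttpURLConnection.connect", ("http://up.example/",), None)],
    "famB_2": [("ContentResolver.query", ("content://contacts",), "<cursor>"),
               ("StringBuilder.append", ("x",), "<sb>"), ("HttpURLConnection.connect", ("http://up.example/",), None)],
}

if __name__ == "__main__":
    for members, common, partial in analyse(TRACES):
        print(members, "\n  common :", common, "\n  partial:", partial)
```

With the constructed traces, the dendrogram cut separates the three `famA_*` profiles from the two `famB_*` profiles; the `famA` common sequence is `getDeviceId -> connect -> sendTextMessage` (the behaviour every sample shows), while `getSubscriberId` and `Cipher.doFinal` come out as partial features that only some samples exhibit. The trigger step the abstracts mention (sending fake broadcasts for the receivers declared in AndroidManifest.xml) is, on a real device or emulator, the standard `adb shell am broadcast -a <action> -n <package>/<receiver>` command; the thesis's own tooling for that step is not described in the abstract.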
