
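Dynamic Detection of Android Malware Based on Network Behavior Analysis

Published: 2018-04-03 23:20

  Topic: Android security  Focus: repackaged malware  Source: China University of Mining and Technology, 2017 master's thesis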


[Abstract]: With the rapid development of smartphones, mobile apps with all kinds of functions cover almost every aspect of daily life, making the smartphone an indispensable tool. While using these apps, people inevitably store personal private information on their phones, and this information becomes a target coveted by attackers. In recent years, as the most popular smartphone operating system, Android has become the main target of malware attacks. Such malware not only steals users' private data but also abuses system resources, disrupts normal use of the device, and can even cause physical damage to it. Research on Android malware detection has become one of the research hotspots in information security in recent years. This thesis analyzes the shortcomings of existing Android malware detection schemes and, through study of Android security mechanisms, Android automated testing, Android software development, and Python data analysis, designs a new dynamic detection scheme for Android malware based on network behavior analysis. The main results are as follows:

1. An automated black-box testing method for Android is designed. It combines two Android test automation techniques, Robotium and Monkey: Monkey drives the ordinary key and touch operations of the application, while Robotium performs precise automation of the application's sensitive operations, such as logging in to an account. This black-box testing method meets the needs of the dynamic detection scheme and achieves high coverage of sensitive operations.

2. An Android network monitoring application is developed. It runs on a device with the Android operating system and, while monitoring, captures the network traffic information of all applications on the device. When monitoring stops, it saves this data locally as a CSV file, which makes subsequent analysis convenient. Compared with other methods of obtaining the network traffic of Android applications, this application is more efficient and easier to deploy: it needs only root permission on the operating system to perform all network monitoring operations.

3. An Android malware detection scheme based on network behavior analysis is proposed. The scheme automatically simulates a user's various operations on the application under test, uses the Android network monitoring tool to capture the network behavior during that process, filters out the data related to the application under test, and extracts the IP address information as the detection feature. The anomaly detection method designed in the thesis then determines whether the application's network behavior contains anomalies, and from that whether the application is malware. Evaluation experiments show that the scheme detects repackaged Android malware with high accuracy.
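[Degree-granting institution]: China University of Mining and Technology
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP309; TP316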
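
The last stage the abstract describes (filter the captured CSV to the application under test, extract remote IP addresses, flag anomalies), as an added example that is not code from the thesis. The CSV columns, package names, the baseline captured from a trusted copy of the same app, and the /24 (IPv4) or /48 (IPv6) prefix comparison are all assumptions; the abstract does not state the thesis's actual anomaly rule.

```python
import csv
import io
import ipaddress

# Constructed sample captures. The column layout is an assumption: the page
# does not give the monitoring tool's real CSV schema.
BASELINE_CSV = """timestamp,uid,package,remote_ip,remote_port
1,10083,com.example.game,203.0.113.10,443
2,10083,com.example.game,203.0.113.27,443
3,10051,com.example.mail,198.51.100.5,993
"""
SUSPECT_CSV = """timestamp,uid,package,remote_ip,remote_port
1,10090,com.example.game,203.0.113.44,443
2,10090,com.example.game,192.0.2.77,8080
3,10090,com.example.game,127.0.0.1,5037
4,10090,com.example.game,not-an-ip,80
5,10051,com.example.mail,198.51.100.5,993
"""
# RFC 1918 ranges: on-device or LAN traffic says nothing about remote servers.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def contacted_networks(csv_text, package):
    """Map each remote network prefix contacted by `package` to the IPs seen in it."""
    nets = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["package"] != package:
            continue  # the capture covers every app; keep only the one under test
        try:
            ip = ipaddress.ip_address(row["remote_ip"].strip())
        except ValueError:
            continue  # malformed capture row
        if ip.is_loopback or ip.is_link_local or any(ip in n for n in LOCAL_NETS):
            continue
        # Compare by prefix so a server rotating within one block is not flagged.
        prefix = 24 if ip.version == 4 else 48
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        nets.setdefault(net, set()).add(str(ip))
    return nets


def anomalous_ips(baseline_csv, suspect_csv, package):
    """Remote IPs the suspect build contacted outside every baseline prefix."""
    known = contacted_networks(baseline_csv, package)
    observed = contacted_networks(suspect_csv, package)
    return sorted(ip for net, ips in observed.items()
                  if net not in known for ip in ips)
```

Rows are matched on package name rather than UID because a repackaged copy is installed under a different UID than the trusted build.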




Article ID: 1707350


Article link: https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/1707350.html

