Security Analysis Method for Android Applications Based on Sensitive Path Identification
[Abstract]: With the rapid improvement of mobile phone hardware and of mobile network quality, mobile phones are now widely used in daily life. Their popularity has made the mobile application market prosper, but it has also brought a large number of malicious applications. Compared with iOS, Android is more open and has many third-party markets with inadequate review mechanisms, which exposes the Android platform to more malicious applications. Android security is closely watched by Android users, and the detection of malicious Android applications has become a hot research topic.

There are four main methods for detecting malicious applications: feature-based methods, static analysis, dynamic analysis and machine learning. Feature-based methods are the more traditional approach and are limited by the library that records malicious applications' signatures; static analysis has high coverage but cannot handle dynamic loading and similar techniques; dynamic analysis has a high detection cost and low execution-path coverage; and the results of machine learning methods depend on which applications are selected for the data set. Each of the four basic methods has its own shortcomings, and combining them is the current trend in this field.

The security analysis method for Android applications based on sensitive path identification uses the sensitive paths in an application as its features. Firstly, to capture malicious behaviors and their triggering conditions in malicious applications, we propose the concept of a sensitive path. The sensitive behaviors are API functions subject to permission checking and functions related to dynamic loading, and the corresponding sensitive trigger is the precondition for the sensitive behavior to occur. If the execution path leading to a sensitive behavior contains no user-interaction-related behavior, the entry point of that execution path is regarded as the sensitive trigger of the behavior; otherwise, the user interaction function that directly leads to the execution of the sensitive behavior is regarded as the sensitive trigger. A sensitive path thus indicates both the sensitive behavior and the action that triggers it. Secondly, the FlowDroid tool is used to obtain the function call graph of the application; then, combined with the Intent Filters in the Manifest file, the Intent parameters defined in the application are analyzed to build the function call relationships between the application's components, which completes the construction of the inter-component function call graph. Thirdly, the extracted sensitive path information cannot be used directly, so to extract features from sensitive paths we propose an abstraction-based feature extraction method. For sensitive triggers, the trigger functions are divided into three categories: hardware triggers, user triggers and system triggers. For sensitive behaviors, the API functions are divided according to the permissions they require.

Finally, we collected 493 APK files from Google Play, Peapod, Drebin and other sources, carried out experiments on the data set composed of these applications, and posed three research questions: the effectiveness of the method, the influence of different sensitive path descriptions on the results, and the influence of APK file size in the data set on the results. The experimental results show that the detection accuracy of the proposed method is higher than that of traditional methods, that high-level sensitive path descriptions improve analysis efficiency but affect detection accuracy, and that APK file size has a certain impact on the detection results.
[Degree-granting institution]: Nanjing University
[Degree level]: Master's
[Year degree granted]: 2016
[Classification number]: TP309; TP316
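The trigger rule and the feature abstraction described in the abstract can be sketched as follows. This is an added example, not code from the thesis: the call graph is hand-constructed in place of FlowDroid output, and the method names, the callback-to-category table and the `DYNAMIC_LOADING` label are assumptions made for illustration.

```python
# Added illustration: graph, method names and category tables are constructed.
CALL_GRAPH = {  # caller -> callees
    "MainActivity.onCreate": ["MainActivity.onClick", "Updater.loadPlugin"],  # registers listener
    "MainActivity.onClick": ["SmsHelper.send", "UploadService.onStartCommand"],  # 2nd edge: Intent
    "SmsHelper.send": ["SmsManager.sendTextMessage"],
    "UploadService.onStartCommand": ["LocationManager.getLastKnownLocation"],
    "Updater.loadPlugin": ["DexClassLoader.<init>"],
    "ShakeListener.onSensorChanged": ["SmsHelper.send"],
}
ENTRY_POINTS = ["MainActivity.onCreate", "ShakeListener.onSensorChanged"]
# Sensitive behaviors: permission-checked APIs and dynamic loading.
SENSITIVE = {
    "SmsManager.sendTextMessage": "SEND_SMS",
    "LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "DexClassLoader.<init>": "DYNAMIC_LOADING",
}
# Assumed mapping from callback name to the three trigger categories.
TRIGGER_CLASS = {"onClick": "user", "onSensorChanged": "hardware", "onCreate": "system"}
USER_INTERACTION = {"onClick"}

def simple_name(method):
    return method.rsplit(".", 1)[1]

def pick_trigger(callers):
    """Nearest user-interaction function before the sink, else the entry point."""
    for method in reversed(callers):
        if simple_name(method) in USER_INTERACTION:
            return method
    return callers[0]

def sensitive_paths(graph, entries, sinks):
    """Return (trigger, sink, path) for each simple path from an entry point to a sink."""
    found = []
    def walk(node, callers):
        if node in sinks:
            found.append((pick_trigger(callers), node, callers + [node]))
            return
        trail = callers + [node]
        for callee in graph.get(node, []):
            if callee not in trail:  # do not follow cycles
                walk(callee, trail)
    for entry in entries:
        walk(entry, [])
    return found

def abstract_features(paths):
    """Abstract each sensitive path to (trigger category, behavior category)."""
    return sorted({(TRIGGER_CLASS[simple_name(t)], SENSITIVE[s]) for t, s, _ in paths})
```

Calling `abstract_features(sensitive_paths(CALL_GRAPH, ENTRY_POINTS, SENSITIVE))` yields the abstracted pairs that a classifier would consume in place of the raw paths.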
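[Citation]: Miao Xiaochuan (缪小川); Security Analysis Method for Android Applications Based on Sensitive Path Identification [D]; Nanjing University; 2016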
Article ID: 2185886
Article link: https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/2185886.html