Research on Dynamic Behavior Detection Technology for Android Software Based on Logs and Components
Published: 2018-12-27 16:17
[Abstract]: With the growing popularity of the Android system, Android applications have emerged in endless numbers, bringing great convenience to daily life. At the same time, the Android system and its applications are also threatened by malware, leading to malicious access to system files, unexplained application crashes, phishing attacks on applications and so on, which exposes users to personal information leakage and even financial loss. Security testing of Android applications is therefore necessary. Currently there are two main approaches to application security testing: static behavior detection and dynamic behavior detection. Compared with static detection, dynamic behavior detection finds vulnerabilities by actually running the application and has the advantages of strong targeting and high accuracy, so this thesis conducts a preliminary study of dynamic behavior detection. Dynamic behavior detection has many possible observation points, such as network data, logs, components, local files, local databases and server-side databases. While an Android application is running, its components are its outermost representation, and most vulnerabilities arise and are exploited in components; logs are the data that best reflect an application's behavioral characteristics at runtime. The observation points for dynamic detection in this thesis are therefore set to logs and components, and the research content covers the following two aspects.

To detect malware, a log-based dynamic behavior detection system is designed and preliminarily implemented. The system counts the frequency of an Android application's system call functions and classifies the result with the K-Means++ machine-learning algorithm to determine whether the application exhibits malicious behavior. The detection system designed according to this scheme consists of a client and a server: the client runs on the Android system and is mainly responsible for collecting the system call frequency information; the server runs on a PC and performs data extraction, filtering and normalization, then analyzes the data with the relevant algorithm.

To detect vulnerabilities in application components, a component-based dynamic behavior detection system is designed and refined. This detection works by analyzing the parameter types received by a given component of an Android application, that is, the parameter types contained in the Intent objects it receives, then dynamically constructing Intent objects containing specific parameters, passing them to the component and starting it. Because components are subject to many vulnerability types, this thesis selects three that are both highly harmful and widespread: local denial-of-service vulnerabilities, Intent-based vulnerabilities and file directory traversal vulnerabilities. The detection system designed according to this scheme again consists of a client and a server: the client runs on the Android system and is mainly responsible for delivering Intent objects to the components of the application under test and starting them; the server is responsible for analyzing the data types each component receives and for constructing the Intent objects, while maintaining real-time communication with the client.

Malware attacks on the Android system and its applications are mainly based on vulnerabilities in the system and its applications, and among these, component vulnerabilities cause the most direct and widespread harm, so timely discovery of component vulnerabilities can effectively reduce the damage malware does. Used together, the two systems detect and remove malware promptly on the one hand and promptly block the paths malware uses on the other, thereby protecting users more effectively.
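The log-based detection stage described above, as an added example that is not the thesis's code: constructed strace-style lines are turned into normalized system-call frequency vectors and clustered with a self-contained K-Means++ implementation. The syscall names, the sample log lines and the two-cluster setup are all assumptions made for illustration.

```python
"""Log-based detection sketch: system-call frequency vectors clustered with
K-Means++ (own implementation, no third-party libraries; sample data is constructed)."""
import random
from collections import Counter

# Constructed strace-style lines, one list per traced application.
SAMPLE_LOGS = {
    "app_benign_1": ["read(3, ...)", "write(4, ...)", "read(3, ...)", "ioctl(5, ...)",
                     "read(3, ...)", "recvfrom(7, ...)"],
    "app_benign_2": ["read(3, ...)", "read(3, ...)", "write(4, ...)", "ioctl(5, ...)",
                     "recvfrom(7, ...)", "read(3, ...)"],
    "app_suspect_1": ["open(...)", "open(...)", "sendto(8, ...)", "sendto(8, ...)",
                      "sendto(8, ...)", "open(...)", "sendto(8, ...)", "execve(...)"],
    "app_suspect_2": ["sendto(8, ...)", "open(...)", "sendto(8, ...)", "execve(...)",
                      "sendto(8, ...)", "open(...)", "sendto(8, ...)", "open(...)"],
}
# Feature order of the frequency vector (assumed subset of syscalls of interest).
SYSCALLS = ["read", "write", "ioctl", "recvfrom", "open", "sendto", "execve"]

def frequency_vector(lines):
    """Count each syscall name (text before '(') and normalize to proportions,
    so apps traced for different lengths of time become comparable."""
    counts = Counter(line.split("(", 1)[0] for line in lines)
    total = sum(counts[s] for s in SYSCALLS) or 1
    return [counts[s] / total for s in SYSCALLS]

def _dist2(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def kmeans_pp(vectors, k, rounds=20, seed=0):
    """K-Means++ seeding (each further center drawn with probability proportional
    to its squared distance from the nearest chosen center), then Lloyd iterations.
    Returns one cluster label per input vector."""
    rng = random.Random(seed)
    centers = [list(rng.choice(vectors))]
    while len(centers) < k:
        d2 = [min(_dist2(v, c) for c in centers) for v in vectors]
        pick = rng.choices(range(len(vectors)), weights=d2 if any(d2) else None)[0]
        centers.append(list(vectors[pick]))
    for _ in range(rounds):
        labels = [min(range(k), key=lambda j: _dist2(v, centers[j])) for v in vectors]
        for j in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == j]
            if members:  # leave an empty cluster's center where it is
                centers[j] = [sum(col) / len(col) for col in zip(*members)]
    return labels

def cluster_apps(logs=SAMPLE_LOGS, k=2):
    names = list(logs)
    return dict(zip(names, kmeans_pp([frequency_vector(logs[n]) for n in names], k)))
```

Which cluster is "malicious" is decided afterwards from labelled samples; clustering alone only separates applications whose syscall profiles differ.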
[Degree-granting institution]: 北京邮电大学 (Beijing University of Posts and Telecommunications)
[Degree level]: Master's
[Year degree awarded]: 2016
[Classification number]: TP316;TP309
Document ID: 2393304
Link: https://www.wllwen.com/kejilunwen/ruanjiangongchenglunwen/2393304.html