基于异常加密流量标注的Android恶意进程识别方法研究

doi:10.3969/j.issn.1671-1122.2020.07.004

摘要/Abstract

摘要：

现有Android恶意样本分析方法需要提前获得待检的样本程序,当待检对象是Android智能终端而非一个样本程序时,因无法确定智能终端内哪个进程为待检恶意进程,导致样本分析法无法有效应用。现有针对恶意加密流量的检测方法可以达到较高的识别精度,但无法确定恶意流量与Android终端内恶意进程的映射关系,即无法确定恶意加密流量是由哪个进程产生的,也就不能锁定恶意进程具体位置信息。针对上述问题,文章提出一种基于异常加密流量标注的Android恶意进程识别方法,通过监听待检Android终端产生的网络通信数据,提取TLS加密通信流DNS特征、TLS握手协商特征和流统计特征,采用基于随机森林算法的二元分类器,识别恶意加密通信流;再通过提取流五元组特征值,在恶意加密通信流与Android终端进程之间建立一一映射关系,确定终端内恶意进程的具体位置。实验结果表明,该方法对复杂网络环境下未知恶意加密流量的检测精确度为97.46%,可根据检测出的恶意加密数据流定位Android终端内的恶意进程。

关键词: TLS协议, 加密流量标注, 五元组, 随机森林, 恶意进程识别

Abstract:

Existing Android malicious sample analysis methods need to obtain the sample program to be checked in advance. When the object to be checked is an android smart terminal instead of a sample program, it is impossible to determine which process in the smart terminal is the malicious process to be checked, which affects the effective application of the sample analysis method. Existing detection methods for malicious encrypted traffic can achieve high recognition accuracy, but it is impossible to determine the mapping relationship between malicious traffic and malicious processes in the android terminal, i.e. Which process generates malicious encrypted traffic cannot be determined, and further the specific location information of malicious processes cannot be locked. In order to solve the above problems, this paper proposes an android malicious process identification method based on anomalous encrypted traffic annotation. By monitoring the network communication data generated by android terminals, DNS characteristics, TLS handshake negotiation characteristics and flow statistical characteristics are extracted, and binary classifier based on random forest algorithm is adopted to identify malicious encrypted communication flow. Then, by extracting the characteristics of the flow 5-tuple, a one-to-one mapping is established between the malicious encrypted communication stream and the android terminal process to determine the specific location of the malicious process in the terminal. The experimental results show that the detection accuracy of the proposed method for unknown malicious encrypted traffic in complex network environment is 97.46%, and malicious processes in android terminals can be located according to the detected malicious encrypted data flow.

Key words: TLS protocol, encrypted traffic annotation, 5-tuple, random forest, malicious process identification

中图分类号:

TP309

徐国天. 基于异常加密流量标注的Android恶意进程识别方法研究[J]. 信息网络安全, 2020, 20(7): 30-41.

XU Guotian. Android Malicious Process Identification Method Based on Abnormal Encrypted Traffic Annotation[J]. Netinfo Security, 2020, 20(7): 30-41.

图/表 10

图1

图2

表1

图3

图4

表2

表3

图5

图6

表4

参考文献 25

[1]	CISCO . Cisco Encrypted Traffic Analytics White Paper[EB/OL]. https://www.cisco.com/c/en/us/solutions/enterprise-networks/enterprise-network-security/eta.html, 2019-7-1.
[2]	VINOD P, ZEMMARI A, CONTI M. A Machine Learning Based Approach to Detect Malicious Android Apps Using Discriminant System Calls[J]. Future Generation Computer Systems, 2019,94(6):333-350.
[3]	HAN Weijie, XUE Jingfeng, WANGYong . MalDAE: Detecting and Explaining Malware Based on Correlation and Fusion of Static and Dynamic Characteristics[J]. Computers and Security, 2019,83(3):208-233. doi: 10.1016/j.cose.2019.02.007 URL
[4]	ZHANG M, DUAN Y, YIN H. Semantics-aware Android Malware Classification Using Weighted Contextual API Dependency Graphs[C]// ACM. Conference on Computer and Communications Security, November 3-7, 2014, Scottsdale, Arizona, USA. New York: ACM, 2014: 1105-1116.
[5]	ARORA A, GARG S. Malware Detection Using Network Traffic Analysis in Android Based Mobile Devices[C]// IEEE. 2014 Eighth International Conference on Next Generation Mobile Apps, September 1-4, 2014, Oxford, United Kingdom. New York: IEEE, 2014: 66-71.
[6]	HU Bin, ZHOU Zhihong, YAO Lihong, et al. TLS Malicious Traffic Detection Based on Combined Features of Packet Payload and Stream Fingerprints[J]. Computer Engineering, 2019,20(10):32-41.
	胡斌, 周志洪, 姚立红, 等. 基于报文负载和流指纹联合特征的TLS恶意流量检测[J]. 计算机工程, 2019,20(10):32-41.
[7]	BLAKE A, SUBHARTHI P, DAVID M. Deciphering Malware’s Use of TLS[J]. Journal of Computer Virology & Hacking Techniques, 2017,3(2):30-45.
[8]	XIE N N, WANG X, WANG W. Fingerprinting Android Malware Families[J]. Frontiers of Computer Science, 2019,13(3):637-646. doi: 10.1007/s11704-017-6493-y URL
[9]	LAYA T H, ANDI F A, ARASH H L. Extensible Android Malware Detection and Family Classification Using Network-Flows and API-Calls[J]. The IEEE(53rd) International Carnahan Conference on Security Technology, 2019,4(1):26-30.
[10]	ARASH H L, ANDI F A. Toward Developing A Systematic Approach to Generate Benchmark Android Malware Datasets and Classification[J]. 52nd IEEE International Carnahan Conference on Security Technology(ICCST), 2018,2(1):40-49.
[11]	CAI H, MENG N, RYDER B. Droidcat: Effective Android Malware Detection and Categorization Via App-level Profiling[J]. IEEE Transactions on Information Forensics and Security, 2019,14(6):1455-1470. doi: 10.1109/TIFS.2018.2879302 URL
[12]	NGUYEN , ARMITAGE . A Survey of Techniques for Internet TrafficClassification Using Machine Learning[J]. Communications Surveys & Tutorials, 2008,10(4):56-76.
[13]	ZANDER , NGUYEN , ARMITAGE . Automated Traffic Classificationand Application Identification Using Machine Learning[J]. The 30thIEEE Conference on Local Computer Networks, 2005,12(1):250-257.
[14]	LI Hao, MA Kun, CHEN Zhenxiang, et al. Unknown Malware Detection Based on Network Traffic Analysis[J]. Journal of Jinan University, 2019,33(6):500-505.
	李浩, 马坤, 陈贞翔, 等. 基于网络流量分析的未知恶意软件检测[J]. 济南大学学报, 2019,33(6):500-505.
[15]	LI Hongling, ZHAN Yi. Statistics Analysis and Research on Common Permissions of Android Malwares[J]. Computer Technology and Development, 2017,27(11):132-136.
	李红灵, 詹翊. Android恶意程序常用权限分析及统计研究[J]. 计算机技术与发展, 2017,27(11):132-136.
[16]	MALHOTRA A. Android Malware: Study and Analysis of Malware for Privacy Leak in Ad-hoc Network[J]. International Journal of Computer Science & Network Security, 2013,12(3):39-43.
[17]	LIU Xiaojian, LEI Qian, DU Xi, et al. Static Detection Approach for Android Malware Based on Multi-level Features[J]. Journal of Huazhong University of Science and Technology, 2020,48(2):1-7.
	刘晓建, 雷倩, 杜茜, 等. 多层次特征的Android恶意程序静态检测方法[J]. 华中科技大学学报, 2020,48(2):1-7.
[18]	ENCK W, GILBERT P, HAN S. TaintDroid:An Information-flow Tracking System for Realtime Privacy Monitoring on Smartphones[J]. ACM Transactions on Computer Systems, 2014,32(2):99-106.
[19]	ZHANG Xuetao, SUN Meng, WANG Jinshuang. Multi-Granularity Android Malware Fast Detection Based on Opcode[J]. Journal of Network and Information Security, 2019,5(6):85-94.
	张雪涛, 孙蒙, 王金双. 基于操作码的安卓恶意代码多粒度快速检测方法[J]. 网络与信息安全学报, 2019,5(6):85-94.
[20]	WANG Run, TANG Benxiao, WANG Lina. Deeprd: Android Repackaging Application Detection Method Based on Siamese LSTM Network[J]. Journal on Communications, 2018,39(8):69-82.
	汪润, 唐奔宵, 王丽娜. 基于Siamese LSTM网络的Android重打包应用检测方法[J]. 通信学报, 2018,39(8):69-82.
[21]	SHABTAI A, MOSKOVITCH R, FEHER C. Detecting Unknown Malicious Code by Applying Classification Techniques on Opcode Patterns[J]. Security Informatics, 2012,1(1):1-22. doi: 10.1186/2190-8532-1-1 URL
[22]	YERIMA S Y, SEZER S, MUTTIK I. High Accuracy Android Malware Detection Using Ensemble Learning[J]. Information Security, 2016,9(6):313-320.
[23]	XU Yichao, YUAN Qianting, XU Jian. Fine-Grained Android Malware Classification with Behavior Features[J]. Application Research of Computers, 2019,37(10):21-27.
	许逸超, 袁倩婷, 徐建. 基于静态行为特征的细粒度Android恶意软件分类[J]. 计算机应用研究, 2019,37(10):21-27.
[24]	WEI F, LI Y, ROY S. Deep Ground TruthAnalysis of Current Android Malware[J]. International Conference on Detection of Intrusions and Malware, 2017,10(2):252-276.
[25]	ALLIX , BISSYANDE , KLEIN . Androzoo: Collecting Millions of Android Apps for the Research Community[J]. Mining Software Repositories, 2016,20(2):46-53.

root@:~# netstat - anop
Proto	Local Address	Foreign Address	State	PID/Program name
TCP	192.168.137.163:39510	123.126.45.26:443	ESTABLISHED	1384/firefox-esr
TCP	192.168.137.163:41248	117.18.237.29:80	ESTABLISHED	1384/firefox-esr
UDP	0.0.0.0:68	o.o.o.o：*		647/dhclient

Stream Num	Proto	Local Address	Foreign Address	State	PacketNum
1	TCP	192.168.137.163:36570	123.125.31.59:443	ESTABLISHED_1	102.103...
2	TCP	192.168.137.163:53324	218.61.192.227:443	SYN-RCVD-1	204
3	UDP	192.168.137.163:38423	192.168.137.2:53	DNS-RECV	162.164...

Proto	Local Address	Foreign Address	State	PID	Program name	Packet Num
TCP	192.168.137.163:36570	123.125.31.59:443	ESTABLISHED	2910	malware-samp	102.103...
TCP	192.168.337.163:53324	218.61.192.227:443	SYN_SEND	1136	firefox-esr	204
UDP	192.168.137.163:38423	192.168.137.2:53	ESTABLISHED	2910	malware-samp	162.164 …

特征集	数据集	Accuracy	precision	recall	F1_measure
3类特征	数据集1	0.9832	0.9746	0.9923	0.9834
3类特征	数据集2	0.9721	0.9643	0.9862	0.9751
2类特征	数据集1	0.9162	0.9286	0.9042	0.9162
2类特征	数据集2	0.829	0.8672	0.7834	0.8232