基于多层次交叉视图分析的Android系统恶意行为监控方法研究

doi:10.3969/j.issn.1671-1122.2016.07.007

信息网络安全 ›› 2016, Vol. 16 ›› Issue (7): 40-46.doi: 10.3969/j.issn.1671-1122.2016.07.007

基于多层次交叉视图分析的Android系统恶意行为监控方法研究

杨静雅, 罗森林, 朱帅, 曲乐炜

北京理工大学信息系统及安全对抗实验中心,北京 100081

收稿日期:2016-04-05 出版日期:2016-07-20 发布日期:2020-05-13
作者简介:
作者简介：杨静雅（1992—）,女,贵州,硕士研究生,主要研究方向为信息安全;罗森林（1968—）男,河北,教授,博士,主要研究方向为信息安全、数据挖掘、文本安全;朱帅（1993—）,男,湖北,硕士研究生,主要研究方向为信息安全;曲乐炜（1992—）,男,山东,硕士研究生,主要研究方向为信息安全。
基金资助:
国家242信息安全计划[2005C48]

Research on Method of Android System Malware Behavior Monitoring Based on Multi-level and Cross-view Analysis

Jingya YANG, Senlin LUO, Shuai ZHU, Lewei QU

Information System and Security & Countermeasures Experimental Center, Beijing Institute of Technology, Beijing 100081, China

Received:2016-04-05 Online:2016-07-20 Published:2020-05-13

摘要/Abstract

摘要：

现有的Android系统行为监控方法,或需重新编译系统,或需改动被监控软件,且大多数监控不全面,无法识别恶意代码隐藏行为。针对这些问题,文章提出了一种基于多层次交叉视图分析的Android系统恶意行为监控方法。该方法基于进程注入和可加载内核模块技术,在Java层、Native层和Kernel层对恶意行为进行监控,获取行为监控表,并通过交叉视图对比分析,识别恶意代码的隐藏行为。最后,文章在Android模拟器环境下,利用能够覆盖主要恶意行为的12种恶意代码进行实验,结果表明,该方法对恶意行为的监控准确率达到了91.43%,并能有效检测其隐藏行为,监控粒度细、实用性强。

关键词: Android系统, 行为监控, 交叉视图

Abstract:

The existing methods applying to behavior monitoring of Android system need to either recompile the system or alter the applications which is monitored. Most of them are not comprehensive enough and cannot identify the hidden behaviors of malicious codes. According to the problems raised before, this paper proposes a method of Android system malware behavior monitoring which bases on multi-level and cross-view analysis. The paper uses the technology of process injection and loadable kernel, which monitors malware behavior in Java level, Native level and Kernel level. Then this paper obtains the result of behavior monitoring and identifies the hidden behaviors by cross-view analysis. Under Android simulator environment, the experiment uses 12 kinds of malware which can cover most of the malware behaviors. The results shows that the monitoring accuracy rate of malicious behavior reaches to 91.43%, and the method can detect the hidden behaviors effectively. So it has fine audit granularity and strong practicality.

Key words: Android system, behavior monitoring, cross-view

中图分类号:

TP309

杨静雅, 罗森林, 朱帅, 曲乐炜. 基于多层次交叉视图分析的Android系统恶意行为监控方法研究[J]. 信息网络安全, 2016, 16(7): 40-46.

Jingya YANG, Senlin LUO, Shuai ZHU, Lewei QU. Research on Method of Android System Malware Behavior Monitoring Based on Multi-level and Cross-view Analysis[J]. Netinfo Security, 2016, 16(7): 40-46.

图/表 6

参考文献 17

[1]	AVL移动安全. 2014年Android恶意代码发展报告[EB/OL]. .
[2]	360互联网安全中心. 2015年第二季度中国手机安全状况报告[EB/OL]. .
[3]	BURGUERA I, ZURUTUZA U, NADJM-TEHRANI S.Crowdroid: Behavior-based Malware Detection System for Android[C]//ACM. 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, October 17-21, 2011, Chicago, USA. New York: ACM, 2011: 15-25.
[4]	RUSSELLO G, JIMENEZ A B, NADERI H, et al.FireDroid: Hardening Security in Almost-stock Android[C]//ACM. 29th Annual Computer Security Applications Conference, December 9-13, 2013, Louisiana, USA. New York: ACM, 2013: 319-328.
[5]	ENCK W, GIBERT P, HAN S, et al.TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones[J]. ACM Transactions on Computer Systems, 2014, 32(2): 393-407.
[6]	DAVIS B, SANDERS B, KHODAVERDIAN A, et al. I-ARM-Droid: A Rewriting Framework for In-App Reference Monitors for Android Applications[EB/OL]. .
[7]	XU Rubin, SAÏDI H, ANDERSON R. Aurasium: Practical Policy Enforcement for Android Applications[C]//USENIX. 21st USENIX Conference on Security Symposium, August 8-10, 2012, Bellevue, Washington, USA. New York: ACM, 2012: 27.
[8]	PENG Guojun, SHAO Yuru, WANG Taige, et al.Research on Android Malware Detection and Interception Based on Behavior Monitoring[J]. Wuhan University Journal of Natural Sciences, 2012, 17(5): 421-427.
[9]	QIU Lingzhi, ZHANG Zixiong, SHEN Ziyi, et al.AppTrace: Dynamic Trace on Android Devices[C]//IEEE. 2015 IEEE International Conference on Communications (ICC), June 8-12, 2015, London, UK. New Jersey: IEEE, 2015: 7145-7150.
[10]	JEONG Y, LEE H T, CHO S J, et al.A Kernel-based Monitoring Approach for Analyzing Malicious Behavior on Android[C]//ACM. 29th Annual ACM Symposium on Applied Computing, March 24-28, 2014.New York: ACM, 2014: 1737-1738.
[11]	PAN Xuerui, ZHONGYANG Yibin, XIN Zhi, et al.Defensor: Lightweight and Efficient Security-enhanced Framework for Android[C]//IEEE. 2014 IEEE 13th International Conference on Trust, Security and Privacy in Computing and Communications, September 24-26, 2014, Beijing, China. New Jersey: IEEE, 2015: 260-267.
[12]	YAN L K, YIN Heng.DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis[C]// USENIX. 21st USENIX Conference on Security Symposium, August 8-10, 2012, Bellevue, Washington, USA. New York: ACM, 2012: 29.
[13]	YD/T 2439-2012,移动互联网恶意程序描述格式[S]D/T 2439-2012, 移动互联网恶意程序描述格式[S]. 北京:人民邮电出版社,2012.
[14]	ZHOU Yajian, JIANG Xuxian.Dissecting Android Malware: Characterization and Evolution[C]//IEEE. 2012 IEEE Symposium on Security and Privacy, May 20-23, 2012, San Francisco, USA. New Jersey: IEEE, 2012: 95-109.
[15]	贾同彬,蔡阳,王跃武,等. 一种面向普通用户的Android APP安全性动态分析方法研究[J]. 信息网络安全,2015(9):1-5.
[16]	Google. UI/Application Exerciser Monkey[EB/OL]. .
[17]	朱筱赟,胡爱群,邢月秀,等.基于Android平台的移动办公安全方案综述[J]. 信息网络安全,2015(1):76-83.

基于多层次交叉视图分析的Android系统恶意行为监控方法研究

Research on Method of Android System Malware Behavior Monitoring Based on Multi-level and Cross-view Analysis

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 6

参考文献 17

相关文章 15

编辑推荐

Metrics

本文评价

[1]	陆德冰, 崔浩亮, 张文, 牛少彰. 基于Intent过滤的应用安全加固方案[J]. 信息网络安全, 2017, 17(11): 67-73.
[2]	曲乐炜, 罗森林, 孙志鹏, 朱帅. Android系统数据完整性检测方法研究[J]. 信息网络安全, 2016, 16(8): 61-67.
[3]	李亚萌, 何泾沙. 基于Hash的YAFFS2文件各版本恢复算法研究[J]. 信息网络安全, 2016, 16(5): 51-57.
[4]	丁庸, 曹伟, 罗森林. 基于LKM系统调用劫持的恶意软件行为监控技术研究[J]. 信息网络安全, 2016, 16(4): 1-8.
[5]	李汶洋. Android操作系统恶意软件检测技术研究[J]. 信息网络安全, 2015, 15(9): 62-65.
[6]	叶嘉羲, 张权, 王剑. 基于权限控制和脚本检测的Webview漏洞防护方案研究[J]. 信息网络安全, 2015, 15(3): 38-43.
[7]	郝增帅, 郭荣华, 文伟平, 孟正. 基于特征分析和行为监控的未知木马检测系统研究与实现[J]. 信息网络安全, 2015, 15(2): 57-65.
[8]	黄可臻，李宇翔，林柏钢. 基于Android的隐私数据安全保护系统[J]. 信息网络安全, 2014, 14(9): 54-57.
[9]	. 移动终端数据泄露动态监控系统[J]. , 2014, 14(5): 68-.
[10]	李平;湛家伟;任伟. Android环境下基于分形混沌的语音隐蔽通信系统的实现[J]. , 2013, 13(9): 0-0.
[11]	林佳华;任伟;贾磊雷. Android手机隐私保护系统的设计与实现[J]. , 2013, 13(7): 0-0.
[12]	冯帆;罗森林. 基于VMM的Rootkit检测技术及模型分析[J]. , 2013, 13(6): 0-0.
[13]	张中文;雷灵光;王跃武. Android Permission机制的实现与安全分析[J]. , 2012, 12(8): 0-0.
[14]	毕俊浩;叶翰嘉;王笑臣;孙国梓. 基于语音识别的安全认证系统[J]. , 2012, 12(11): 0-0.
[15]	董蕾;黄淑华;尹浩然;杨晶. 基于Android平台的手机木马关键技术分析[J]. , 2012, 12(11): 0-0.