Research on Dynamic Behavior Detection Technology for Android Software Based on Logs and Components
[Abstract]: With the growing popularity of the Android system, Android applications keep emerging and bring great convenience to daily life. At the same time, the Android system and its applications are threatened by malware: system files are accessed maliciously, applications crash inexplicably, applications are targeted by phishing, and so on, exposing users to leakage of personal information and even loss of property. Security testing of Android applications is therefore necessary. There are currently two main approaches to application security testing: static behavior detection and dynamic behavior detection. Compared with static behavior detection, dynamic behavior detection finds vulnerabilities by running the application; it is strongly targeted and highly accurate, so this paper focuses on dynamic behavior detection. Dynamic behavior detection has many possible detection points, such as network data, logs, components, local files, local databases and server-side databases. Since components are the outermost representation of an Android application, most vulnerabilities arise and are exploited at the components, while logs best reflect the behavioral characteristics of an application at run time. The dynamic detection points of this paper are therefore logs and components. The research covers the following two aspects.

To detect malware, a log-based dynamic behavior detection system is designed and implemented. The system uses the frequency information of the system calls made by an Android application and classifies it with the K-Means machine learning algorithm to identify the application's malicious behavior. Under this scheme, the detection system is divided into a client and a server. The client runs on the Android system and is mainly responsible for collecting system-call frequency information. The server runs on a PC and mainly performs data extraction, filtering and normalization, then analyzes the data with the relevant algorithms.

To detect vulnerabilities in application components, a component-based dynamic behavior detection system is designed and refined. Detection works by analyzing the parameter types received by a given component of an Android application, that is, the parameter types contained in the received Intent object, then dynamically constructing an Intent object containing specific parameters, passing it to the component and starting it. Because components can have many kinds of vulnerabilities, this paper selects three harmful and common kinds to detect: local denial-of-service vulnerabilities, Intent-based vulnerabilities and file directory traversal vulnerabilities. Under this scheme, the detection system is again divided into a client and a server. The client runs on the Android system and is mainly responsible for passing the Intent object to the component under test and starting that component. The server is mainly responsible for analyzing the data types the component receives and constructing the Intent object, and it maintains real-time communication with the client.

Malware attacks on the Android system and its applications rely mainly on vulnerabilities in the system and the applications. Among these, component vulnerabilities are the most direct and widespread, so discovering them promptly can effectively reduce the harm done by malware. Combined, the two systems can detect and remove malware promptly on the one hand and block exploitation by malware in a timely manner on the other, protecting users more effectively.
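The log-based pipeline described above (collect system-call frequencies, filter, normalize, cluster with K-Means) is illustrated below. This is an added example, not code from the thesis: the tracked syscall list, the app names, the counts and the known-benign baseline used to decide which cluster gets flagged are all assumptions constructed for illustration.

```python
import math

# Assumed feature set; the abstract does not list which syscalls are tracked.
SYSCALLS = ["read", "write", "open", "ioctl", "sendto", "connect"]

# Constructed per-app syscall counts, as a client-side collector might report them.
SAMPLES = {
    "app_notes":  {"read": 820, "write": 410, "open": 150, "ioctl": 600, "sendto": 12, "connect": 3, "futex": 900},
    "app_camera": {"read": 700, "write": 350, "open": 130, "ioctl": 900, "sendto": 20, "connect": 5},
    "app_reader": {"read": 1500, "write": 600, "open": 260, "ioctl": 1100, "sendto": 30, "connect": 8},
    "app_x":      {"read": 200, "write": 90, "open": 40, "ioctl": 100, "sendto": 950, "connect": 400},
    "app_y":      {"read": 150, "write": 60, "open": 25, "ioctl": 80, "sendto": 700, "connect": 310},
}

def normalise(counts):
    """Drop untracked syscalls, then scale counts to relative frequencies."""
    kept = [counts.get(name, 0) for name in SYSCALLS]
    total = sum(kept)
    return [c / total if total else 0.0 for c in kept]

def kmeans(points, k=2, iters=100):
    """Plain K-Means with deterministic farthest-point seeding; returns labels."""
    centroids = [points[0]]
    while len(centroids) < k:
        centroids.append(max(points, key=lambda p: min(math.dist(p, c) for c in centroids)))
    labels = None
    for _ in range(iters):
        new = [min(range(k), key=lambda i: math.dist(p, centroids[i])) for p in points]
        if new == labels:
            break
        labels = new
        for i in range(k):
            members = [p for p, l in zip(points, labels) if l == i]
            if members:  # keep the old centroid if a cluster empties
                centroids[i] = [sum(col) / len(members) for col in zip(*members)]
    return labels

def flag_apps(samples, known_benign):
    """Flag every app that does not share a cluster with the known-benign baseline."""
    names = list(samples)
    labels = kmeans([normalise(samples[n]) for n in names])
    benign = labels[names.index(known_benign)]
    return sorted(n for n, l in zip(names, labels) if l != benign)

if __name__ == "__main__":
    print(flag_apps(SAMPLES, known_benign="app_notes"))
```

Normalizing to relative frequencies keeps a busy benign app (app_reader) in the same cluster as quieter ones, so the split is driven by the call mix rather than by raw volume.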
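[Degree-granting institution]: Beijing University of Posts and Telecommunications
[Degree level]: Master's
[Year degree granted]: 2016
[Classification number]: TP316;TP309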