Computer Science (计算机科学) ›› 2017, Vol. 44 ›› Issue (6): 161-167. doi: 10.11896/j.issn.1002-137X.2017.06.027

• Information Security •

A Two-layer Semantics-based Security Detection Method for Android Native Libraries

YE Yi-lin, WU Li-fa, YAN Hui-ying

  1. College of Command Information Systems, PLA University of Science and Technology, Nanjing 210007 (all three authors)
  • Publication date: 2018-11-13 Online date: 2018-11-13
  • Funding:
    This work was supported by the Natural Science Foundation of Jiangsu Province (BK20131069)

Two-layer Semantics-based Security Detection Approach for Android Native Libraries

YE Yi-lin, WU Li-fa and YAN Hui-ying   

  • Online:2018-11-13 Published:2018-11-13

Abstract (translated from the Chinese): Native code is widely used in Android applications and gives attackers a new attack vector, so its security problems cannot be ignored. Existing Android malware detection schemes mainly analyze Java code or the Dalvik bytecode compiled from Java code, and neglect the analysis of native code. To address this shortcoming, this paper proposes a two-layer semantics-based security detection method for native libraries. First, the Java-layer semantics of native methods is analyzed: native method call paths are extracted, and the data-flow dependence between native methods and the Java layer, as well as the entry points of the native method call paths, are analyzed. For native-code semantics, five classes of suspicious behaviour are defined (data upload, data download, reading or writing of sensitive paths, sensitive strings, and suspicious method calls), and the internal behaviour of native code is analyzed automatically with IDA Pro and IDA Python. Using the open-source machine learning tool Weka, with the two-layer semantics as data features, 5336 benign applications and 3426 malicious applications were analyzed; the best detection rate reached 92.4%, which shows that the proposed method can effectively detect the security of native libraries.

Keywords: Android application, malware detection, semantics, native library, machine learning

Abstract: Native code has been widely used in Android applications, providing a new attack vector for attackers and raising increasing security concerns. Existing Android malware detection approaches mainly focus on the analysis of Java code or the Dalvik code compiled from Java code, ignoring the native code used in Android applications. To combat this emerging threat, this paper proposes a two-layer semantics-based security detection method for Android native libraries. To begin with, on the basis of native method call paths, the semantics of native methods in the Java layer is extracted by analyzing the data dependence between native methods and Java methods and the type of the entry points of native method call paths. For the semantics of native code in the native layer, five kinds of suspicious behaviors are defined: data uploading, data downloading, reading or writing in sensitive system paths, sensitive strings, and suspicious calling of Java methods. IDA Pro and IDA Python are utilized to analyze these behaviors of native code automatically. Experiments are evaluated using the open-source machine learning tool Weka with 5336 benign Android applications and 3426 Android malware samples, and the results show that the best accuracy reaches 92.4%. This proves that the method can effectively detect the security of native libraries used in Android applications.

Key words: Android application, Malware detection, Semantics, Native library, Machine learning
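The native-layer behaviour extraction and Weka feature encoding that the abstract describes, as an added example that is not part of the paper or of this page: it stands in for the IDA Pro / IDA Python disassembly pass with a strings(1)-style scan over a constructed byte blob (marked as constructed in the code), matches each recovered string against the five suspicious-behaviour categories, and writes the per-category counts as a Weka ARFF instance. The category names, the indicator patterns, the count encoding and the sample library contents are all assumptions for illustration; the page does not give the paper's own definitions.

```python
"""Stand-in for the native-layer semantics step: a strings(1)-style scan over a
constructed byte blob replaces the IDA Pro / IDA Python pass, each recovered
string is matched against the five suspicious-behaviour categories from the
abstract, and the result is emitted as a Weka ARFF instance. Indicator patterns
and the count encoding are assumptions for illustration, not the paper's."""
import re

# The five categories named in the abstract, in a fixed order so that feature
# vectors line up across libraries.
CATEGORIES = (
    "data_upload",
    "data_download",
    "sensitive_path_rw",
    "sensitive_string",
    "suspicious_java_call",
)

# Assumed indicator patterns, applied to one recovered string at a time.
# Anchored patterns target symbol names, unanchored ones free-form data strings.
PATTERNS = {
    "data_upload": [r"^send$", r"^sendto$", r"^POST ", r"multipart/form-data"],
    "data_download": [r"^recv$", r"^recvfrom$", r"^https?://", r"^GET "],
    "sensitive_path_rw": [r"^/system/", r"/data/data/", r"^/proc/", r"^/dev/"],
    "sensitive_string": [r"\bsu\b", r"\bchmod\b", r"\binsmod\b", r"\bbusybox\b"],
    # Native code that calls back into Java through JNI keeps the class and
    # method names as strings; these are the ones flagged here.
    "suspicious_java_call": [
        r"^android/telephony/(SmsManager|TelephonyManager)$",
        r"^java/lang/Runtime$",
        r"^dalvik/system/DexClassLoader$",
        r"^(sendTextMessage|getDeviceId|getSubscriberId|exec|loadClass)$",
    ],
}

# Constructed sample mimicking the .rodata/.dynstr contents of a native
# library; not taken from any real application.
SAMPLE_LIBRARY = b"".join([
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9,  # ELF-looking magic, not a valid ELF
    b"libutils.so\x00",
    b"JNI_OnLoad\x00",
    b"Java_com_example_utils_NativeHelper_run\x00",
    b"Hello from JNI\x00",
    b"/system/bin/su\x00",
    b"/proc/self/maps\x00",
    b"chmod 755 /data/data/com.example/files/payload\x00",
    b"http://example.invalid/collect.php\x00",
    b"POST /collect.php HTTP/1.1\x00",
    b"android/telephony/TelephonyManager\x00",
    b"getDeviceId\x00",
    b"android/telephony/SmsManager\x00",
    b"sendTextMessage\x00",
    b"recv\x00send\x00strlen\x00memcpy\x00",
    b"\x01\x02\x03",
])


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Recover runs of at least min_len printable ASCII bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def classify(strings) -> dict:
    """Assign each string to every category whose patterns it matches. One
    string may land in several categories, e.g. a sensitive path that is also
    a sensitive command, which mirrors how behaviour evidence overlaps."""
    hits = {cat: [] for cat in CATEGORIES}
    for s in strings:
        for cat in CATEGORIES:
            if any(re.search(p, s) for p in PATTERNS[cat]):
                hits[cat].append(s)
    return hits


def feature_vector(hits: dict) -> list:
    """Per-category hit counts in CATEGORIES order (assumed encoding)."""
    return [len(hits[cat]) for cat in CATEGORIES]


def arff_header() -> str:
    """Weka ARFF header declaring the five numeric attributes and the class."""
    lines = ["@relation native_lib_semantics"]
    lines += [f"@attribute {cat} numeric" for cat in CATEGORIES]
    lines += ["@attribute class {benign,malicious}", "@data"]
    return "\n".join(lines)


def arff_instance(blob: bytes, label: str) -> str:
    """One @data row: the five counts followed by the analyst's ground-truth label."""
    vec = feature_vector(classify(extract_strings(blob)))
    return ",".join(str(v) for v in vec) + "," + label


if __name__ == "__main__":
    print(arff_header())
    # "malicious" is the assumed label for the constructed sample.
    print(arff_instance(SAMPLE_LIBRARY, "malicious"))
```

Running the file prints the ARFF header and one instance. On a real library the same scan would be fed with the `.rodata` and `.dynstr` sections (or the string and import listings IDA produces), and the Java-layer features the abstract describes, entry-point type and data dependence along the native method call paths, would be appended as further attributes before the relation is loaded into Weka for training.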

