
Malicious Code Detection And Defense Based On Intention Perception

Posted on: 2017-10-13
Degree: Doctor
Type: Dissertation
Country: China
Candidate: P W Li
GTID: 1368330512454957
Subject: Information security

Abstract/Summary:
With the development of computer technologies and Internet applications, malicious code has become a common problem for all computer users. Existing software behavior analysis techniques and tools do not meet the requirements of malicious code detection and software security flaw detection. In this study, the intentions of the terminal user, the attacker and the software developer are perceived through program behavior analysis, so as to reveal the underlying causes, full course and final results of security-sensitive behavior and to deepen the understanding of program behavior. On this basis, new methods for abnormal behavior detection, malicious code detection and security defect detection are proposed. The main points of this study are listed as follows:

1. Security-sensitive behaviors in Android applications (apps for short) may or may not be malicious. We propose that a fundamental difference between malicious and benign behaviors is that their corresponding user intentions differ, i.e., whether there is an association between the app behavior and the user's intention. Based on this observation, we first design and implement IBdroid, which precisely monitors user interfaces, user actions and security-sensitive behaviors of apps. Then user intention features, which capture the correlation between user intention and app behavior from the time, process, semantic and data perspectives, are extracted from the records obtained by IBdroid. Finally, an approach using these user intention features is proposed to differentiate benign from malicious behaviors. In our evaluation, we correctly identify 333 out of 354 security-sensitive behaviors, achieving 96.43% precision and 91.53% recall; this result demonstrates that our approach can effectively and accurately detect and block malicious behaviors of Android apps.
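The time, process, semantic and data perspectives described in point 1 can be made concrete with a small correlation check over a behavior trace. The following Python example is added here for illustration and is not IBdroid or any code from the dissertation: the record format, the keyword vocabulary in SEMANTIC_HINTS, the 3-second window and the trace itself are all assumptions constructed for the example. It flags a sensitive API call as suspicious when no user action in the same component precedes it closely, or when the preceding action neither announces the behavior nor supplies its data.

```python
from dataclasses import dataclass

# Constructed records in the spirit of what an IBdroid-style monitor would log
# (a hypothetical format for this example, not the dissertation's own).
# Times are seconds since app start.

@dataclass
class UserAction:
    t: float
    activity: str          # the UI component the user was interacting with
    widget_text: str       # label of the control the user touched
    typed: str = ""        # text the user had entered on that screen, if any

@dataclass
class SensitiveBehavior:
    t: float
    activity: str          # the component whose code triggered the API call
    api: str
    args: tuple = ()

# Semantic perspective: words on a widget that plausibly announce each
# sensitive API. An assumed vocabulary for the example.
SEMANTIC_HINTS = {
    "sendTextMessage": {"send", "sms", "message"},
    "getDeviceId": {"register", "activate", "login"},
    "getLastKnownLocation": {"map", "locate", "nearby", "weather"},
}
TIME_WINDOW = 3.0  # seconds: a behavior must follow an action this closely (assumed)

def intention_features(behavior, actions, window=TIME_WINDOW):
    """Correlate one sensitive behavior with the user actions that preceded it.

    Returns three boolean intention features:
    time/process: an action in the same activity shortly before the behavior;
    semantic:     that action's widget text announces this kind of API;
    data:         text the user typed flows into the API's arguments.
    """
    candidates = [a for a in actions
                  if a.activity == behavior.activity and 0 <= behavior.t - a.t <= window]
    prior = max(candidates, key=lambda a: a.t, default=None)
    feats = {"time": prior is not None, "semantic": False, "data": False}
    if prior is not None:
        words = set(prior.widget_text.lower().split())
        feats["semantic"] = bool(words & SEMANTIC_HINTS.get(behavior.api, set()))
        feats["data"] = bool(prior.typed) and any(prior.typed in str(a) for a in behavior.args)
    return feats

def verdict(behavior, actions):
    """Benign when the behavior is tied to a user action in time and backed by
    semantic or data evidence; otherwise it is spontaneous and gets flagged."""
    f = intention_features(behavior, actions)
    return "benign" if f["time"] and (f["semantic"] or f["data"]) else "suspicious"

def audit(actions, behaviors):
    """Return (api, time, verdict) for every recorded sensitive behavior."""
    return [(b.api, b.t, verdict(b, actions)) for b in behaviors]

# Constructed trace: the user composes and sends an SMS; later, with nobody
# touching the screen, the same app sends an SMS to a short code.
ACTIONS = [
    UserAction(8.0, "ComposeActivity", "To", typed="+15551234"),
    UserAction(10.0, "ComposeActivity", "Send message", typed="+15551234"),
    UserAction(20.0, "MainActivity", "Settings"),
]
BEHAVIORS = [
    SensitiveBehavior(10.4, "ComposeActivity", "sendTextMessage", ("+15551234", "hi")),
    SensitiveBehavior(20.5, "MainActivity", "getDeviceId"),
    SensitiveBehavior(42.0, "ComposeActivity", "sendTextMessage", ("1066", "ABC")),
]

if __name__ == "__main__":
    for api, t, v in audit(ACTIONS, BEHAVIORS):
        print(f"{t:6.1f}s {api:<20} {v}")
```

The second behavior shows the trade-off the abstract's precision and recall figures reflect: reading the device ID right after a tap on "Settings" is tied to a user action in time, but nothing semantic or data-related supports it, so this rule flags it; a richer vocabulary or a data-flow feature would be needed to decide it.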
For the Windows operating system, a method to automatically identify the window associated with a system resource access is also proposed, which supports the detection of abnormal access to system resources.

2. It is difficult to differentiate between malicious and benign operations during Android app analysis. Firstly, the characteristics of malicious operations, such as spontaneity, independence, stealthiness and continuity, are identified. Secondly, according to these characteristics, attack intention features (AIFs for short) are presented, including topology features (e.g., the in-degree and out-degree of nodes in the ICFG) and API features (e.g., the number of GUI APIs and data-save APIs). Thirdly, an analysis prototype, SSdroid, is implemented to automatically extract SSBFs of security-sensitive operations. Finally, four different types of machine-learning-based classifiers leveraging SSBFs are employed to identify malicious operations among 6730 security-sensitive operations, and our experimental results demonstrate that SSBFs can differentiate malicious and benign operations with high accuracy.

3. One of the main sources of system and software security defects is that the developer failed to realize their protective intention. Firstly, the sensitive objects and their corresponding protection requirements are discovered through defense intention awareness. Then, lifecycle models of the sensitive objects are established, and defense integrity and strength analysis as well as attack surface analysis are performed to evaluate the developer's defense method. Finally, security defect detection is achieved. Following this approach, a method for detecting security defects in inter-component communication is presented, which finds the following defects in inter-component communication: the use of implicit intents leads to component hijacking and information leakage, and a risk of permission leakage exists in public components.
Based on awareness of developer intention and lifecycle models of keyboard input information, many different kinds of defects in sensitive-information input protection and soft keyboards were found. In addition, a soft keyboard layout randomization method based on cellular automata is proposed, which performs well in both security and usability.

4. Elastic mobile cloud computing (EMCC) enables seamless and transparent use of cloud resources to augment the capability of mobile devices by offloading part of the mobile device's tasks to the cloud according to real-time user requirements. First, based on a survey of existing EMCC systems, a common EMCC framework is built; we then point out that the execution of EMCC applications may lead to privacy leakage and information flow hijacking. An EMCC framework is then proposed in which security risks are treated as costs of EMCC, so that the framework can ensure that using EMCC benefits the mobile device user. Since the major difficulties in implementing this framework are risk quantification and the annotation of security-sensitive methods, a risk quantification method is designed and a tool that automatically annotates security-sensitive methods is implemented. The validity of this tool is confirmed by experiments.
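Point 2 names two feature families, ICFG topology (in-degree and out-degree) and API counts (GUI APIs, data-save APIs), but the abstract does not spell out how they are computed for one security-sensitive operation. The Python example below is added to show one way to do it and is not SSdroid or any code from the dissertation: the call graph, the API class lists and the single-threshold rule standing in for the trained classifiers are all constructed assumptions. For each call site of a sensitive API it records the degrees of the enclosing method, counts GUI APIs on everything that can reach that method (spontaneity: no GUI code on the backward slice means no user in the loop) and counts data-save APIs on everything the call site leads to.

```python
from collections import defaultdict

# Constructed inter-procedural call graph of a hypothetical app, at method
# granularity: caller -> list of callees. Not taken from the dissertation.
ICFG = {
    "MainActivity.onCreate": ["Activity.setContentView", "Activity.findViewById"],
    "SendButton.onClick": ["Activity.findViewById", "EditText.getText", "Msg.send"],
    "Msg.send": ["SmsManager.sendTextMessage", "Toast.makeText", "SQLiteDatabase.insert"],
    "BootReceiver.onReceive": ["Svc.start"],   # runs on boot, no user involved
    "Svc.start": ["Svc.run"],
    "Svc.run": ["TelephonyManager.getDeviceId", "Svc.upload"],
    "Svc.upload": ["HttpURLConnection.connect"],
}
# API classes the features count. Assumed lists for this example.
SENSITIVE_APIS = {"SmsManager.sendTextMessage", "TelephonyManager.getDeviceId"}
GUI_APIS = {"Activity.setContentView", "Activity.findViewById", "EditText.getText", "Toast.makeText"}
DATA_SAVE_APIS = {"SQLiteDatabase.insert", "SharedPreferences.Editor.commit"}

def degrees(icfg):
    """In-degree, out-degree and reverse adjacency (callers) for every node."""
    indeg, outdeg, callers = defaultdict(int), defaultdict(int), defaultdict(set)
    for caller, callees in icfg.items():
        outdeg[caller] = len(callees)
        for c in callees:
            indeg[c] += 1
            callers[c].add(caller)
    return indeg, outdeg, callers

def reachable(start, adjacency):
    """Nodes reachable from start over the given adjacency (start included)."""
    seen, stack = set(), [start]
    while stack:
        m = stack.pop()
        if m not in seen:
            seen.add(m)
            stack.extend(adjacency.get(m, ()))
    return seen

def extract_aifs(icfg):
    """Attack intention features for every call site of a sensitive API."""
    indeg, outdeg, callers = degrees(icfg)
    feats = {}
    for method, callees in icfg.items():
        for api in callees:
            if api not in SENSITIVE_APIS:
                continue
            back = reachable(method, callers)   # everything that can lead here
            fwd = reachable(method, icfg)       # everything this call site leads to
            feats[(method, api)] = {
                "in_degree": indeg[method],
                "out_degree": outdeg[method],
                "gui_apis": sum(c in GUI_APIS for m in back for c in icfg.get(m, ())),
                "data_save_apis": sum(c in DATA_SAVE_APIS for m in fwd for c in icfg.get(m, ())),
            }
    return feats

def label(f):
    """Stand-in for the trained classifier (assumed rule): an operation that no
    GUI code can reach is spontaneous and is labelled malicious."""
    return "malicious" if f["gui_apis"] == 0 else "benign"

if __name__ == "__main__":
    for site, f in extract_aifs(ICFG).items():
        print(site, f, label(f))
```

In the constructed graph the SMS send sits below a button handler that reads a text field and shows a toast, so its GUI count is 3 and it is labelled benign, whereas the device-ID read is only reachable from a boot receiver and gets no GUI APIs at all. With real feature vectors the `label` rule would be replaced by the classifiers the abstract mentions, trained on labelled operations.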
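Point 3 mentions a soft keyboard layout randomization method based on cellular automata without describing the automaton or how its output drives the layout. The Python example below is an added illustration, not the dissertation's method: it assumes an elementary rule 30 automaton on a ring of 64 cells, seeded from the operating system's random source, whose centre column feeds a Fisher-Yates shuffle of the key labels. The defensive point is that touch coordinates captured by an overlay or a screen recorder no longer map to fixed digits, while the keys themselves keep their size and position so the keyboard stays usable.

```python
import os

def rule30_step(cells):
    """One step of elementary cellular automaton rule 30 on a ring of bits."""
    n = len(cells)
    return [cells[i - 1] ^ (cells[i] | cells[(i + 1) % n]) for i in range(n)]

class CAStream:
    """Bit stream taken from the centre cell of a rule-30 automaton seeded with
    random bytes. The seed carries all the entropy; the automaton only mixes it."""
    def __init__(self, seed, width=64):
        if len(seed) * 8 < width:
            raise ValueError("seed too short for the automaton width")
        if not any(seed):
            raise ValueError("all-zero seed leaves rule 30 stuck at zero")
        self.width = width
        self.cells = [(seed[i // 8] >> (i % 8)) & 1 for i in range(width)]
        for _ in range(width):           # warm-up so every seed bit has spread
            self.cells = rule30_step(self.cells)

    def bit(self):
        self.cells = rule30_step(self.cells)
        return self.cells[self.width // 2]

    def below(self, bound):
        """Unbiased integer in [0, bound) by rejection sampling of CA bits."""
        k = (bound - 1).bit_length()
        while True:
            v = 0
            for _ in range(k):
                v = (v << 1) | self.bit()
            if v < bound:
                return v

def randomize_layout(keys, seed):
    """Fisher-Yates shuffle of the key labels driven by the CA stream, so every
    one of the len(keys)! layouts is equally likely for a uniform seed."""
    layout = list(keys)
    stream = CAStream(seed)
    for i in range(len(layout) - 1, 0, -1):
        j = stream.below(i + 1)
        layout[i], layout[j] = layout[j], layout[i]
    return layout

def fresh_layout(keys="0123456789"):
    """Layout for one PIN entry: a new seed each time the keyboard is shown."""
    return randomize_layout(keys, os.urandom(8))

def is_permutation(layout, keys):
    """Usability check: every key is still present exactly once."""
    return sorted(layout) == sorted(keys)

if __name__ == "__main__":
    print(fresh_layout())
```

A fixed seed reproduces the same layout, which is useful for testing but is exactly what must not happen in deployment: the seed comes from `os.urandom` on every display of the keyboard, and the layout is never logged or sent off the device.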
Keywords/Search Tags: Malicious code, Program analysis, Android, Mobile cloud computing, Security defects