Research On Method Of Detection And Risk Measurement For Android Apps Privilege Escalation Attacks

Posted on: 2022-06-20
Degree: Doctor
Type: Dissertation
Country: China
Candidate: H Li
GTID: 1488306536998969
Subject: Software engineering

Abstract/Summary:
With the rapid development of the mobile Internet and the Internet of Things, Android devices are widely used in people's daily life, including their work and study. Attacks on Android apps have evolved from attacks involving a single app to collusion attacks between multiple Android apps. Collusion attacks are more concealed, more threatening, and more difficult to detect. Detection methods designed for single-app attacks are not suited to detecting collusion privilege escalation attacks (application privilege escalation attacks based on component-based indirect communication). Existing detection of collusion privilege escalation attacks does not take into account the attack features, the attack roles, or the dangerous communication between applications, and existing risk measurement cannot effectively evaluate the extent of the hazard posed by these attacks. In response to those problems, the main research of this dissertation is as follows.

Firstly, because existing methods do not adequately cover the feature types of collusion privilege escalation attacks, the attack features are classified into the following 5 types through analysis and induction of attack models and attack cases: dangerous permission application, component Intent communication, sensitive data flow pair, sensitive API call, and Intent-filter. Methods for extracting each type of attack feature from apps are also provided, which offer basic support for attack behavior detection and risk measurement.

Secondly, because existing detection methods do not sufficiently detect dangerous communication between apps, the application behavior feature tree (AFT) is constructed from the attack feature categories. Based on AFT, behavior modeling and determination of apps are completed using process algebra and the concept of strong equivalence. A detection method based on multiple features is proposed, and a multi-feature detection algorithm for dangerous paths between apps is constructed. The method is shown to be accurate and effective through experiments and comparison with other methods.

Thirdly, according to how apps operate on sensitive data flows, three types of attack roles are defined (information collection, information transmission, and information sending), and the behavior feature table (BFT) based on the attack features is constructed. Based on BFT and process algebra, the behaviors of the three attack roles are modeled, a detection method based on attack roles is proposed, and a role-based detection algorithm for dangerous paths between apps is constructed. The effectiveness of the method is verified through experiments.

Afterwards, because existing app risk measurement methods are ineffective against collusion privilege escalation attacks, sensitive data migration is added to the attack feature categories so that dangerous communication between apps is fully considered. AHP is used to calculate the attack feature weights from the perspective of the effect of each attack feature on the overall attack behavior. Process algebra and weak equivalence are used to complete the behavior modeling and judgment of apps, which distinguishes whether an app needs risk measurement. A risk measurement function based on feature weight is constructed, yielding a risk measurement method based on feature weight and behavior determination. The effectiveness of the method and the importance of the feature weights are verified through experiments.

Finally, to address the inability to measure the degree of danger that an app belongs to a certain type of attack role, three types of attack roles are redefined according to the steps of attack implementation and the attack features: sensitive information acquisition, attack agent, and attack behavior. The attack features of the three roles are categorized by combining the optimized 6 attack features. FAHP is used to consider the degree of danger of the various attack features from the perspective of the three attack roles and to calculate the attack feature weights. The process-algebraic behavior modeling and judgment method is adopted to distinguish whether an app may belong to an attack role. A risk measurement function based on attack roles is established, and a risk measurement method for attack roles based on FAHP and process algebra is proposed. The effectiveness of the method is verified through experiments and comparison.
Keywords/Search Tags: Android Apps, Collusion privilege escalation attacks, Behavior modeling, Behavior determination, Attack role, Feature weight