Research And Implementation Of Mobile Application Identification And Behavior Detection

Posted on: 2018-07-04
Degree: Master
Type: Thesis
Country: China
Candidate: X G Xiao
GTID: 2348330518998961
Subject: Engineering

Abstract/Summary:
As the mobile Internet matures, people's lifestyles have changed dramatically. With the enormous boost in hardware performance and the increasingly rich software functions of mobile devices, people are more inclined to use the variety of services provided by the Internet, such as social networking, entertainment, and payments, via smartphones and other mobile devices. However, the surge in the number of mobile applications makes network management more challenging. In addition, users face more mobile Internet security threats while enjoying mobile network resources. The behavior of an application may be normal or malicious; an application that exhibits malicious behavior is called malware. An endless stream of mobile malware has emerged, such as Trojans, viruses, and bots. This malware performs a variety of malicious behaviors on mobile devices, such as malicious charging, privacy theft, and remote control, which pose a serious threat to users. Therefore, mobile application identification and mobile malware behavior detection are of great importance to mobile network security and network management. On the one hand, identifying the network traffic that corresponds to a mobile application helps network administrators perform network management effectively, such as allocation of network resources and network traffic accounting, which enhances the quality of network service and the user experience. On the other hand, identifying malicious behavior in network traffic provides effective early warning of malicious network attacks and protects users' network security. This thesis therefore studies these two aspects: mobile application identification and mobile malware behavior detection.

Among existing mobile application identification technologies, identification methods based on payload features cannot identify applications that communicate over encrypted protocols, and identification technologies that focus on encrypted traffic have poor extensibility. To address these two problems, we present a mobile application identification method based on the Hidden Markov Model (HMM). We extract defined statistical characteristics from the different network flows generated by each unknown application when it is initiated, and we obtain the corresponding time series from the timestamp information of those flows. Then, for each application to be identified, we train a corresponding HMM classifier. We use 10 common applications to verify and validate the method presented in this thesis, and the average precision is 97.9%. In addition, we test our model on test data obtained from different devices, and the average precision is 96.8%, which shows that the proposed method has high accuracy and good generalization.

Existing mobile malware behavior detection technologies based on network traffic features have poor real-time performance and are incapable of dealing with encrypted traffic. We propose a mobile malware behavior detection method based on decision trees and random forests. Depending on whether the network traffic is encrypted or not, we extract different types of features (field features and statistical features), and then use the decision tree algorithm and the random forests algorithm to build the respective models. This thesis also presents a feature selection algorithm based on multi-feature ranking. Finally, we use 5,560 open malware samples for network traffic data collection and collect 26,769 pcap files of application samples (both benign and malware). We use 12 malware families to test the detection model, and the detection precision is not less than 90%. Moreover, the effectiveness of the proposed feature selection algorithm has been validated, as well as the model's ability to detect samples from different sources.
Keywords/Search Tags:mobile application identification, malware behavior detection, Hidden Markov Model, Random Forests, network security
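
The identification step described in the abstract (flows ordered by timestamp into a time series, then scored against one HMM per application) can be sketched as follows. This is an added example, not code from the thesis. It assumes discrete byte-count buckets as the only flow feature, and it uses hand-constructed HMM parameters and hypothetical application names in place of trained models.

```python
import math

# Constructed per-application HMMs (assumption: 2 hidden states, 3 symbols).
# A symbol is the byte-count bucket of one flow: 0 = small, 1 = medium, 2 = large.
MODELS = {
    "chat_app": dict(start=[0.9, 0.1], trans=[[0.8, 0.2], [0.3, 0.7]],
                     emit=[[0.7, 0.25, 0.05], [0.2, 0.6, 0.2]]),
    "video_app": dict(start=[0.5, 0.5], trans=[[0.4, 0.6], [0.1, 0.9]],
                      emit=[[0.2, 0.5, 0.3], [0.05, 0.15, 0.8]]),
}

# Constructed launch captures: (flow start timestamp in s, flow bytes), unordered.
CHAT_FLOWS = [(0.42, 900), (0.10, 1200), (0.75, 3000), (0.20, 800), (1.10, 1500)]
VIDEO_FLOWS = [(0.05, 4000), (0.60, 900_000), (0.30, 120_000), (0.90, 2_500_000)]

def to_symbols(flows, edges=(2_000, 50_000)):
    """Order flows by start timestamp and bucket each flow's byte count."""
    ordered = sorted(flows, key=lambda f: f[0])
    return [sum(nbytes >= e for e in edges) for _, nbytes in ordered]

def log_likelihood(model, symbols):
    """Scaled forward algorithm: log P(symbols | model)."""
    n = len(model["start"])
    alpha = [model["start"][i] * model["emit"][i][symbols[0]] for i in range(n)]
    loglik = 0.0
    for t in range(len(symbols)):
        if t > 0:  # propagate through the transition matrix, then emit
            alpha = [sum(alpha[i] * model["trans"][i][j] for i in range(n))
                     * model["emit"][j][symbols[t]] for j in range(n)]
        scale = sum(alpha)
        if scale == 0.0:
            return float("-inf")  # sequence impossible under this model
        loglik += math.log(scale)
        alpha = [a / scale for a in alpha]  # rescale to avoid underflow
    return loglik

def identify(flows):
    """Return (best-scoring application, per-application log-likelihoods)."""
    symbols = to_symbols(flows)
    if not symbols:
        raise ValueError("no flows captured")
    scores = {app: log_likelihood(m, symbols) for app, m in MODELS.items()}
    return max(scores, key=scores.get), scores

if __name__ == "__main__":
    for name, flows in (("chat capture", CHAT_FLOWS), ("video capture", VIDEO_FLOWS)):
        print(name, "->", identify(flows))
```

Because only flow sizes and timing order are used, the scoring does not depend on payload contents, which is what lets this style of classifier work on encrypted traffic.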