Analyzing Function Call Graphs For Detecting Malicious NGB TVOS Applications

Posted on: 2019-04-14
Degree: Master
Type: Thesis
Country: China
Candidate: Y Y Li
GTID: 2348330542975010
Subject: Information security

Abstract/Summary:
In recent years, smart TVs have gradually entered people's homes. Various applications can be installed on smart TVs, so a television is no longer used only to watch programs. At the same time, as part of the newly emerging Internet of Things industry, smart TVs have drawn attention to their security. To ensure the security of the TV operating system kernel and to manage TVOS applications, China's State Administration of Press, Publication and Broadcasting has taken the lead in developing an operating system for smart televisions, called NGB TVOS. NGB TVOS is an autonomous, safe, manageable and controllable smart TV operating system.

To quickly pick out malicious TVOS applications from a large number of benign ones, to protect the information security of smart TV users, and to help NGB TVOS manage TVOS applications, we analyze the malicious behaviors of malicious TVOS applications and study methods for detecting them. We present a method for detecting malicious TVOS applications based on analyzing function call graphs, and build it into a systematic workflow. Given a TVOS application, we first extract the implicit structure information from its function call graph to generate a feature vector. We then feed the feature vector to trained models, which classify the application to determine whether it is malicious. Our work is summarized as follows:

(1) We study the system architecture of NGB TVOS. The highlights of NGB TVOS are introduced, such as the built-in DTV service module, the resource management framework, the shim mechanism of the Java application framework, and the TVM environment. We also analyze the security mechanisms of NGB TVOS, such as access control, the authorization-based mechanism, the sandbox mechanism, the digital signature mechanism and the security management framework.

(2) We study the similarities and differences between NGB TVOS and Android. This part covers two aspects: the similarities and differences in system structure between NGB TVOS and Android, and the relationship and differences between TVOS applications and Android smart terminal applications.

(3) We propose a method of detecting malicious TVOS applications based on analyzing function call graphs. A total of 1,020 benign TVOS applications were obtained from the Huanshi Market, Chipper Market and Dangbei Market, and 168 malicious TVOS samples were obtained from various channels. We adopted two kinds of methods for analyzing function call graphs, a kernel-based algorithm and a graph similarity algorithm, to extract the implicit structure information of the function call graphs, and then formed a feature matrix. Three kinds of machine learning algorithms are used to train models and classify unknown samples. The experimental results show that the classification method proposed in this paper can effectively detect the malicious behavior of TVOS applications.
Keywords/Search Tags:NGB TVOS, Function call graph, Structure information, Malicious application detection, Classification algorithm