Research On Android Abnormal Data Usage Behavior Detection

Posted on: 2019-08-26
Degree: Master
Type: Thesis
Country: China
Candidate: X Jin
GTID: 2428330545477043
Subject: Computer software and theory

Abstract/Summary:
Android is the smartphone platform with the highest market share. In the first quarter of 2017, the market share of Android had reached 85.0%. With the increasing popularity of Android devices, applications such as mobile payment, photo shooting, positioning and navigation, voice calls, and social media have come into the lives of users. These applications require user authorization to access contacts, geographic locations, photo albums, microphones, browser history and other private data, which also brings a serious risk of people's private information being disclosed. The flaws in the Android security mechanism give attackers an opportunity to attack, and it is imperative to protect Android users' private data.

Current malware detection methods generally use the description text of the application, the requested permissions, and the called application programming interfaces as features, and use a machine learning classification method to identify malicious applications. However, these classification methods require a large amount of labeled data as training data. Their recognition of known attack patterns is quite good, but they have difficulty coping with new types of attack patterns. For malicious applications identified by these detection methods, it is still difficult to describe why the application is malicious, and it is not known which private data the application has revealed.

In order to protect Android users' private data, this paper aims to identify malicious data usage behaviors and focuses on analyzing malicious attack patterns. The work and innovation of this paper mainly include the following aspects.

1. Current approaches usually target the detection of malicious applications. Although malicious applications can be detected, it is difficult to analyze their specific attack patterns. This paper proposes a finer-grained detection scheme. Instead of treating each application as a whole, we treat each data usage behavior in the application as a detection entity. The detected malicious data usage behaviors essentially reflect the type of data the malware steals and the attack patterns of the malware.

2. In order to effectively distinguish between normal and malicious data usage behavior, this paper defines three types of features to describe data usage behavior.

- Source and Sink. Source reflects what kind of data the behavior gets, and Sink reflects the way the behavior sends the acquired data.
- Trigger event. Trigger events include life cycle callbacks, GUI events, and system events. Trigger events can reflect the user's intent to some extent.
- Condition. In order to avoid detection, malicious applications usually perform their malicious data usage behavior only under certain conditions. Therefore, we can distinguish between normal and malicious data usage behavior by using the conditions of the data usage behavior.

After defining these three types of features, we extract them from Android applications based on current static detection tools.

3. Since there is currently no labeled dataset of data usage behaviors, training the model and detecting malicious data usage behavior on unlabeled data is a big challenge. This paper exploits the high similarity of data usage behavior among applications of the same type, and we build different detection models for different categories of applications. We treat malicious data usage behaviors as anomalies and use an anomaly detection algorithm to detect them.

Experiments show that the malicious data usage behavior detection model proposed in this paper can effectively detect malware and provide the malicious data usage behaviors needed to analyze the malware's attack pattern.
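A sketch of the per-category idea from points 2 and 3, added here as an illustration and not taken from the thesis: each behavior is a (source, sink, trigger, condition) record, and it is scored only against behaviors from applications in the same category. The abstract does not name the anomaly detection algorithm, so the rarity score, the threshold, the feature values and the app names below are all assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample (not thesis data): category, app, source, sink, trigger, condition.
SAMPLE = [
    ("weather", "app_a", "location", "network", "gui_click", "none"),
    ("weather", "app_b", "location", "network", "gui_click", "none"),
    ("weather", "app_c", "location", "network", "lifecycle_onCreate", "none"),
    ("weather", "app_d", "location", "network", "gui_click", "none"),
    ("weather", "app_e", "contacts", "sms", "system_boot_completed", "time_check"),
    ("messaging", "app_f", "contacts", "sms", "gui_click", "none"),
    ("messaging", "app_g", "contacts", "sms", "gui_click", "none"),
    ("messaging", "app_h", "contacts", "network", "gui_click", "none"),
]

def score_behaviors(rows):
    """Score each behavior by how rare its feature values are within its own category."""
    by_cat = defaultdict(list)
    for idx, row in enumerate(rows):
        by_cat[row[0]].append(idx)
    scores = [0.0] * len(rows)
    for members in by_cat.values():
        for col in range(2, 6):  # source, sink, trigger, condition
            freq = Counter(rows[i][col] for i in members)
            for i in members:
                # Assumed scoring: sum of -log(relative frequency) per feature.
                scores[i] += -math.log(freq[rows[i][col]] / len(members))
    return scores

def flag_anomalies(rows, threshold=4.0):
    """Return the behaviors whose rarity score exceeds the (assumed) threshold."""
    return [r for r, s in zip(rows, score_behaviors(rows)) if s > threshold]

if __name__ == "__main__":
    for row, s in zip(SAMPLE, score_behaviors(SAMPLE)):
        print(f"{s:5.2f}  {row}")
```

The same contacts-to-SMS flow scores low in the messaging category and high in the weather category, which is the reason for building one model per application category.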
Keywords/Search Tags: Android, privacy preserving, static analysis, anomaly detection