Research And Implementation Of Early Detection Technology For Android Crypto-Ransomware Based On Decoy

Posted on: 2021-07-21
Degree: Master
Type: Thesis
Country: China
Candidate: A N Shen
GTID: 2518306308967109
Subject: Computer technology

Abstract/Summary:
With the rapid development of Internet technology, smartphones have become one of the main tools people use for communication, work and entertainment. As a result, smartphones store more and more private and personal user data, and criminals have begun to target them. Android, as the mainstream smartphone operating system, is under threat, and crypto-ransomware attacks are particularly serious. This thesis studies the use of decoys for early detection of malicious encryption behavior. It implements a decoy-based early detection system for Android crypto-ransomware that protects Android smartphones without root access. The specific work is as follows:

1. A scheme for early detection of crypto-ransomware using decoys is proposed. The scheme first determines the physical form of the decoys, designs their distribution, and proposes a method for tracing decoy access events on Android smartphones without root access. Experiments show that malware cannot distinguish decoys from user data and is therefore deceived, and that the decoys consume little storage space.

2. Based on the detection scheme, a decoy-based early detection system for crypto-ransomware is designed for Android smartphones without root access. The system is divided into four modules: model detection, decoy deployment, decoy monitoring and event tracing. The model detection module is responsible for ransomware detection of other software; the decoy deployment module is responsible for deploying decoys based on user data; the decoy monitoring module is responsible for monitoring decoy access events in real time; the event tracing module is responsible for determining the originator of decoy access events.

3. The early detection system is implemented, and experiments and tests are carried out. The thesis first deploys the required system environment, then describes the implementation of the four modules in detail, shows the key functions and their results, and statistically analyzes the overall results of the system. Experiments show that each module meets the requirements of the system design. In an environment where multiple benign software, latent software and malware are running at the same time, the system traces the source back to the malicious software, on average, 13.965 seconds before the first user file is maliciously encrypted.
Keywords/Search Tags:Android, decoy, crypto-ransomware, early detection, event tracing