基于Android平台的恶意代码行为分析研究.pdf (Research on Malicious Code Behavior Analysis on the Android Platform)
Uploaded 2022-06-21 17:12:06
Abstract (translated from the Chinese)
Since China formally launched 3G services in 2009, 3G deployment has progressed rapidly. With the growth of 3G networks, more and more users have begun to use smart mobile terminals, and among these Android smartphones are rapidly capturing the smartphone market thanks to their openness and cost-effectiveness. As Android's market share expands sharply, the number of malicious programs targeting Android smartphones is growing at an alarming rate, leaving users facing very serious security problems.
Some solutions to Android's security problems have already been proposed, but most of them still rely on traditional static analysis and cannot analyze the malicious operations a program performs while it runs; the few dynamic analysis methods that have been proposed also have shortcomings in stability and other respects.
In light of this situation, this dissertation proposes a method that applies dynamic analysis at the virtual machine layer to analyze malicious code on the Android platform. Unlike traditional static analysis, the method actively monitors and records the various behavioral characteristics of the target program while it runs. On top of this method, the dissertation also designs a new sandbox-based Android malware behavior analysis system, implemented by modifying the native Android system, which can track data flowing out of sensitive data sources. Implementing the system first requires analyzing the data sources and program interface libraries commonly used by malware and defining data tags accordingly; then designing how data tags are embedded at multiple object levels and passing the tags through the Binder IPC mechanism, so that tags follow the data as it is passed between programs; and finally designing the tag extraction function, through which useful information can be obtained from the tags. The system also includes an output logging function that records the relevant data.
To verify the correctness of the system, this dissertation also designs the corresponding tests. The Android applications used for testing come in two parts: samples written according to the behavioral characteristics of common malicious code, including file access, obtaining sensitive information and automatically connecting to the network in the background; and malicious code samples obtained from the Internet. The advantage of the test samples designed in this dissertation is that they call the interface methods provided by all embedding points; compared with the scattered behavioral characteristics of real malicious code, they give a more concentrated picture of how malicious code typically acts and show how the test samples use the various kinds of data.
The advantage of the analysis system implemented here is that it analyzes the behavior of a running program at the virtual machine layer and dynamically tracks the passing of sensitive data, making up for the inability of static analysis to discover malicious operations that a program exhibits only while running. Building the sandbox on an emulator also prevents malicious code from damaging a real system, and restricting the use of tags to the transmission stage makes it harder for malicious code to detect the sandbox.
万方数据
Finally, because tags are embedded at the virtual machine layer rather than in the Linux kernel, the system is easy to port in the future, remedying the inability to operate across platforms.
Keywords: Android; malicious code; dynamic analysis; tag; sandbox
ABSTRACT
3G service has developed rapidly in China since its launch in 2009. More users have started to use smart terminals along with the spread of 3G networks, and Android has begun to dominate the smartphone market due to its openness and cost-effectiveness. Nevertheless, the rapid expansion of Android's market share has brought malware aimed at Android at an alarming rate, which poses great threats to its users.
Some solutions to security issues on Android have been put forward, but most of them belong to the traditional static analysis approach and cannot analyze malicious behaviors during the execution of a program. Although a few solutions are able to analyze samples dynamically, they show weaknesses in stability and other respects.
In light of this situation, this dissertation proposes an approach that analyzes Android malware dynamically at the virtual machine level, actively tracking and recording the behavior of the target program instead of using traditional static analysis. Based on the newly proposed method, a new sandbox-based Android malware behavior analysis system is proposed, which modifies the Android system and tracks data originating from sensitive sources. Defining data tags in our new system is the first step, and it is based on the prior analysis of the data sources and application interface libraries that malware frequently uses. This dissertation then concentrates on how to embed data tags at various object levels, and on transmitting data and tags across programs through the Binder IPC mechanism. Finally, a module for extracting tags from data is constructed, so as to acquire valuable information indicating how the data is handled. In addition, a module for exporting logs out of the virtual machine is implemented as well, which enables recording of sensitive data.
To verify the correctness of our system, relevant tests are designed. Two different kinds of Android applications are selected for testing: one is a self-written program imitating behaviors that malware exhibits, such as file operations, sensitive data access and automatic Internet connection in the background; the others are malware samples collected online. The self-written sample invokes the APIs provided by the embedded points, and can present a whole picture of the actions that malware takes when compared with the scattered behaviors of the real test samples, thus showing us how data is used by different samples.
Our system makes up for the defect that static analysis systems cannot analyze the behaviors of programs at runtime: it is able to track transmissions of sensitive data by analyzing applications' behavior at runtime, and is therefore superior to traditional static analysis systems. Besides, by building the sandbox on an emulator, our system is immune to damage caused by malware, and using tags only during transmission also minimizes the probability of our sandbox being detected. Finally, embedding tags at the virtual machine level instead of in the Linux kernel enables future porting, so the system can operate on various platforms.
Keywords: Android; malware; dynamic analysis; tag; sandbox
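The tag-tracking design the abstract describes (tags attached at sensitive sources, carried with the data through operations and across the Binder IPC boundary, then extracted and logged at a sink) is illustrated below with an added, simplified model in Python; this is example code written for this page, not the dissertation's system, and the tag bits, class names and the sample values are assumptions of the example.

```python
# Added illustration of the tag-tracking design in the abstract:
# sources attach a tag, tags follow data through operations and across
# a simulated Binder IPC boundary, and sinks extract and log them.
# Tag bits, names and sample values are this example's assumptions.
from dataclasses import dataclass

# One bit per sensitive data source (constructed set).
TAG_IMEI, TAG_CONTACTS, TAG_LOCATION = 1, 2, 4
TAG_NAMES = {TAG_IMEI: "IMEI", TAG_CONTACTS: "CONTACTS", TAG_LOCATION: "LOCATION"}

@dataclass
class Tagged:
    """A value carrying a tag bitmask; tags are unioned when values combine."""
    value: str
    tag: int = 0

    def concat(self, other: "Tagged") -> "Tagged":
        return Tagged(self.value + other.value, self.tag | other.tag)

@dataclass
class Parcel:
    """Stand-in for a Binder parcel: payload plus the tag word travelling with it."""
    payload: str
    tag: int

def send_ipc(data: Tagged) -> Parcel:
    """Sender side: embed the tag in the parcel next to the data."""
    return Parcel(data.value, data.tag)

def recv_ipc(p: Parcel) -> Tagged:
    """Receiver side: re-attach the tag to the object rebuilt from the parcel."""
    return Tagged(p.payload, p.tag)

def extract_tags(tag: int) -> list:
    """Tag extraction: turn the bitmask back into source names."""
    return [name for bit, name in TAG_NAMES.items() if tag & bit]

LOG = []  # output log of sensitive data reaching sinks

def network_sink(app: str, data: Tagged) -> list:
    """Sink check: log which sensitive sources reach a network send."""
    sources = extract_tags(data.tag)
    if sources:
        LOG.append(f"{app}: sends {','.join(sources)} to network")
    return sources

def demo() -> list:
    imei = Tagged("356938035643809", TAG_IMEI)      # constructed sample IMEI
    loc = Tagged("31.23,121.47", TAG_LOCATION)      # constructed sample position
    msg = Tagged("id=").concat(imei).concat(Tagged("&loc=")).concat(loc)
    received = recv_ipc(send_ipc(msg))              # crosses the IPC boundary
    return network_sink("com.example.app", received)  # returns ['IMEI', 'LOCATION']
```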