基于Dalvik指令的Android恶意代码特征描述及验证

为实现Android平台下恶意软件的高效检测,提出了一种基于Dalvik指令的Android恶意代码特征形式化描述和分析方法,能够在无需反编译应用程序的基础上,快速检测样本的恶意特征.该方法首先依照DEX文件格式对Android应用程序切分得到以方法为单位的指令块,通过对块中Dalvik指令进行形式化描述以实现程序特征的简化和提取,之后综合使用改进的软件相似度度量算法和闵可夫斯基距离算法计算提取特征与已知恶意特征的相似度,并根据相似度比对结果来判定当前待测软件是否含有恶意代码.最后建立原型系统模型来验证上述方法,以大量随机样本进行特征匹配实验.实验结果表明,该方法描述特征准确、检测速度较快,适用于Android恶意代码的快速检测.     

结合局部优化匹配的Android恶意家族检测算法

近年来,飞速增长的Android恶意代码给移动安全研究带来了沉重的负担。为海量的恶意样本进行准确的家族分类对移动恶意代码的识别与演变过程研究具有极为重要的作用。基于此目的提出了一种新的基于局部结构优化分析的恶意软件家族识别与分类方法。从应用程序的反编译文件中提取函数调用图,采用基于节点相似度的迭代匹配算法来构建恶意家族特征,通过对待检测应用程序函数调用图与恶意家族特征的匹配来进行应用程序的恶意性检测与家族识别。实验结果表明,该方法较三项已有研究和Androguard工具具有更好的性能。     

Android恶意软件的多特征协作决策检测方法

由于智能手机使用率持续上升促使移动恶意软件在规模和复杂性方面发展更加迅速。作为免费和开源的系统,目前Android已经超越其他移动平台成为最流行的操作系统,使得针对Android平台的恶意软件数量也显著增加。针对Android平台应用软件安全问题,提出了一种基于多特征协作决策的Android恶意软件检测方法,该方法主要通过对Android 应用程序进行分析、提取特征属性以及根据机器学习模型和分类算法判断其是否为恶意软件。通过实验表明,使用该方法对Android应用软件数据集进行分类后,相比其他分类器或算法分类的结果,其各项评估指标均大幅提高。因此,提出的基于多特征协作决策的方式来对Android恶意软件进行检测的方法可以有效地用于对未知应用的恶意性进行检测,避免恶意应用对用户所造成的损害等。     

基于贝叶斯网络的Android恶意行为检测方法

Android操作系统是市场占有率最高的移动操作系统,基于Android平台的恶意软件也呈现爆发式的增长,而目前仍然没有有效的手段进行Android恶意行为的检测,通过分析Android恶意行为的特点,采用基于贝叶斯网络的机器学习算法进行Android恶意行为的检测,通过静态分析的方法进行Android文件静态特征的提取,将Android恶意应用的静态分析与贝叶斯网络相结合,最后通过使用提出的方法构建贝叶斯网络模型,通过实验验证了提出的Android恶意行为检测模型的有效性。     

基于静态污点分析的Android隐私泄露检测方法研究

Android移动设备中存储了大量的敏感信息,如通话记录、联系人等,容易成为恶意攻击者的目标。基于静态污点分析技术,提出了一种面向Android平台的隐私泄露检测方法。通过提取Android敏感权限与API,创建两者之间的映射关系,生成Android应用程序的函数调用图,实现了对于大规模应用程序中潜在隐私数据泄露行为的检测。实验结果表明,本文所提出方法的准确率较高,且运行耗时较短,适合于大规模应用程序的检测。     

一种Android应用程序恶意行为的静态检测方法

目前Android应用程序的安全问题得到越来越多的关注. 提出一种检测Android应用程序中恶意行为的静态分析方法, 该方法采用静态数据流分析技术, 并实现了常量分析算法, 通过跟踪应用程序对常量值的使用来检测恶意订购、资费消耗等多种类型的恶意行为. 实验结果表明, 该方法可以有效检测出Android应用程序的恶意行为, 具有较高的实用性.     

基于分层API调用的Android恶意代码静态描述方法

针对Android APK的静态描述,目前主要是采用权限、数据以及API调用序列的方法,而忽视了代码本身的层级结构,因此无法有效地通过这些静态特征来揭示应用程序的可能行为和恶意属性.设计并实现了一种基于代码层次结构的系统API调用描述方法,其主要是提取APK文件中API调用在应用包、对象类、类函数层面的信息,并将这些信息以树形结构表示,通过将不同应用程序的描述树进行逐层对比来计算相似度,揭示恶意应用程序由于在类型和族群上的差异所带来的API调用特征上的区别,从而为Android应用程序的特征描述和恶意检测提供新的视角.实验采用真实多样的已知Android恶意程序来验证描述方法的正确性和系统实现的效果,分析了不同层次和检测情况下该方法的利弊以及可能的改进之处.     

一种基于组合事件行为触发的Android恶意行为检测方法

当前Android恶意应用程序在传播环节缺乏有效的识别手段,对此提出了一种基于自动化测试技术和动态分析技术的Android恶意行为检测方法。 通过自动化测试技术触发Android应用程序的行为,同时构建虚拟的沙箱监控这些行为。设计了一种组合事件行为触发模型——DroidRunner,提高了Android应用程序的代码覆盖率、恶意行为的触发率以及Android恶意应用的检测率。经过实际部署测试,该方法对未知恶意应用具有较高的检测率,能帮助用户发现和分析未知恶意应用。     

静动态结合的恶意Android应用自动检测技术

随着移动互联网的快速发展,移动终端及移动应用在人们日常生活中越来越重要,与此同时,恶意移动应用给网络和信息安全带来了严峻的挑战。Android平台由于其开放性和应用市场审查机制不够完善,使其成为了移动互联网时代恶意应用的主要传播平台。现有的恶意应用检测方法主要有静态分析和动态测试两种。一般而言,静态分析方法代码覆盖率高、时间开销小,但存在误报率较高的问题;而动态测试准确度较高,但需要实际运行应用,所需的时间和计算资源开销较大。针对上述情况,本文基于静动态结合的方法,自动检测恶意Android应用。首先,使用静态分析技术获取应用API的调用情况来判定其是否为疑似恶意应用,特别是可有效检测试图通过反射机制调用API躲避静态分析的恶意应用;然后,根据疑似恶意应用UI控件的可疑度进行有针对性的动态测试,来自动确认疑似恶意应用中是否存在恶意行为。基于此方法,我们实现了原型检测工具框架,并针对吸费短信类恶意行为,对由465个恶意应用和1085个正常应用组成的数据集进行了对比实验。实验结果表明,该方法在提高恶意应用检测效率的同时,有效地降低了误报率。     

基于类别以及权限的Android恶意程序检测

针对Android平台恶意软件数量的日益增多,提出一种基于类别以及权限的Android恶意程序检测方法。以Google Play划分的类为依据,统计每一个类别应用程序权限使用情况,利用应用程序的访问权限,计算该类别恶意阈值。安装应用程序时,利用序列最小优化算法给应用程序正确分类,分析应用程序使用的权限,计算该程序恶意值,与该类别的恶意阈值进行比较,给用户提供建议,帮助用户判断该程序是否是恶意的。实验结果表明了该方法的有效性和可行性。     

A recent review of conventional vs. automated cybersecurity anti-phishing techniques

In the era of electronic and mobile commerce, massive numbers of financial transactions are conducted online on daily basis, which created potential fraudulent opportunities. A common fraudulent activity that involves creating a replica of a trustful website to deceive users and illegally obtain their credentials is website phishing. Website phishing is a serious online fraud, costing banks, online users, governments, and other organisations severe financial damages. One conventional approach to combat phishing is to raise awareness and educate novice users on the different tactics utilised by phishers by conducting periodic training or workshops. However, this approach has been criticised of being not cost effective as phishing tactics are constantly changing besides it may require high operational cost. Another anti-phishing approach is to legislate or amend existing cyber security laws that persecute online fraudsters without minimising its severity. A more promising anti-phishing approach is to prevent phishing attacks using intelligent machine learning (ML) technology. Using this technology, a classification system is integrated in the browser in which it will detect phishing activities and communicate these with the end user. This paper reviews and critically analyses legal, training, educational and intelligent anti-phishing approaches. More importantly, ways to combat phishing by intelligent and conventional are highlighted, besides revealing these approaches differences, similarities and positive and negative aspects from the user and performance prospective. Different stakeholders such as computer security experts, researchers in web security as well as business owners may likely benefit from this review on website phishing.     

Usability evaluation of anti-phishing toolbars

Phishing is considered as one of the most serious threats for the Internet and e-commerce. Phishing attacks abuse trust with the help of deceptive e-mails, fraudulent web sites and malware. In order to prevent phishing attacks some organizations have implemented Internet browser toolbars for identifying deceptive activities. However, the levels of usability and user interfaces are varying. Some of the toolbars have obvious usability problems, which can affect the performance of these toolbars ultimately. For the sake of future improvement, usability evaluation is indispensable. We will discuss usability of five typical anti-phishing toolbars: built-in phishing prevention in the Internet Explorer 7.0, Google toolbar, Netcraft Anti-phishing toolbar and SpoofGuard. In addition, we included Internet Explorer plug-in we have developed, Anti-phishing IEPlug. Our hypothesis was that usability of anti-phishing toolbars, and as a consequence also security of the toolbars, could be improved. Indeed, according to the heuristic usability evaluation, a number of usability issues were found. In this article, we will describe the anti-phishing toolbars, we will discuss anti-phishing toolbar usability evaluation approach and we will present our findings. Finally, we will propose advices for improving usability of anti-phishing toolbars, including three key components of anti-phishing client side applications (main user interface, critical warnings and the help system). For example, we found that in the main user interface it is important to keep the user informed and organize settings accordingly to a proper usability design. In addition, all the critical warnings an anti-phishing toolbar shows should be well designed. Furthermore, we found that the help system should be built to assist users to learn about phishing prevention as well as how to identify fraud attempts by themselves. One result of our research is also a classification of anti-phishing toolbar applications. Linfeng Li is a student at the University of Tampere, Finland. Marko Helenius is Assistant Professor at the Department of Computer Sciences, University of Tampere, Finland.     

Five-tier barrier anti-phishing scheme using hybrid approach

ABSTRACT

Though hoaxing people to make financial benefits is an old idea, phishers have realized that social engineering tools for web attacks are relatively easy to execute and are highly profitable over the Internet. One of the threatening criminal activities is phishing, in which the phishers trap users into revealing their identities and financial information to a fraudulent website. Researchers have proposed a number of anti-phishing techniques based on blacklist, whitelist, and visual similarity, but the major disadvantage with such approaches is that they are slow techniques with high false positive rates. For robust detection of phishing attacks, this article uses fundamentals of heuristic factors and a whitelist. The article proposes a safeguard scheme referred as the five-tier barrier hybrid approach. Input to the five-tier barrier is a uniform resource locator (URL), and output of the application is a status of the page (“Secure Connection” representing a legitimate URL, “Phishing Alert” representing phishing URL, and “Query Page” representing that the webpage needs to be processed further/failure of JSoup connection). In comparison to a blacklist, the five-tier barrier is competent in detecting zero-hour phishing attacks, and it is much faster than visual similarity–based anti-phishing techniques.     

“Andromaly”: a behavioral malware detection framework for android devices

This article presents Andromaly—a framework for detecting malware on Android mobile devices. The proposed framework realizes a Host-based Malware Detection System that continuously monitors various features and events obtained from the mobile device and then applies Machine Learning anomaly detectors to classify the collected data as normal (benign) or abnormal (malicious). Since no malicious applications are yet available for Android, we developed four malicious applications, and evaluated Andromaly’s ability to detect new malware based on samples of known malware. We evaluated several combinations of anomaly detection algorithms, feature selection method and the number of top features in order to find the combination that yields the best performance in detecting new malware on Android. Empirical results suggest that the proposed framework is effective in detecting malware on mobile devices in general and on Android in particular.     

利用图像识别技术过滤海量可疑钓鱼网站

网络钓鱼攻击（phishing,又称钓鱼攻击、网络钓鱼）作为一种主要基于互联网传播和实施的新兴攻击、诈骗的方式,正呈逐年上升之势,使广大用户和金融机构遭受到财产和经济损失。如何及时、有效地识别网络钓鱼相关的互联网风险,控制钓鱼攻击可能带来的影响,已经成为各金融机构当前亟待解决的问题。因此,各大银行、证券公司以及安全公司纷纷推出自己的反钓鱼监控服务,目前的反钓鱼技术普遍采取利用爬虫主动进行大范围互联网仿冒站点的搜素,爬取大量可疑钓鱼网站,并逐一对可疑钓鱼网站进行检测,判断其是否为钓鱼网站。面对海量可疑网站,如何高效快速地检测出可疑钓鱼网站又成为一个难题。文中介绍了一种基于图像识别技术的网站徽标（LOGO）检测的新思路,用于过滤海量的可疑钓鱼网站,加快钓鱼网站的检测效率。     

基于深度信念网络的Android恶意应用检测方法

传统的机器学习算法无法有效地从海量的行为特征中选择出有本质的行为特征来对未知的Android恶意应用进行检测。为了解决这个问题,提出DBNSel,一种基于深度信念网络模型的Android恶意应用检测方法。为了实现该方法,首先通过静态分析方法从Android应用中提取5类不同的属性。其次,建立深度信念网络模型从提取到的属性中进行选择和学习。最后,使用学习到的属性来对未知类型的Android恶意应用进行检测。在实验阶段,使用一个由3 986个Android正常应用和3 986个Android恶意应用组成的数据集来验证DBNSel的有效性。实验结果表明,DBNSel的检测结果要优于其他几种已有的检测方法,并可以达到99.4%的检测准确率。此外,DBNSel具有较低的运行开销,可以适应于更大规模的真实环境下的Android恶意应用检测。     

基于应用分类和系统调用的Android恶意程序检测

针对Android平台恶意程序泛滥的问题,提出一种基于应用分类和系统调用的恶意程序检测方法。以Google Play为依据进行应用程序分类,利用运行时产生的系统调用频数计算每个类别的系统调用使用阈值。当应用程序安装运行时,手机端收集应用程序权限信息和产生的系统调用信息发给远程服务器,远程服务器根据权限信息采用序列最小优化算法给应用程序进行分类,分类后利用系统调用频数计算出系统调用使用值,与该类别的阈值进行比较判断是否恶意程序,将分类结果及判定结果反馈给用户,由用户判断是否需要更改分类重新检测。实验结果表明了该方法的可行性和有效性,不仅减少了手机的资源消耗,又能对产生恶意行为的应用程序及时做出反应。     

HEMD: a highly efficient random forest-based malware detection framework for Android

Mobile phones are rapidly becoming the most widespread and popular form of communication; thus, they are also the most important attack target of malware. The amount of malware in mobile phones is increasing exponentially and poses a serious security threat. Google’s Android is the most popular smart phone platforms in the world and the mechanisms of permission declaration access control cannot identify the malware. In this paper, we proposed an ensemble machine learning system for the detection of malware on Android devices. More specifically, four groups of features including permissions, monitoring system events, sensitive API and permission rate are extracted to characterize each Android application (app). Then an ensemble random forest classifier is learned to detect whether an app is potentially malicious or not. The performance of our proposed method is evaluated on the actual data set using tenfold cross-validation. The experimental results demonstrate that the proposed method can achieve a highly accuracy of 89.91%. For further assessing the performance of our method, we compared it with the state-of-the-art support vector machine classifier. Comparison results demonstrate that the proposed method is extremely promising and could provide a cost-effective alternative for Android malware detection.