Similar literature
 Found 20 similar documents; search took 15 ms
1.
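Luo Yaling, Li Wenwei, Su Xin. Telecommunications Science, 2016, 32(8): 136-145
The growing number of malicious Android applications not only seriously endangers the security of the Android market but also poses challenges for Android malware detection. This paper designs a method, based on HTTP traffic, for generating the behavior of malicious Android applications and automatically extracting features from it. The method first executes malicious applications automatically and captures the network traffic they generate. It then extracts HTTP-based behavioral features from that traffic. Finally, the resulting network behavior features are used for malicious application detection. Experimental results show that the method can effectively extract behavioral features of malicious Android applications and accurately identify such applications.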

2.
In recent years, we have witnessed a surge in mobile devices such as smartphones, tablets, smart watches, etc., most of which are based on the Android operating system. However, because these Android-based mobile devices are becoming increasingly popular, they are now the primary target of mobile malware, which could lead to both privacy leakage and property loss. To address the rapidly deteriorating security issues caused by mobile malware, various research efforts have been made to develop novel and effective detection mechanisms to identify and combat them. Nevertheless, in order to avoid being caught by these malware detection mechanisms, malware authors are inclined to initiate adversarial example attacks by tampering with mobile applications. In this paper, several types of adversarial example attacks are investigated and a feasible approach is proposed to fight against them. First, we look at adversarial example attacks on the Android system and prior solutions that have been proposed to address these attacks. Then, we specifically focus on the data poisoning attack and evasion attack models, which may mutate various application features, such as API calls, permissions and the class label, to produce adversarial examples. Then, we propose and design a malware detection approach that is resistant to adversarial examples. To observe and investigate how the malware detection system is influenced by the adversarial example attacks, we conduct experiments on some real Android application datasets which are composed of both malware and benign applications. Experimental results clearly indicate that the performance of Android malware detection is severely degraded when facing adversarial example attacks.

3.
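To address security problems on the Android platform, a malicious code detection scheme based on cooperation between the handset and a server is proposed. The handset application mainly uses permission-based detection to achieve lightweight detection. The server-side detection system is mainly responsible for examining suspicious samples submitted by the handset, and also implements software behavior analysis, signature database updates, and synchronization with the handset. The server-side detection techniques include permission-based detection, static detection based on bytecode, and dynamic detection based on root privileges. Experimental test results show that the three detection techniques achieve good detection results.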

4.
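Feature selection for kernel malware based on cluster analysis   Total citations: 1, self-citations: 0, citations by others: 1
Existing kernel malware detection methods based on data features become less efficient as the number of features grows. To address this, the paper proposes a feature selection method based on hierarchical clustering. First, it analyzes the difficulties of applying similarity computation methods to the similarity of data features, proposes the longest common subset, and designs a two-round hash method to compute it. Second, it designs a hierarchical clustering algorithm based on the longest common subset that effectively groups similar features into clusters. On this basis, it designs a kernel malware feature selection algorithm based on the inconsistency coefficient, which greatly reduces the number of features and improves detection efficiency. Experimental results verify the effectiveness of the method, and the time overhead is within an acceptable range.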

5.

Android smartphones are employed widely due to their flexible programming system with several user-oriented features in daily lives. With the substantial growth rate of smartphone technologies, cyber-attacks against such devices have surged at an exponential rate. The majority of smartphone users grant permission blindly to various arbitrary applications, which weakens the efficiency of the authorization mechanism. Numerous approaches were established for effective malware detection, but due to certain limitations like low identification rate, low malware detection rate as well as category detection, the results obtained are ineffective. Therefore, this paper proposes a convolutional neural network based adaptive red fox optimization (CNN-ARFO) approach to detect the malware applications as benign or malware. The proposed approach comprises three different phases, namely the pre-processing phase, the feature extraction phase and the detection phase, for the effective detection of Android malware applications. In the pre-processing phase, the selected dataset utilizes the Minmax technique to normalize the features. Then the malicious APK and the collected benign apps are investigated to identify and extract the essential features for the proper functioning of malware in the extraction phase. Finally, the Android mobile applications are detected using the CNN based ARFO approach. Then the results based on detecting the benign and malicious applications from the Android mobiles are demonstrated by evaluating certain parameters like model accuracy rate, model loss rate, accuracy, precision, recall and f-measure. The resulting outcome revealed that the detection accuracy achieved by the proposed approach is 97.29%.

6.
A security capacity assessment method based on security behavior ontology was proposed to collect users' behavior data from their smartphones under unconscious condition to solve the problem of detecting mobile phone users' real existing insecure behaviors. A security behavior ontology was set up for formalizing the phone, message, network and App behavior data of mobile phone users, and relevant rules were also set down for determining and associating insecure actions. Referring to the notion of attack graph, an insecure behavior detection algorithm was proposed based on behavior association graph for analyzing the paths of insecure behaviors dynamically. Furthermore, a competency model of information security capability assessment was presented for realizing the quantitative evaluation of information security capability of users. The experiment results prove the effectiveness of the present competency model for insecure behavior path detection and security ability assessment.

7.
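Wang Ruihan. Mobile Information, 2024, 46(1): 129-131
Addressing the limitations of traditional threat detection systems based on signature matching, this article discusses the application of artificial intelligence in network security protection. By analyzing three areas, namely anomaly detection, malware detection, and automated security response, it shows that machine learning and deep learning models can detect unknown threats and provide proactive defense. The study concludes that AI-driven network security protection systems represent the direction of technical development, but that further data accumulation and model optimization are needed to develop more intelligent commercial security products.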

8.

Intrusion Detection System (IDS) is crucial to protect smartphones from imminent security breaches and ensure user privacy. Android is the most popular mobile Operating System (OS), holding above 85% market share. The traffic generated by smartphones is expected to exceed the one generated by personal computers by 2021. Consequently, this prevalent mobile OS will stay one of the most attractive targets for potential attacks on fifth generation mobile networks (5G). Although Android malware detection has received considerable attention, offered solutions mostly rely on performing resource intensive analysis on a server, assuming a continuous connection between the device and the server, or on employing supervised Machine Learning (ML) algorithms for profiling the malware’s behaviour, which essentially require a training dataset consisting of thousands of examples from both benign and malicious profiles. However, in practice, collecting malicious examples is tedious since it entails infecting the device and collecting thousands of samples in order to characterise the malware’s behaviour and the labelling has to be done manually. In this paper, we propose a novel Host-based IDS (HIDS) incorporating statistical and semi-supervised ML algorithms. The advantage of our proposed IDS is twofold. First, it is wholly autonomous and runs on the mobile device, without needing any connection to a server. Second, it requires only benign examples for tuning, with potentially a few malicious ones. The evaluation results show that the proposed IDS achieves a very promising accuracy of above 0.9983, reaching up to 1.

9.
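Application of anomaly detection technology in mobile device and network security protection   Total citations: 1, self-citations: 0, citations by others: 1
Zhang Qing. Electronic Design Engineering, 2014, 22(20): 55-57
Network security means taking measures to protect a network system so that the hardware, software, and data inside the user's system are not damaged, modified, or leaked by others, thereby ensuring the security and reliability of system operation. In the security protection of mobile devices and networks, because malware is updated quickly and mobile networks themselves are relatively unstable, anomaly detection has been widely applied and studied. This article discusses the application of anomaly detection technology in mobile device and network security protection, with the aim of providing a reference for related network security research.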

10.
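Distributed authentication in mobile ad hoc networks based on multi-hop encrypted-signature function signing   Total citations: 26, self-citations: 1, citations by others: 26
The mobile ad hoc network (Manet) is a new type of wireless mobile network. Because of its self-organizing nature, dynamic topology, distributed control, and multi-hop routing, traditional security mechanisms cannot fully guarantee the security of a Manet, and new security measures must be added. This paper discusses the security threats specific to Manet and proposes a secure distributed authentication scheme based on multi-hop encrypted-signature function signing. The scheme combines mobile cryptography with (n,t) threshold encryption distributed authentication, and uses a distributed fault-tolerant processing algorithm and a private key share refresh technique to detect and prevent attackers from performing illegitimate authentication with a forged authentication private key, and to protect the private key shares and the authentication private key from disclosure.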

11.
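Design and implementation of a handwritten signature authentication system for mobile devices   Total citations: 2, self-citations: 0, citations by others: 2
Mobile devices access data over external wireless networks and are small and easily lost. These characteristics make operation convenient but also pose serious security risks to the back-end database. For wireless network application systems based on mobile devices, this article designs and implements a handwritten signature authentication system for mobile devices on the Windows2000 and Windows Mobile2003 platforms, using Microsoft's Visual Studio.Net2003 and .NET Compact Framework development environments. Experimental results show that, with a small amount of sample data, the false acceptance rate (FAR) for non-professional forged signatures is 3.65% and the false rejection rate (FRR) is 2.9%. The system strengthens the security of data access from mobile devices, improves the efficiency of operator authentication, and is highly practical.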

12.
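To address the increasingly serious threat that malware poses to Android phone security, an improved Android malware detection algorithm is proposed. It monitors multiple behavioral feature values obtained from applications on Android mobile devices and applies machine learning, improving the traditional naive Bayes algorithm by combining it with a chi-square test filter, to detect malware on Android systems. Simulation experiments show that filtering application behavioral features with the chi-square test before applying the naive Bayes classification model gives Android malware detection a lower false positive rate and higher precision.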

13.
Application programming interface (API) is a procedure call interface to operating system resources. API-based behavior features can capture the malicious behaviors of malware variants. However, existing malware detection approaches have a great deal of complex operations on constructing and matching. Furthermore, graph matching is adopted in many approaches, which is a nondeterministic polynomial (NP)-complete problem because of computational complexity. To address these problems, a novel approach is proposed to detect malware variants. Firstly, the APIs of the malware are divided by their functions and parameters. Then, the classified behavior graph (CBG) is constructed from the API call sequences. Finally, the signature based on CBGs for each malware family is generated. Besides, the malware variants are classified by an ensemble learning algorithm. Experiments on 1 220 malware samples show that the true positive rate (TPR) is up to 89.0% with the low false positive rate (FPR) 3.7% by ensemble learning.

14.
15.
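Yang Bin, Wang Bing. Electronic Test, 2016, (23): 116-117
Smart mobile devices are steadily approaching the performance and scalability of traditional computing environments. However, these new functions and applications make mobile devices a target for attackers and malware. This paper analyzes the security challenges facing mobile devices and studies the security model of mobile devices in depth.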

16.
Malware detection and homology analysis has been the hotspot of malware analysis. The API call graph of malware can represent its behavior. Because the subgraph isomorphism algorithm has high complexity, the analysis of malware based on graph structure has low efficiency. Therefore, this paper studies a homology analysis method for the API graph of malware that uses a convolutional neural network. By selecting the key nodes and constructing the neighborhood receptive field, the convolutional neural network can handle graph-structured data. Experimental results on 8 real-world malware families show that the accuracy rate of homology malware analysis reaches 93%, and the accuracy rate of the detection of malicious code reaches 96%.

17.
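Common security testing techniques currently used for mobile application software   Total citations: 1, self-citations: 0, citations by others: 1
While mobile applications of all kinds bring convenience to people's lives, the threat that malicious applications pose to device security is also growing. Addressing the problem of security testing for malicious applications, the article summarizes four commonly used detection techniques: idle-state detection, signature scanning, reverse analysis of binary code, and dynamic behavior monitoring. It describes the detection method, detection workflow, and key techniques of each of the four, and analyzes the strengths and weaknesses of each.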

18.
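In mobile ad hoc network environments, mobile nodes may be captured by attackers, so attacks can originate from inside the network. Traditional network security measures are difficult to apply, and attackers can only be discovered through intrusion detection. By analyzing the attack types in mobile ad hoc networks, constructing an attack tree of attacks launched from malicious nodes, and adopting the idea of finite state machines, an FSM-based intrusion detection algorithm is designed. An intrusion detection system using this algorithm can detect the various attack behaviors of nodes in real time through monitoring by neighbor nodes.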

19.
In opportunistic networks, compromised nodes can attack social context based routing protocols by publishing false social attributes information. To solve this problem, we propose a security scheme based on the identity based threshold signature which allows mobile nodes to jointly generate and distribute the secrets for social attributes in a totally self organized way without the need of any centralized authority. New joining nodes can reconstruct their own social attribute signatures by getting enough partial signature services from encounter opportunities with the initial nodes. Mobile nodes need to testify whether the neighbors can provide valid attribute signatures for their routing advertisements in order to resist potential routing attacks. Simulation results show that: by implementing our security scheme, the network delivery probability of the social context based routing protocol can be effectively improved when there are large numbers of compromised nodes in opportunistic networks.

20.
Currently, digital mobile devices, especially smartphones, can be used to acquire information conveniently through photograph taking. To protect information security in this case, we propose an efficient screen-shooting resistant watermarking scheme via deep neural network (DNN) in the frequency domain to achieve additional information embedding and source tracing. Specifically, we enhance the imperceptibility of watermarked images and the robustness against various attacks in real scene by computing the residual watermark message and encoding it with the original image using a lightweight neural network in the DCT domain. In addition, a noise layer is designed to simulate the photometric and radiometric effects of screen-shooting transfer. During the training process, the enhancing network is used to highlight the coding features of distorted images and improve the accuracy of extracted watermark message. Experimental results demonstrate that our scheme not only effectively ensures the balance between the imperceptibility of watermark embedding and the robustness of watermark extraction, but also significantly improves computational efficiency compared with some state-of-the-art schemes.
