Android恶意应用HTTP行为特征生成与提取方法

doi:10.11959/j.issn.1000-0801.2016222

摘要/Abstract

摘要：

Android恶意应用数量的不断增加不仅严重危害Android市场安全，同时也为Android恶意应用检测工作带来挑战。设计了一种基于HTTP流量的Android恶意应用行为生成与特征自动提取方法。该方法首先使用自动方式执行恶意应用，采集所生成的网络流量。然后从所生成的网络流量中提取基于HTTP的行为特征。最后将得到的网络行为特征用于恶意应用检测。实验结果表明，所设计的方法可以有效地提取Android恶意应用行为特征，并可以准确地识别Android恶意应用。

关键词: Android恶意应用, HTTP流量, 网络行为特征, 安全

Abstract:

Growing of Android malware，not only seriously endangered the security of the Android market，but also brings challenges for detection.A generation and extraction approach of automatic Android malware behavioral signatures was proposed based on HTTP traffic.Firstly，the behavioral signatures were extracted from the traffic traces generated by Android malware.Then，network behavioral characteristics were extracted from the generated network traffic.Finally，these behavioral signatures were used to detect Android malware.The experimental results show that the approach is able to extract Android malware network traffic behavioral signature with accuracy and efficiency.

Key words: Androidmalware, HTTPtraffic, networkbehavioralcharacteristic, security

罗亚玲,黎文伟,苏欣. Android恶意应用HTTP行为特征生成与提取方法[J]. 电信科学, 2016, 32(8): 136-145.

Yaling LUO,Wenwei LI,Xin SU. HTTP behavior characteristics generation and extraction approach for Android malware[J]. Telecommunications Science, 2016, 32(8): 136-145.

图/表 15

图1

图2

图3

图4

表1

表2

图5

表3

表4

表5

表6

图6

表7

表8

图7

参考文献 22

[1]	上年国内在网活跃移动智能设备数量达到 8.99 亿[EB/OL].[2016-04-25]. .The number of online active smart devices reach 0.899 billion in first half of 2015 in China[EB/OL].[2016-04-25]. .
[2]	GRACE M , ZHOU Y , ZHANG Q ,et al. RiskRanker:scalable and accurate zero-day Android malware detection[C]// The 10th International Conference on Mobile Systems,Applications and Services(MobiSys 2012),April 5-11,2012, San Diego,CA,USA. New York： ACM Press, 2012: 281-294.
[3]	ARP D , SPREITZENBARTH M , HUBNER M ,et al. Drebin:effective and explainable detection of Android malware in your pocket[C]// Network and Distributed System Security Symposium(NDSS 2014),June 11-15,2014, San Diego,CA,USA. Washington： IEEE Computer Society, 2014: 199-210.
[4]	Linear SVM[EB/OL].[2016-04-25]. .
[5]	HAO S , LIU B , NATH S ,et al. Programmable UI-automation for large-scale dynamic analysis of mobile apps[C]// 12th International Conference on Mobile Systems,Applications and Services(MobiSys 2014),September 5-11,2014, Bretton Woods,New Hampshire,USA. New York： ACM Press, 2014: 204-217.
[6]	ENCK W , GILBERT P , CHUN B ,et al. Taintdroid:an information-flow tracking system for realtime privacy monitoring on smartphones[C]// 9th USENIX Conference on Operating Systems Design and Implementation,December 9-12,2010, Vancouver,BC,Canada. New Jersey： IEEE Press, 2010: 1-6.
[7]	Monkey[EB/OL].[2016-04-25]. .
[8]	WEI X , GOMEZ L , NEAMTIU I ,et al. Profile droid:multilayer profilin g of android applications[C]// 18th Annual International Conference on Mobile Computing and Networking(MobiCom 2012),June 11-15,2012, Istanbul,Turkey. New York： ACM Press, 2012: 137-148.
[9]	JIANG X , ZHOU Y . Dissecting android malware:Characterization and evolution[C]// 2012 IEEE Symposium on Security and Privacy,May 20-23,2012, San Francisco,USA. New Jersey： IEEE Press, 2012: 95-109.
[10]	SU X , ZHANG D , DAI S ,et al. Mobile traffic Identification based on applications network signature[J]. International Journal of Embedded Systems, 2016,8(2-3): 217-227.
[11]	DAI S , TONGAONKAR A , WANG X ,et al. Network profiler:Towards automatic fingerprinting of android apps[C]// 32nd IEEE International Conference on Computer Communications,Infocom 2013,June 5-7,2013, Turin,Italy. New Jersey： IEEE Press, 2013: 809-817.
[12]	XU Q , LIAO Y , MISKOVIC S ,et al. Automatic generation of mobile App signatures from traffic observations[C]// 34th IEEE International Conference on Computer Communications,Infocom 2015,November 3-5,2015, Hong Kong,China. New Jersey： IEEE Press, 2015: 1481-1489.
[13]	ZHOU Y , JIANG X . Dissecting android malware:characterization and evolution[C]// IEEE Symposium on Security and Privacy,June 5-9,2012, San Francisco,CA,USA. New Jersey： IEEE Press, 2012: 95-109.
[14]	Tcpdump[EB/OL].[2016-04-25]. .
[15]	Tools[EB/OL].[2016-04-25]. .
[16]	Jaccard index[EB/OL].[2016-04-25]. .
[17]	Adrd[EB/OL].[2016-04-25]. .
[18]	Trojan:droid dream light[EB/OL].(2011-07-23)[2016-04-25]. .
[19]	Alexa[EB/OL].[2016-04-25]. .
[20]	GRACE M , ZHOU W , JIANG X ,et al. Unsafe exposure analysis of mobile in-app advertisements[C]// Fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks(WiSec 2012),November 3-5,2012, Tucson,Arizona,USA. New York： ACM Press, 2012: 101-112.
[21]	苏欣, 张大方, 罗章琪 ,等. 基于Command and Control通信信道流量属性聚类的僵尸网络检测方法[J]. 电子与信息学报, 2012,34(8): 1993-1999. SU X , ZHANG D F , LUO Z Q ,et al. Botnet detecting method based on clustering flow attributes of Command and Control communication channel[J]. Journal of Electronics ＆ Information Technology, 2012,34(8): 1993-1999.
[22]	Virus total[EB/OL].[2016-04-25]. .

数据集	恶意应用数目/个	具有网络访问/个	正常运行/个	产生网络流量/个
Genome	1 260	1 171	952	952
未知类型	118	107	96	96

数据集	总共产生流个数/个	恶意流个数/个	正常流个数/个	广告流个数/个
Genome	26 889	3 804	10 936	17 189
未知类型	1 748	857	194	828

Jaccard指标	准确率	误判率	精准率	召回率	F值
0.2	0.851	0.149	0.858	0.851	0.852
0.4	0.937	0.063	0.878	0.937	0.906
0.6	0.989	0.011	0.989	0.989	0.989
0.8	0.974	0.026	0.972	0.971	0.972

数据集		流量解析	流量聚类	特征生成	特征合并
Genome	数目/个	26 889	3 804	660	623
	簇数目/个	-	370	-	99
未知类型	数目/个	1 748	851	84	79
	簇数目/个	-	64	-	11

数据集	流量解析	流量聚类	特征生成	特征合并	合计
Genome	5 min 47 s	4.7 s	1.8s	1.6s	5 min 55.1 s
未知类型	29 s	1.4s	1.1s	1s	32.5 s