
NeighborWatcher: Detecting Piggybacked Smartphone Applications with Their Family Members
张焕, 武建亮, 唐俊杰, 班涛, 俞研, 郭山清, 王利明, 胡安磊
电子学报 (Acta Electronica Sinica), 2014, Vol. 42, Issue 8: 1642-1646.
Abstract: Through the analysis of a number of malicious mobile applications, we found that a piggybacked application is highly similar, in program semantics, to the different versions of the legitimate application family it was built from, and that this similarity differs markedly from the similarity between versions within the original family. Building on this observation, we propose a detection method for malicious mobile applications based on program family relationships, applying hierarchical clustering to method call graphs, and implement it in a system named NeighborWatcher. Experimental results show that when every application family contains four or more members, NeighborWatcher's detection rate for piggybacked applications reaches 92.86%.
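The following is an added illustration of the idea stated in the abstract, not the NeighborWatcher system's own code or algorithm: a suspect app's method call graph is compared with the call graphs of the family it claims to belong to, and "close to the family, but not as close as family versions are to each other" is treated as the piggybacking signal. It assumes a call graph is a set of (caller, callee) edges, uses Jaccard distance over edge sets as the graph distance, and uses single-linkage agglomerative clustering as the hierarchical clustering step; all app versions and the grafted subgraph are constructed sample data, and the threshold rule is a hypothetical one chosen for the example.

```python
"""Family-relative call-graph comparison (added example; constructed data).

A call graph is modelled as a set of (caller, callee) edges. Legitimate
versions of one family differ by small incremental edits; a piggybacked
build is a family member plus a grafted subgraph. Distances are Jaccard
distances over edge sets; clustering is single-linkage agglomerative.
"""
from itertools import combinations

# --- constructed sample data: a hypothetical app family, versions 1..4 ------
V1 = {
    ("MainActivity.onCreate", "MainActivity.loadUi"),
    ("MainActivity.loadUi", "Renderer.draw"),
    ("MainActivity.onCreate", "Settings.load"),
    ("Settings.load", "Storage.read"),
    ("Renderer.draw", "Renderer.drawFrame"),
    ("MainActivity.onResume", "Renderer.draw"),
    ("MainActivity.onPause", "Settings.save"),
    ("Settings.save", "Storage.write"),
}
V2 = V1 | {("MainActivity.onCreate", "Analytics.init"), ("Analytics.init", "Net.post")}
V3 = V2 | {("Renderer.draw", "Renderer.drawOverlay")}
V4 = (V3 - {("MainActivity.onResume", "Renderer.draw")}) | {("MainActivity.onResume", "MainActivity.loadUi")}
FAMILY = {"v1": V1, "v2": V2, "v3": V3, "v4": V4}

# Piggybacked build (constructed): V3 plus a self-contained grafted subgraph hooked into onCreate.
PIGGYBACKED = V3 | {
    ("MainActivity.onCreate", "Payload.start"),
    ("Payload.start", "Payload.collect"),
    ("Payload.start", "Payload.schedule"),
    ("Payload.collect", "TelephonyManager.getDeviceId"),
    ("Payload.collect", "Net.post"),
}
# A genuine new release for comparison (constructed): V4 plus one edge.
V5_LEGIT = V4 | {("Settings.load", "Settings.migrate")}


def jaccard_distance(a, b):
    """Distance between two edge sets: 0.0 = identical graphs, 1.0 = disjoint."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def nearest_distance(graph, family):
    """Distance from `graph` to its closest member of `family` (dict name -> edges)."""
    return min(jaccard_distance(graph, g) for g in family.values())


def family_threshold(family):
    """Largest leave-one-out nearest-neighbour distance inside the family:
    how far a legitimate version has been observed to drift from its closest sibling."""
    worst = 0.0
    for name, g in family.items():
        others = {n: e for n, e in family.items() if n != name}
        worst = max(worst, nearest_distance(g, others))
    return worst


def is_piggybacked(candidate, family, min_members=4):
    """Hypothetical rule: flag `candidate` when it is further from every family
    member than any family member is from its own nearest sibling. The abstract
    reports its result for families of four or more members, so smaller families
    are refused rather than judged on too little history."""
    if len(family) < min_members:
        raise ValueError(f"need at least {min_members} family members, got {len(family)}")
    return nearest_distance(candidate, family) > family_threshold(family)


def single_linkage(graphs):
    """Agglomerative single-linkage clustering over a dict name -> edges.
    Returns the merge sequence as (cluster_a, cluster_b, height) tuples."""
    clusters = [frozenset([n]) for n in graphs]
    merges = []
    while len(clusters) > 1:
        a, b, h = min(
            ((a, b, min(jaccard_distance(graphs[x], graphs[y]) for x in a for y in b))
             for a, b in combinations(clusters, 2)),
            key=lambda t: t[2],
        )
        clusters = [c for c in clusters if c not in (a, b)] + [a | b]
        merges.append((a, b, h))
    return merges


def merge_heights(graphs):
    """Heights at which clusters merge, in merge order, rounded for readability."""
    return [round(h, 4) for _, _, h in single_linkage(graphs)]


if __name__ == "__main__":
    print("family threshold      :", round(family_threshold(FAMILY), 4))
    print("piggybacked flagged   :", is_piggybacked(PIGGYBACKED, FAMILY))
    print("legit v5 flagged      :", is_piggybacked(V5_LEGIT, FAMILY))
    print("merge heights (+suspect):", merge_heights({**FAMILY, "suspect": PIGGYBACKED}))
```

On the constructed data the four family versions merge at heights up to 0.2, while the piggybacked build joins the dendrogram last at 0.3125: it still shares most of its call graph with version 3, but the grafted subgraph makes it drift further than any sibling ever drifted. A genuine incremental release (V5_LEGIT) stays below the family threshold and is not flagged. The same leave-one-out threshold also shows why the abstract's condition of four or more members matters: with one or two versions there is no intra-family drift to calibrate against.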
Keywords: piggybacked application / call function graph / family clustering / mobile security
Funding: National Natural Science Foundation of China (No.61173139, No.61303243); Shandong Province Science and Technology Research Program (No.2010GGX10117); Internet Fundamental Technology Open Laboratory Fund (No.K201206007)