Advisor: 王勝德
Institution: National Taiwan University, Graduate Institute of Electrical Engineering (臺灣大學:電機工程學研究所)
Author: 莊欣瑜 (Chuang, Hsin-Yu)
Dates: 2014-11-28; 2018-07-06; 2014
Record URL: http://ntur.lib.ntu.edu.tw//handle/246246/262932

Abstract (translated from Chinese):

Malware detection on the Android platform is currently an important and active research topic. This thesis proposes a behavior-analysis method for Android applications: using static analysis, it reverse-engineers an application to obtain its Android API usage, derives the characteristics of malicious and normal behavior, and combines them with a machine-learning method, the support vector machine (SVM), to learn separate classification models for malicious behavior and for normal behavior from existing data. To improve accuracy, we modified the SVM prediction method and combined the two behavior models, which raises the detection rate more effectively. Because the model is machine-learning based rather than built on fixed assumptions, it detects unknown applications, and even unknown attack techniques, better. In this thesis we design and discuss different ways of combining the two models and compare their detection performance. In addition, the proposed detection method is also designed as a classifier that labels only applications with clear features, and we measure the effectiveness of this labeling, with the aim of making machine-learning prediction more practical. Experimental results show that the proposed system achieves 96.69% accuracy with a 2.5% false positive rate in identifying unknown applications; moreover, it labels 79.4% of the unknown application data, and within these labeled data no misclassification occurs.

Abstract:

Malware analysis on the Android platform has been an important issue because the platform is prevalent. We propose a detection approach based on static analysis and machine learning techniques to obtain a considerably accurate Android malware classifier. By conducting SVM classifications on two different feature sets, malicious-preferred features and normal-preferred features, we built a hybrid-model classifier to improve the detection accuracy. By taking normal behavior features into consideration, the ability to detect unknown malware is improved. Our experiment shows that the accuracy is as high as 96.69% in predicting unknown applications. Further, the proposed approach can be applied to make confident decisions when labeling unknown applications. In our experiments, the proposed hybrid model classifier labels 79.4% of applications without any false positives or false negatives occurring in the labeling process.

Table of contents:

摘要
Abstract
Chapter 1 Introduction
  1.1 Machine Learning in Detecting Malware
  1.2 Motivation
  1.3 Approach Overview
  1.4 Contribution
  1.5 Thesis Organization
Chapter 2 Related Works
  2.1 Static Analysis
  2.2 Dynamic Analysis
Chapter 3 Classification
  3.1 Preprocessing
  3.2 Classification Model
Chapter 4 Experiments
  4.1 Implementation
  4.2 Experiment Result
  4.3 Comparing with Other Works
  4.4 Cross Validation on Dataset A
  4.5 Time Consumption
  4.6 Evaluation on Popular Apps in 2014
Chapter 5 Discussion
  5.1 Other Features
  5.2 Malware Characteristics and Possible Evasion Techniques
  5.4 Future Work
Chapter 6 Conclusion
Chapter 7 References
Appendix A

File: 45573415 bytes, application/pdf
Thesis release date: 2019/08/25
Thesis usage rights: paid licensing agreed (royalties returned to the university)
Keywords: malware; static analysis; classification
Title (Chinese): 基於機器學習之Android惡意程式複合偵測方法 (A machine-learning-based hybrid detection method for Android malware)
Title (English): Machine learning based hybrid behavior model for Android malware analysis
Type: thesis
Full text: http://ntur.lib.ntu.edu.tw/bitstream/246246/262932/1/ntu-103-R01921019-1.pdf