针对Android移动应用的恶意加密流量标注方法研究

doi:10.19678/j.issn.1000-3428.0055613

计算机工程 ›› 2020, Vol. 46 ›› Issue (7): 116-121,128. doi: 10.19678/j.issn.1000-3428.0055613

针对Android移动应用的恶意加密流量标注方法研究

何高峰^1,2, 司勇瑞¹, 徐丙凤³

1. 南京邮电大学物联网学院, 南京 210003;
2. 东南大学计算机网络和信息集成教育部重点实验室, 南京 211189;
3. 南京林业大学信息科学技术学院, 南京 210037

收稿日期:2019-07-31 修回日期:2019-09-06 发布日期:2019-09-17
作者简介:何高峰(1984-),男,讲师、博士,主研方向为移动应用安全、网络流量分析;司勇瑞,硕士研究生;徐丙凤,讲师、博士。
基金资助:
国家自然科学基金青年基金项目"面向网络加密流量的恶意移动应用检测研究"（61702282）；国家自然科学基金青年基金项目"集成防危性与安全性建模的信息物理融合系统风险分析"（61802192）；江苏省高等学校自然科学研究面上项目"面向移动应用加密流量的恶意攻击检测研究"（17KJB520023）；江苏省高等学校自然科学研究面上项目"集成防危性与安全性的信息物理融合系统风险建模及分析"（18KJB520024）。

Research on Malicious Encrypted Traffic Annotation Method for Android Mobile Application

HE Gaofeng^1,2, SI Yongrui¹, XU Bingfeng³

1. College of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, China;
2. Key Laboratory of Computer Network and Information Integration Ministry of Education, Southeast University, Nanjing 211189, China;
3. College of Information Science and Technology, Nanjing Forestry University, Nanjing 210037, China

Received:2019-07-31 Revised:2019-09-06 Published:2019-09-17

摘要/Abstract

摘要： 为区分恶意Android移动应用在运行过程中产生的恶意流量和正常流量，提出一种Android移动应用恶意流量标注方法。针对加密类型的网络流量，根据端口号和流载荷内容的字节熵值进行加密检测，依据服务器证书等内容判断加密流量是否异常，同时对恶意Android移动应用进行反编译，并利用程序控制流程图分析该加密流量是否涉及敏感操作，从而标注出恶意加密流量。对300个重打包类型的恶意移动应用进行测试，实验结果与同基准值对比分析表明，与未采用该方法的标注结果（1 602条恶意加密流量）相比，该方法检测出的恶意加密流量有341条，且标注结果中仅有28条为误报流量。

关键词: 移动应用, 加密流量, 数据标注, 异常检测, 恶意代码分析

Abstract: In order to distinguish malicious traffic generated by running malicious Android applications from normal traffic,this paper proposes a method for annotating malicious traffic of mobile Android applications.For encrypted network traffic,encryption detection is performed based on the port number and the value of byte entropy of the stream payload content.Then whether the encrypted traffic is abnormal is determined based on the server certificate and other content.At the same time,the malicious Android mobile applications are decompiled,and the program is used to control the flow chart to analyze whether the encrypted traffic involves sensitive operations,so as to annotate malicious encrypted traffic.Tests are performed on 300 repackaged types of malicious mobile applications.The comparison of the experimental results with the same benchmark value show that the proposed method detects 341 malicious encrypted traffic where only 28 are false alarms.The result is more accurate than that of annotation that does not use the proposed method,which reports 1 602 malicious encrypted traffic.

Key words: mobile application, encrypted traffic, data annotation, anomaly detection, malicious code analysis

中图分类号:

TP316

何高峰, 司勇瑞, 徐丙凤. 针对Android移动应用的恶意加密流量标注方法研究[J]. 计算机工程, 2020, 46(7): 116-121,128.

HE Gaofeng, SI Yongrui, XU Bingfeng. Research on Malicious Encrypted Traffic Annotation Method for Android Mobile Application[J]. Computer Engineering, 2020, 46(7): 116-121,128.

http://www.ecice06.com/CN/Y2020/V46/I7/116

参考文献

[1] XU E,GUO G.Spyware disguises as Android applications on Google play[EB/OL].[2019-06-03].https://blog.trendmicro.com/trendlabs-security-intelligence/spyware-disg uises-as-android-applications-on-google-play.
[2] HE Gaofeng,XU Bingfeng,ZHANG Lu.et al.Mobile app identification for encrypted network flows by traffic correlation [J].International Journal of Distributed Sensor Networks,2018,14(12): 1-17.
[3] HE Gaofeng,XU Bingfeng,ZHU Haiting.AppFA:a novel approach to detect malicious Android applications on the network[J].Security and Communication Networks,2018,2018:1-15.
[4] SHABTAI A,TENENBOIM-CHEKINA L,MIMRAN D,et al.Mobile malware detection through analysis of deviations in application network behavior[J].Computers & Security,2014,43:1-18.
[5] GARG S,PEDDOJU S K,SARJE A K.Network-based detection of Android malicious apps[J].International Journal of Information Security,2017,16(4):385-400.
[6] ZHOU L N,PAN S M,WANG J W,et al.Machine learning on big data:opportunities and challenges[J].Neurocomputing,2017,237:350-361.
[7] LASHKARI A H,KADIR A F A,GONZALEZ H F,et al.Towards a network-based framework for Android malware detection and characterization[C]//Proceedings of the 15th Annual Conference on Privacy,Security and Trust.Washington D.C.,USA:IEEE Press,2017:233-239.
[8] LI L,LI D Y,BISSYANDE T F,et al.Understanding Android app piggybacking:a systematic study of malicious code grafting[J].IEEE Transactions on Information Forensics and Security,2017,12(6):1269-1284.
[9] CHEN P S,LIN S C,SUN C H.Simple and effective method for detecting abnormal internet behaviors of mobile devices[J].Information Sciences,2015,321:193-204.
[10] ARORA A,GARG S,PEDDOJU S K.Malware detection using network traffic analysis in Android based mobile devices[C]//Proceedings of 2014 8th International Conference on Next Generation Mobile Apps,Services and Technologies.Oxford,UK:IEEE Press,2014:1-9.
[11] SHABTAI A,TENENBOIM-CHEKINA L,MIMRAN D,et al.Mobile malware detection through analysis of deviations in application network behavior[J].Computers & Security,2014,43:1-18.
[12] HE Gaofeng,XU Bingfeng,ZHU Haiting.AppFA:a novel approach to detect malicious android applications on the network[J].Security and Communication Networks,2018,2018:1-15.
[13] HE Gaofeng,ZHANG Lu,XU Bingfeng,et al.Detecting repackaged Android malware based on mobile edge computing[C]//Proceedings of 2018 6th International Conference on Advanced Cloud and Big Data.Washington D.C.,USA:IEEE Computer Society,2018:360-365.
[14] CHEN Lu,LIU Xing,CHEN Mu,et al.Scalable security evaluation model of mobile application based on graph[J].Computer Engineering,2018,44(5):78-82.(in Chinese) 陈璐,刘行,陈牧,等.基于图的可扩展移动应用安全评估模型[J].计算机工程,2018,44(5):78-82.
[15] YANG Xinyu,XU Guoai.Construction method on mobile application security ecological chain[J].Journal of Software,2017,28(11):3058-3071.(in Chinese) 杨昕雨,徐国爱.移动应用安全生态链构建方法[J].软件学报,2017,28(11):3058-3071.
[16] CAI Rongyan,WANG He,YAO Qigui,et al.Research on malicious mobile application detection based on domain name association[J].Computer Engineering,2020,46(5):174-180.(in Chinese) 蔡荣彦,王鹤,姚启桂,等.基于域名关联的恶意移动应用检测研究[J].计算机工程,2020,46(5):174-180.
[17] SANGSTER B,O'CONNOR T J,COOK T,et al.Toward instrumenting network warfare competitions to generate labeled datasets[C]//Proceedings of the 2nd Conference on Cyber Security Experimentation and Test.San Diego,USA:USENIX Association,2009:1-6.
[18] STEVANOVIC M,PEDERSEN J M,D’ALCONZO A,et al.On the ground truth problem of malicious DNS traffic analysis[J].Computers & Security,2015,55:142-158.
[19] FRANC V,SOFKA M,BARTOS K.Learning detector of malicious network traffic from weak labels[C]//Proceedings of European Conference on Machine Learning and Knowledge Discovery in Databases.Berlin,Germany:Springer,2015:85-99.
[20] ABRAHAM A,ANDRIATSIMANDEFITRA R,BRUNELAT A,et al.GroddDroid:a gorilla for triggering malicious behaviors[C]//Proceedings of the 10th International Conference on Malicious and Unwanted Software (MALWARE).Washington D.C.,USA:IEEE Press,2015:15-20.
[21] WEI X T,WOLF M.A survey on HTTPS implementation by Android apps:issues and countermeasures[J].Applied Computing and Informatics,2017,13(2):101-117.
[22] HE Gaofeng,ZHANG Tao,MA Yuanyuan,et al.A novel method to detect encrypted data exfiltration[C]//Proceedings of 2014 International Conference on Advanced Cloud and Big Data.Washington D.C.,USA:IEEE Press,2014:240-246.
[23] OLIVAIN J,GOUBAULT-LARRECQ J.Detecting subverted cryptographic protocols by entropy checking[R/OL].(2006-06-13)[2019-05-08].http://www.lsv.fr/publis/RAPPORTS_LSV/PDF/rr-lsv-2006-13.pdf.
[24] ANDERSON B,PAUL S,MCGREW D.Deciphering malware’s use of TLS (without decryption)[J].Journal of Computer Virology and Hacking Techniques,2018,14(3):195-211.
[25] LIN Jingqiang,JING Jiwu,ZHANG Qionglu,et al.Recent advances in PKI technologies[J].Journal of Cryptologic Research,2015,2(6):487-496.(in Chinese)林璟锵,荆继武,张琼露,等.PKI技术的近年研究综述[J].密码学报,2015,2(6):487-496.
[26] CHUNG H,PARK J,LEE S,et al.Digital forensic investigation of cloud storage services[J].Digital Investigation,2012,9(2):81-95.
[27] AAFER Y,DU W L,YIN H.DroidAPIMiner: mining API-level features for robust malware detection in android[C]//Proceedings of International Conference on Security and Privacy in Communication Systems.Berlin,Germany:Springer,2013:86-103.
[28] ALLIX K,BISSYANDE T F,KLEIN J,et al.AndroZoo:collecting millions of Android apps for the research community[C]//Proceedings of the 13th International Conference on Mining Software Repositories.Washington D.C.,USA:IEEE Press,2016:468-471.

选择文件类型/文献管理软件名称

选择包含的内容

针对Android移动应用的恶意加密流量标注方法研究

Research on Malicious Encrypted Traffic Annotation Method for Android Mobile Application

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价

[1]	陈仲磊, 伊鹏, 陈祥, 胡涛. 基于集成学习的系统调用实时异常检测框架[J]. 计算机工程, 2023, 49(6): 162-169,179.
[2]	王爱玲, 马文臻, 邹自明, 钟佳. 基于领域自适应的卫星工程参数异常检测[J]. 计算机工程, 2023, 49(5): 29-37,47.
[3]	张子宣, 宗学军, 何戡, 连莲. 基于CVAE-CatBoost的工业控制网络异常流量检测研究[J]. 计算机工程, 2023, 49(5): 173-180.
[4]	王禹博, 陈利锋, 许卫霞. 结合多解码器与两阶段通道选择的异常检测方法[J]. 计算机工程, 2023, 49(3): 37-48.
[5]	孙懿, 高见, 顾益军. 融合一维Inception结构与ViT的恶意加密流量检测[J]. 计算机工程, 2023, 49(1): 154-162.
[6]	董卫宇, 李海涛, 王瑞敏, 任化娟, 孙雪凯. 基于堆叠卷积注意力的网络流量异常检测模型[J]. 计算机工程, 2022, 48(9): 12-19.
[7]	孙嘉, 张建辉, 卜佑军, 陈博, 胡楠, 王方玉. 基于CNN-BiLSTM模型的日志异常检测方法[J]. 计算机工程, 2022, 48(7): 151-158,167.
[8]	生龙, 袁丽娜, 武南南, 姬少培. 基于GSA与DE优化混合核ELM的网络异常检测模型[J]. 计算机工程, 2022, 48(6): 146-153.
[9]	张伟成, 卫红权, 刘树新, 王庚润. 面向5G MEC基于行为的用户异常检测方案[J]. 计算机工程, 2022, 48(5): 27-34.
[10]	李贝贝, 彭力, 戴菲菲. 结合马氏距离与自编码器的网络流量异常检测方法[J]. 计算机工程, 2022, 48(4): 133-142.
[11]	崔景洋, 陈振国, 田立勤, 张光华. 基于机器学习的用户与实体行为分析技术综述[J]. 计算机工程, 2022, 48(2): 10-24.
[12]	建澜涛, 任秀江, 张祯, 石嵩, 黄益明, 张春林. E级高性能计算机的维护故障诊断系统研究[J]. 计算机工程, 2022, 48(12): 24-37.
[13]	张稣荣, 卜佑军, 陈博, 孙重鑫, 王涵, 胡先君. 基于多层双向SRU与注意力模型的加密流量分类方法[J]. 计算机工程, 2022, 48(11): 127-136.
[14]	张攀, 高丰, 周逸, 饶涵宇, 毛冬, 李静. 一种在线实时微服务调用链异常检测方法[J]. 计算机工程, 2022, 48(11): 161-169.
[15]	黄涛, 邬开俊, 王迪聪, 白晨帅, 陶小苗. 基于改进型时间分段网络的视频异常检测[J]. 计算机工程, 2022, 48(11): 137-144.

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

针对Android移动应用的恶意加密流量标注方法研究

Research on Malicious Encrypted Traffic Annotation Method for Android Mobile Application

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

本文评价