
Computer Engineering ›› 2020, Vol. 46 ›› Issue (7): 116-121,128. doi: 10.19678/j.issn.1000-3428.0055613

• Cyberspace Security •

Research on Malicious Encrypted Traffic Annotation Method for Android Mobile Application

HE Gaofeng1,2, SI Yongrui1, XU Bingfeng3

  1. College of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, China;
  2. Key Laboratory of Computer Network and Information Integration, Ministry of Education, Southeast University, Nanjing 211189, China;
  3. College of Information Science and Technology, Nanjing Forestry University, Nanjing 210037, China
  • Received: 2019-07-31 Revised: 2019-09-06 Published: 2019-09-17
  • About the authors: HE Gaofeng (born 1984), male, lecturer, Ph.D.; main research interests are mobile application security and network traffic analysis. SI Yongrui, master's student. XU Bingfeng, lecturer, Ph.D.
  • Funding:
    National Natural Science Foundation of China Youth Fund project "Research on Detection of Malicious Mobile Applications Based on Encrypted Network Traffic" (61702282); National Natural Science Foundation of China Youth Fund project "Risk Analysis of Cyber-Physical Systems Integrating Safety and Security Modeling" (61802192); Natural Science Research General Project of Jiangsu Higher Education Institutions "Research on Malicious Attack Detection for Encrypted Mobile Application Traffic" (17KJB520023); Natural Science Research General Project of Jiangsu Higher Education Institutions "Risk Modeling and Analysis of Cyber-Physical Systems Integrating Safety and Security" (18KJB520024).



Abstract: To distinguish the malicious traffic generated by running malicious Android applications from their normal traffic, this paper proposes a method for annotating the malicious traffic of Android mobile applications. For encrypted network traffic, encryption detection is performed on the basis of the port number and the byte entropy of the flow payload. Whether the encrypted traffic is abnormal is then judged from the server certificate and related content. At the same time, the malicious Android application is decompiled, and its program control flow graph is used to analyze whether the encrypted traffic involves sensitive operations, so that malicious encrypted traffic can be annotated. Tests are performed on 300 repackaged malicious mobile applications. Comparison of the experimental results against the same baseline shows that the proposed method detects 341 malicious encrypted flows, of which only 28 are false alarms; this is more accurate than annotation without the proposed method, which reports 1 602 malicious encrypted flows.

Key words: mobile application, encrypted traffic, data annotation, anomaly detection, malicious code analysis
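As an added illustration of the encryption-detection step described in the abstract (port number plus byte entropy of the flow payload), the following Python is not code from the paper: the entropy threshold, the TLS port list and the rule that combines the two are assumptions, and the sample flows are constructed.

```python
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Assumed values: the paper does not publish its entropy threshold or port list.
ENTROPY_THRESHOLD = 6.0   # bits per byte; ciphertext approaches the 8.0 maximum
TLS_PORTS = {443, 8443}   # destination ports taken as TLS regardless of entropy


def byte_entropy(payload: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte (0.0 for empty)."""
    if not payload:
        return 0.0
    n = len(payload)
    return -sum((c / n) * math.log2(c / n) for c in Counter(payload).values())


@dataclass
class Flow:
    dst_ip: str
    dst_port: int
    payload: bytes  # reassembled application-layer bytes of the flow


def is_encrypted(flow: Flow) -> bool:
    """Combination rule (an assumption): a known TLS port is enough on its own;
    otherwise the payload must look like ciphertext, i.e. entropy at or above threshold."""
    return flow.dst_port in TLS_PORTS or byte_entropy(flow.payload) >= ENTROPY_THRESHOLD


def split_flows(flows):
    """Return (encrypted, plaintext); only the encrypted list proceeds to the
    certificate check and the CFG-based sensitive-operation analysis."""
    return [f for f in flows if is_encrypted(f)], [f for f in flows if not is_encrypted(f)]


# Constructed sample payloads, not real captures.
PLAINTEXT_HTTP = (b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
                  b"User-Agent: sample/1.0\r\nAccept: */*\r\n\r\n")
# Deterministic high-entropy bytes standing in for TLS records on a non-standard port.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(b"constructed-seed-%d" % i).digest() for i in range(16))
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 80, PLAINTEXT_HTTP),
    Flow("192.0.2.20", 8080, CIPHERTEXT_LIKE),
    Flow("192.0.2.30", 443, b""),  # port hint alone
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        label = "encrypted" if is_encrypted(f) else "plaintext"
        print(f"{label:9} {f.dst_ip}:{f.dst_port} entropy={byte_entropy(f.payload):.2f}")
```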
