Dissertations / Theses on the topic 'Mobile malware detection'

Consult the top 19 dissertations / theses for your research on the topic 'Mobile malware detection.'

1

Khoda, Mahbub. "Robust Mobile Malware Detection." Thesis, Federation University Australia, 2020. http://researchonline.federation.edu.au/vital/access/HandleResolver/1959.17/176412.

Abstract:
The increasing popularity and use of smartphones and hand-held devices have made them the most popular target for malware attackers. Researchers have proposed machine learning-based models to automatically detect malware attacks on these devices. Since these models learn application behaviors solely from the extracted features, choosing an appropriate and meaningful feature set is one of the most crucial steps for designing an effective mobile malware detection system. There are four categories of features for mobile applications. Previous works have taken arbitrary combinations of these categories to design models, resulting in sub-optimal performance. This thesis systematically investigates the individual impact of these feature categories on mobile malware detection systems. Feature categories that complement each other are investigated and categories that add redundancy to the feature space (thereby degrading the performance) are analyzed. In the process, the combination of feature categories that provides the best detection results is identified. Ensuring reliability and robustness of the above-mentioned malware detection systems is of utmost importance as newer techniques to break down such systems continue to surface. Adversarial attack is one such evasive attack that can bypass a detection system by carefully morphing a malicious sample even though the sample was originally correctly identified by the same system. Self-crafted adversarial samples can be used to retrain a model to defend against such attacks. However, randomly using too many such samples, as is currently done in the literature, can further degrade detection performance. This work proposed two intelligent approaches to retrain a classifier through the intelligent selection of adversarial samples. 
The first approach adopts a distance-based scheme where the samples are chosen based on their distance from malware and benign cluster centers while the second selects the samples based on a probability measure derived from a kernel-based learning method. The second method achieved a 6% improvement in terms of accuracy. To ensure practical deployment of malware detection systems, it is necessary to keep the real-world data characteristics in mind. For example, the benign applications deployed in the market greatly outnumber malware applications. However, most studies have assumed a balanced data distribution. Also, techniques to handle imbalanced data in other domains cannot be applied directly to mobile malware detection since they generate synthetic samples with broken functionality, making them invalid. In this regard, this thesis introduces a novel synthetic over-sampling technique that ensures valid sample generation. This technique is subsequently combined with a dynamic cost function in the learning scheme that automatically adjusts minority class weight during model training which counters the bias towards the majority class and stabilizes the model. This hybrid method provided a 9% improvement in terms of F1-score. Aiming to design a robust malware detection system, this thesis extensively studies machine learning-based mobile malware detection in terms of best feature category combination, resilience against evasive attacks, and practical deployment of detection models. Given the increasing technological advancements in mobile and hand-held devices, this study will be very useful for designing robust cybersecurity systems to ensure safe usage of these devices.
Doctor of Philosophy
2

Kinable, Joris. "Malware Detection Through Call Graphs." Thesis, Norwegian University of Science and Technology, Department of Telematics, 2010. http://urn.kb.se/resolve?urn=urn:nbn:no:ntnu:diva-10908.

Abstract:
Each day, anti-virus companies receive large quantities of potentially harmful executables. Many of the malicious samples among these executables are variations of earlier encountered malware, created by their authors to evade pattern-based detection. Consequently, robust detection approaches are required, capable of recognizing similar samples automatically. In this thesis, malware detection through call graphs is studied. In a call graph, the functions of a binary executable are represented as vertices, and the calls between those functions as edges. By representing malware samples as call graphs, it is possible to derive and detect structural similarities between multiple samples. The latter can be used to implement generic malware detection schemes, which can proactively detect existing versions of the malware, as well as future releases with similar characteristics. To compare call graphs mutually, we compute pairwise graph similarity scores via graph matchings which minimize an objective function known as the Graph Edit Distance. Finding exact graph matchings is intractable for large call graph instances. Hence we investigate several efficient approximation algorithms. Next, to facilitate the discovery of similar malware samples, we employ several clustering algorithms, including variations on k-medoids clustering and DBSCAN clustering algorithms. Clustering experiments are conducted on a collection of real malware samples, and the results are evaluated against manual classifications provided by virus analysts from F-Secure Corporation. Experiments show that it is indeed possible to accurately detect malware families using the DBSCAN clustering algorithm. Based on our results, we anticipate that in the future it is possible to use call graphs to analyse the emergence of new malware families, and ultimately to automate implementing generic protection schemes for malware families.
3

Al, Sebea Hussain. "Dynamic detection and immunisation of malware using mobile agents." Thesis, Edinburgh Napier University, 2005. http://researchrepository.napier.ac.uk/output/4036/.

Abstract:
At present, malicious software (mal-ware) is causing many problems on private networks and the Internet. One major cause of this includes outdated or absent security software to countermeasure these anomalies such as Antivirus software and Personal Firewalls. Another cause is that mal-ware can exploit weaknesses in software, notably operating systems. This can be reduced by use of a patch service, which automatically downloads patches to its clients. Unfortunately this can lead to new problems introduced by the patch server itself. The aim of this project is to produce a more flexible approach in which agent programs are dispatched to clients (which in turn run static agent programs), allowing them to communicate locally rather than over the network. Thus, this project uses mobile agents which are software agents which can be given an itinerary and migrate to different hosts, interrogating the static agents therein for any suspicious files. These mobile agents are deployed with a list of known mal-ware signatures and their corresponding cures, which are used as a reference to determine whether a reported suspect is indeed malicious. The overall system is responsible for Dynamic Detection and Immunisation of Mal-ware using Mobile Agents (DIMA) on peer to peer (P2P) systems. DIMA is categorised under Intrusion Detection Systems (IDS) and deals with the specific branch of malicious software discovery and removal. DIMA was designed using Borland Delphi to implement the static agent due to its seamless integration with the Windows operating system, whereas the mobile agent was implemented in Java, running on the Grasshopper mobile agent environment, due to its compliance with several mobile agent development standards and in-depth documentation. In order to evaluate the characteristics of the DIMA system a number of experiments were carried out. This included measuring the total migration time and host hardware specification and its effect on trip timings. 
Also, as the mobile agent migrated, its size was measured between hops to see how this varied as more data was collected from hosts. The main results of this project show that the time the mobile agent took to visit all predetermined hosts increased linearly as the number of hosts grew (the average inter-hop interval was approximately 1 second). It was also noted that modifications to hardware specifications in a group of hosts had minimal effect on the total journey time for the mobile agent. Increasing a group of hosts' processor speeds or RAM capacity made a subtle difference to round trip timings (less than 300 milliseconds faster than a slower group of hosts). Finally, it was proven that as the agent made more hops, it increased in size due to the accumulation of statistical data collected (57 bytes after the first hop, and then a constant increase of 4 bytes per hop thereafter).
4

Burguera, Hidalgo Iker. "Behavior-based malware detection system for the Android platform." Thesis, Linköpings universitet, RTSLAB - Laboratoriet för realtidssystem, 2011. http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-73647.

Abstract:
Malware in smartphones is growing at a significant rate. There are currently more than 250 million smartphone users in the world and this number is expected to grow in coming years.  In the past few years, smartphones have evolved from simple mobile phones into sophisticated computers. This evolution has enabled smartphone users to access and browse the Internet, to receive and send emails, SMS and MMS messages and to connect devices in order to exchange information. All of these features make the smartphone a useful tool in our daily lives, but at the same time they render it more vulnerable to attacks by malicious applications.  Given that most users store sensitive information on their mobile phones, such as phone numbers, SMS messages, emails, pictures and videos, smartphones are a very appealing target for attackers and malware developers. The need to maintain security and data confidentiality on the Android platform makes the analysis of malware on this platform an urgent issue.  We have based this report on previous approaches to the dynamic analysis of application behavior, and have adapted one approach in order to detect malware on the Android platform. The detector is embedded in a framework to collect traces from a number of real users and is based on crowdsourcing. Our framework has been tested by analyzing data collected at the central server using two types of data sets: data from artificial malware created for test purposes and data from real malware found in the wild. The method used is shown to be an effective means of isolating malware and alerting users of downloaded malware, which suggests that it has great potential for helping to stop the spread of detected malware to a larger community.  This thesis project shows that it is feasible to create an Android malware detection system with satisfactory results.
5

Gitzinger, Louison. "Surviving the massive proliferation of mobile malware." Thesis, Rennes 1, 2020. http://www.theses.fr/2020REN1S058.

Abstract:
Nowadays, we are surrounded by autonomous smart devices that interact with numerous services in order to improve our standard of living. These devices are part of larger ecosystems, in which many companies collaborate to facilitate the distribution of applications between developers and users. However, malicious individuals illegally take advantage of this to infect users' devices with malicious applications. Despite all the efforts made to defend these ecosystems, the rate of devices infected with malware is still increasing in 2020. In this thesis, we explore three research axes with the aim of globally improving malware detection in the Android ecosystem. We first demonstrate that the accuracy of machine learning-based detection systems can be improved by automating their evaluation and by reusing the concept of AutoML to fine-tune the parameters of the learning algorithms. We propose an approach for automatically creating malware variants from combinations of complex evasion techniques, to diversify experimental malware datasets in order to put detection systems to the test. Finally, we propose methods to improve the quality of the experimental datasets used to train and test detection systems.
Nowadays, many of us are surrounded by smart devices that seamlessly operate interactively and autonomously together with multiple services to make our lives more comfortable. These smart devices are part of larger ecosystems, in which various companies collaborate to ease the distribution of applications between developers and users. However malicious attackers take advantage of them illegitimately to infect users' smart devices with malicious applications. Despite all the efforts made to defend these ecosystems, the rate of devices infected with malware is still increasing in 2020. In this thesis, we explore three research axes with the aim of globally improving malware detection in the Android ecosystem. We demonstrate that the accuracy of machine learning-based detection systems can be improved by automating their evaluation and by reusing the concept of AutoML to fine-tune learning algorithms parameters. We propose an approach to automatically create malware variants from combinations of complex evasion techniques to diversify experimental malware datasets in order to challenge existing detection systems. Finally, we propose methods to globally increase the quality of experimental datasets used to train and test detection systems
6

Adeel, Muhammad. "Adaptive mobile P2P malware detection using social interactions based digital footprints." Thesis, Queen Mary, University of London, 2013. http://ethos.bl.uk/OrderDetails.do?uin=uk.bl.ethos.612575.

7

Vural, Ickin. "Spamming mobile botnet detection using computational intelligence." Diss., University of Pretoria, 2013. http://hdl.handle.net/2263/36775.

Abstract:
This dissertation explores a new challenge to digital systems posed by the adaptation of mobile devices and proposes a countermeasure to secure systems against threats to this new digital ecosystem. The study provides the reader with background on the topics of spam, Botnets and machine learning before tackling the issue of mobile spam. The study presents the reader with a three tier model that uses machine learning techniques to combat spamming mobile Botnets. The three tier model is then developed into a prototype and demonstrated to the reader using test scenarios. Finally, this dissertation critically discusses the advantages of using the three tier model to combat spamming Botnets.
Dissertation (MSc)--University of Pretoria, 2013.
Computer Science
9

Arp, Daniel Christopher [Verfasser], Konrad [Akademischer Betreuer] Rieck, and Lorenzo [Akademischer Betreuer] Cavallaro. "Efficient and Explainable Detection of Mobile Malware with Machine Learning / Daniel Christopher Arp ; Konrad Rieck, Lorenzo Cavallaro." Braunschweig : Technische Universität Braunschweig, 2019. http://d-nb.info/1195705018/34.

10

Irolla, Paul. "Formalization of Neural Network Applications to Secure 3D Mobile Applications." Thesis, Université Paris-Saclay (ComUE), 2018. http://www.theses.fr/2018SACLS585/document.

Abstract:
This thesis work is part of the 3D NeuroSecure project. It is a future-investment project, which aims to develop a secure collaboration solution for therapeutic innovation, applying high-performance computing (HPC) to the biomedical world. This solution will give experts from different fields the ability to navigate intuitively through Big Data imaging, with access via mobile terminals. Protecting data against leaks is paramount. As such, the client environment and the communications with the server must be secured. We focused our work on developing an antivirus solution for the Android operating system. We promoted the creation of new algorithms, methods and tools that bring advantages over the state of the art but, more importantly, that can be used effectively in a production context. This is why what is proposed here is often a compromise between what can theoretically be done and its applicability. Algorithmic and technological choices are motivated by a trade-off between efficiency and performance. This thesis contributes to the state of the art in the following areas: Static and dynamic analysis of Android applications, application web crawling. First, to search for malicious functions and vulnerabilities, one must design the tools that extract relevant information from Android applications. This is the basis of any analysis. Moreover, any classification algorithm is always limited by the discriminative quality of the underlying data. 
An important part of this thesis is the design of efficient static and dynamic analysis tools, such as a reverse engineering module, a communication analysis tool, and an instrumented Android system. Initialization, training and anti-saturation algorithm for neural networks. Neural networks are initialized at random. It is possible to control the underlying random distribution in order to reduce the saturation effect, the training time and the capacity to reach the global minimum. We developed an initialization procedure that improves results compared with the state of the art. We also adapted the ADAM algorithm to take into account interdependencies with regularization techniques, in particular Dropout. Finally, we use anti-saturation techniques and show that they are necessary to train a neural network correctly. An algorithm for representing the subsequences common to a group of sequences. We propose a new algorithm for building the Embedding Antichain of common subsequences. It is able to process and represent all the subsequences of a set of sequences. It is a tool that makes it possible to characterize a group of sequences systematically. This algorithm is a new avenue of research toward the automatic creation of virus family detection rules.
This thesis work is part of the 3D NeuroSecure project. It is an investment project, that aims to develop a secure collaborative solution for therapeutic innovation using high performance processing (HPC) technology to the biomedical world. This solution will give the opportunity for experts from different fields to navigate intuitively in the Big Data imaging with access via 3D light terminals. Biomedical data protection against data leaks is of foremost importance. As such, the client environment and communications with the server must be secured. We focused our work on the development of antimalware solution on the Android OS. We emphasize the creation of new algorithms, methods and tools that carry advantages over the current state-of-the-art, but more importantly that can be used effectively in a production context. It is why, what is proposed here is often a compromise between what theoretically can be done and its applicability. Algorithmic and technological choices are motivated by a relation of efficiency and performance results. This thesis contributes to the state of the art in the following areas: Static and dynamic analysis of Android applications, application web crawling. First, to search for malicious activities and vulnerabilities, one needs to design the tools that extract pertinent information from Android applications. It is the basis of any analysis. Furthermore, any classifier or detector is always limited by the informative power of underlying data. An important part of this thesis is the designing of efficient static and dynamic analysis tools for applications, such as a reverse engineering module, a network communication analysis tool, an instrumented Android system, an application web crawler etc. Neural Network initialization, training and anti-saturation techniques algorithm. Neural Networks are randomly initialized. 
It is possible to control the underlying random distribution in order to reduce the saturation effect, the training time and the capacity to reach the global minimum. We developed an initialization procedure that enhances the results compared to the state-of-the-art. We also revisited ADAM algorithm to take into account interdependencies with regularization techniques, in particular Dropout. Last, we use anti-saturation techniques and we show that they are required to correctly train a neural network. An algorithm for collecting the common sequences in a sequence group. We propose a new algorithm for building the Embedding Antichain from the set of common subsequences. It is able to process and represent all common subsequences of a sequence set. It is a tool for solving the Systematic Characterization of Sequence Groups. This algorithm is a new path of research toward the automatic creation of malware family detection rules.
11

Kühnel, Marián [Verfasser], Ulrike [Akademischer Betreuer] Meyer, and Felix C. [Akademischer Betreuer] Freiling. "Detection of Traffic Initiated by Mobile Malware Targeting Android Devices in 3GPP Networks / Marián Kühnel ; Ulrike Meyer, Felix C. Freiling." Aachen : Universitätsbibliothek der RWTH Aachen, 2017. http://d-nb.info/1162499265/34.

12

Lopes, João Pedro Lapa da Silva. "Malware detection methods for Android mobile applications." Master's thesis, 2020. http://hdl.handle.net/10071/22189.

Abstract:
Advancements in mobile computing are attracting traditional device users to transition toward mobile platforms to fulfil their data processing needs. Among these, the Android platform is the most popular, holding the majority of the market share due to its open-source policy and ability to install applications from different application stores. This fact, coupled with the amount of sensitive data these devices now store, makes it attractive for malware authors to attack the Android platform, causing a large influx of malicious applications in the ecosystem. Traditional malware detection methods cannot effectively control and prevent this influx, demanding an automatic and intelligent approach such as machine learning. In this thesis, three machine learning algorithms, XGBoost, SVM and K-NN were trained with several features, with a focus on Android permissions, to measure the effectiveness of applying machine learning techniques to combat the proliferation of malware. Given goodware to malware ratio of 99/1, four experiments with an under-sampled version of the dataset with a ratio of 70/30 were conducted to test different subsets of the feature space as well as feature elimination and aggregation before training the algorithms with the full set of features using feature normalization across two distinct scenarios. This approach showed promising results, with XGBoost, SVM and K-NN distinguishing between malware and goodware with a score of 90 % (Area Under the Receiver Operating Curve values).
Advances in mobile computing are attracting users of traditional devices to move to mobile platforms to meet their data processing needs. Among these, the Android platform is the most popular, holding the majority of the market share due to its open-source policy and the ability to install applications through various application stores. This fact, together with the amount of sensitive data these devices now store, makes attacking the Android platform attractive to malware authors, causing a large influx of malicious applications in the ecosystem. Traditional malware detection methods cannot control and prevent this influx effectively, requiring an automatic and intelligent approach such as machine learning. In this thesis, three machine learning algorithms, XGBoost, SVM and K-NN, were trained with several features, focusing on Android permissions and static characteristics of the applications, to measure the effectiveness of applying machine learning techniques in combating the proliferation of malware. Given the dataset's goodware-to-malware ratio of 99/1, four experiments were carried out with an under-sampled version of it with a ratio of 70/30 to test different subsets of the feature space as well as feature elimination and aggregation, before training the algorithms with the full set of features using feature normalization in two scenarios. This approach showed promising results, with XGBoost, SVM and K-NN distinguishing between malware and goodware with a score of 90 % (Area Under the Receiver Operating Curve values).
13

Tsai, Yu-Hsuan, and 蔡育軒. "Fast Mobile Malware Detection Based on Hybrid Analysis Method." Thesis, 2016. http://ndltd.ncl.edu.tw/handle/wd4we4.

Abstract:
Master's
National Sun Yat-sen University
Graduate Institute of Information Management
104
More and more people nowadays use mobile devices. Mobile malware is also increasing very quickly. How to protect mobile devices has become an important issue. The two main kinds of approaches to detecting mobile malware are static approaches and dynamic approaches. Dynamic approaches detect malware based on the actual behaviors of applications, but how to trigger malicious behavior and the efficiency of dynamic approaches are the difficulties of this kind of approach. Most of the static approaches cannot know what malicious behaviors malware will conduct. Android is the most popular mobile platform and the main target of malware. Because Android applications are developed using the Java programming language, it's easier to get application source code using reverse engineering techniques. The proposed system uses data flow analysis on source code reversed from applications to extract features, then uses a genetic algorithm to obtain features which are helpful for distinguishing malicious behaviors. We conducted an experiment on 1,259 malware samples and 1,259 benign applications downloaded from Google Play. We can detect 96.5% of the malware and have a precision of 90%.
14

Yang, Min-Jhe, and 楊旻哲. "A Dom-based malware detection mechanism for mobile device." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/51468576116088403961.

Abstract:
Master's
National Yunlin University of Science and Technology
Master's Program, Department of Information Management
99
Mobile devices are getting increasingly popular and have become a trend in the communication industry, and thus several pieces of malware have appeared targeting smartphones. At present, the countermeasures to malware on smartphones are limited to signature-based solutions, which efficiently detect known malware but have the serious drawback that they cannot detect malware variants and usually need a large database. In order to solve the above problems, we propose a malware detection mechanism which uses the Document Object Model to analyze an application's behavior on a mobile device to improve on the problems of traditional detection systems. In the experimental stage, we used 100 benign and 47 malware samples for evaluation and applied nine data mining algorithms to train classifiers, using our proposed feature extraction approach. The experimental results show that our proposed detection mechanism not only detects malware proactively and with high accuracy, but also that the performance of classifiers using our extracted features is better than permission-based ones.
15

TAN, GENG-LUN, and 譚庚倫. "Mobile Malware Network Packet Detection System based on SVM." Thesis, 2017. http://ndltd.ncl.edu.tw/handle/22019794505066543690.

Abstract:
Master's
Ming Chuan University
Master's Program, Department of Information and Telecommunications Engineering
105
Smart phones have become very popular recently. People are used to storing personal profiles, such as contact information, email accounts and passwords, on their mobile devices. Almost all mobile phones use either the Android or iOS operating system. People rely on mobile phones because of their convenience and functions. However, there are some problems with using mobile phones, including mobile security. The Android system is open source, hence it allows apps which are not authenticated by an official company to be installed on a user's mobile phone. For the above reasons, hackers' targets have started to switch from PCs to mobile phones. Hackers steal users' private information from their mobile devices with malware apps, or send malware code to users' phones to carry out attacks. This research proposes an agent-based malware network packet detection system. The system employs an agent app to periodically collect the user's network packets and store the packets in a pcap file. It then transfers the pcap file, which stores the GET protocol packets, to a remote server and stores the GET protocol packets' content in the database. The GET packet content in the database is analyzed with a Support Vector Machine (SVM) to predict malware behavior. LibSVM and Scikit-learn are used to model the collected GET protocol packets' contents, and their performances are compared in the thesis. The proposed system also provides interfaces, including the Agent App and a website, which show the results of the analysis, history management and model management for users' queries.
16

Lima, António Carlos Lagarto Cabral Bastos de. "Analysis and detection of anomalies in mobile devices." Master's thesis, 2017. http://hdl.handle.net/10316/83277.

Abstract:
Master's dissertation in Informatics Engineering presented to the Faculdade de Ciências e Tecnologia
Organizations are often faced with the need to manage large numbers of mobile device assets, including tight control over aspects such as usage profiles, customization, applications and security. Moreover, the rise of the Bring Your Own Device (BYOD) paradigm has further contributed to hamper these requirements, making it difficult to strike a balance between corporate regulations and freedom of usage. In this scope, security is one of the main requirements both for individual and corporate usage. Device and information protection on mobile ecosystems is quite different from securing other assets such as laptops or desktops, due to specific characteristics and restrictions. For instance, the resource consumption overhead of security mechanisms, which is less relevant for desktop/laptop environments, is critical for mobile devices, which frequently have less computing power and must keep power consumption as low as possible. Security mechanisms for mobile devices combine preventive tools (e.g. Trusted Execution Environments and sandboxed applications), monitoring solutions and reactive and mitigation techniques. In this thesis we start by overviewing these security solutions, presenting a survey on the technologies, frameworks and use cases for mobile device security monitoring and management, with an emphasis on the associated open challenges and benefits, from both the end-user and the corporate points of view. Having analyzed the technological state of the art, we showcase our attempt at analyzing and detecting anomalies in mobile devices in an enterprise scenario, the contemplated and solved implementation ordeals, and the employed development details to achieve it.
The described system is comprised of: an Android application, intended to be installed on the target devices; lightweight Message Brokers; a Central Aggregator, serving as the core of the system, processing and managing the collected data from the mobile assets; a Monitoring Dashboard, enabling the system to be altered at runtime by supervising humans. Lastly, we evaluate the project, exhibiting the preliminary results obtained through the developed system, examining the implications that the results warrant, assessing the current state of the project's proposed tasks and requirements, and proposing the course of action for future work.
Universidade de Coimbra - Research grant: (745€ * 6 months) + (745€ * 3 months) = 6.705€
17

Chia-Wei, Kao, and 高家緯. "An Effective Unknown Botnet Malware Detection Mechanism for Android-based Mobile Devices." Thesis, 2011. http://ndltd.ncl.edu.tw/handle/11971069157005073291.

Abstract:
Master's
Da-Yeh University
Master's Program, Department of Information Management
99
At present, the smartphone system is developing vigorously, in which Android occupies most of the current market share, using the open operating system to provide overall effective applications (apps) for the users to install. However, while it provides protection, it also brings harm, just like a double-edged sword. Some malware may hide in the various Android apps. This study mainly discusses one of the Android botnets, which abuses the powerful connection function of Android. Its distributed denial of service (DDoS) attacks have the features of a large-scale botnet, plus the high mobility of the Android mobile device, so it will cause greater harm to the targets than conventional DDoS attacks, and it is hard to track the attack source. This malware makes the Android connection slower, so that users cannot use the network service normally. What is worse, the greater threat is that it blocks the operation of servers; as a result, the uninfected Android smartphones cannot access the network services normally. Nowadays, most of the conventional DDoS detection mechanisms are at the server end, which can only temporarily relieve the DDoS attacks to stabilize the normal service, but do not provide an effective solution to the Android botnet problems. Furthermore, the conventional detectors are not designed for mobile devices, so their design is not suitable for mobile devices with low performance, limited power and less storage space. Therefore, in order to design an effective detection mechanism for unknown botnet malware, this study first develops a kind of Android botnet malware based on the HTTP Flood attack, which is the most inundant DDoS attack and is hard to detect; meanwhile, it cannot be detected by the well-known anti-virus software tools. Afterward, we further develop a mechanism that can not only effectively detect a wide variety of unknown botnet malware, but also detect the botnet malware developed in this study.
The performance evaluation and analysis reveal the proposed detection mechanism indeed has high detection accuracy, and is superior to the related studies in terms of performance requirements and practical applications. Thus, we affirm the proposed detection mechanism has extremely high practical application value.
18

LIN, WEI-TING, and 林維庭. "Mobile Malware Detection in Sandbox with Live Event Feeding and Log Pattern Analysis." Thesis, 2016. http://ndltd.ncl.edu.tw/handle/46688900875375095628.

Abstract:
Master's
National Chung Cheng University
Graduate Institute of Communications Engineering
104
In recent years, the use of smart devices has become increasingly popular. All kinds of mobile applications are emerging. In addition to the official market, there are also many other ways for users to download mobile apps. As unidentified instances of malware grow day by day, off-the-shelf malware detection methods identify malicious programs mainly with extracted code signatures, which can effectively identify only already known malware, but not new malware in its initial spread. If no samples of this malware are reported and the virus code library is not patched, users won't be alerted to it. Meanwhile, scanning each running program on the mobile device is a very resource-consuming and power-consuming job. A detection method that can save resources and power as well as effectively identify unknown malware in time is essential. Therefore, this paper proposes a new detection method based on live log analysis. A sandbox is used to mimic human operations and monitor responses from apps. Feeding these manual events can excite deactivated malware and improve the accuracy of log analysis, even though the malware is as yet unknown. This study takes recent malware and benign programs to conduct experiments, and then verifies the effectiveness of the proposed method in comparison with those in other papers. The experimental results show that the proposed method outperforms them in both hit rate and pass rate.
19

Costa, Sara Silva. "Security threats management in android systems." Master's thesis, 2017. http://hdl.handle.net/1822/55037.

Abstract:
Integrated master's dissertation in Industrial Electronics and Computers Engineering
With the exponential use of mobile phones to handle sensitive information, the development of intrusion systems has also increased. Malicious software is constantly being developed and the intrusion techniques are increasingly sophisticated. Security protection systems trying to counteract these intrusions are constantly being improved and updated. Android, being one of the most popular operating systems, has become a target for the development of intrusion methods. Developed security solutions constantly monitor their host system and, by accessing a set of defined parameters, they try to find potentially harmful changes. An important topic when addressing the detection of malicious applications is malware identification and characterization. Usually, to separate normal system behavior from malicious behavior, security systems employ machine learning or data mining techniques. However, with the constant evolution of malicious applications, such techniques are still far from being capable of completely responding to the market needs. The aim of this dissertation was to verify whether the definition of malicious behavior patterns is a viable way of addressing this challenge. As part of the proposed research, two data mining classification models were built and tested with the collected data, and their performances were compared. The RapidMiner software was used for the proposed model development and testing, and data was collected from the FlowDroid application. To facilitate the understanding of the security potential of the Android framework, research was done on its architecture, overall structure, and security methods, including its protection mechanisms and breaches. A study was also done on models for describing threats/attacks, as well as on the existing applications for countering mobile threats, analyzing their strengths and weaknesses.