Research on Malware Dynamic Monitoring Based on Android Platform

Cited by: 2

Authors: WANG Qian-wen; SHEN Su-bin [1]; WU Zhen-yu [2] (School of Computer, Nanjing University of Posts and Telecommunications, Nanjing 210003, China; School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, China)

Affiliations: [1] School of Computer Science, Nanjing University of Posts and Telecommunications, Nanjing 210003, Jiangsu, China; [2] School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing 210003, Jiangsu, China

Source: Computer Technology and Development (计算机技术与发展), 2018, No. 8, pp. 124-128 (5 pages)

Funding: National Natural Science Foundation of China (61502246); Future Network Prospective Research Project (BY20130951108)

Abstract: This paper introduces the Android signature mechanism and the characteristics of each layer of the Android security architecture, and analyses the monitoring mechanisms available at each layer. It focuses on the API-hooking method at the application framework layer and the system-call interception method at the kernel layer, and proposes a dynamic malware monitoring scheme for the Android platform. Combined with the Android signature mechanism, the scheme computes the MD5 value of a file to decide whether an application shows signs of repackaging, and uses this result to filter samples. The kernel-layer monitoring method, which modifies the system call table, is selected so that the application's upper-layer behaviour can be reconstructed from the intercepted calls, and corresponding security policies are given for the different attack behaviours of malware. To reduce the load on the phone, the scheme works together with a PC and uses the monkey tool to install and uninstall APKs automatically. To verify the feasibility of the scheme, the most representative malware families in the Malgenome Project dataset were selected and tested on the Android emulator (AVD). The experimental results show that the scheme can effectively monitor malware behaviour and warn Android phone users.

Keywords: Android platform; malware; system call; dynamic monitoring

Classification: TP393 [Automation and Computer Technology: Computer Application Technology]
