Authors: LI Tao (李涛)[1], WANG Yong-Jian (王永剑)[2], XING Yue-Xiu (邢月秀)[1], HU Ai-Qun (胡爱群)[1]
Affiliations: [1] School of Information Science and Engineering, Southeast University, Nanjing 210096; [2] The Third Research Institute of Ministry of Public Security, Shanghai 200031
Source: Chinese Journal of Computers (《计算机学报》), 2018, No. 9, pp. 2134-2147 (14 pages)
Funding: Supported by the National Natural Science Foundation of China (61601113); the National Basic Research Program of China ("973" Program) (2013CB338003); and the Open Project of the Third Research Institute of Ministry of Public Security (C15606).
Abstract: Privacy leakage on mobile terminals is becoming increasingly serious, and existing single-method detection approaches have certain limitations. Based on application architecture, this paper proposes a multi-dimensional detection framework comprising static analysis, dynamic analysis and data analysis. The results of static analysis are used to guide dynamic execution, which helps improve coverage and accuracy, and leakage-behavior feature extraction is studied for the Android and iOS platforms respectively. This provides more comprehensive leakage event data and abstract feature descriptions for quantitative evaluation. During evaluation, the user's expected level of concern for each privacy object is introduced, and a privacy leakage evaluation model that incorporates subjectivity is proposed. Tests and analysis of Android and iOS applications show that the detection framework can accurately and efficiently detect privacy leakage events in mobile applications, and that the evaluation model reflects users' subjective expectations, effectively compensating for the limitations of a single detection dimension and providing basic theoretical support for personalized evaluation of privacy leakage.

Privacy leakage from mobile terminals has become a serious problem with the rapid development of mobile applications. Leakage detection is one of the important methods for protecting users' private data. State-of-the-art research uses only isolated static analysis or dynamic analysis techniques. Static analysis has the benefit of speed but suffers from a high false-positive rate. Dynamic analysis performs well in accuracy, but its testing speed is slow. Based on application composition, the features of an application span three dimensions: code, behavior and data. Code and behavior correspond to static and dynamic testing respectively. Data testing can be accomplished by analyzing data flow. Unlike the aforementioned single-analysis techniques, this paper proposes a multi-dimensional testing framework that takes the overall application structure into account and comprises static analysis, dynamic analysis and data analysis. The framework first analyzes an application's static structure and invocation information to find potential invocation paths of sensitive information. The potential paths are used to guide the subsequent dynamic execution. This method not only improves testing efficiency and coverage, but also overcomes the limitations of single-dimensional testing, and can provide more complete leakage event data for the privacy leakage assessment model. Under the proposed framework, privacy leakage testing is also divided into three layers: data acquisition, eigenvector formation and quantitative evaluation. During the assessment process, the final quantitative evaluation results are calculated from the three-dimensional eigenvectors and the user's expectations. To use the proposed framework in real systems, behavior characteristic events related to privacy leakage are abstracted for the Android and iOS platforms. The abstracted events provide comprehensive original leakage data for quantitative evaluation. After acquiring the original leakage data, a comprehensive quantitative evaluation method is r
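Keywords: privacy leakage; evaluation model; static analysis; dynamic analysis; data analysis; subjective expectation
Classification number: TP309 [Automation and Computer Technology: Computer System Architecture]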