한국융합학회논문지 (Journal of the Korea Convergence Society)

  • 제8권4호
  • /
  • Pages.25-36
  • /
  • 2017
  • /
  • 2233-4890(pISSN)
  • /
  • 2713-6353(eISSN)
한국융합학회 (Korea Convergence Society)
권호 표지
DOI QR코드

DOI QR Code

모바일 앱 실행시 커널 계층 이벤트 시퀀스 유사도 측정을 통한 악성 앱 판별 기법

Malicious App Discrimination Mechanism by Measuring Sequence Similarity of Kernel Layer Events on Executing Mobile App

  • 투고 : 2017.02.21
  • 심사 : 2017.04.20
  • 발행 : 2017.04.28
PDF 다운로드
⟨ 이전 논문 다음 논문 ⟩

초록

최근 스마트폰 사용자가 증가함에 따라 특히 안드로이드 기반 모바일 단말을 대상으로 다양한 어플리케이션들이 개발 및 이용되고 있다. 하지만 악의적인 목적으로 개발된 악성 어플리케이션 또한 3rd Party 오픈 마켓을 통해 배포되고 있으며 모바일 단말 내 사용자의 개인정보 또는 금융정보 등을 외부로 유출하는 등의 피해가 계속적으로 증가하고 있다. 따라서 이를 방지하기 위해서는 안드로이드 기반 모바일 단말 사용자를 대상으로 악성 앱과 정상 앱을 구별할 수 있는 방법이 필요하다. 이에 본 논문에서는 앱 실행시 발생하는 시스템 콜 이벤트를 추출해서 악성 앱을 탐지하는 기존 관련 연구에 대해 분석하였다. 이를 토대로 다수의 모바일 단말에서 앱이 실행되는 과정에서 발생하는 커널 계층 이벤트들에 대한 발생 순서간 유사도 분석을 통해 악성 앱을 판별하는 기법을 제안하였으며 상용 단말을 대상으로 실험 결과를 제시하였다.

As smartphone users have increased in recent years, various applications have been developed and used especially for Android-based mobile devices. However, malicious applications developed by attackers for malicious purposes are also distributed through 3rd party open markets, and damage such as leakage of personal information or financial information of users in mobile terminals is continuously increasing. Therefore, to prevent this, a method is needed to distinguish malicious apps from normal apps for Android-based mobile terminal users. In this paper, we analyze the existing researches that detect malicious apps by extracting the system call events that occur when the app is executed. Based on this, we propose a technique to identify malicious apps by analyzing the sequence similarity of kernel layer events occurring in the process of running an app on commercial Android mobile devices.

키워드

참고문헌

  1. W. R. Jeon, J. Y. Kim, Y. S. Lee, D. H. Won, “Analysis of Threats and Countermeasures on Mobile Smartphone,” Journal of the Korean Society of Computer and Information, Vol. 16, No. 2, pp. 153-163, 2011.
  2. W. Enck, M. Ongtang, P. McDaniel, “Understanding android security,” IEEE Security & Privacy Magazine, Vol. 7, No. 1, pp. 50-57, 2009. https://doi.org/10.1109/MSP.2009.26
  3. A. Shabtai, Y. Fledel, U. Kanonov, Y. Elovici, S. Dolev, "Google Android: A State-of-the-art Review of Security Mechanisms," Technical Report, Cornell University, 2009.
  4. Sushma Verma, Sunil Kumar Muttoo, S.K. Pal, “MDroid: Android based Malware Detection Using MCM Classifier,” International Journal of Engineering Applied Sciences and Technology, Vol. 1, No. 8, pp. 206-215, 2016.
  5. J. W. Park, S. T. Moon, G. W. Son, I. K. Kim, K. S. Han, E. G. Im, I. G. Kim, “An Automatic Malware Classification System using String List and APIs,” Journal of Security Engineering, Vol. 8, No. 5, pp. 611-626, 2011.
  6. I. Burguera, U. Zurutuza, S. Nadjm-Tehrani, "Crowdroid: Behavoir-Based Malware Detection System for Android," Proceeding of the 1st ACM workshop on security and privacy in smartphones and mobile devices(SPSM'11), ACM, Vol. 1, pp. 15-26, 2011.
  7. A. Shabtai, U. Kanonov, Y. Elovici, C. Glezer, Y. Weiss, “Andromaly: a behavioral malware detection framework for android devices,” Journal of Intelligent Information Systems, Vol. 38, No. 1, pp. 161-190, 2012. https://doi.org/10.1007/s10844-010-0148-x
  8. Y. Zhong, H. Yamaki, H. Takakura, "A Malware Classification method Based on Similarity of Function Structure," 12th International Symposium of Applications and the Internet(SAINT), pp. 256-261, 2012.
  9. More than 50 Android apps found infected with rootkit malware, http://www.guardian.co.uk/technology/blog/2011/mar/02/android-market-apps-malware.
  10. CuckooDroid - http://cuckoo-droid.readthedocs.org/
  11. Y. J. Ham, H. W. Lee, “Design and Implementation of Malicious Application Detection System Using Event Aggregation on Android based Mobile Devices,” Journal of The Korea Society of Internet and Information, Vol. 14, No. 6, pp. 125-139, 2013.
  12. Y. J. Ham, H. W. Lee, “Malicious Trojan Horse Application Discrimination Mechanism using Realtime Event Similarity on Android Mobile Devices,” Journal of Internet Computing and Services, Vol. 15, No. 3, pp. 31-43, 2014. https://doi.org/10.7472/jksii.2014.15.3.31
  13. H. W. Lee, "Android based Mobile Device Rooting Attack Detection and Malicious Application Event Monitoring," Review of Korean Society for Internet Information, Vol. 13, No. 1, pp. 30-38, 2012.
  14. http://www.malgenomeproject.org, 2013. 4
  15. Y. J. Ham, D. Y. Moon, H. W. Lee, J. D. Lim, J. N. Kim, "Android Mobile Application System Call Event Pattern Analysis for Determination of Malicious Attack", International Journal of Security and Its Applications(IJSIA), Vol. 8, No. 1, pp. 231-246, 2014. https://doi.org/10.14257/ijsia.2014.8.1.22
  16. S. W. Cho, W. J. Jang, H. W. Lee, “Development of User Oriented Vulnerability Analysis Application on Smart Phone,” Journal of the Korea Convergence Society, Vol. 3, No. 2, pp. 7-12, 2012.
  17. B. S. Yu, S. H. Yun, "The Design and Implementation of Messenger Authentication Protocol to Prevent Smartphone Phishing", Journal of the Korea Convergence Society, Vol. 2, No. 4, pp. 9-14, 2011.
  18. M. H. Lee, "A Study on N-Screen Convergence Application with Mobile WebApp Environment", Journal of the Korea Convergence Society, Vol. 6, No. 2, pp. 43-48, 2015. https://doi.org/10.15207/JKCS.2015.6.2.043