Abstract
In recent years, ransomware on the Android platform has grown explosively, and its malicious behaviour keeps evolving. Android ransomware specifically targets users' smart devices and private files, causing victims severe psychological and financial harm. This paper proposes a lightweight ransomware detection method that can discover a potential ransom risk before an app is installed on the phone. Through an extensive collection of 2721 ransomware samples and in-depth analysis of them, the paper extracts features in the areas of screen locking, encryption, permissions, threat text, payment methods and network communication, and uses an inductive learning algorithm with modular classification rules to detect risk in real time. In addition, an evidence-chain generation method based on natural language generation is proposed, which presents the peripheral information of the app under inspection and the matched classification rules in a way ordinary users can understand, helping non-expert users make sound decisions. Finally, experiments show that the implemented system achieves 95% detection accuracy, 90% of ordinary users report being able to understand the evidence-chain descriptions, and performance analysis confirms that the system meets the requirements of real-time detection on smartphones.
In recent years, we have witnessed a drastic increase in ransomware, especially on popular platforms such as Android. Generally, ransomware prevents legitimate users from accessing their own mobile devices by locking the screen or encrypting the stored data. Then, it blackmails victims for a sum of money in return for their devices or files. Unlike other types of malware, whose damage can be contained by removing them, deleting ransomware from the infected devices cannot help victims get their files back. In light of ransomware's rapid growth, it is imperative to develop effective real-time solutions that can detect and stop the malicious behaviours of ransomware at an early stage. However, the research community is still constrained by the lack of a comprehensive dataset, and there exists no insightful understanding of mobile ransomware in the wild, which makes it very hard for researchers to develop an effective mitigation solution. Although several standalone systems have been designed to detect PC ransomware, a detection approach running on mobile devices should be lightweight to provide a good experience to users, which makes directly applying the existing PC solutions to mobile devices infeasible. Moreover, none of these detection systems can help users understand how, where, when, and why a threat operates. In this paper, we propose a novel lightweight ransomware detection scheme, called RansomGuard, which decompiles an APK file to extract sensitive features and utilizes a machine learning method to detect ransomware-like apps before the user installs them on the device. Specifically, we have managed to collect 2721 ransomware samples from 15 different families, which seems to be the first large collection of Android ransomware and covers the majority of existing families. Also, we divide the collected samples into three classes, i.e., controlling devices, kidnapping data, and intimidating users. Considering the real-time requirements, we focus on malicious features that can be statically extracted from an APK file without resorting to heavy and t
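As an added illustration of the two steps the abstract describes, modular classification rule induction and the plain-language evidence chain, the Python below learns PRISM-style rules from a constructed table of static APK features and renders the rule that fires as a sentence a non-expert can follow. It is not the paper's code or data; the feature names, the rows and the sentence fragments are assumptions that only stand in for the paper's feature categories.

```python
# Added demo (not the paper's code): PRISM-style modular rules over constructed
# static APK features, plus a plain-language evidence chain for the rule that fires.
FEATURES = ("lock_screen", "device_admin", "threat_text", "payment_hint")
ROWS = [  # constructed, hypothetical feature rows: (features..., label)
    (1, 0, 1, 0, "ransomware"), (1, 1, 1, 1, "ransomware"),
    (0, 1, 0, 1, "ransomware"), (0, 1, 1, 1, "ransomware"),
    (1, 0, 0, 0, "benign"), (0, 0, 1, 0, "benign"), (0, 1, 0, 0, "benign"),
    (0, 0, 0, 1, "benign"), (0, 0, 0, 0, "benign"),
]
TRAIN = [(dict(zip(FEATURES, r[:-1])), r[-1]) for r in ROWS]

EVIDENCE = {  # plain-language fragment per feature, used to build the chain
    "lock_screen": "it can draw over every other app and keep the screen locked",
    "device_admin": "it requests device-administrator rights, which make it hard to remove",
    "threat_text": "its resources contain threatening text typical of ransom notes",
    "payment_hint": "it embeds payment instructions such as prepaid-card references",
}

def matches(rule, features):
    return all(features.get(k) == v for k, v in rule.items())  # AND of conditions

def prism(examples, target):
    """PRISM: grow a rule by the condition with best accuracy (ties: coverage) until
    it covers only `target` rows; drop the rows it covers; repeat while any remain."""
    rules, remaining = [], list(examples)
    while any(lbl == target for _, lbl in remaining):
        rule, covered = {}, list(remaining)
        while any(lbl != target for _, lbl in covered):
            best = None
            for feat in [f for f in FEATURES if f not in rule]:
                for val in (0, 1):
                    sub = [(f, l) for f, l in covered if f[feat] == val]
                    pos = sum(1 for _, l in sub if l == target)
                    if sub and (best is None or (pos / len(sub), pos) > best[0]):
                        best = ((pos / len(sub), pos), feat, val, sub)
            if best is None:  # no attribute left to refine the rule with
                break
            _, feat, val, covered = best
            rule[feat] = val
        rules.append(rule)
        remaining = [(f, l) for f, l in remaining if not matches(rule, f)]
    return rules

def explain(app_name, features, rules):
    """Verdict plus an evidence chain for the first rule that matches `features`."""
    for rule in rules:
        if matches(rule, features):
            chain = "; ".join(EVIDENCE[k] for k in rule)
            return True, f"{app_name} looks like ransomware because {chain}."
    return False, f"No ransomware rule matched {app_name}."
```

On this table the induction yields two rules, device_admin AND payment_hint and lock_screen AND threat_text, and each matched rule is read out feature by feature, which is the shape of evidence chain the abstract aims at.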
Authors
王持恒, 陈晶, 陈祥云, 杜瑞颖
WANG Chi-Heng; CHEN Jing; CHEN Xiang-Yun; DU Rui-Ying (State Key Laboratory of Software Engineering, Wuhan University, Wuhan 430072; Science and Technology on Communication Security Laboratory, Chengdu 610041; Collaborative Innovation Center of Geospatial Technology, Wuhan 430079)
Source
《计算机学报》 (Chinese Journal of Computers), 2018, No. 10, pp. 2344-2358 (15 pages); indexed in EI, CSCD and the PKU Core Journal list
Funding
National Natural Science Foundation of China (61572380, 61772383, 61702379); National Basic Research Program of China (2014CB340600)
Keywords
Android
ransomware
inductive learning with modular classification rules
natural language generation
evidence chain
static analysis