The Android operating system provides a rich Inter-Component Communication(ICC) method that brings enormous convenience. However, the Android ICC also increases security risks. To address this problem, a formal method...The Android operating system provides a rich Inter-Component Communication(ICC) method that brings enormous convenience. However, the Android ICC also increases security risks. To address this problem, a formal method is proposed to model and detect inter-component communication behavior in Android applications. Firstly,we generate data flow graphs and data facts for each component through component-level data flow analysis.Secondly, our approach treats ICC just like method calls. After analyzing the fields and data dependencies of the intent, we identify the ICC caller and callee, track the data flow between them, and construct the ICC model. Thirdly,the behavior model of Android applications is constructed by a formal mapping method for component data flow graph based on Pi calculus. The runtime sensitive path trigger detection algorithm is then given. Communicationbased attacks are detected by analyzing intent abnormity. Finally, we analyze the modeling and detection efficiency,and compare it with relevant methods. Analysis of 57 real-world applications partly verifies the effectiveness of the proposed method.展开更多
A precise representation for attacks can benefit the detection of malware in both accuracy and efficiency.However,it is still far from expectation to describe attacks precisely on the Android platform.In addition,new ...A precise representation for attacks can benefit the detection of malware in both accuracy and efficiency.However,it is still far from expectation to describe attacks precisely on the Android platform.In addition,new features on Android,such as communication mechanisms,introduce new challenges and difficulties for attack detection.In this paper,we propose abstract attack models to precisely capture the semantics of various Android attacks,which include the corresponding targets,involved behaviors as well as their execution dependency.Meanwhile,we construct a novel graph-based model called the inter-component communication graph(ICCG)to describe the internal control flows and inter-component communications of applications.The models take into account more communication channel with a maximized preservation of their program logics.With the guidance of the attack models,we propose a static searching approach to detect attacks hidden in ICCG.To reduce false positive rate,we introduce an additional dynamic confirmation step to check whether the detected attacks are false alarms.Experiments show that DROIDECHO can detect attacks in both benchmark and real-world applications effectively and efficiently with a precision of 89.5%.展开更多
基金supported by the Hebei Provincial Natural Science Foundation(Nos.F2016203290 and F2017203307)the National Natural Science Foundation of China(No.61772450)+3 种基金the Doctoral Foundation of Yanshan University(Nos.BL18011 and B906)the Hebei Normal University of Science and Technology Scientific Research Foundation(No.2018YB019)the China Postdoctoral Science Foundation(No.2018M631764)the Hebei Province Science and Technology Planning Project(No.17210701D)
文摘The Android operating system provides a rich Inter-Component Communication(ICC) method that brings enormous convenience. However, the Android ICC also increases security risks. To address this problem, a formal method is proposed to model and detect inter-component communication behavior in Android applications. Firstly,we generate data flow graphs and data facts for each component through component-level data flow analysis.Secondly, our approach treats ICC just like method calls. After analyzing the fields and data dependencies of the intent, we identify the ICC caller and callee, track the data flow between them, and construct the ICC model. Thirdly,the behavior model of Android applications is constructed by a formal mapping method for component data flow graph based on Pi calculus. The runtime sensitive path trigger detection algorithm is then given. Communicationbased attacks are detected by analyzing intent abnormity. Finally, we analyze the modeling and detection efficiency,and compare it with relevant methods. Analysis of 57 real-world applications partly verifies the effectiveness of the proposed method.
基金supported in part by National Key R&D Program of China(No.2016QY04W0805)NSFC U1536106,61728209+3 种基金National Top-notch Youth Talents Program of ChinaYouth Innovation Promotion Association CASBeijing Nova Program and a research grant from Ant Financialpartly supported by International Cooperation Program on CyberSecurity,administered by SKLOIS,Institute of Information Engineering,Chinese Academy of Sciences,China(No.SNSBBH-2017111036).
文摘A precise representation for attacks can benefit the detection of malware in both accuracy and efficiency.However,it is still far from expectation to describe attacks precisely on the Android platform.In addition,new features on Android,such as communication mechanisms,introduce new challenges and difficulties for attack detection.In this paper,we propose abstract attack models to precisely capture the semantics of various Android attacks,which include the corresponding targets,involved behaviors as well as their execution dependency.Meanwhile,we construct a novel graph-based model called the inter-component communication graph(ICCG)to describe the internal control flows and inter-component communications of applications.The models take into account more communication channel with a maximized preservation of their program logics.With the guidance of the attack models,we propose a static searching approach to detect attacks hidden in ICCG.To reduce false positive rate,we introduce an additional dynamic confirmation step to check whether the detected attacks are false alarms.Experiments show that DROIDECHO can detect attacks in both benchmark and real-world applications effectively and efficiently with a precision of 89.5%.
