Credit index measurement method for Android application security based on AHP
XU Junfeng (1), WANG Jiajie (1), ZHU Kelei (1), ZHANG Puhan (1), MA Yufei (2)
1. China Information Technology Security Evaluation Center, Beijing 100085, China;
2. School of Software, University of Science and Technology of China, Hefei 230026, China
Abstract: The openness and popularity of the Android system have left Android applications exposed to serious security risks such as malicious code injection and repackaging. Traditional measurement methods for Android software security can generally determine an application's security level, because their security index measurement is reasonably accurate, but they cannot provide an accurate software credit measurement or a sorting of applications by security index. This paper assigns a safety coefficient that indicates the scope of security after a reverse analysis of the Android software for security classification. The analytic hierarchy process (AHP) evaluation model is then used to produce a preliminary safety score for the Android software. Meanwhile, the Android software's certification strength and its violation records in external application markets are used to compute the final AHP security index in a second pass. Tests show that this measurement method can accurately measure the security index of Android software products.
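As an added illustration (not the paper's own code or data), the following Python sketch implements the two-stage scheme the abstract describes: AHP weights with a consistency check over four assumed reverse-analysis criteria, a preliminary weighted score, and a second pass that adjusts for certification strength and market violation records. The criteria, the judgement matrix, the indicator scores and the penalty rule are all constructed assumptions.

```python
"""Two-stage AHP security index for an Android app (illustrative, constructed data)."""
from math import prod

# Saaty's random consistency index, indexed by matrix order n
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24}

def ahp_weights(matrix):
    """Priority vector via the row geometric-mean method, plus the consistency ratio CR."""
    n = len(matrix)
    geo = [prod(row) ** (1.0 / n) for row in matrix]
    total = sum(geo)
    w = [g / total for g in geo]
    # lambda_max estimated as the mean of (A w)_i / w_i over all rows
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lam - n) / (n - 1) if n > 1 else 0.0
    cr = ci / RANDOM_INDEX[n] if RANDOM_INDEX[n] else 0.0
    return w, cr

def preliminary_score(weights, indicators):
    """Weighted sum of per-criterion indicator scores, each in [0, 1] (1 = safest)."""
    return sum(wi * si for wi, si in zip(weights, indicators))

def final_index(prelim, cert_strength, violations):
    """Second pass: scale by certification strength (0..1), then penalise violation
    records. The 0.1-per-violation penalty is a constructed rule, not the paper's."""
    return max(0.0, prelim * cert_strength - 0.1 * violations)

# Assumed reverse-analysis criteria: permission risk, component exposure,
# code protection, third-party library risk. Pairwise judgements are constructed.
JUDGEMENT = [
    [1,   3,   2,   4],
    [1/3, 1,   1/2, 2],
    [1/2, 2,   1,   3],
    [1/4, 1/2, 1/3, 1],
]

def assess(indicators, cert_strength, violations):
    """Return (preliminary score, final index); reject inconsistent judgements."""
    w, cr = ahp_weights(JUDGEMENT)
    if cr >= 0.10:  # Saaty's usual threshold: judgements too inconsistent to use
        raise ValueError(f"inconsistent judgement matrix, CR={cr:.3f}")
    prelim = preliminary_score(w, indicators)
    return prelim, final_index(prelim, cert_strength, violations)

if __name__ == "__main__":
    print(assess([0.8, 0.6, 0.9, 0.7], cert_strength=0.9, violations=1))
```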
Citation: XU Junfeng, WANG Jiajie, ZHU Kelei, ZHANG Puhan, MA Yufei. Credit index measurement method for Android application security based on AHP. Journal of Tsinghua University (Science and Technology), 2018, 58(2): 131-136.