Please wait a minute...
 首页  期刊介绍 期刊订阅 联系我们 横山亮次奖 百年刊庆
 
最新录用  |  预出版  |  当期目录  |  过刊浏览  |  阅读排行  |  下载排行  |  引用排行  |  横山亮次奖  |  百年刊庆
清华大学学报(自然科学版)  2018, Vol. 58 Issue (2): 131-136    DOI: 10.16511/j.cnki.qhdxxb.2018.26.007
  计算机科学与技术 本期目录 | 过刊浏览 | 高级检索 |
基于AHP的安卓应用安全信用指数度量方法
徐君锋1, 王嘉捷1, 朱克雷1, 张普含1, 马宇飞2
1. 中国信息安全测评中心, 北京 100085;
2. 中国科学技术大学 软件学院, 合肥 230026
Credit index measurement method for Android application security based on AHP
XU Junfeng1, WANG Jiajie1, ZHU Kelei1, ZHANG Puhan1, MA Yufei2
1. China Information Technology Security Evaluation Center, Beijing 100085, China;
2. School of Software, University of Science and Technology of China, Hefei 230026, China
全文: PDF(1355 KB)  
输出: BibTeX | EndNote (RIS)      
摘要 在Android移动应用市场上,由于Android系统的高度开放性和广泛普及性,Android应用面临着被恶意注入、二次打包等严重安全风险。传统Android软件安全度量技术的度量精度可确定软件的安全等级,但无法满足软件信用精确度量和安全指数排序的现实需求。针对上述问题,该文通过对Android软件逆向分析,根据不同权限安全等级划分,给定安全范围内的安全系数,引入层次分析法(analytic hierarchy process,AHP)评估模型,对Android软件进行初步安全评分。同时结合Android软件的认证强度和第三方应用市场上的违规记录,再次使用AHP综合度量软件的最终安全信用指数。实验结果表明:该度量方法有效可行,可在精度允许的范围内,精确度量Android软件的安全信用指数。
服务
把本文推荐给朋友
加入引用管理器
E-mail Alert
RSS
作者相关文章
徐君锋
王嘉捷
朱克雷
张普含
马宇飞
关键词 Android逆向工程Android安全度量层次分析法    
Abstract:The openness and popularity of Android systems has resulted in, Android applications facing serious security risks such as malicious injection and re-packaging. The traditional measurement methods of Android software security can generally determine its security level for its security index measurement accuracy, but they cannot provide accurate software credit measurements and security index sorting. This paper assigns a safety coefficient to indicate the scope of security after a reverse analysis of the Android software for the security classification. Then, the analytic hierarchy process (AHP) evaluation model is used for a preliminary safety score of the Android software. Meanwhile, the Android software certification strength and the violation records in the external application market are used to calculate the final AHP security index twice. Tests show that this measurement method can accurately measure the security index of Android software products.
Key wordsAndroid reverse engineering    Android security measurement    analytic hierarchy process
收稿日期: 2017-08-11      出版日期: 2018-02-15
ZTFLH:  TP319.4  
引用本文:   
徐君锋, 王嘉捷, 朱克雷, 张普含, 马宇飞. 基于AHP的安卓应用安全信用指数度量方法[J]. 清华大学学报(自然科学版), 2018, 58(2): 131-136.
XU Junfeng, WANG Jiajie, ZHU Kelei, ZHANG Puhan, MA Yufei. Credit index measurement method for Android application security based on AHP. Journal of Tsinghua University(Science and Technology), 2018, 58(2): 131-136.
链接本文:  
http://jst.tsinghuajournals.com/CN/10.16511/j.cnki.qhdxxb.2018.26.007  或          http://jst.tsinghuajournals.com/CN/Y2018/V58/I2/131
  图1 A n d r o i d软件安全分析与信用评估分类
  图2 安全信用指标度量技术框架
  图3 AHP建模示意图
  表1 权限访问可信一致性比例(0.0 7 86), 对“信用指数”的权重(0.7 2 58),λm a x=6.4 9 50
  表2 信用指数一致性比例(0.0 2 79), 对“信用指数”的权重(1.0 0 00),λm a x=3.0 2 91
  图5 信用指标计算流程
  表3 各类要素中间计算结果
  图6 计算得到排序权重和安全信用指数
[1] 徐君锋, 吴世忠, 张利. Android软件安全攻防对抗技术及发展[J]. 北京理工大学学报, 2017, 37(2):163-167. XU J F, WU S Z, ZHANG L. Survey on attack and defense technologies of Android software security[J]. Transactions of Beijing Institute of Technology, 2017, 37(2):163-167. (in Chinese)
[2] 卿斯汉. Android安全研究进展[J]. 软件学报, 2016, 27(1):45-71. QING S H. Research progress on Android security[J]. Journal of Software, 2016, 27(1):45-71. (in Chinese)
[3] BAGHERI H, SADEGHI A, GARCIA J, et al. COVERT:Compositional analysis of Android inter-App permission leakage[J]. IEEE Transactions on Software Engineering, 2015, 41(9):866-886.
[4] WANG W, WANG X, FENG D W, et al. Exploring permission-induced risk in Android applications for malicious application detection[J]. IEEE Transactions on Information Forensics and Security, 2014, 9(11):1869-1882.
[5] CEN L, GATES C S, SI L, et al. A probabilistic discriminative model for Android malware detection with decompiled source code[J]. IEEE Transactions on Dependable and Secure Computing, 2015, 12(4):400-412.
[6] YANG Z M, YANG M. LeakMiner:Detect information leakage on Android with static taint analysis[C]//Proceedings of the Third World Congress on Software Engineering. Wuhan, China:IEEE, 2012:101-104.
[7] JING Y M, AHN G J, ZHAO Z M, et al. Towards automated risk assessment and mitigation of mobile applications[J]. IEEE Transactions on Dependable and Secure Computing, 2015, 12(5):571-584.
[8] YERIMA S Y, SEZER S, MUTTIK I. High accuracy Android malware detection using ensemble learning[J]. IET Information Security, 2015, 9(6):313-320.
[9] ZHENG M, SUN M S, LUI J C S. DroidTrace:A ptrace based Android dynamic analysis system with forward ution capability[C]//Proceedings of 2014 International Wireless Communications and Mobile Computing Conference. Nicosia, Cyprus:IEEE, 2014:128-133.
[10] BARTEL A, KLEIN J, MONPERRUS M, et al. Static analysis for extracting permission checks of a large scale framework:The challenges and solutions for Analyzing android[J]. IEEE Transactions on Software Engineering, 2014, 40(6):617-632.
[11] GUTJAHR W J. Software dependability evaluation based on Markov usage models[J]. Performance Evaluation, 2000, 40(4):199-222.
[12] SHI E, PERRIG A, VAN DOORN L. BIND:A fine-grained attestation service for secure distributed systems[C]//Proceedings of 2005 IEEE Symposium on Security and Privacy. Oakland, USA:IEEE, 2005:154-168.
[13] 乐洪舟, 张玉清, 王文杰, 等. Android动态加载与反射机制的静态污点分析研究[J]. 计算机研究与发展, 2017, 54(2):313-327. LE H Z, ZHANG Y Q, WANG W J, et al. Android static taint analysis of dynamic loading and reflection mechanism[J]. Journal of Computer Research and Development, 2017, 54(2):313-327. (in Chinese)
[14] FERNANDES E, CRISPO B, CONTI M. FM 99.9, radio virus:Exploiting FM radio broadcasts for malware deployment[J]. IEEE Transactions on Information Forensics and Security, 2013, 8(6):1027-1037.
[15] 宁卓, 胡婷, 孙知信. 基于动态分析的Android应用程序安全研究[J]. 计算机科学, 2016, 43(S2):324-328. NING Z, HU T, SUN Z X. Security survey on Android application based on dynamic analysis[J]. Computer Science, 2016, 43(S2):324-328. (in Chinese)
[16] JARABEK C, BARRERA D, AYCOCK J. ThinAV:Truly lightweight mobile cloud-based anti-malware[C]//Proceedings of the 28th Annual Computer Security Applications Conference. Orlando, USA:ACM 2012:209-218.
[17] 李舟军, 吴春明, 王啸. 基于沙盒的Android应用风险行为分析与评估[J]. 清华大学学报(自然科学版), 2016, 56(5):453-460. LI Z J, WU C M, WANG X. Assessment of Android application's risk behavior based on a sandbox system[J]. Journal of Tsinghua University (Science and Technology), 2016, 56(5):453-460. (in Chinese)
[1] 陈道想, 林鹏, 丁鹏, 李果, 陈涛, 余卓憬. 基于群层次分析法的振冲碎石桩填料方法比选[J]. 清华大学学报(自然科学版), 2022, 62(12): 1915-1921.
[2] 蒋光昱, 王忠静, 索滢. 西北典型节水灌溉技术综合性能的层次分析与模糊综合评价[J]. 清华大学学报(自然科学版), 2019, 59(12): 981-989.
[3] 陈涛, 陈智超. 基于证据推理法的城镇综合承灾能力网格化评价方法[J]. 清华大学学报(自然科学版), 2018, 58(6): 570-575.
[4] 杨萍, 彭羽, 刘雪华, 孟鸿雁, 王斌. 基于生态评估的新疆玛纳斯县域发展适宜性分析[J]. 清华大学学报(自然科学版), 2016, 56(8): 865-870.
[5] 卢兆麟, 李升波, Schroeder Felix, 周吉晨, 成波. 结合自然语言处理与改进层次分析法的乘用车驾驶舒适性评价[J]. 清华大学学报(自然科学版), 2016, 56(2): 137-143.
[6] 吕艳丽, 李元龙, 向爽, 夏春和. 基于服务相关性的应用层安全事件危害评估方法[J]. 清华大学学报(自然科学版), 2016, 56(1): 35-41.
[7] 袁尚南, 强茂山, 温祺, 江汉臣. 基于模糊层次分析法的建设项目组织效能评价模型[J]. 清华大学学报(自然科学版), 2015, 55(6): 616-623.
Viewed
Full text


Abstract

Cited

  Shared   
  Discussed   
版权所有 © 《清华大学学报(自然科学版)》编辑部
本系统由北京玛格泰克科技发展有限公司设计开发 技术支持:support@magtech.com.cn