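1. State Key Laboratory of Networking and Switching Technology, Beijing University of Posts and Telecommunications, Beijing 100876
2. National Computer Network Emergency Response Technical Team/Coordination Center of China, Beijing 100029

Jiawei QIN (1993− ), male, of Manchu ethnicity, born in Benxi, Liaoning, is a Ph.D. candidate at Beijing University of Posts and Telecommunications and an engineer at the National Computer Network Emergency Response Technical Team/Coordination Center of China. His main research interests include mobile security analysis and Internet of Things security analysis.

Hua ZHANG (1978− ), female, born in Siping, Jilin, Ph.D., is an associate professor at Beijing University of Posts and Telecommunications. Her main research interests include network security and privacy protection.

Hanbing YAN (1975− ), male, born in Jinxian, Jiangxi, Ph.D., is a professor-level senior engineer at the National Computer Network Emergency Response Technical Team/Coordination Center of China. His main research interests include network security and computer graphics.

Nengqiang HE (1985− ), male, born in Yiwu, Zhejiang, Ph.D., is a senior engineer at the National Computer Network Emergency Response Technical Team/Coordination Center of China. His main research interests include mobile malware analysis and application security testing.

Tengfei TU (1990− ), male, born in Linyi, Shandong, Ph.D., is a postdoctoral researcher at Beijing University of Posts and Telecommunications. His main research interests include network security and mobile security.

Published online: 2021-11
Print publication date: 2021-11-25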
Jiawei QIN, Hua ZHANG, Hanbing YAN, et al. Research on context-aware Android application vulnerability detection[J]. Journal on communications, 2021, 42(11): 13-27. DOI: 10.11959/j.issn.1000-436x.2021198.
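Learning-based vulnerability detection models for Android applications extract features from source programs that lack semantic information, and the extracted features contain noise unrelated to the vulnerability, which lowers the accuracy of the detection model. To address this problem, a program feature extraction method based on code slices (CIS) is proposed. Compared with the abstract syntax tree (AST) feature method, it extracts the variable information directly related to the existence of a vulnerability more precisely, avoids introducing excessive noise, and also reflects the semantic information of the vulnerability. Using CIS, a context-aware Android application vulnerability detection model, VulDGArcher, is proposed based on Bi-LSTM and an attention mechanism. Because Android vulnerability data sets are hard to obtain, a data set of 41 812 code fragments covering implicit Intent communication vulnerabilities and PendingIntent permission-bypass vulnerabilities was built, of which 16 218 are vulnerable code fragments. On this data set, VulDGArcher reaches a detection accuracy of 96%, higher than deep learning vulnerability detection models based on AST features or on unprocessed app source code features.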
The vulnerability detection model of Android application based on learning lacks semantic features. The extracted features contain noise data unrelated to vulnerabilities, which leads to the false positive of vulnerability detection model. A feature extraction method based on code information slice (CIS) was proposed. Compared with the abstract syntax tree (AST) feature method, the proposed method could extract the variable information directly related to vulnerabilities more accurately and avoid containing too much noise data. It contained semantic information of vulnerabilities. Based on CIS and Bi-LSTM with attention mechanism, a context-aware Android application vulnerability detection model VulDGArcher was proposed. For the problem that the Android vulnerability data set was not easy to obtain, a data set containing 41 812 code fragments including the implicit Intent security vulnerability and the bypass PendingIntent permission audit vulnerability was built. There were 16 218 code fragments of vulnerability. On this data set, VulDGArcher’s detection accuracy can reach 96%, which is higher than the deep learning vulnerability detection model based on AST features and APP source code features.