面向网络加密流量的恶意移动应用检测研究

By exploiting the “always-connected” network access and the powerful computing power of mobile smart devices, mobile malware can conveniently conduct attacks through the network, and furthermore use encryption to avoid detection. Thus, new challenges are brought to the security and privacy protection for mobile users. Unfortunately, existing mobile malware detection researches are mainly focusing on plaintext flows, and the achievements cannot be applied to encrypted network traffic. Therefore, in this project, we consider mobile apps’ functions and their running features carefully and propose a novel mobile malware detection method for encrypted network traffic. To be specific, firstly, we propose a traffic correlation technique to correlate encrypted and plaintext flows. The mobile app created the encrypted network traffic will be rapidly identified with the help of these correlated plaintext flows. Secondly, we propose a network traffic anomaly analysis technique based on mobile apps’ categories. We select comparison samples from the network traffic generated by mobile apps in the same category (also including the target app itself). After that, the network traffic similarity is calculated, and the network interaction behavior graphs are compared to analyze apps’ traffic anomalies. We also infer anomalies of encrypted network traffic based on context information. Finally, we propose an apps’ encrypted traffic classification technique that can automatically generate training samples and extract classification features. Combing with the abnormal analysis results as extra classification features, the proposed classification technique can efficiently determine the specific attack type of encrypted traffic, and detect mobile malware.

由于移动智能终端的“永久在线”特性和计算能力增强，恶意移动应用易于通过网络进行恶意攻击，并采用加密通信方式躲避检测，给用户安全和隐私保护带来新的挑战。现有恶意移动应用流量检测研究主要针对明文流量展开，无法应用于加密网络流量的检测分析。本项目根据移动应用功能和运行特点，提出面向网络加密流量的恶意移动应用检测方法。首先，提出移动应用网络流量关联技术，将加密流量和明文流量相关联，实现加密流量所对应移动应用的快速识别。然后，提出一种基于移动应用类别的网络流量异常分析技术，从同类别移动应用（包括目标移动应用）所产生的网络流量中选择比对样本。针对选定的样本，结合网络流量相似度计算和网络交互行为图对比分析异常，并基于上下文实现加密流量的异常推断。最后，提出一种移动应用加密流量攻击分类技术，自动生成攻击流量样本和自动提取分类特征，并将异常分析结果作为分类特征之一，实现加密攻击流量和恶意移动应用的有效检测。

恶意移动应用会通过加密网络连接隐藏关键传输内容。本项目重点研究面向网络加密流量的恶意移动应用检测方法。针对加密网络流量，通过移动应用识别、网络行为异常检测以及攻击流量分类确认等三个步骤，实现对应恶意移动应用的有效检测。在移动应用识别方面，提出基于流关联的移动应用识别方法，利用时间特征将加密网络流量的DNS域名同其它域名相关联，并以关联所得的域名集合作为识别整体，从而有效识别出加密网络流量所对应的具体移动应用。在网络异常检测方面，提出基于同类对比的移动应用网络行为异常分析方法。利用边缘计算节点对移动应用网络流量进行特征提取，减少移动客户端负载；边缘计算节点将提取的特征发送至云平台，由云平台对所有样本进行密度峰值聚类，自动确定异常结果。在攻击流量分类确认方面，提出基于会话密钥安全共享的恶意加密流量分类与确认方法，对于疑似的恶意加密流量先进行解密，然后进行特征匹配，进而准确分类。.本项目的研究意义在于探索针对加密网络流量的恶意移动应用检测技术。本项目将加密网络流量的恶意攻击检测问题抽象为“异常确认”问题。首先通过异常检测发现可疑的加密流量，然后使用自动、安全的确认技术排除误报，并给出具体的攻击特征。本项目研究为加密网络流量的安全分析提供了新的实现思路。项目研究成果可以用于移动互联网、工业互联网的网络管理和网络安全防护中。