With the development of smart phone, malicious behaviours in applications are also growing explosively on mobile platforms. However, existing permission schemes lack the adapted granularity and sufficient information to differentiate different behaviours from same application when facing the situation of malicious behaviours mixed in the normal ones.It is able to effectively sever the normal and malicious behaviours in application by taking the“applications behaviour” as the granularity to authorise the application assisted by using the context of the behaviour as discriminant basis.In this paper, we design and implement a prototype system of EventChain based on the above concept.It has the capability of tracking, as well as setting up the behaviours of application and its corresponding context.It is shown by experiments that the EventChain system can detect the malicious behaviours in 89 malware from five malware families including BgServ, FakePlayer, etc., and has the performance overhead less than 10%.%随着智能手机的发展,软件的恶意行为在移动平台也呈现爆发性增长。面对正常行为和恶意行为混杂的情况,现有的权限机制缺乏相适应的粒度以及足够的信息区分相同程序中的不同行为。以“程序行为”为粒度对应用程序进行授权,并辅助以行为的上下文作为判定依据可以有效地分离程序正常行为与恶意行为。基于上述概念设计并实现EventChain原型系统,具有追踪、建立程序行为及其上下文的能力。实验表明,该系统能够检测到BgServ、FakePlayer等5个病毒家族的89个恶意软件中的恶意行为,并且具有低于10%的性能开销。
展开▼
