
Graduate student: 王湘凱
Hsiang-kai Wang
Thesis title: 基於有序行為循序樣式探勘之Android惡意軟體之異常下載行為偵測
Detection for Android Application Abnormal Download Behavior via Ordered Sequential Pattern Mining
Advisor: 李漢銘
Hahn-Ming Lee
Committee members: 鄧惟中
Wei-Chung Teng
鄭博仁
Albert B. Jeng
Degree: Master
Department: College of Electrical Engineering and Computer Science - Department of Computer Science and Information Engineering
Year of publication: 2014
Academic year of graduation: 102
Language: English
Number of pages: 55
Keywords (Chinese): 異常下載 (abnormal download), 資料流 (information flow), 行為序列 (behavior sequence), 循序樣式探勘 (sequential pattern mining)
Keywords (English): abnormal download, information-flow, behavior sequence, sequential pattern mining
Access counts: views 227, downloads 3
This thesis analyzes the complex temporal behavior behind the abnormal download behavior of Android malware. We propose extracting dynamic features from Android applications and finding the key sequential features that make up abnormal download behavior, so that such behavior can be detected. The detection system follows these steps: (1) TaintDroid, a sandbox on Android, is used to obtain application logs that include information-flow records; (2) the Application Behavioral Tokenizer module extracts the information-flow records obtained from TaintDroid, together with other specific behaviors, as tokens; (3) the TaintLog Information Profiler module extracts, from the information-flow records, the method that accesses specific data and the specific data accessed, and adds them as features for later analysis; (4) the Behavior Sequence Constructor module assembles the behavior tokens and information-flow features extracted by the previous modules into a time-ordered behavior sequence; (5) the Frequency Ordered Sequential Pattern Finder applies the Ordered-Apriori algorithm, a modification of Apriori, to the input application behavior sequences to find strictly ordered patterns that occur frequently; (6) the Abnormal Download Behavior Identifier builds a black list for detecting abnormal download behavior from the strictly ordered patterns found by the previous module, and uses that black list to judge whether an Android application under test may exhibit abnormal download behavior. Experiments show that the proposed method can effectively identify Android malware whose abnormal download behavior is complex.


This thesis analyzes the complicated temporal behavior of abnormal downloads by Android malware. We present a framework that uses dynamic application feature extraction to find the key patterns of abnormal download actions while the malware is installed and executed. The framework follows these operations: (1) the TaintDroid sandbox on Android logs information flow through Android logcat; (2) the Application Behavioral Tokenizer extracts specific behaviors and TaintLog entries from the app reports produced by TaintDroid; (3) the TaintLog Information Profiler captures the method and the information used in each TaintLog entry; (4) the Behavior Sequence Constructor constructs behavior sequences from the app reports in time order; (5) the Frequency Ordered Sequential Pattern Finder finds strictly ordered frequent patterns in the behavior sequences with Ordered-Apriori, a modification of Apriori; (6) the Abnormal Download Behavior Identifier constructs a black list from those patterns and decides whether an app performs an abnormal download action. The experimental results show that the proposed framework detects abnormal download behavior in Android applications effectively via ordered sequential pattern mining.
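The pipeline of steps (4) to (6) above, as an added illustration that is not code from the thesis: a level-wise Apriori-style miner finds strictly ordered frequent patterns in constructed behavior-token sequences, a black list is built from patterns frequent among malware traces but absent from benign ones, and an unknown trace is flagged if it contains a black-listed pattern. The token vocabulary, the traces, the thresholds and the mining details are assumptions, since the page does not specify the Ordered-Apriori algorithm itself.

```python
# Added example (not the thesis's code): Apriori-style ordered-pattern miner plus the
# black-list identifier described in the abstract. Tokens, traces and thresholds are constructed.
def contains_ordered(seq, pattern):
    """Strictly ordered match: pattern tokens occur in seq in that order, gaps allowed."""
    it = iter(seq)
    return all(tok in it for tok in pattern)

def support(sequences, pattern):
    """Fraction of sequences that contain the ordered pattern."""
    return sum(contains_ordered(s, pattern) for s in sequences) / len(sequences)

def ordered_apriori(sequences, min_support, max_len=4):
    """Level-wise search over ordered subsequences (assumed simplification of the thesis's Ordered-Apriori)."""
    singles = [(t,) for t in sorted({t for s in sequences for t in s})
               if support(sequences, (t,)) >= min_support]
    level, patterns = singles, list(singles)
    while level and len(level[0]) < max_len:
        prev = set(level)
        candidates = {p + s for p in level for s in singles}   # grow on the right, order preserved
        # Anti-monotone pruning: the k-suffix of a frequent (k+1)-pattern must itself be frequent.
        level = sorted(c for c in candidates
                       if c[1:] in prev and support(sequences, c) >= min_support)
        patterns.extend(level)
    return patterns

def build_blacklist(malware, benign, min_support, max_benign_support=0.0):
    """Black list: patterns frequent in malware traces that benign traces (almost) never show."""
    return [p for p in ordered_apriori(malware, min_support)
            if support(benign, p) <= max_benign_support]

def is_abnormal(seq, blacklist):
    """An app is flagged if its trace contains any black-listed ordered pattern."""
    return any(contains_ordered(seq, p) for p in blacklist)

# Constructed traces. NET_SEND(IMEI) stands for a TaintDroid record of tainted IMEI data
# leaving over the network; the other tokens stand for logged behaviors of the app.
MALWARE = [
    ("APP_START", "READ_IMEI", "NET_SEND(IMEI)", "HTTP_GET", "WRITE_FILE(.apk)", "LOAD_DEX"),
    ("APP_START", "HTTP_GET", "READ_IMEI", "NET_SEND(IMEI)", "HTTP_GET", "WRITE_FILE(.apk)", "LOAD_DEX"),
    ("APP_START", "READ_LOCATION", "NET_SEND(LOCATION)", "HTTP_GET", "WRITE_FILE(.apk)", "INSTALL_PROMPT"),
]
BENIGN = [
    ("APP_START", "HTTP_GET", "WRITE_FILE(.png)", "UI_EVENT"),
    ("APP_START", "READ_IMEI", "NET_SEND(IMEI)", "UI_EVENT"),                       # analytics-style leak
    ("APP_START", "HTTP_GET", "HTTP_GET", "WRITE_FILE(.apk)", "INSTALL_PROMPT"),   # legitimate self-updater
]
BLACKLIST = build_blacklist(MALWARE, BENIGN, min_support=0.6)
SUSPECT = ("APP_START", "READ_IMEI", "NET_SEND(IMEI)", "HTTP_GET", "WRITE_FILE(.apk)", "INSTALL_PROMPT")
CLEAN = ("APP_START", "HTTP_GET", "WRITE_FILE(.apk)", "INSTALL_PROMPT")
```

Note that ('READ_IMEI', 'HTTP_GET') ends up on the black list although both tokens occur in benign traces: it is the order (identifier read, then a download) that separates the sets, which is the point of mining strictly ordered patterns.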

Table of contents:
Abstract
Acknowledgements
1 Introduction
  1.1 Motivations
  1.2 Challenges
  1.3 Contributions and Goals
  1.4 Outline of this Thesis
2 Background and Related Work
  2.1 Android Security
  2.2 Android Malware Detection
    2.2.1 Static Analysis
    2.2.2 Dynamic Analysis
  2.3 Advertisement and Additional Module in apk
3 Detecting Abnormal Download Behavior via Ordered Sequential Pattern Mining
  3.1 Concept of Abnormal Download Behavior Detection
  3.2 System Architecture of Abnormal Download Behavior Detection System
    3.2.1 Android Logcat and TaintDroid Kernel
    3.2.2 Application Behavioral Tokenizer
    3.2.3 TaintLog Information Profiler
    3.2.4 Behavior Sequence Constructor
    3.2.5 Frequency Ordered Sequential Pattern Finder
    3.2.6 Abnormal Download Behavior Identifier
4 Experiments
  4.1 Description of Dataset
  4.2 Experiment Design
    4.2.1 Dataset Characteristic Analysis
    4.2.2 Ordered-Apriori Algorithm - Min. Support and Pattern Length Analysis
    4.2.3 Detection for Another Malware Class (DroidKungFu3)
5 Conclusion and Further Work
  5.1 Conclusion
  5.2 Limitation and Further Work

