基于行为的Android恶意软件判定方法及其有效性

doi:10.11772/j.issn.1001-9081.2016.04.0973

计算机应用 ›› 2016, Vol. 36 ›› Issue (4): 973-978.DOI: 10.11772/j.issn.1001-9081.2016.04.0973

基于行为的Android恶意软件判定方法及其有效性

孙润康¹, 彭国军^1,2, 李晶雯¹, 沈诗琦¹

1. 武汉大学计算机学院, 武汉 430072;
2. 空天信息安全与可信计算教育部重点实验室(武汉大学), 武汉 430072

收稿日期:2015-09-14 修回日期:2015-10-26 出版日期:2016-04-10 发布日期:2016-04-08
通讯作者: 孙润康
作者简介:孙润康(1991-),男,河北衡水人,硕士研究生,主要研究方向:网络安全、移动终端安全; 彭国军(1979-),男,湖北荆州人,副教授,博士,主要研究方向:网络安全、恶意代码、可信软件、电子证据; 李晶雯(1991-),女,湖北十堰人,硕士研究生,主要研究方向:网络安全、恶意代码、移动终端安全; 沈诗琦 (1993-),女,浙江杭州人,主要研究方向:信息安全。
基金资助:
国家自然科学基金资助项目(61202387, 61373168, 61202385);中国博士后科学基金资助项目(2012M510641);高等学校博士学科点专项科研基金资助项目(20120141110002);武汉市青年科技晨光计划项目(201271031367)。

Behavior oriented method of Android malware detection and its effectiveness

SUN Runkang¹, PENG Guojun^1,2, LI Jingwen¹, SHEN Shiqi¹

1. College of Computer, Wuhan University, Wuhan Hubei 430072, China;
2. Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education(Wuhan University), Wuhan Hubei 430072, China

Received:2015-09-14 Revised:2015-10-26 Online:2016-04-10 Published:2016-04-08
Supported by:
This work is partially supported by the National Natural Science Foundation of China(61202387,61373168, 61202385), the Postdoctoral Science Foundation of China(2012M510641), the Specialized Research Fund for the Doctoral Program of Higher Education(20120141110002), the Wuhan City Hope Youth Science and Technology Project (201271031367).

摘要/Abstract

摘要： 针对当前Android平台资源受限及恶意软件检测能力不足这一问题,以现有Android安装方式、触发方式和恶意负载方面的行为特征为识别基础,构建了基于ROM定制的Android软件行为动态监控框架,采用信息增益、卡方检验和Fisher Score的特征选择方法,评估了支持向量机(SVM)、决策树、k-邻近(KNN)和朴素贝叶斯(NB)分类器四类算法在Android恶意软件分类检测方面的有效性。通过对20916个恶意样本及17086个正常样本的行为日志的整体分类效果进行评估,结果显示,SVM算法在恶意软件判定上准确率可以达到93%以上,误报率低于2%,整体效果最优。可应用于在线云端分析环境和检测平台,满足海量样本处理需求。

关键词: Android, 恶意软件特征, 动态行为分析, 恶意性判定, 机器学习

Abstract: Concerning the constrained resources and low detection rate of Android, a software behavior dynamic monitoring framework based on ROM was constructed by considering behavior characteristics of Android in installation mode, trigger mode and malicious load, and the effectivenesses of Support Vector Machine (SVM), decision tree, k-Nearest Neighbor (KNN) and Naive Bayesian (NB) classifier were evaluated using information gain, chi square test and Fisher Score. The results of evaluation on overall classification of the behavior log of 20916 malicious samples and 17086 normal samples show that SVM has the best performance in the detection of malicious software, its accuracy rate can reach 93%, and the False Positive Rate (FPR) is less than 2%. It can be applied to the online cloud analysis environment and detection platform, as well as meeting the needs of mass sample processing.

Key words: Android, malware characteristic, dynamic behavior analysis, malware detection, machine learning

中图分类号:

TP309

孙润康, 彭国军, 李晶雯, 沈诗琦. 基于行为的Android恶意软件判定方法及其有效性[J]. 计算机应用, 2016, 36(4): 973-978.

SUN Runkang, PENG Guojun, LI Jingwen, SHEN Shiqi. Behavior oriented method of Android malware detection and its effectiveness[J]. Journal of Computer Applications, 2016, 36(4): 973-978.

参考文献

[1] ZHOU Y, WANG Z, ZHOU W, et al. Hey, you, get off of my market:detecting malicious apps in official and alternative Android markets[EB/OL].[2015-02-10]. http://www.internetsociety.org/sites/default/files/P07_5.pdf.
[2] GRACE M, ZHOU Y, ZHANG Q, et al. RiskRanker:scalable and accurate zero-day Android malware detection[C]//Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services. New York:ACM, 2012:281-294.
[3] ENCK W, ONGTANG M, McDANIEL P. On lightweight mobile phone application certification[C]//Proceedings of the 16th ACM Conference on Computer and Communications Security. New York:ACM, 2009:235-245.
[4] PANDITA R, XIAO X, YANG W, et al. WHYPER:towards automating risk assessment of mobile applications[C]//SEC 2013:Proceedings of the 22nd USENIX Conference on Security. Berkeley:USENIX, 2013:527-542.
[5] WEI F, ROY S, OU X. Amandroid:a precise and general inter-component data flow analysis framework for security vetting of Android APPs[C]//Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM, 2014:1329-1341.
[6] ZHANG M, DUAN Y, YIN H, et al. Semantics-aware Android malware classification using weighted contextual API dependency graphs[C]//Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. New York:ACM, 2014:1105-1116.
[7] SHABTAI A, KANONOV U, ELOVICI Y, et al. "Andromaly":a behavioral malware detection framework for Android devices[J]. Journal of Intelligent Information Systems, 2012, 38(1):161-190.
[8] 彭国军, 李晶雯, 孙润康, 等. Android恶意软件检测研究与进展[J]. 武汉大学学报(理学版), 2015(1):21-33.(PENG G J, LI J W, SUN R K, et al. Android malware detection research and development[J]. Journal of Wuhan University (Natural Science Edition), 2015(1):21-33.)
[9] LING G C, ASAHARA M, MATSUMOTO Y. Chinese unknown word identification using character-based tagging and chunking[C]//ACL 2003:Proceedings of the 41st Annual Meeting on Association for Computational Linguistics. Stroudsburg, PA:Association for Computational Linguistics, 2003, 2:197-200.
[10] XU Y, CHEN L. Term-frequency based feature selection methods for text categorization[C]//Proceedings of the 2010 4th International Conference on Genetic and Evolutionary Computing. Piscataway, NJ:IEEE, 2010:280-283.
[11] JIANG S, PANG G, WU M, et al. An improved K-nearest-neighbor algorithm for text categorization[J]. Expert Systems with Applications, 2012, 39(1):1503-1509.
[12] BASRI R, JACOBS D W. Lambertian reflectance and linear subspaces[J]. IEEE Transactions on Pattern Analysis & Machine Intelligence, 2000, 25(2):383-390.
[13] CAO L, LI J, SUN Y, et al. EEG-based vigilance analysis by using Fisher score and PCA algorithm[C]//Proceedings of the 2010 IEEE International Conference on Progress in Informatics and Computing. Piscataway, NJ:IEEE, 2010:175-179.
[14] 丁世飞, 齐丙娟, 谭红艳. 支持向量机理论与算法研究综述[J]. 电子科技大学学报, 2011, 40(1):2-10.(DING S F, QI B J, TAN H Y. An overview on theory and algorithm of support vector machines[J]. Journal of the University of Electronic Science and Technology of China, 2011, 40(1):2-10.)
[15] DING S, LI X, ZHU H, et al. Research and progress of cluster algorithms based on granular computing[J]. International Journal of Digital Content Technology & its Applications, 2010, 4(5):96-102.
[16] JOLNTTI V. Do we need more anesthesia EEG indexes?[J]. Journal of Clinical Monitoring & Computing, 2013, 27(2):105-106.
[17] WANG L, CHEN H, ZHAO L, et al. Efficiently mining co-location rules on interval data[C]//ADMA 2010:Proceedings of the 6th International Conference on Advanced Data Mining and Applications, LNCS 6440. Berlin:Springer, 2010:477-488.
[18] SU J, ZHANG H. Full Bayesian network classifiers[EB/OL].[2015-02-10]. http://www.cs.unb.ca/profs/hzhang/publications/icml06.pdf.

基于行为的Android恶意软件判定方法及其有效性

Behavior oriented method of Android malware detection and its effectiveness

PDF

可视化

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

编辑推荐

Metrics

[1]	郭棉, 张锦友. 移动边缘计算环境中面向机器学习的计算迁移策略[J]. 计算机应用, 2021, 41(9): 2639-2645.
[2]	毛铭泽, 曹芮浩, 闫春钢. 基于权值多样性的半监督分类算法[J]. 计算机应用, 2021, 41(9): 2473-2480.
[3]	秦斌斌, 彭良康, 卢向明, 钱江波. 司机分心驾驶检测研究进展[J]. 计算机应用, 2021, 41(8): 2330-2337.
[4]	姜倩玉, 王凤英, 贾立鹏. 基于感知哈希算法和特征融合的恶意代码检测方法[J]. 计算机应用, 2021, 41(3): 780-785.
[5]	秦静, 左长青, 汪祖民, 季长清, 王宝凤. 基于堆叠分类器的心电异常监测模型设计[J]. 计算机应用, 2021, 41(3): 887-890.
[6]	孟祥瑞, 杨文忠, 王婷. 基于图文融合的情感分析研究综述[J]. 计算机应用, 2021, 41(2): 307-317.
[7]	刘晓龙, 王士同. 渐进式分离的开放集模糊域自适应算法[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3127-3131.
[8]	楼豪杰, 郑元林, 廖开阳, 雷浩, 李佳. 基于Siamese-YOLOv4的印刷品缺陷目标检测[J]. 《计算机应用》唯一官方网站, 2021, 41(11): 3206-3212.
[9]	王雅辉, 钱宇华, 刘郭庆. 基于模糊优势互补互信息的有序决策树算法[J]. 计算机应用, 2021, 41(10): 2785-2792.
[10]	蒋阳升, 王胜男, 涂家祺, 李莎, 王红军. 面向高铁站的热舒适度和能耗综合预测[J]. 计算机应用, 2021, 41(1): 249-257.
[11]	朱琳, 于海涛, 雷新宇, 刘静, 王若凡. 基于MRI图像的阿尔茨海默症患者脑网络特征识别算法[J]. 计算机应用, 2020, 40(8): 2455-2459.
[12]	梁登高, 周安民, 郑荣锋, 刘亮, 丁建伟. 基于大小突发块划分的微信支付行为识别模型[J]. 计算机应用, 2020, 40(7): 1970-1976.
[13]	徐周波, 杨健, 刘华东, 黄文文. 基于XGBoost与拓扑结构信息的蛋白质复合物识别算法[J]. 计算机应用, 2020, 40(5): 1510-1514.
[14]	张俊升, 徐晶晶, 余伟. 面部美化图像质量无参考评价方法[J]. 计算机应用, 2020, 40(4): 1184-1190.
[15]	任海培, 李腾. 面向移动平台人脸检测的FaceYoLo算法[J]. 计算机应用, 2020, 40(4): 1002-1008.