Journal of Computer Applications ›› 2017, Vol. 37 ›› Issue (6): 1650-1656. DOI: 10.11772/j.issn.1001-9081.2017.06.1650

• Cyberspace Security •

Android malware application detection using deep learning

SU Zhida, ZHU Yuefei, LIU Long

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou Henan 450001, China
  • Received: 2016-11-17 Revised: 2017-02-20 Online: 2017-06-10 Published: 2017-06-14
  • Corresponding author: SU Zhida
  • About the authors: SU Zhida (born 1992), male, from Chifeng, Inner Mongolia, master's student; main research interests: Android reverse engineering, Android security detection. ZHU Yuefei (born 1962), male, from Hangzhou, Zhejiang, professor, Ph.D.; main research interests: computational number theory, cryptography, information security. LIU Long (born 1983), male, from Zhengzhou, Henan, lecturer, M.S.; main research interests: vulnerability discovery, mobile security.
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61271252).

Abstract: Traditional Android malware detection techniques have low detection accuracy and fail to identify Android malware that uses repackaging and code obfuscation. To address these problems, the DeepDroid algorithm was designed and implemented. First, the static and dynamic features of an Android application are extracted and combined to generate the application's feature vector. Second, a Deep Belief Network (DBN), a deep learning algorithm, is trained on the collected training set to generate a deep learning network. Finally, the generated network is used to detect the Android applications under test. Experimental results show that, on the same test set, the accuracy of the DeepDroid algorithm is 3.96 percentage points higher than that of the Support Vector Machine (SVM) algorithm, 12.16 percentage points higher than that of the Naive Bayes algorithm, and 13.62 percentage points higher than that of the K-Nearest Neighbor (KNN) algorithm. DeepDroid combines the static and dynamic features of Android applications and uses a detection method that combines dynamic and static detection, which compensates for the insufficient code coverage of static detection and the high false positive rate of dynamic detection. Using the DBN algorithm for feature recognition keeps network training fast while also achieving high detection accuracy.

Key words: Android, malware detection, malicious code analysis, deep learning
