Journal of Computer Applications (计算机应用) ›› 2018, Vol. 38 ›› Issue (1): 56-60. DOI: 10.11772/j.issn.1001-9081.2017071835

• Papers from the 2017 National Annual Conference on Open Distributed and Parallel Computing (DPCS 2017) •

Malware detection approach based on non-user operating sequence

LUO Wenshuang, CAO Tianjie

  1. School of Computer Science and Technology, China University of Mining and Technology, Xuzhou, Jiangsu 221116, China
  • Received: 2017-07-25 Revised: 2017-08-01 Online: 2018-01-10 Published: 2018-01-22
  • Corresponding author: LUO Wenshuang
  • About the authors: LUO Wenshuang (1993-), female, from Yangzhou, Jiangsu, master's student; main research interests: network security, mobile terminal security. CAO Tianjie (1967-), male, from Xuzhou, Jiangsu, professor, Ph.D.; main research interests: cryptography, information security.
  • Supported by:
    This work is partially supported by the National Natural Science Foundation of China (61303263).

Abstract: Considering the rapid growth of Android malware and the limited capability of existing malware detection, a static detection method based on non-user operation sequences was proposed. Firstly, the Application Programming Interface (API) call information of the malware was extracted by reverse engineering analysis. Secondly, the malware's function-call graph was built using a breadth-first traversal algorithm; then, the non-user operation sequences were extracted from the function-call graph to form a malicious behavior database. Finally, the similarity between the sample under detection and the non-user operation sequences in the malicious behavior database was calculated with the edit distance algorithm to identify malware. In the detection of 360 malicious samples and 300 normal samples, the proposed method reached a recall rate of 90.8% and an accuracy rate of 90.3%. Compared with the Android malware detection system Androguard, the recall rate of the proposed method increased by 30 percentage points in the detection of malicious samples; compared with the FlowDroid method, the precision rate increased by 11 percentage points in the detection of normal samples and the recall rate increased by 4.4 percentage points in the detection of malicious samples. The experimental results show that the proposed method improves the recall rate of malware detection and thus its overall effectiveness.

Key words: Android, malware, static detection, function-call graph, Application Programming Interface (API) call
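The pipeline the abstract describes (breadth-first construction of the function-call graph, extraction of the non-user operation sequences, and edit-distance matching against a malicious behavior library), as an added Python illustration that is not the authors' code: the call graph, the behavior library, the rule that UI callbacks such as onClick are the user-operation entry points, and the 0.7 threshold are all constructed assumptions, and the static extraction of API calls from an APK is left out.

```python
from collections import deque
CALL_GRAPH = {  # constructed call graph (method -> callees); leaves are framework APIs
    "onReceive": ["collectInfo"],  # BroadcastReceiver entry: runs without user action
    "collectInfo": ["TelephonyManager.getDeviceId", "sendData"],
    "sendData": ["HttpURLConnection.connect", "SmsManager.sendTextMessage"],
    "onClick": ["showDialog"],  # UI callback: user-triggered
    "showDialog": ["Toast.makeText"],
}
USER_ENTRIES = {"onClick"}  # assumption: UI callbacks are the user-operation entry points
MALICIOUS_LIBRARY = [  # constructed behavior library: API sequences mined from known samples
    ["TelephonyManager.getDeviceId", "TelephonyManager.getSubscriberId",
     "HttpURLConnection.connect", "SmsManager.sendTextMessage"],
    ["Camera.open", "MediaRecorder.start"],
]

def bfs_api_sequence(graph, entry):
    """BFS from an entry point: app methods are traversed, framework API calls recorded in order."""
    seen, queue, sequence = {entry}, deque([entry]), []
    while queue:
        for callee in graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                (queue if callee in graph else sequence).append(callee)
    return sequence

def non_user_sequences(graph, user_entries):
    """Sequences rooted at entry points (never called by app code) that need no user action."""
    callees = {c for cs in graph.values() for c in cs}
    return {e: bfs_api_sequence(graph, e)
            for e in graph if e not in callees and e not in user_entries}

def edit_distance(a, b):
    """Levenshtein distance over API tokens rather than characters."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]

def similarity(a, b):  # normalised by the longer sequence: 1.0 identical, 0.0 disjoint
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1 - edit_distance(a, b) / longest

def detect(graph, user_entries=USER_ENTRIES, library=MALICIOUS_LIBRARY, threshold=0.7):
    """Flag the app when any non-user sequence is close to a library entry (threshold assumed)."""
    seqs = non_user_sequences(graph, user_entries).values()
    best = max((similarity(s, k) for s in seqs for k in library), default=0.0)
    return best >= threshold, best
```

Only sequences reachable without a user operation are compared, so the onClick path to Toast.makeText never contributes to the score.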
