基于行为特征和语义特征的多模态Android恶意软件检测方法

doi:10.16180/j.cnki.issn1007-7820.2024.05.010

摘要/Abstract

摘要：

现有的Android恶意软件检测方法只考虑单一种类的特征,并不能全面描述Android软件的特征。为解决此类问题,文中从权限、字节码概率矩阵和函数调用图3种类型特征出发,提出了一种基于行为特征和语义特征的多模态Android恶意软件检测方法。同时,为了解决函数节点特征表示问题,文中针对函数调用图的生成过程提出了一种新的节点特征生成方法。为了丰富操作码语义信息,提出了一种基于2-gram的字节概率矩阵生成方法。通过实验证明了文中方法相较于其他方法可更加全面地描述Android软件的特征,检测准确率达到95.2%,相较于已有方法准确率平均提升了22%,有效提高了Android恶意软件的检测能力。

关键词: Android, 特征融合, 权限, 字节概率矩阵, 函数调用图, 卷积神经网络, 恶意软件检测, 多模态

Abstract:

Existing methods for detecting Android malware only consider a single kind of features, which do not fully describe the features of Android software. In order to solve the above problems, this study presents a multimodal Android malware detection method based on the permissions, byte code probability matrix and function call graph. At the same time, in order to solve the problem of feature representation of function nodes, a new node feature generation method is presented in this study in the generation of function call graph. In order to enrich the semantic information of opcode, a byte probability matrix generation method based on 2-gram is presented. The experiment proves that the method described the characteristics of Android software more comprehensively than other methods, and the detection accuracy rate reached 95.2%. Compared with the existing methods, the accuracy of this method has been improved by 22% on average, effectively improving the detection ability of Android malware.

Key words: Android, feature fusion, permission, byte probability matrix, function call graph, convolution neural network, malware detection, multimodal

中图分类号:

TP183

朱晋恺, 方兰婷, 季小文, 黄杰. 基于行为特征和语义特征的多模态Android恶意软件检测方法[J]. 电子科技, 2024, 37(5): 71-78.

ZHU Jinkai, FANG Lanting, JI Xiaowen, HUANG Jie. Multimodal Android Malware Detection Method Based on Behavioral and Semantic Characteristics[J]. Electronic Science and Technology, 2024, 37(5): 71-78.

图/表 8

图1

图2

图3

图4

表1

表2

表3

表4

参考文献 35

[1]	潘建文, 崔展齐, 林高毅, 等. Android恶意应用静态检测方法研究综述[J]. 计算机研究与发展, 2023, 60(8):1875-1894.
	Pan Jianwen, Cui Zhanqi, Lin Gaoyi, et al. A review of static android malware detection methods[J]. Journal of Computer Research and Development, 2023, 60(8):1875-1894.
[2]	Wang C D. An Android malware dynamic detection method based on service call cooccurrence matrices[J]. Annals of Telecommunications, 2017, 72(9-10):607-615.
[3]	范铭, 刘烃, 刘均, 等. 安卓恶意软件检测方法综述[J]. 中国科学(信息科学), 2020, 50(8):1148-1177.
	Fan Ming, Liu Ting, Liu Jun, et al. Android malware detection:A survey[J]. Science in China(Information of S-ciences), 2020, 50(8):1148-1177.
[4]	王志文, 刘广起, 韩晓晖, 等. 基于机器学习的恶意软件识别研究综述[J]. 小型微型计算机系统, 2022, 43(12):2628-2637.
	Wang Zhiwen, Liu Guangqi, Han Xiaohui, et al. Survey on machine-learning-based malware identification research[J]. Journal of Chinese Computer Systems, 2022, 43(12):2628-2637.
[5]	瞿俊, 顾刘军. 基于朴素贝叶斯的安卓恶意软件检测研究[J]. 信息网络安全, 2020(S1):27-30.
	Qu Jun, Gu Liujun. Android malware detection research based on naive Bayesian[J]. Netinfo Security, 2020(S1):27-30.
[6]	Teufl P. Malware detection by applying knowledge discovery processes to application metadata on the Android market(Google Play)[J]. Security and Communication Networks, 2016, 9(5):389-419.
[7]	褚堃, 万良, 马丹, 等. 深度可分离卷积在Android恶意软件分类的应用研究[J]. 计算机应用研究, 2022, 39(5):1534-1540.
	Chu Kun, Wan Liang, Ma Dan, et al. Research on application of depthwise separable convolution in Android malware classification[J]. Application Research of Computers, 2022, 39(5):1534-1540.
[8]	张雪涛, 王金双, 孙蒙. 基于GCN的安卓恶意软件检测模型[J]. 软件导刊, 2020, 19(7):187-193.
	Zhang Xuetao, Wang Jinshuang, Sun Meng. GCN-based Android malware detection model[J]. Software Guide, 2020, 19(7):187-193.
[9]	李璐. 基于函数调用图的Android恶意软件检测[J]. 现代计算机, 2018, 19(12):28-33.
	Li Lu. Android malware detection based on function call graph[J]. Modern Computer, 2018, 19(12):28-33.
[10]	潘梦竹, 李千目, 邱天. 深度多模态表示学习的研究综述[J]. 计算机工程与应用, 2023, 59(2):48-64. doi: 10.3778/j.issn.1002-8331.2206-0145
	Pan Mengzhu, Li Qianmu, Qiu Tian. Survey of research on deep multimodal representation learning[J]. Computer Engineering and Applications, 2023, 59(2):48-64. doi: 10.3778/j.issn.1002-8331.2206-0145
[11]	Guen K T, Kang B J, Mina R, et al. A multimodal deep learning method for android malware detection using various features[J]. IEEE Transactions on Information Forensics and Security, 2019, 14(3):773-788.
[12]	Mohamed G, Abdelmalek A. A new wrapper-based feature selection technique with fireworks algorithm for Android malware detection[J]. International Journal of Software Science and Computational Intelligence, 2022, 14(1):1-19.
[13]	Íbrahim Doĝru A, Önder M. AppPerm analyzer:Malware detection system based on Android permissions and permission groups[J]. International Journal of Software Engineering and Knowledge Engineering, 2020, 30(3):24-30.
[14]	Altaher A, Barukab O M. Intelligent hybrid approach for Android malware detection based on permissions and API calls[J]. International Journal of Advanced Computer Science and Applications, 2017, 8(6):60-67.
[15]	Lu Y, Zulie P, Jingju L, et al. Android malware detectiontechnology based on improved Bayesian classification[C]. Shenyang: The Third International Conference on Instrumentation,Measurement,Computer,Communication and Control, 2013:112-130.
[16]	Khariwal K, Gupta R, Singh J, et al. R-MFDroid:Android malware detection using ranked manifest file components[J]. International Journal of Innovative Technology and Exploring Engineering, 2021, 10(7):55-64.
[17]	Wu D J, Mao C H, Wei H M, et al. DroidMat:Android malware detection through manifest and API calls tracing[C]. Tokyo: The Seventh Asia Joint Conference onInformation Security, 2012:172-180.
[18]	Thongsuwan S, Jaiyen S, Padcharoen A, et al. ConvXGB:A new deep learning model for classification problems based on CNN and XGBoost[J]. Nuclear Engineering and Technology, 2021, 53(2):522-531.
[19]	Fang W, Zhang L, Wang C, et al. AMC-MDL:A novel approach of Android malware classification using multimodel deep learning[C]. Calgary: IEEE International Conference on Dependable,Autonomic and Secure Computing,International Conference on Pervasive Intelligence and Computing,International Conference on Cloud and Big Data Computing,International Conference on Cyber Science and Technology Congress, 2020:108-127.
[20]	Jerome Q, Allix K, State R, et al. Using opcode-sequences to detect malicious Android applications[C]. New South Wales: IEEE International Conference on Communications, 2014:76-90.
[21]	Ding Y, Hu J, Xu W, et al. A deep feature fusion method for Android malware detection[C]. Kobe: International Conference on Machine Learning and Cybernetics IEEE, 2019:1121-1134.
[22]	Yan J P, Qi Y, Rao Q F. LSTM-based hierarchical denoising network for Android malware detection[J]. Security and Communication Networks, 2018, 20(8):1-18.
[23]	Amin M, Tanveer T A, Tehseen M, et al. Static malware detection and attribution in android bytecode throughan end-to-end deep system[J]. Future Generation Computer Systems, 2020, 10(2):112-126.
[24]	Shikha B, Sunil K M. GENDroid:A graph-based ensemble classifier for detecting Android malware[J]. International Journal of Information and Computer Security, 2022, 18(3-4):327-347.
[25]	Cai M, Jiang Y, Gao C, et al. Learning features from enhanced function call graphs for Android malware detection[J]. Neurocomputing, 2021, 42(3):301-307.
[26]	杨铭, 张健. 基于图像识别的恶意软件静态检测模型[J]. 信息网络安全, 2021, 21(10):25-32.
	Yang Ming, Zhang Jian. Static detection model based on image recognition[J]. Netinfo Security, 2021, 21(10):25-32.
[27]	朱斌, 刘子龙. 基于新型初始模块的卷积神经网络图像分类方法[J]. 电子科技, 2021, 34(2):52-56.
	Zhu Bin, Liu Zilong. Image classification method using convolutional neural network based on new initial module[J]. Electronic Science and Technology, 2021, 34(2):52-56.
[28]	程俊华, 曾国辉, 刘瑾. 基于深度学习的复杂背景图像分类方法研[J]. 电子科技, 2020, 33(12):59-66.
	Cheng Junhua, Zeng Guohui, Liu Jin. Research on complex background image classification method based on deep learning[J]. Electronic Science and Technology, 2020, 33(12):59-66.
[29]	张锐, 杨吉云. 基于权限相关性的Android恶意软件检测[J]. 计算机应用, 2014, 34(5):1322-1325. doi: 10.11772/j.issn.1001-9081.2014.05.1322
	Zhang Rui, Yang Jiyun. Android malware detection based on permission correlation[J]. Journal of Computer Applications, 2014, 34(5):1322-1325. doi: 10.11772/j.issn.1001-9081.2014.05.1322
[30]	王思远, 张仰森, 曾健荣, 等. Android恶意软件检测方法综述[J]. 计算机应用与软件, 2021, 38(9):1-9.
	Wang Siyuan, Zhang Yangsen, Zeng Jianrong, et al. Overview of Android malware detection methods[J]. Computer Applications and Software, 2021, 38(9):1-9.
[31]	李剑, 朱月俊. 基于权限的安卓恶意软件检测方法[J]. 信息安全研究, 2017, 3(9):817-822.
	Li Jian, Zhu Yuejun. Detection method of Android malware by using permission[J]. Journal of Information Security Research, 2017, 3(9):817-822.
[32]	张雪涛, 孙蒙, 王金双. 基于操作码的安卓恶意代码多粒度快速检测方法[J]. 网络与信息安全学报, 2019, 5(6):85-94.
	Zhang Xuetao, Sun Meng, Wang Jinshuang. Multigranularity Android malware fast detection based on opcode[J]. Chinese Journal of Network and Information Security, 2019, 5(6):85-94.
[33]	陈铁明, 徐志威. 基于API调用序列的Android恶意代码检测方法研究[J]. 浙江工业大学学报, 2018, 46(2):147-154.
	Chen Tieming, Xu Zhiwei. Research on detection of Android malicious code based on API call sequence[J]. Journal of Zhejiang University of Technology, 2018, 46(2):147-154.
[34]	陈铁明, 项彬彬, 吕明琪, 等. 基于字节码图像和深度学习的Android恶意应用检测[J]. 电信科学, 2019, 35(1):9-17. doi: 10.11959/j.issn.1000-0801.2019022
	Chen Tieming, Xiang Binbin, Lv Mingqi, et al. Android malware detection method based on bytecode image and deep learning[J]. Telecommunications Science, 2019, 35(1):9-17. doi: 10.11959/j.issn.1000-0801.2019022
[35]	李自清. 基于函数调用图的Android恶意代码检测方法研究[J]. 计算机测量与控制 2017, 25(10):198-201,205.
	Li Ziqing. Android malicious code detection method based on function call graph[J]. Computer Measurement and Control, 2017, 25(10):198-201,205.

序号	危险权限名称
1	CAMERA
2	READ_CONTACTS
3	GET_ACCOUNTS
4	RECORD_AUDIO
5	READ_SMS
6	USE_SIP

方法	准确率	精准率	召回率	F1分数
基于权限的方法^[31]	0.626	0.650	0.596	0.623
基于操作码的方法^[32]	0.749	0.761	0.758	0.760
基于API调用序列的方法^[33]	0.669	0.642	0.657	0.649
基于字节码图像的方法^[34]	0.843	0.866	0.793	0.828
基于函数调用图的方法^[35]	0.867	0.871	0.864	0.868
本文方法	0.952	0.964	0.950	0.957

方法	准确率	精准率	召回率	F1分数
GCN	0.866	0.871	0.864	0.868
GAT	0.870	0.862	0.871	0.867
GraphSAGE	0.883	0.896	0.861	0.878

特征	准确率	精准率	召回率	F1分数
A+B	0.908	0.897	0.905	0.901
A+C	0.926	0.929	0.913	0.921
B+C	0.941	0.940	0.937	0.939
A+B+C	0.952	0.964	0.950	0.957