一种Android恶意行为检测算法

doi:10.3969/j.issn.1001-2400.2015.03.002

J4 ›› 2015, Vol. 42 ›› Issue (3): 8-14.doi: 10.3969/j.issn.1001-2400.2015.03.002

一种Android恶意行为检测算法

王志强1;张玉清2;刘奇旭2;黄庭培2

(1. 西安电子科技大学综合业务网理论及关键技术国家重点实验室，陕西西安 710071；
2. 中国科学院大学国家计算机网络入侵防范中心，北京 101408)

收稿日期:2014-03-07 出版日期:2015-06-20 发布日期:2015-07-27
作者简介:王志强(1985-)，男，西安电子科技大学博士研究生，E-mail:wangzq@nipc.org.cn．
基金资助:
国家自然科学基金资助项目(61272481, 61303239)

Algorithm to detect Android malicious behaviors

WANG Zhiqiang1;ZHANG Yuqing2;LIU Qixu2;HUANG Tingpei2

(1. State Key Lab. of Integrated Service Networks, Xidian Univ., Xi'an 710071, China;
2. National Computer Network Intrusion Protection Center, University of Chinese Academy of Sciences, Beijing 100190, China)

Received:2014-03-07 Online:2015-06-20 Published:2015-07-27

摘要/Abstract

摘要：

提出一种新的Android恶意行为检测算法，该算法使用系统调用序列和控制流序列表征Android应用程序的行为，通过分析已知恶意软件样本库，训练出一个恶意软件特征基和阈值，再计算Android应用程序与特征基的相似度，根据阈值判断目标是否为恶意软件．根据该算法，开发了一个Android恶意软件检测系统SCADect，并在华为U8860真机上对3000个测试样本进行分类，准确率达到96.8％; 针对包含混淆和加密操作的8簇237个恶意样本，该系统的检出率达到89％，明显优于工具Androguard．实验结果表明，SCADect能够抵抗混淆和加密攻击，提高恶意软件检测的准确率和降低误报率．

关键词: 智能手机, 恶意软件, 分类, 相似度

Abstract:

The paper presents a novel Android malware behavioral detection algorithm. The algorithm characterizes Android applications’ behaviors by system call sequences and control flow sequences, trains a malware feature base and a threshold by analyzing known malware samples. Then, we calculate the similarities between the feature base and Android applications, and detect malware by comparing the similarities with the threshold. Finally, an Android malware detection system named SCADect is developed according to the algorithm. The detection accuracy of detecting 3000 samples is up to 96.8％, and the detection rate of classifying 8-cluster obfuscated malware including 237 samples can reach 89％, obviously better than the tool Androguard. The results show that the SCADect is able to resist obfuscated and cryptographic attacks, improves the detection accuracy and reduces the false negative rate.

Key words: smartphones, malware, classification, similarity

王志强;张玉清;刘奇旭;黄庭培. 一种Android恶意行为检测算法[J]. J4, 2015, 42(3): 8-14.

WANG Zhiqiang;ZHANG Yuqing;LIU Qixu;HUANG Tingpei. Algorithm to detect Android malicious behaviors[J]. J4, 2015, 42(3): 8-14.

参考文献

［1］曹莹, 刘家辰, 苗启广, 等. AdaBoost恶意程序行为检测新算法［J］. 西安电子科技大学学报, 2013, 40(6): 116-124.
Cao Ying, Liu Jiachen, Miao Qiguang, et al. Improved Behavior-based Malware Detection Algorithm with AdaBoost ［J］. Journal of Xidian University, 2013, 40(6): 116-124.
［2］ Natani P, Vidyarthi D. An Overview of Detection Techniques for Metamorphic Malware ［C］//Proceedings of the International Conference on Intelligent Computing, Networking, and Informatics. Raipur: Springer India, 2013: 637-643.
［3］ Santos I, Brezo F, Ugarte X, et al. Opcode Sequences as Representation of Executables for Data-mining-based Unknown Malware Detection ［J］. Information Sciences, 2013, 231(1): 64-82.
［4］ Zhao Z, Wang J, Bai J. Malware Detection Method Based on the Control-flow Construct Feature of Software ［J］. IET Information Security, 2014, 8(1): 18-24.
［5］ Bose A, Hu X, Shin K G, et al. Behavioral Detection of Malware on Mobile Handsets ［C］//Proceedings of the 6th International Conference on Mobile Systems, Applications and Services. New York: ACM, 2008: 225-238.
［6］ Schmidt D, Bye R, Schmidt G, et al. Static Analysis of Executables for Collaborative Malware Detection on Android ［C］//Proceedings of the IEEE International Conference on Communications. Piscataway: IEEE, 2009: 1-5.
［7］ Shabtai A, Fledel Y, Elovici Y. Automated Static Code Analysis for Classifying Android Applications Using Machine Learning ［C］//Proceedings of the IEEE International Conference on Computational Intelligence and Security. Los Alamitos: IEEE, 2010: 329-333.
［8］ Xie L, Zhang X W, Seifert P, et al. PBMDS: a Behavior-based Malware Detection System for Cellphone Devices ［C］//Proceedings of the Third ACM Conference on Wireless Network Security. New York: ACM, 2010: 37-48.
［9］ Burguera I, Zurutuza U, Nadjm-Tehrani S. Crowdroid: Behavior-based Malware Detection System for Android ［C］//Proceedings of the 1st ACM Workshop: Security and Privacy in Smartphones and Mobile Devices. New York: ACM, 2011: 15-25.
［10］ Google. Android Official Market ［DB/OL］. ［2014-02-27］. https://play.google.com/store.
［11］ Torvalds L. Linux System Call Table ［EB/OL］. ［2014-02-27］. http://osinside.net/syscall/system_call_table.htm.
［12］ Kranenburg P, Levin D. Strace ［CP/OL］. ［2014-02-27］. http://sourceforge.net/projects/strace.
［13］ Cesare S, Xiang Y. Classification of Malware Using Structured Control Flow ［C］//Proceedings of the 8th Australasian Symposium on Parallel and Distributed Computing. Brisbane: Australian Computer Society, 2010: 61-70.
［14］ Apel M, Bockermann C, Meier M. Measuring Similarity of Malware Behavior ［C］//Proceedings of the 34th Conference on Local Computer Networks. Los Alamitos: IEEE Computer Society, 2009:891-898.
［15］ Cilibrasi R, Vitanyi B. Clustering by Compression ［J］. IEEE Transactions on Information Theory, 2005, 51(4): 1523-1545.
［16］ Zhou Y, Jiang X. Android Malware Genome Project ［EB/OL］. ［2014-02-27］. http://www.malgenomeproject.org.
［17］ Desnos A. Androguard Malware Database ［DB/OL］. ［2014-02-27］. https://code.google.com/p/androguard/wiki/DatabaseAndroidMalwares.
［18］ Parkour M. Contagiodump ［EB/OL］. ［2014-02-27］. http://contagiodump.blogspot.com.

[1]	李卓, 王童彤, 刘开华. 基于智能规则存储匹配模型的包分类算法研究[J]. 西安电子科技大学学报, 2024, 51(6): 149-158.
[2]	徐海涛, 刘玉哲, 闫欣怡, 李娇娇, 薛长斌. 一种高光谱与LiDAR特征耦合的融合分类网络[J]. 西安电子科技大学学报, 2024, 51(6): 73-83.
[3]	慕彩红, 张富贵, 闫香蓉, 刘逸. 子空间与存储体的高光谱图像跨域小样本分类[J]. 西安电子科技大学学报, 2024, 51(5): 82-96.
[4]	戚连刚, 张义权, 国强, 王亚妮, KALIUZHNYI Mykola. 一种提升均匀自由度的稀疏阵列设计[J]. 西安电子科技大学学报, 2024, 51(4): 67-77.
[5]	翟凤文, 孙芳林, 金静. 多尺度卷积结合Transformer的抑郁脑电分类研究[J]. 西安电子科技大学学报, 2024, 51(2): 182-195.
[6]	曾勇, 郭晓亚, 马佰和, 刘志宏, 马建峰. 联邦加密流量分类中的细粒度防御方法[J]. 西安电子科技大学学报, 2024, 51(1): 157-164.
[7]	董勐,高一鸣,潘伟涛,邱智亮,杨建磊,邸志雄,郑凌. RELIC-GNN:一种高效的状态寄存器识别算法[J]. 西安电子科技大学学报, 2023, 50(3): 142-150.
[8]	谢雯,滑文强,焦李成,王若男. 采用深度学习的极化SAR地物分类方法综述[J]. 西安电子科技大学学报, 2023, 50(3): 151-170.
[9]	郭刚,杨超,陈明哲,马建峰. 结合机器学习的SSR代理下App流量识别方法[J]. 西安电子科技大学学报, 2023, 50(2): 138-146.
[10]	任佳兴, 曹玉东, 曹睿, 闫佳. 一种采用动态子空间的小样本图像分类算法[J]. 西安电子科技大学学报, 2022, 49(5): 166-174.
[11]	井佩光,李亚鑫,苏育挺. 一种多模态特征编码的短视频多标签分类方法[J]. 西安电子科技大学学报, 2022, 49(4): 109-117.
[12]	周鹏,杨军. 索引边缘几何卷积神经网络用于点云分类[J]. 西安电子科技大学学报, 2022, 49(2): 207-217.
[13]	秦宁宁,吴忆松,杨乐. 动态模糊匹配下的多元相似度定位算法[J]. 西安电子科技大学学报, 2021, 48(4): 27-35.
[14]	周建宇,位寅生,许荣庆. 一种改进模糊C均值聚类的电离层杂波分类方法[J]. 西安电子科技大学学报, 2021, 48(2): 35-41.
[15]	段崇棣,韩超垒,杨志伟,张庆君. 一种杂波分类辅助的近海岸模糊杂波抑制方法[J]. 西安电子科技大学学报, 2021, 48(2): 64-71.

一种Android恶意行为检测算法

Algorithm to detect Android malicious behaviors

PDF (PC)

赞

可视化

被引次数

摘要/Abstract

引用本文

使用本文

参考文献

相关文章 15

Metrics

本文评价

推荐阅读 0