Android malware detection method based on system calls
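  • English title: Android malware detection method based on system calls
  • Authors: 陈昊; 姜海涛; 郭静; 周超; 姚楠; 徐建
  • Authors (English): Chen Hao; Jiang Haitao; Guo Jing; Zhou Chao; Yao Nan; Xu Jian; State Grid Jiangsu Electric Power Company Research Institute; School of Computer Science and Engineering, Nanjing University of Science and Technology
  • Keywords: Android; malware detection; static detection; dynamic detection; characterization; system call frequency; system call dependency graph
  • English keywords: Android; malware detection; static detection; dynamic detection; characterization; system call frequency; system call dependency
  • Chinese journal name: NJLG
  • English journal name: Journal of Nanjing University of Science and Technology
  • Institutions: State Grid Jiangsu Electric Power Company Research Institute; School of Computer Science and Engineering, Nanjing University of Science and Technology
  • Publication date: 2018-01-18 14:13
  • Publisher: Journal of Nanjing University of Science and Technology
  • Year: 2017
  • Issue: v.41; No.217
  • Funding: State Grid Jiangsu Electric Power Company Science and Technology Project (J2016022)
  • Language: Chinese
  • Page: NJLG201706009
  • Number of pages: 6
  • CN: 06
  • ISSN: 32-1397/N
  • Classification number: 54-58+63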
Abstract
To address the low accuracy of static malware detection methods, this paper proposes a dynamic malware detection method that takes the system calls generated by Android applications at run time as its object of study. System call sequences, obtained by event simulation of Android mobile applications in a sandbox environment, are characterized, and two feature representation methods are designed: one based on system call frequency and one based on system call dependency graphs. An ensemble learning method is used to build a classifier that distinguishes malicious applications from benign ones. The approach was validated experimentally on 3 000 samples from third-party application markets. The results show that the feature representation based on system call dependency graphs outperforms the one based on system call frequency, and that the ensemble classifier achieves good detection accuracy, reaching 95.84%.
