CN106503552A - Android malware detection system and method based on signature and data-flow pattern mining - Google Patents

Info

Publication number: CN106503552A
Application number: CN201610832280.1A
Authority: CN (China)
Prior art keywords: pattern, traffic, signature, data, android application
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 宁卓, 邵达成, 郑之奇, 胡婷, 张佩
Current assignee: Nanjing University of Posts and Telecommunications (listed as Nanjing Post and Telecommunication University)
Original assignee: Nanjing Post and Telecommunication University
Application filed by Nanjing Post and Telecommunication University; priority to CN201610832280.1A; published as CN106503552A.

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562 Static detection
    • G06F21/564 Static detection by virus signature recognition
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Abstract

Disclosed is an Android malware detection system and method based on signature and data-flow pattern mining. The system comprises a signature analysis component and a data-flow analysis component. The signature analysis component comprises a signature generation module, a malware signature database and a signature matching module; the data-flow analysis component comprises a data-flow analysis module, a data-flow pattern mining module, a data-flow pattern matching module and a data-flow pattern rule base. In operation, signature computation and data-flow pattern mining are first performed on known malware to build the malware signature database and the data-flow pattern rule base; the software under test is then subjected to signature matching and data-flow rule matching to decide whether it is malicious privacy-leaking software. The invention overcomes the disadvantage of traditional data-flow detection, which requires manual confirmation, improves detection efficiency, and avoids the false-positive problem caused by the "permission abuse" problem.

Description

Android malware detection system and method based on signature and data-flow pattern mining
Technical field
The present invention relates to the field of data-flow pattern mining, and in particular to an Android malware detection system and method based on signature and data-flow pattern mining.
Background art
Android is currently the most widely used smartphone operating system; in 2014, sales of Android phones accounted for 81% of global mobile phone sales, reaching 1,000,000,000 units. On the other hand, the openness of the Android system, while winning the favour of application developers, also brings many security problems. At present the Android platform hosts a large amount of malware that steals user privacy and seriously threatens the safety of users.
There are two mainstream Android malware detection methods: dynamic analysis and static analysis. Dynamic analysis builds an Android runtime environment and can simulate the real behaviour of the software under test; its precision is high, but because the software must actually run, it consumes resources. Static analysis does not require the software under test to run; it analyses whether the software is malware by way of signatures, control flow or data flow. The weakness of this method is that it easily produces false positives.
Existing static analysis techniques for Android software can be divided into three classes: permission-based detection schemes, detection schemes based on traditional static analysis means, and detection schemes based on machine learning.
Permission-based detection schemes extract the permission information declared in the Manifest file of an Android application and analyse it, judging by pre-established permission rules whether the application is malicious. The Kirin tool identifies danger through a set of predefined rules on permission combinations, but it only provides the high-risk permission rules frequently used by 9 malicious application families as its criteria, so its detection capability is limited. Other mainstream work uses data mining to discover the relationships between the permissions requested by malicious applications and uses these as rules to detect applications under test. In actual development, however, developers often request excessive permissions to ease development and maintenance, and this pervasive "permission abuse" problem easily causes permission-based detection schemes to produce false positives: an application has requested permission to use a certain system resource but never actually uses it in its code, yet if permission-based detection finds that the requested permissions are consistent with a security rule, normal software may be reported as malicious. In summary, permission-based detection schemes cannot solve the false-positive problem caused by the "permission abuse" phenomenon.
Detection schemes based on traditional static analysis means are mainly signature detection and data-flow analysis techniques. Classical signature detection performs an MD5 or SHA computation over the whole malicious program or part of its code and uses the resulting hash value as the signature of the file. If the signature of the software under test matches a malware signature collected in advance, the software is determined to be malware. This method scans fast and precisely, but its disadvantage is that it can only detect the specific malware samples it knows; against malware obscured by variants the method is ineffective. For this problem, Zhiyuan Wang et al. proposed a multi-level signature system for collecting and detecting Android malware: the system first numbers the Android APIs, then scans the system APIs in the APK file under test, represents those APIs by their numbers, generates an MD5 signature from them, and then produces method-level, class-level and APK-level signatures in turn. This method can effectively detect some repackaged and code-obfuscated malware, but it is not an analysis at the data-flow level and cannot resist API-based code obfuscation. Zhemin Yang, Zhibo Zhao, C. Fritz, W. Klieber et al. each proposed data-flow-based analysis tools. Although data-flow analysis can cover the whole code of an application and its accuracy is higher, on the one hand such whole-code analysis is relatively time-consuming, and on the other hand the result of data-flow analysis does not say whether the software is malware: human judgement is usually still needed to confirm whether a data flow is a malicious one. In summary, mainstream signature technology is only a technique for uniquely representing software features; it cannot analyse the software under test in depth, so its results are inevitably disturbed by malware techniques such as code obfuscation, while the defects of data-flow analysis are the time cost of whole-code analysis and the need for a final manual determination of the result. For known malware, data-flow analysis also involves repeated detection.
Machine-learning-based detection schemes learn from the static features of malware, such as permission features and API features, so that the machine learning algorithm derives a classification model that is then used for malware detection. The shortcoming of this scheme is that it places high demands on the classification features, since the effectiveness of the features directly determines the precision of classification. Most machine learning methods still use permissions as feature information, so they cannot solve the false positives caused by the "permission abuse" phenomenon.
Summary of the invention
The technical problem to be solved by the present invention is to address the defects of the background art by providing an Android malware detection system and method based on signature and data-flow pattern mining.
To solve the above technical problem, the present invention adopts the following technical solution:
An Android malware detection system based on signature and data-flow pattern mining, comprising a signature analysis component and a data-flow analysis component;
The signature analysis component comprises a signature generation module, a malware signature database and a signature matching module;
The signature generation module is used to generate the signature of an Android application;
The malware signature database is used to store the signatures of all preset malicious Android applications;
The signature matching module is used to match the signature of the input Android application against the signatures stored in the malware signature database;
The data-flow analysis component comprises a data-flow analysis module, a data-flow pattern mining module, a data-flow pattern matching module and a data-flow pattern rule base;
The data-flow analysis module is used to analyse whether the input Android application has data-flow patterns and, if so, to extract the data-flow patterns of the input Android application;
The data-flow pattern mining module is used to screen, from all the preset malicious Android applications, the data-flow patterns whose confidence exceeds a preset confidence threshold and whose support exceeds a preset support threshold;
The data-flow pattern rule base is used to store the data-flow patterns screened by the data-flow pattern mining module;
The data-flow pattern matching module is used to match the data-flow patterns of the input Android application against the data-flow patterns in the data-flow pattern rule base.
The invention also discloses a detection method for the Android malware detection system based on signature and data-flow pattern mining, comprising the following steps:
Step 1): perform signature training and data-flow pattern training on all preset malicious Android applications to generate the malware signature database and the data-flow pattern rule base;
Step 2): input the Android application under test into the signature generation module of the signature analysis component, generate the signature of the Android application under test and pass it to the signature matching module;
Step 3): the signature matching module matches the signature of the Android application under test against the signatures in the malware signature database; if the malware signature database contains a signature identical to that of the Android application under test, the Android application under test is judged to be malware and detection ends; otherwise, go to Step 4);
Step 4): deliver the Android application under test to the data-flow analysis module of the data-flow analysis component; the data-flow analysis module analyses whether the Android application under test has data-flow patterns; if it does, extract the data-flow patterns of the Android application under test and go to Step 5); if it has no data-flow patterns, judge it to be safe software and end detection;
Step 5): input the data-flow patterns of the Android application under test into the data-flow matching module, which matches them against the data-flow patterns in the data-flow pattern rule base; if the rule base contains a data-flow pattern identical to one of the Android application under test, the Android application under test is judged to be a malicious application and detection ends; otherwise, the Android application under test is judged to be a risky application and detection ends.
Step 1) comprises the following sub-steps:
Step 1.1): input all preset malicious Android applications into the signature analysis component in turn;
Step 1.2): the signature analysis component uses the signature generation module to generate an MD5 signature for each input malicious Android application and stores the signature together with the software name in the malware signature database;
Step 1.3): input all preset malicious Android applications into the data-flow analysis component in turn;
Step 1.4): the data-flow analysis component uses the data-flow analysis module to perform data-flow analysis on each input malicious Android application, derives the data-flow patterns of each malicious Android application and passes them in turn to the data-flow pattern mining module;
Step 1.5): the data-flow pattern mining module screens, from the data-flow patterns of each malicious Android application, those whose confidence exceeds the preset confidence threshold and whose support exceeds the preset support threshold, and stores them in the data-flow pattern rule base.
Compared with the prior art, the present invention adopts the above technical solution and has the following technical effects:
(1) by using signature technology and data-flow pattern mining technology, the present invention does not rely on the permission information of the application software and thus avoids the false-positive problem produced by the "permission abuse" phenomenon;
(2) by combining signature technology with data-flow pattern mining technology, the present invention makes up for the shortcoming of signature technology, which has difficulty analysing code-obfuscated malware accurately; at the same time, the use of the signature analysis component also remedies the repeated-detection problem of mainstream data-flow analysis schemes and improves detection speed;
(3) by using data-flow pattern mining, the present invention remedies the shortcoming of ordinary data-flow analysis schemes, which need manual confirmation, and achieves a high degree of automation.
Description of the drawings
Fig. 1 is the architecture diagram of the Android malware detection system based on signature and data-flow pattern mining;
Fig. 2 is the detection flow of the system of the present invention.
Specific embodiments
The technical solution of the present invention is described in further detail below with reference to the accompanying drawings:
Disclosed herein is an Android malware detection system based on signature and data-flow pattern mining. It is a static analysis detection system and does not require the software under test to run. The system comprises two components: a signature analysis component and a data-flow analysis component. The signature analysis component optimises the speed at which the system handles known malware, and the analysis performed by the data-flow analysis component yields the frequent patterns of malware data flows, which serve as rules guiding the detection of unknown software. The two components are introduced separately below.
1) Signature analysis component
The signature analysis component comprises a signature generation module, a malware signature database and a signature matching module. The signature generation module generates the signature of an Android application; the malware signature database stores the signatures of all preset malicious Android applications; the signature matching module matches the signature of the input Android application against the signatures stored in the malware signature database.
The core of the signature analysis component is the signature generation module, which generates the signature value of an Android application; the signature algorithm signs the APK as a whole with the MD5 algorithm. The signature computation ensures that every signed application obtains a different signature value. Therefore, if the signature of an unknown piece of software is identical to the signature of some malware, the unknown software is that malware.
The function of the signature analysis component is as follows: signature values are generated for a certain quantity of malware and stored in a database to form the malware signature database. At detection time a signature is generated for the unknown software and matched in the malware signature database; if there is a match, i.e. the signature of the unknown software is identical to some malware signature, the unknown software is identified as malware; if, conversely, the signature of the unknown software differs from every signature in the database, the unknown software is handed to the data-flow analysis module of the data-flow analysis component for analysis.
2) Data-flow analysis component
The data-flow analysis component comprises a data-flow analysis module, a data-flow pattern mining module, a data-flow pattern matching module and a data-flow pattern rule base. The data-flow analysis module analyses whether the input Android application has data-flow patterns and, if so, extracts them; the data-flow pattern mining module screens, from all preset malicious Android applications, the data-flow patterns whose confidence exceeds the preset confidence threshold and whose support exceeds the preset support threshold; the data-flow pattern rule base stores the data-flow patterns screened by the mining module; the data-flow pattern matching module matches the data-flow patterns of the input Android application against those in the data-flow pattern rule base.
The data-flow analysis component is the core component of the system. Its function is to perform data-flow analysis of malware, mine the frequent data-flow patterns of malware and store these frequent patterns in a database as rules, forming the data-flow pattern rule base. Afterwards the component also performs data-flow analysis on unknown software whose signature matching has failed and matches its data-flow patterns (if there are none, the software is identified as safe) against the data-flow rule base: if an identical data-flow pattern is found the software is identified as malware; otherwise it is identified as risky software that carries a privacy-leak risk. The data-flow analysis component contains the data-flow analysis module, the data-flow pattern mining module and the data-flow pattern rule base.
The data-flow analysis module performs decompilation of the Android application, data-flow graph construction and taint analysis. An Android installation package is an APK file, which is in fact a compressed archive; to perform data-flow analysis the module must first decompile the APK, parse the configuration files and code files inside it, and recover the source code or represent it in intermediate representation (IR) form. It then marks the various kinds of sensitive data in the program code (such as contacts, SMS messages, mail, etc.), constructs the program's data-flow graph and, following that graph, performs taint analysis to track the marked sensitive data. If the analysed software has a privacy-leaking data flow, the module produces pairs of the form {source, sink}. Each such pair is a potential privacy-leak path. Both source and sink are API functions of the system: the source is the entry function through which tainted data enters the analysed flow, usually an Android system API that reads sensitive data, such as reading SMS messages or reading mail; the sink is the exit function through which tainted data leaves the analysed flow, usually an Android API that sends data, such as sending SMS messages or opening a URL. Privacy leakage by an Android application becomes possible precisely because such a {source, sink} read-and-send path exists inside the program, through which sensitive data can be leaked.
By performing data-flow analysis on a certain quantity of malware, the path by which each malware sample leaks privacy can be obtained, i.e. a number of {source, sink} data-flow patterns. The data-flow pattern mining module performs association mining over this large set of malicious {source, sink} data-flow patterns; its aim is to find the privacy-leak paths that malware frequently uses, i.e. the set of those {source, sink} pairs that occur frequently, and to use these frequent data-flow patterns as rules for judging malicious privacy-leaking software.
To perform association mining, two thresholds must first be defined: a confidence threshold p(Confidence) and a support threshold p(Support). These two thresholds are used to screen data-flow patterns: if both the confidence p(Confidence) and the support p(Support) of a data-flow pattern exceed the given thresholds, the pattern is taken as a rule and added to the data-flow pattern rule base.
The formulas for p(Confidence) and p(Support) are given below, where p(source, sink) is the probability that the data-flow pattern {source, sink} occurs among all data-flow patterns; p(sink | source) is the probability that, among all data-flow patterns whose entry function is the given source, the given sink occurs as the exit function; count(source, sink) is the number of times the data-flow pattern {source, sink} occurs in the whole pattern set; p(source) is the probability that a data-flow pattern whose entry function is this source occurs in the whole set of data-flow patterns; and T is the total number of {source, sink} data-flow patterns obtained by analysing the given quantity of malware.
(1) p(Support) = p(source, sink) = count(source, sink) / T
(2) p(Confidence) = p(sink | source) = p(source, sink) / p(source)
Once the confidence and support of every {source, sink} pattern occurring in the malware have been computed, each data-flow pattern whose two values both exceed the previously given thresholds is added to the data-flow pattern rule base. After the data-flow pattern rule base has been built, whenever unknown software fails to match in the signature component, the data-flow analysis module analyses its data-flow patterns, which are then matched against the rules in the data-flow rule base. If a matching {source, sink} pattern exists, the software under test exhibits a privacy-leak path that occurs frequently in malware, and the unknown software can be identified as malicious privacy-leaking software; otherwise the software has a privacy-leak risk but is not malware. Of course, if the unknown software shows no leak path at all after analysis by the data-flow analysis module, it is directly identified as safe software.
The system architecture and usage steps of the present invention are shown in Fig. 1. The system first selects a certain quantity of malware, performs signature computation with the signature generator to derive the malware signature database, then has the data-flow analysis module perform data-flow analysis on the malware to derive its data-flow patterns, and then uses the data-flow pattern mining module to mine the data-flow patterns that malware frequently uses and store them in the data-flow pattern rule base. Once these two rule bases have been obtained, unknown software can be detected.
The specific detection flow of the present invention is shown in Fig. 2 and comprises the following steps:
Step 1): perform signature training and data-flow pattern training on all preset malicious Android applications to generate the malware signature database and the data-flow pattern rule base;
Step 2): input the Android application under test into the signature generation module of the signature analysis component, generate the signature of the Android application under test and pass it to the signature matching module;
Step 3): the signature matching module matches the signature of the Android application under test against the signatures in the malware signature database; if the malware signature database contains a signature identical to that of the Android application under test, the Android application under test is judged to be malware and detection ends; otherwise, go to Step 4);
Step 4): deliver the Android application under test to the data-flow analysis module of the data-flow analysis component; the data-flow analysis module analyses whether the Android application under test has data-flow patterns; if it does, extract the data-flow patterns of the Android application under test and go to Step 5); if it has no data-flow patterns, judge it to be safe software and end detection;
Step 5): input the data-flow patterns of the Android application under test into the data-flow matching module, which matches them against the data-flow patterns in the data-flow pattern rule base; if the rule base contains a data-flow pattern identical to one of the Android application under test, the Android application under test is judged to be a malicious application and detection ends; otherwise, the Android application under test is judged to be a risky application and detection ends.
Step 1) comprises the following sub-steps:
Step 1.1): input all preset malicious Android applications into the signature analysis component in turn;
Step 1.2): the signature analysis component uses the signature generation module to generate an MD5 signature for each input malicious Android application and stores the signature together with the software name in the malware signature database;
Step 1.3): input all preset malicious Android applications into the data-flow analysis component in turn;
Step 1.4): the data-flow analysis component uses the data-flow analysis module to perform data-flow analysis on each input malicious Android application, derives the data-flow patterns of each malicious Android application and passes them in turn to the data-flow pattern mining module;
Step 1.5): the data-flow pattern mining module screens, from the data-flow patterns of each malicious Android application, those whose confidence exceeds the preset confidence threshold and whose support exceeds the preset support threshold, and stores them in the data-flow pattern rule base.
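The training steps 1.1 to 1.5 with formulas (1) and (2), followed by the detection steps 2 to 5, as an added Python example that is not the patent's own code. It assumes that APK files are stood in for by constructed byte strings and that the {source, sink} patterns the decompile-and-taint-analysis module would extract from each app are supplied directly as constructed input, with constructed labels (read_sms, send_sms, ...) in place of real Android API names.

```python
"""Added example (not the patent's own code): signature database, {source, sink}
pattern mining with formulas (1) and (2), and the Step 1-5 detection flow.

Assumptions (not from the patent): APK files are stood in for by constructed
byte strings, and the {source, sink} patterns that the decompile/taint-analysis
module would extract from each app are supplied directly as constructed input,
with constructed API labels (read_sms, send_sms, ...) instead of real method names.
"""
import hashlib
from collections import Counter
from fractions import Fraction
from typing import Dict, List, Set, Tuple

Pattern = Tuple[str, str]  # (source API, sink API): the patent's {source, sink} pair

# Constructed training set: bytes standing in for known-malicious APK files ...
MALWARE_APKS: Dict[str, bytes] = {
    "mal_a.apk": b"PK\x03\x04constructed-apk-A",
    "mal_b.apk": b"PK\x03\x04constructed-apk-B",
    "mal_c.apk": b"PK\x03\x04constructed-apk-C",
    "mal_d.apk": b"PK\x03\x04constructed-apk-D",
}
# ... and the privacy-leak paths the data-flow module would report for each one.
MALWARE_PATTERNS: Dict[str, List[Pattern]] = {
    "mal_a.apk": [("read_sms", "send_sms"), ("read_sms", "open_url")],
    "mal_b.apk": [("read_sms", "send_sms")],
    "mal_c.apk": [("read_sms", "send_sms"), ("read_contacts", "open_url")],
    "mal_d.apk": [("read_contacts", "open_url"), ("read_mail", "open_url")],
}


def md5_signature(apk_bytes: bytes) -> str:
    """Signature generation module: MD5 over the whole APK, as the patent specifies.
    Any change to the archive (repackaging, re-signing) yields a new value, which is
    why the text says signatures only catch the specific samples already collected."""
    return hashlib.md5(apk_bytes).hexdigest()


def build_signature_db(apks: Dict[str, bytes]) -> Dict[str, str]:
    """Steps 1.1-1.2: map signature -> software name for every known malware sample."""
    return {md5_signature(data): name for name, data in apks.items()}


def mine_rules(patterns: Dict[str, List[Pattern]], support_threshold: float,
               confidence_threshold: float) -> Dict[Pattern, Tuple[Fraction, Fraction]]:
    """Steps 1.3-1.5: association mining over all malware {source, sink} patterns.
    Returns pattern -> (support, confidence) for every pattern exceeding both thresholds."""
    all_patterns = [p for plist in patterns.values() for p in plist]
    total = len(all_patterns)                               # T in formula (1)
    if total == 0:
        return {}
    pair_count = Counter(all_patterns)                      # count(source, sink)
    source_count = Counter(src for src, _ in all_patterns)  # patterns entering via src
    rules: Dict[Pattern, Tuple[Fraction, Fraction]] = {}
    for (src, snk), n in pair_count.items():
        support = Fraction(n, total)                        # (1) count(source, sink) / T
        p_source = Fraction(source_count[src], total)       # p(source)
        confidence = support / p_source                     # (2) p(source, sink) / p(source)
        if support > support_threshold and confidence > confidence_threshold:
            rules[(src, snk)] = (support, confidence)
    return rules


def detect(apk_bytes: bytes, app_patterns: List[Pattern],
           signature_db: Dict[str, str], rule_base: Set[Pattern]) -> str:
    """Steps 2-5 for one app under test; the verdict is MALWARE, SAFE or RISK."""
    # Steps 2-3: a signature hit ends detection before any data-flow work is done.
    if md5_signature(apk_bytes) in signature_db:
        return "MALWARE"
    # Step 4: no {source, sink} leak path at all -> safe software.
    if not app_patterns:
        return "SAFE"
    # Step 5: a path that is a frequent malware pattern -> malicious; otherwise the app
    # still has a leak path and is flagged as a risky application.
    if any(p in rule_base for p in app_patterns):
        return "MALWARE"
    return "RISK"


if __name__ == "__main__":
    sig_db = build_signature_db(MALWARE_APKS)
    rules = mine_rules(MALWARE_PATTERNS, support_threshold=0.2, confidence_threshold=0.6)
    for pat, (sup, conf) in rules.items():
        print(f"rule {pat}: support={sup} confidence={conf}")
    rule_base = set(rules)
    # Constructed apps under test, one per verdict path.
    print(detect(MALWARE_APKS["mal_b.apk"], [], sig_db, rule_base))                           # MALWARE
    print(detect(b"PK\x03\x04clean", [], sig_db, rule_base))                                  # SAFE
    print(detect(b"PK\x03\x04unknown-1", [("read_contacts", "open_url")], sig_db, rule_base))  # MALWARE
    print(detect(b"PK\x03\x04unknown-2", [("read_mail", "open_url")], sig_db, rule_base))      # RISK
```

With the constructed set (T = 7), only {read_sms, send_sms} (support 3/7, confidence 3/4) and {read_contacts, open_url} (support 2/7, confidence 1) pass the 0.2 / 0.6 thresholds; {read_mail, open_url} has confidence 1 but support 1/7 and is dropped, so an unknown app carrying only that path is rated RISK rather than MALWARE.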
The system of this application overcomes the disadvantage of traditional data-flow detection, which needs manual confirmation, and improves detection efficiency; compared with traditional permission-based malware detection methods, the system avoids the false-positive problem caused by the "permission abuse" problem. At the same time, through signature technology the system greatly increases the speed at which repeated malware is detected.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by one of ordinary skill in the art to which the present invention belongs. It should also be understood that terms such as those defined in general dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the prior art and, unless defined as here, will not be interpreted in an idealised or overly formal sense.
The specific embodiments described above further explain the purpose, technical solution and beneficial effects of the present invention in detail. It should be understood that the foregoing are only specific embodiments of the present invention and do not limit it; any modifications, equivalent substitutions, improvements and the like made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims (3)

1. An Android malware detection system based on signatures and data-flow pattern mining, characterised in that it comprises a signature analysis component and a data-flow analysis component;
the signature analysis component comprises a signature generation module, a malware signature database and a signature matching module;
the signature generation module is used to generate the signature of an Android application;
the malware signature database is used to store the signatures of all preset malicious Android applications;
the signature matching module is used to match the signature of the input Android application against the signatures stored in the malware signature database;
the data-flow analysis component comprises a data-flow analysis module, a data-flow pattern mining module, a data-flow pattern matching module and a data-flow pattern rule base;
the data-flow analysis module is used to analyse whether the input Android application has a data-flow pattern and, if so, to extract the data-flow pattern of the input Android application;
the data-flow pattern mining module is used to screen, from all preset malicious Android applications, the data-flow patterns whose confidence exceeds a preset confidence threshold and whose support exceeds a preset support threshold;
the data-flow pattern rule base is used to store the data-flow patterns screened by the data-flow pattern mining module;
the data-flow pattern matching module is used to match the data-flow pattern of the input Android application against the data-flow patterns in the data-flow pattern rule base.
2. A detection method for the Android malware detection system based on signatures and data-flow pattern mining, characterised in that it comprises the following steps:
Step 1), signature training and data-flow pattern training are carried out on all preset malicious Android applications, generating the malware signature database and the data-flow pattern rule base;
Step 2), the Android application under test is input to the signature generation module of the signature analysis component, which generates the signature of the application under test and inputs it to the signature matching module;
Step 3), the signature matching module matches the signature of the application under test against the signatures in the malware signature database; if the malware signature database contains a signature identical to that of the application under test, the application under test is judged to be malware and detection ends; otherwise step 4) is executed;
Step 4), the application under test is passed to the data-flow analysis module of the data-flow analysis component, which analyses whether the application under test has a data-flow pattern; if it does, the data-flow pattern of the application under test is extracted and step 5) is executed; if it does not, the application is judged to be safe software and detection ends;
Step 5), the data-flow pattern of the application under test is input to the data-flow pattern matching module, which matches it against the data-flow patterns in the data-flow pattern rule base; if the rule base contains a data-flow pattern identical to that of the application under test, the application under test is judged to be a malicious application and detection ends; otherwise the application under test is judged to be a risk application and detection ends.
3. The detection method of the Android malware detection system based on signatures and data-flow pattern mining according to claim 2, characterised in that step 1) comprises the following steps:
Step 1.1), all preset malicious Android applications are input in turn to the signature analysis component;
Step 1.2), the signature analysis component uses the signature generation module to generate an MD5 signature for each input malicious Android application and stores the signature together with the software name in the malware signature database;
Step 1.3), all preset malicious Android applications are input in turn to the data-flow analysis component;
Step 1.4), the data-flow analysis component uses its data-flow analysis module to perform data-flow analysis on each input malicious Android application, derives the data-flow pattern of each malicious Android application, and passes these patterns in turn to the data-flow pattern mining module;
Step 1.5), the data-flow pattern mining module screens, from the data-flow patterns of the malicious Android applications, those whose confidence exceeds the preset confidence threshold and whose support exceeds the preset support threshold, and stores them in the data-flow pattern rule base.
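The training procedure of claim 3 (steps 1.1 to 1.5) and the detection pipeline of claim 2 (MD5 lookup first, then data-flow pattern matching, with the three verdicts malware / safe / risk), as an added worked example in Python. This is editor-supplied illustration, not code from the patent or its applicant. The patent does not define how a data-flow pattern is represented or exactly how support and confidence are computed, so the example assumes a pattern is a (source API, sink API) pair produced by some taint analysis, support is the fraction of malicious training samples containing that flow, and confidence is the fraction of samples that use the source API in which the flow to that sink also appears (association-rule style). The APK bytes, software names and flows in the corpus are constructed.

```python
"""Signature + data-flow-pattern detector sketched from claims 1-3.

Added example, not the patent's own code. Assumptions (not defined by the
patent): a data-flow pattern is a (source API, sink API) pair; support and
confidence are computed as in association-rule mining over the malicious
training set; both thresholds are strict ('more than'), as the claims say.
"""
import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Pattern = Tuple[str, str]  # (source API, sink API)


@dataclass
class DetectorState:
    signature_db: Dict[str, str]  # MD5 hex digest -> software name (step 1.2)
    rule_base: Set[Pattern]       # mined data-flow patterns (step 1.5)


def md5_signature(apk_bytes: bytes) -> str:
    """Signature generation module: whole-file MD5 of the APK (step 1.2)."""
    return hashlib.md5(apk_bytes).hexdigest()


def mine_patterns(sample_patterns: List[Set[Pattern]],
                  support_threshold: float,
                  confidence_threshold: float) -> Set[Pattern]:
    """Data-flow pattern mining module (step 1.5).

    support(src->sink)    = share of malicious samples containing the flow
    confidence(src->sink) = share of samples that use `src` at all in which
                            the flow to `sink` also appears
    """
    n = len(sample_patterns)
    flow_count: Counter = Counter()
    source_count: Counter = Counter()
    for patterns in sample_patterns:
        flow_count.update(patterns)                        # each flow once per sample
        source_count.update({src for src, _ in patterns})  # each source once per sample
    mined: Set[Pattern] = set()
    for (src, sink), c in flow_count.items():
        support = c / n
        confidence = c / source_count[src]
        if support > support_threshold and confidence > confidence_threshold:
            mined.add((src, sink))
    return mined


def train(malicious_apps: Iterable[Tuple[str, bytes, Set[Pattern]]],
          support_threshold: float, confidence_threshold: float) -> DetectorState:
    """Step 1: build the malware signature database and the pattern rule base."""
    apps = list(malicious_apps)
    signature_db = {md5_signature(data): name for name, data, _ in apps}
    rule_base = mine_patterns([flows for _, _, flows in apps],
                              support_threshold, confidence_threshold)
    return DetectorState(signature_db, rule_base)


def detect(state: DetectorState, apk_bytes: bytes,
           patterns: Set[Pattern]) -> Tuple[str, str]:
    """Steps 2-5 of claim 2. Returns (verdict, reason)."""
    sig = md5_signature(apk_bytes)
    if sig in state.signature_db:                          # step 3: known sample
        return "malware", "signature match: " + state.signature_db[sig]
    if not patterns:                                       # step 4: nothing to match
        return "safe", "no data-flow pattern extracted"
    hits = patterns & state.rule_base                      # step 5: rule-base lookup
    if hits:
        return "malware", "pattern match: " + ", ".join(
            f"{src}->{sink}" for src, sink in sorted(hits))
    return "risk", "data-flow patterns present but none in rule base"


# Constructed training corpus: fake APK bytes, hypothetical names, illustrative flows.
MALICIOUS_CORPUS = [
    ("Trojan.A", b"PK\x03\x04 fake-apk-A",
     {("getDeviceId", "HttpURLConnection.getOutputStream"),
      ("getSubscriberId", "SmsManager.sendTextMessage")}),
    ("Trojan.B", b"PK\x03\x04 fake-apk-B",
     {("getDeviceId", "HttpURLConnection.getOutputStream")}),
    ("Trojan.C", b"PK\x03\x04 fake-apk-C",
     {("getDeviceId", "Log.d")}),
    ("Trojan.D", b"PK\x03\x04 fake-apk-D",
     {("getLine1Number", "SmsManager.sendTextMessage")}),
]


def build_state() -> DetectorState:
    """Train on the constructed corpus with illustrative thresholds."""
    return train(MALICIOUS_CORPUS, support_threshold=0.4, confidence_threshold=0.5)


if __name__ == "__main__":
    state = build_state()
    print("rule base:", sorted(state.rule_base))
    for label, data, flows in [
        ("known sample", MALICIOUS_CORPUS[0][1], set()),
        ("repacked sample", MALICIOUS_CORPUS[0][1] + b"\x00", MALICIOUS_CORPUS[0][2]),
        ("benign app", b"PK\x03\x04 benign", set()),
        ("unknown app", b"PK\x03\x04 unknown", {("getLine1Number", "SmsManager.sendTextMessage")}),
    ]:
        print(f"{label}: {detect(state, data, flows)}")
```

With the thresholds above only the getDeviceId-to-HTTP flow (present in two of four samples, and in two of the three samples that read the device ID) enters the rule base. Two points the run makes visible: a whole-file MD5 signature only catches byte-identical samples, so the repacked copy of Trojan.A (one appended byte) misses the signature stage and is caught only by the mined pattern; and because the thresholds are strict, a flow seen in a single training sample never enters the rule base, so an app exhibiting only such a flow lands in the "risk" bucket rather than "malware".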
CN201610832280.1A 2016-09-19 2016-09-19 The Android malware detecting system that is excavated with pattern of traffic based on signature and method Pending CN106503552A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610832280.1A CN106503552A (en) 2016-09-19 2016-09-19 The Android malware detecting system that is excavated with pattern of traffic based on signature and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610832280.1A CN106503552A (en) 2016-09-19 2016-09-19 The Android malware detecting system that is excavated with pattern of traffic based on signature and method

Publications (1)

Publication Number Publication Date
CN106503552A true CN106503552A (en) 2017-03-15

Family

ID=58291440

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610832280.1A Pending CN106503552A (en) 2016-09-19 2016-09-19 The Android malware detecting system that is excavated with pattern of traffic based on signature and method

Country Status (1)

Country Link
CN (1) CN106503552A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102034042A (en) * 2010-12-13 2011-04-27 四川大学 Novel unwanted code detecting method based on characteristics of function call relationship graph
CN102034050A (en) * 2011-01-25 2011-04-27 四川大学 Dynamic malicious software detection method based on virtual machine and sensitive Native application programming interface (API) calling perception
CN103842965A (en) * 2011-05-24 2014-06-04 帕洛阿尔托网络公司 Malware analysis system
CN104008340A (en) * 2014-06-09 2014-08-27 北京奇虎科技有限公司 Virus scanning and killing method and device

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
张怡婷 (Zhang Yiting): "Intelligent identification of malicious behaviour in Android software based on naive Bayes", Journal of Southeast University (《东南大学学报》) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106971106A (en) * 2017-03-30 2017-07-21 维沃移动通信有限公司 A kind of method, mobile terminal and server for recognizing unauthorized applications
CN108171053A (en) * 2017-12-28 2018-06-15 北京奇虎科技有限公司 The method and system of a kind of rule discovery
CN108171053B (en) * 2017-12-28 2020-06-12 北京奇虎科技有限公司 Rule discovery method and system
CN108959092A (en) * 2018-07-09 2018-12-07 中国联合网络通信集团有限公司 Software action analysis method and system
CN108959092B (en) * 2018-07-09 2022-03-18 中国联合网络通信集团有限公司 Software behavior analysis method and system
EP3918500B1 (en) * 2019-03-05 2024-04-24 Siemens Industry Software Inc. Machine learning-based anomaly detections for embedded software applications
CN113672919A (en) * 2021-08-05 2021-11-19 支付宝(杭州)信息技术有限公司 Risk detection method, device and equipment based on small program dynamic and static analysis

Similar Documents

Publication Publication Date Title
CN106503552A (en) The Android malware detecting system that is excavated with pattern of traffic based on signature and method
CN112134761B (en) Electric power Internet of things terminal vulnerability detection method and system based on firmware analysis
CN105740712B (en) Android malicious act detection methods based on Bayesian network
CN113821804B (en) Cross-architecture automatic detection method and system for third-party components and security risks thereof
CN102567661B (en) Program recognition method and device based on machine learning
Alam et al. A framework for metamorphic malware analysis and real-time detection
TWI553503B (en) Method of generating in-kernel hook point candidates to detect rootkits and system thereof
CN106778268A (en) Malicious code detecting method and system
CN107392025A (en) Malice Android application program detection method based on deep learning
CN111523117A (en) Android malicious software detection and malicious code positioning system and method
CN105653956A (en) Android malicious software sorting method based on dynamic behavior dependency graph
CN103853979A (en) Program identification method and device based on machine learning
CN107948168A (en) Page detection method and device
CN104766015B (en) A kind of buffer-overflow vulnerability dynamic testing method based on function call
CN105868630A (en) Malicious PDF document detection method
CN110096433B (en) Method for acquiring encrypted data on iOS platform
CN108280348A (en) Android Malware recognition methods based on RGB image mapping
CN106874762B (en) Android malicious code detecting method based on API dependence graph
CN105740711B (en) A kind of malicious code detecting method and system based on kernel objects behavior ontology
CN113468524B (en) RASP-based machine learning model security detection method
CN107944270A (en) A kind of Android malware detection system and method that can verify that
CN112257077A (en) Automatic vulnerability mining method based on deep learning
CN115292674A (en) Fraud application detection method and system based on user comment data
CN116932381A (en) Automatic evaluation method for security risk of applet and related equipment
CN108171057B (en) Android platform malicious software detection method based on feature matching

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20170315
