CN106874761A - Android system malicious application detection method and system - Google Patents
Android system malicious application detection method and system
- Publication number
- CN106874761A (application number CN201611256933.2A)
- Authority
- CN
- China
- Prior art keywords
- behavior
- sample set
- application
- authority
- feature
- Legal status
- Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/562—Static detection
- G06F21/563—Static detection by source code analysis
Abstract
The invention discloses a method and system for detecting malicious applications on the Android system, comprising: obtaining permission features by decompiling the application through reverse engineering; obtaining behavior features by collecting dynamic behavior and matching it against a defined behavior chain model; combining a large number of permission features and behavior features into a feature data sample set; having a machine learning algorithm generate a classifier from the feature data sample set; and feeding the features of an unknown application into the classifier to conclude whether the unknown application is malicious. The invention proposes a behavior chain model based on reverse engineering and dynamic behavior collection, then detects unknown applications with a machine learning algorithm, thereby identifying malicious applications effectively and with high accuracy. The detection method and system provided by the invention are therefore efficient, require no modification of the system source code, and have good usability.
Description
Technical field
The invention relates to the field of mobile Internet information security, and in particular to a method and system for detecting malicious applications on the Android system.
Background
With the rapid spread of smartphones, people have entered the era of the mobile Internet. Publication through application stores has become an important distribution model for mobile applications, and the mobile application industry has grown rapidly. Because mobile applications can obtain a large amount of sensitive information from mobile terminals, and can themselves generate high profits through mobile markets and advertisers, they are frequently attacked by hackers, and mobile application security incidents occur often. Third-party application markets of mixed quality and the lack of centralized, effective security review for the huge number of mobile applications have led to large numbers of malicious mobile applications being published in application markets. How to accurately identify, among a huge number of mobile applications, the malicious ones that may bring security risks to mobile terminals has become one of the important problems in mobile application security research.
At present the main means of malicious application detection can be divided into static detection and dynamic detection. Static detection methods: FlowDroid performs static taint analysis and generates a function call graph by analysing the bytecode file of the target program and the life cycle of its components. TaintDroid proposes a system-level dynamic taint analysis tool that marks sensitive information to monitor the information flow of private data in real time. However, static detection methods require continuous updating of the malicious application signature database and can only identify known malicious applications.
Dynamic detection methods: Kynoid, built on TaintDroid, dynamically detects the information flow between applications and data, provides real-time monitoring, and prevents privacy leakage; however, TaintDroid-based dynamic detection methods require modifying the Android operating system source code, which makes them hard to deploy widely.
Summary of the invention
In view of this, the object of the present invention is to propose a method and system for detecting malicious applications on the Android system that is efficient, has low overhead, and does not require modifying the Android system source code.
Based on the above object, the Android system malicious application detection method provided by the invention comprises:
decompiling the installation file of the application by reverse engineering to obtain permission features;
obtaining a behavior record of the application by dynamic behavior capture, and matching the behavior record against a defined behavior chain model to obtain behavior features;
combining the behavior features and the permission features into final features;
generating a feature data sample set from the final features of multiple known applications, and having a machine learning algorithm generate a classifier from the feature data sample set;
inputting the final features of an unknown application into the generated classifier to conclude whether the unknown application is malicious.
Further, the method of generating a feature data sample set from the final features of multiple known applications and having a machine learning algorithm generate a classifier from it comprises:
generating a feature data sample set from the final features of multiple known benign applications and malicious applications;
dividing the feature data sample set into a feature training sample set and a feature test sample set;
the machine learning algorithm generating a classifier from the feature training sample set, and the feature test sample set being used to test and evaluate the generated classifier.
Further, the method of decompiling the installation file of the application by reverse engineering to obtain permission features comprises:
decompiling the installation file of the application with a decompilation tool to obtain the permission features;
defining a permission feature vector P = (μ₁, μ₂, …, μᵢ, …, μₖ), where k is the total number of system permissions in the Android operating system and μᵢ indicates whether the application requested the i-th permission, 1 ≤ i ≤ k, μᵢ ∈ {0, 1}, 0 meaning the permission was not requested and 1 meaning it was requested.
Further, the method of matching the behavior record against the defined behavior chain model to obtain behavior features comprises:
matching the obtained behavior record against the defined behavior chain model to obtain the number of triggers of each behavior chain;
normalizing the trigger counts of all behavior chains to obtain the behavior feature vector S = (σ₁, σ₂, …, σᵢ, …, σₘ), where m is the total number of behavior chain models and σᵢ is the number of triggers of the i-th behavior chain model per thousand behavior records.
The combining of the behavior features and the permission features into final features comprises:
combining the permission feature vector P and the behavior feature vector S into a single final feature vector F:
F = (μ₁, μ₂, …, μᵢ, …, μₖ, σ₁, σ₂, …, σᵢ, …, σₘ).
Further, the method of obtaining the behavior record of the application by dynamic behavior capture comprises:
injecting a native dynamic library file into the process space of the target application;
loading the native dynamic library;
modifying the Method structure corresponding to the Java-layer API (Application Programming Interface) in the Dalvik virtual machine instance;
intercepting API calls through dynamic binding, thereby obtaining the behavior record of the application.
In another aspect, the invention also provides an Android system malicious application detection system, comprising:
a permission feature acquisition unit, for decompiling the installation file of the application by reverse engineering to obtain permission features;
a behavior feature acquisition unit, for obtaining a behavior record of the application by dynamic behavior capture and matching the behavior record against a defined behavior chain model to obtain behavior features;
a final feature generation unit, for combining the matched behavior features and the permission features into final features;
a classifier generation unit, for generating a feature data sample set from the final features of multiple known benign and malicious applications, dividing the feature data sample set into a feature training sample set and a feature test sample set, having the machine learning algorithm generate a classifier from the feature training sample set, and using the feature test sample set to test and evaluate the generated classifier;
a detection unit, for inputting the final features of an unknown application into the generated classifier to detect whether the unknown application is malicious.
Further, the classifier generation unit comprises:
a feature data sample set generation module, for generating a feature data sample set from the final features of multiple known benign and malicious applications;
a sample set division module, for dividing the feature data sample set into a feature training sample set and a feature test sample set;
a classifier training module, for having the machine learning algorithm generate a classifier from the feature training sample set, the feature test sample set being used to test and evaluate the generated classifier.
The permission feature acquisition unit is further used to decompile the installation file of the application with a decompilation tool;
and, after obtaining the permission features, to define the permission feature vector P = (μ₁, μ₂, …, μᵢ, …, μₖ), where k is the total number of system permissions in the Android operating system and μᵢ indicates whether the application requested the i-th permission, 1 ≤ i ≤ k, μᵢ ∈ {0, 1}, 0 meaning the permission was not requested and 1 meaning it was requested.
Further, the behavior feature acquisition unit is further used to match the obtained behavior record against the defined behavior chain model to obtain the number of triggers of each behavior chain;
and to normalize the trigger counts of all behavior chains to obtain the behavior feature vector S = (σ₁, σ₂, …, σᵢ, …, σₘ), where m is the total number of behavior chain models and σᵢ is the number of triggers of the i-th behavior chain model per thousand behavior records.
The final feature generation unit is further used to combine the permission feature vector P and the behavior feature vector S into a single final feature vector F:
F = (μ₁, μ₂, …, μᵢ, …, μₖ, σ₁, σ₂, …, σᵢ, …, σₘ).
Further, the behavior feature acquisition unit comprises a behavior record acquisition module, for injecting a native dynamic library file into the process space of the target application; further for loading the native dynamic library; for modifying the Method structure corresponding to the Java-layer API in the Dalvik virtual machine instance; and for intercepting API calls through dynamic binding, thereby obtaining the behavior record of the application.
It can be seen from the above that the Android system malicious application detection method provided by the invention obtains data from mobile applications by proposing a behavior chain model based on reverse engineering and dynamic behavior collection, and detects unknown applications with a machine learning algorithm, thereby identifying malicious applications effectively and with high accuracy, which remedies the shortcoming of traditional static detection methods that have difficulty detecting unknown applications. Moreover, the method does not require modifying the Android system source code, which overcomes the defect of dynamic detection methods that must modify the Android operating system source code, so it has good usability; and by performing detection in the cloud it effectively reduces the performance overhead on the mobile terminal.
Brief description of the drawings
Fig. 1 is a flowchart of an embodiment of the Android system malicious application detection method provided by the invention;
Fig. 2 is a flowchart of another embodiment of the Android system malicious application detection method provided by the invention;
Fig. 3 is a schematic diagram of an embodiment of the Android system malicious application detection system provided by the invention.
Detailed description
To make the object, technical solution and advantages of the invention clearer, the invention is described in further detail below with reference to specific embodiments and the accompanying drawings.
Fig. 1 is a flowchart of an embodiment of the Android system malicious application detection method provided by the invention; the detection method comprises:
Step 101, decompiling the installation file of the application by reverse engineering to obtain permission features;
Step 102, obtaining a behavior record of the application by dynamic behavior capture, and matching the behavior record against a defined behavior chain model to obtain behavior features;
Step 103, combining the behavior features and the permission features into final features;
Step 104, generating a feature data sample set from the final features of multiple known applications, and having a machine learning algorithm generate a classifier from the feature data sample set;
Step 105, inputting the final features of an unknown application into the generated classifier to conclude whether the unknown application is malicious.
It can be seen from the above that the Android system malicious application detection method provided by the invention obtains data from mobile applications by proposing a behavior chain model based on reverse engineering and dynamic behavior collection, and detects unknown applications with a machine learning algorithm, thereby identifying malicious applications effectively and with high accuracy; the method does not require modifying the Android system source code, has good usability, and by performing detection in the cloud effectively reduces the performance overhead on the mobile terminal.
Further, Fig. 2 is a flowchart of another embodiment of the Android system malicious application detection method provided by the invention:
Here, in step 101, the method of decompiling the installation file of the application by reverse engineering to obtain permission features further comprises:
Step 101a, decompiling the installation file of the application with a decompilation tool;
Step 101b, obtaining the permission features and defining the permission feature vector P = (μ₁, μ₂, …, μᵢ, …, μₖ), where k is the total number of system permissions in the Android operating system and μᵢ indicates whether the application requested the i-th permission, 1 ≤ i ≤ k, μᵢ ∈ {0, 1}, 0 meaning the permission was not requested and 1 meaning it was requested.
When an application needs to perform a potentially risky operation, it must first request the corresponding permission from the operating system; for example, reading the contact list requires the android.permission.READ_CONTACTS permission, and sending a text message requires the android.permission.SEND_SMS permission. The permissions an application requests at installation time therefore reflect, to a certain extent, the application's behavior and motivation.
Reverse engineering processes a program file without running its code, using lexical analysis, syntax analysis, control flow analysis, data flow analysis and other techniques to generate the program's disassembled code, and then determines the program's functionality by reading that disassembled code. Reverse processing of an Android application installation file yields the program source code and the application's permission requests.
The installation file of an Android application is an APK (Android Package); every APK file contains an AndroidManifest.xml file, which records the permissions the application needs to request from the operating system at installation time.
Step 101a, decompiling the installation file of the application with a decompilation tool, specifically comprises:
decompiling the APK file with the apktool tool to obtain the decompiled folder contents;
converting the smali files in the obtained folder into java files with the Smali2JavaUI tool; the java files contain the permission features.
Further, step 102, obtaining a behavior record of the application by dynamic behavior capture and matching the behavior record against a defined behavior chain model to obtain behavior features, specifically comprises:
Step 102a, behavior record collection based on process injection: injecting a native dynamic library file into the process space of the target application; loading the native dynamic library; modifying the Method structure corresponding to the Java-layer API (Application Programming Interface) in the Dalvik virtual machine instance; and intercepting API calls through dynamic binding, thereby obtaining the behavior record of the application.
Process injection loads a packaged third-party dynamic link library into the memory map of a specified process and calls its entry function so that the preset logic is executed. After successful injection, the packaged dynamic link library file can be seen by inspecting the process's memory map.
With dynamic behavior capture, a behavior information record is produced whenever the Android application calls an Android API, containing information such as the call time, API class name, API method name, thread ID, parameters and context. The collected behavior information can be packaged as JSON, which facilitates fast transfer between processes and over the network.
Step 102b is performed at the same time; the defined behavior chain model is:
L = (B₁, B₂, …, Bₙ)
where L is the behavior chain, B is a behavior, and n is the number of behaviors in the behavior chain.
A behavior means that the application executed a segment of instructions at run time: obtaining the phone's GPS location is a behavior, and initiating an HTTP request is also a behavior. A single behavior is not malicious in itself; for example, an application obtaining the phone's GPS location may be helping the user navigate or may be leaking the user's location. Therefore multiple behaviors are combined in a specific order into a behavior chain, and analysing the behavior chain reveals the application's behavioral intent more effectively.
Step 102c, matching the behavior record against the defined behavior chain model to obtain behavior features, specifically comprises:
matching the large number of obtained behavior records, which contain the call time, API class name, API method name, thread ID, parameters, context and other information, against the defined behavior chain model to obtain the number of triggers of each behavior chain L;
normalizing the trigger counts of all behavior chains to obtain the behavior feature vector S = (σ₁, σ₂, …, σᵢ, …, σₘ), where m is the total number of behavior chain models and σᵢ is the number of triggers of the i-th behavior chain model per thousand behavior records.
Step 103, combining the behavior features and the permission features into final features, specifically comprises: combining the permission feature vector P and the behavior feature vector S into a single final feature vector F:
F = (μ₁, μ₂, …, μᵢ, …, μₖ, σ₁, σ₂, …, σᵢ, …, σₘ).
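The feature construction of steps 101 to 103, as an added example that is not part of the patent: it parses an AndroidManifest.xml into P, matches JSON behavior records against behavior chains (the HTTP request chain is the one the patent's own example defines; the location-to-network chain, the five-permission list, the manifest and the records are constructed here), normalizes triggers per thousand records into S, and concatenates F. The chain matcher is an assumption about how matching works: a chain fires when its behaviors occur in order on one thread, with unrelated calls allowed in between.

```python
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed stand-in for the patent's list of risky permissions (k = 5 here, not 30).
RISKY_PERMISSIONS = [
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
]

# Constructed AndroidManifest.xml in the decoded form apktool produces.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.demo">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="demo"/>
</manifest>
"""

Behavior = Tuple[str, str]  # (API class name, API method name)

# Behavior chain models L = (B1, ..., Bn). "http_request" is the chain from the
# patent's example; "location_to_network" is a constructed GPS-then-upload chain.
BEHAVIOR_CHAINS: Dict[str, List[Behavior]] = {
    "http_request": [
        ("java.net.URL", "<init>"),
        ("java.net.URL", "openConnection"),
        ("java.net.HttpURLConnection", "getInputStream"),
        ("java.io.InputStream", "read"),
    ],
    "location_to_network": [
        ("android.location.LocationManager", "getLastKnownLocation"),
        ("java.net.URL", "<init>"),
        ("java.net.HttpURLConnection", "getOutputStream"),
    ],
}

# Constructed behavior records, one JSON object per line, in the shape the hook
# would emit: call time, API class, method, thread id and arguments.
SAMPLE_RECORDS = """
{"time": 1, "tid": 1, "class": "android.location.LocationManager", "method": "getLastKnownLocation", "args": ["gps"]}
{"time": 2, "tid": 1, "class": "java.net.URL", "method": "<init>", "args": ["http://example.invalid/upload"]}
{"time": 3, "tid": 1, "class": "java.net.URL", "method": "openConnection", "args": []}
{"time": 4, "tid": 1, "class": "java.net.HttpURLConnection", "method": "getOutputStream", "args": []}
{"time": 5, "tid": 1, "class": "java.net.HttpURLConnection", "method": "getInputStream", "args": []}
{"time": 6, "tid": 1, "class": "java.io.InputStream", "method": "read", "args": []}
{"time": 7, "tid": 2, "class": "java.net.URL", "method": "<init>", "args": ["http://example.invalid/ads"]}
{"time": 8, "tid": 2, "class": "java.net.URL", "method": "openConnection", "args": []}
{"time": 9, "tid": 3, "class": "java.io.InputStream", "method": "read", "args": []}
{"time": 10, "tid": 2, "class": "android.content.ContentResolver", "method": "query", "args": ["content://contacts"]}
"""


def permission_vector(manifest_xml: str, permissions: List[str] = RISKY_PERMISSIONS) -> List[int]:
    """P = (mu_1, ..., mu_k): 1 if the manifest requests the i-th risky permission, else 0."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return [1 if p in requested else 0 for p in permissions]


def parse_records(jsonl: str) -> List[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def count_chain_triggers(records: List[dict], chains: Dict[str, List[Behavior]]) -> Dict[str, int]:
    """Count completed chains: behaviors must occur in order on the same thread
    (other calls may sit between them); a completed chain resets its progress so
    the same calls are never counted twice. One call may advance several chains."""
    counts = {name: 0 for name in chains}
    by_thread: Dict[int, List[Behavior]] = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        by_thread.setdefault(rec["tid"], []).append((rec["class"], rec["method"]))
    for calls in by_thread.values():
        progress = {name: 0 for name in chains}
        for call in calls:
            for name, chain in chains.items():
                if call == chain[progress[name]]:
                    progress[name] += 1
                    if progress[name] == len(chain):
                        counts[name] += 1
                        progress[name] = 0
    return counts


def behavior_vector(records: List[dict], chains: Dict[str, List[Behavior]] = BEHAVIOR_CHAINS) -> List[float]:
    """S = (sigma_1, ..., sigma_m): triggers of each chain per thousand behavior records."""
    if not records:  # no captured behavior: every chain rate is zero rather than a division error
        return [0.0] * len(chains)
    counts = count_chain_triggers(records, chains)
    return [counts[name] * 1000.0 / len(records) for name in chains]


def final_feature_vector(manifest_xml: str, records: List[dict]) -> List[float]:
    """F = (mu_1, ..., mu_k, sigma_1, ..., sigma_m), the vector fed to the classifier."""
    return permission_vector(manifest_xml) + behavior_vector(records)
```

In the constructed records thread 1 completes both chains once (its URL construction advances both), thread 2 never reaches getInputStream, and thread 3's bare read matches nothing, so S = (100.0, 100.0) over ten records.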
Step 104, generating a feature data sample set from the final features of multiple known applications and having a machine learning algorithm generate a classifier from it, specifically comprises:
Step 104a, generating a feature data sample set from the final features of multiple known benign applications and malicious applications;
Step 104b, dividing the feature data sample set into a feature training sample set and a feature test sample set;
Step 104c, the machine learning algorithm generating a classifier from the feature training sample set, with the feature test sample set used to test and evaluate the generated classifier.
A classifier discovers classification rules by analysing a training set of known classes and uses them to predict the class of new data. The invention may use a Bayesian classifier, whose principle is to take an object's prior probability, compute its posterior probability with Bayes' formula, i.e. the probability that the object belongs to a given class, and choose the class with the largest posterior probability as the class of the object.
In step 103 the complete feature vector F of any application can be obtained; repeating these operations on a large number of different known applications yields a feature vector data sample set. The feature data sample set may be divided 9:1 into a feature training sample set and a feature test sample set. Training a Bayesian classifier on the feature training sample set yields the classifier used to detect malicious programs.
Step 105, inputting the final features of an unknown application into the generated classifier to conclude whether the unknown application is malicious, specifically comprises:
when detecting an unknown application, obtaining the final feature vector of the application under test and inputting it into the trained Bayesian classifier to conclude whether the unknown application is malicious.
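Steps 104 and 105 carried through, as an added example that is not the patent's own code: a naive Bayes classifier over F that models the binary μᵢ entries as Bernoulli and the σᵢ rates as Gaussian (this mixed model, the variance floor, and the labelled sample set are constructed assumptions; the patent only says "Bayesian classifier"), a 9:1 train/test split, and the maximum-posterior decision for an unknown vector.

```python
import math
import random
from typing import Dict, List, Tuple

K_PERMISSIONS = 5   # leading entries of F are the binary mu_i (k = 5 in this constructed set)
VAR_FLOOR = 1e-3    # keeps a constant chain rate in one class from producing a zero variance

Sample = Tuple[List[float], int]  # (feature vector F, label: 0 benign / 1 malicious)


def make_samples(rng: random.Random, n_benign: int, n_malicious: int) -> List[Sample]:
    """Constructed labelled F vectors: 5 permission bits followed by 3 chain rates per
    thousand records. Malicious apps always request SEND_SMS and fire the exfiltration chains."""
    samples: List[Sample] = []
    for _ in range(n_benign):
        perms = [rng.choice([0, 1]), 0, rng.choice([0, 1]), 1, 0]
        rates = [rng.uniform(20, 80), rng.uniform(0, 10), rng.uniform(0, 5)]
        samples.append((perms + rates, 0))
    for _ in range(n_malicious):
        perms = [1, 1, rng.choice([0, 1]), 1, rng.choice([0, 1])]
        rates = [rng.uniform(60, 150), rng.uniform(100, 250), rng.uniform(80, 200)]
        samples.append((perms + rates, 1))
    return samples


def split_samples(samples: List[Sample], rng: random.Random, train_fraction: float = 0.9):
    """Step 104b: shuffle, then cut 9:1 into training and test sets."""
    shuffled = list(samples)
    rng.shuffle(shuffled)
    cut = int(len(shuffled) * train_fraction)
    return shuffled[:cut], shuffled[cut:]


class BayesClassifier:
    """Naive Bayes over F: Bernoulli on the mu_i bits, Gaussian on the sigma_i rates."""

    def fit(self, samples: List[Sample]) -> "BayesClassifier":
        self.classes = sorted({y for _, y in samples})
        self.prior: Dict[int, float] = {}
        self.bern: Dict[int, List[float]] = {}
        self.mean: Dict[int, List[float]] = {}
        self.var: Dict[int, List[float]] = {}
        for c in self.classes:
            rows = [x for x, y in samples if y == c]
            self.prior[c] = len(rows) / len(samples)
            # Laplace smoothing: a permission never seen in a class must not give log(0)
            self.bern[c] = [(sum(r[i] for r in rows) + 1) / (len(rows) + 2)
                            for i in range(K_PERMISSIONS)]
            means, variances = [], []
            for i in range(K_PERMISSIONS, len(rows[0])):
                col = [r[i] for r in rows]
                m = sum(col) / len(col)
                means.append(m)
                variances.append(max(sum((v - m) ** 2 for v in col) / len(col), VAR_FLOOR))
            self.mean[c], self.var[c] = means, variances
        return self

    def log_posterior(self, x: List[float]) -> Dict[int, float]:
        """log P(class) + sum of log-likelihoods; the normalising constant is shared and dropped."""
        scores = {}
        for c in self.classes:
            s = math.log(self.prior[c])
            for i in range(K_PERMISSIONS):
                p = self.bern[c][i]
                s += math.log(p) if x[i] else math.log(1.0 - p)
            for j, xi in enumerate(x[K_PERMISSIONS:]):
                m, v = self.mean[c][j], self.var[c][j]
                s += -0.5 * math.log(2.0 * math.pi * v) - (xi - m) ** 2 / (2.0 * v)
            scores[c] = s
        return scores

    def predict(self, x: List[float]) -> int:
        """Step 105: the class with the maximum posterior."""
        scores = self.log_posterior(x)
        return max(scores, key=scores.get)


def evaluate(clf: BayesClassifier, test: List[Sample]) -> float:
    """Step 104c: accuracy of the classifier on the held-out feature test sample set."""
    if not test:
        return 0.0
    return sum(1 for x, y in test if clf.predict(x) == y) / len(test)


def train_and_evaluate(seed: int = 7, n_benign: int = 60, n_malicious: int = 60) -> dict:
    rng = random.Random(seed)
    train, test = split_samples(make_samples(rng, n_benign, n_malicious), rng)
    clf = BayesClassifier().fit(train)
    return {"clf": clf, "accuracy": evaluate(clf, test), "n_train": len(train), "n_test": len(test)}
```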
The detection method provided by the present invention is further illustrated by a specific embodiment, for example:
30 permissions with relatively high potential risk are selected from the Android system permissions. The application's installation file is then decompiled, the permissions requested by the application are obtained by analysing the AndroidManifest.xml file, and the permission feature vector P is generated:
P=(0,1,1,1,0,0,0,0,0,1,1,0,0,0,1,1,0,0,1,0,1,0,0,0,1,1,0,0,1,1)
Through dynamic behavior capture a large number of behavior records of the Android application can be obtained. Each record contains context information: the API method name, call time, method parameters, method return value, process ID and thread ID.
Taking the initiation of an HTTP (HyperText Transfer Protocol) request as an example of building a behavior chain model: an application completes the initiation of an HTTP request through a series of method calls: (1) construct a URL (Uniform Resource Locator) object; (2) call the openConnection method of the URL object to obtain an HttpURLConnection object; (3) call the getInputStream method of the HttpURLConnection object to obtain the input byte stream; (4) call the read method of the InputStream object. From this the behavior chain model of the HTTP request, L=(B1,B2,B3,B4), is obtained.
In the same way, multiple potentially risky behavior chain models can be defined, for example 10 behavior chain models.
Matching the obtained behavior chain models against the large number of behavior records gives the trigger count of each behavior chain L and generates the behavior feature vector S: S=(142,49,82,73,17,251,109,207,29,41)
The final feature vector F is obtained from the permission feature vector P and the behavior feature vector S: F=(0,1,1,1,0,0,0,0,0,1,1,0,0,0,1,1,0,0,1,0,1,0,0,0,1,1,0,0,1,1,142,49,82,73,17,251,109,207,29,41).
Through the above steps the feature vector of any Android application can be obtained. For example, 200 malicious applications and 200 normal applications can be selected as the sample set; these 400 applications are analysed one by one, and the resulting 400 feature vectors form the feature vector data sample set. The feature data sample set can be divided into a feature training sample set and a feature test sample set at a ratio of 9:1, and the Bayesian classifier is trained with the feature training sample set to obtain a trained Bayesian classifier for detecting malicious programs.
When detecting an unknown application, the feature vector of the application under test is obtained and input into the trained Bayesian classifier, which outputs the conclusion on whether the unknown application is a malicious application.
It can be seen that the Android system malicious application detection method provided by the present invention proposes a behavior chain model based on reverse engineering and dynamic behavior collection to obtain data from mobile applications, and detects unknown applications with a machine learning algorithm, thereby achieving effective identification of malicious applications with relatively high accuracy and making up for the shortcoming of traditional static detection methods, which have difficulty detecting unknown applications. The detection method provided by the present invention does not require modifying the Android system source code, overcoming the defect of dynamic detection methods that require modifying the Android operating system source code. Furthermore, the detection method combines dynamic analysis with static analysis so that their advantages complement each other, and performs detection in the cloud to reduce the performance overhead of the mobile terminal. Thus the present invention provides an Android system malicious application detection method that is efficient, low-overhead and does not require modifying the Android system source code.
In another aspect, the present invention also provides an Android system malicious application detection system. FIG. 3 is a schematic diagram of an embodiment of the Android system malicious application detection system provided by the present invention. The system includes:
a permission feature acquisition unit 301, configured to decompile the application's installation file through reverse engineering to obtain the permission feature;
a behavior feature acquisition unit 302, configured to obtain the behavior records of the application through dynamic behavior capture, and to match the behavior records against the defined behavior chain models to obtain the behavior feature;
a final feature generation unit 303, configured to combine the matched behavior feature with the permission feature into the final feature;
a classifier generation unit 304, configured to generate a feature data sample set from the final features of multiple known applications, with which a machine learning algorithm generates the classifier;
a detection unit 305, configured to input the final feature of an unknown application into the generated classifier to detect whether the unknown application is a malicious application.
The permission feature acquisition unit 301 is further configured to decompile the application's installation file using a decompilation tool, and, after obtaining the permission feature, to define the permission feature vector P=(μ1,μ2…μi…μk), where k is the total number of system permissions in the Android operating system, μi indicates whether the application requested the i-th permission, 1≤i≤k, μi∈{0,1}, 0 meaning the permission was not requested and 1 meaning it was requested.
The defined behavior chain model is:
L=(B1,B2,…,Bn)
where L denotes a behavior chain, B denotes a behavior, and n denotes the number of behaviors in the behavior chain.
The behavior feature acquisition unit 302 is further configured to match the obtained behavior records against the defined behavior chain models, giving the trigger count of each behavior chain L;
and to normalise the trigger counts of all behavior chains, giving the behavior feature vector S=(σ1,σ2…σi…σm), where m is the total number of behavior chain models and σi is the number of triggers of the i-th behavior chain model per thousand behavior records.
The final feature generation unit 303 is further configured to combine the permission feature vector P and the behavior feature vector S into a single final feature vector F:
F=(μ1,μ2…μi…μk,σ1,σ2…σi…σm).
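The extraction of P, S and F described in the embodiment above (permission vector from AndroidManifest.xml, behavior chain trigger counts, concatenation) and formalised for units 301 to 303, as an added Python example that is not the patent's own code. It assumes a constructed watch-list of six permissions standing in for the patent's 30, uses the HTTP behavior chain from the description plus a constructed SMS chain, runs them over constructed behavior records, and normalises the trigger counts per thousand records as σi is defined. The matching rule (the methods of a chain observed in order within one thread) is an assumption; the description does not specify how a match is decided.

```python
"""Permission and behavior-chain feature extraction (added example, not the patent's code)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed watch-list standing in for the patent's 30 selected high-risk
# permissions; index i of this list corresponds to mu_i in P.
RISKY_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
]

# Constructed manifest text of the kind decompiling an APK yields (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="sample"/>
</manifest>
"""


def permission_vector(manifest_xml, permissions=RISKY_PERMISSIONS):
    """P = (mu_1 .. mu_k): mu_i = 1 if the i-th watched permission is requested, else 0."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return [1 if p in requested else 0 for p in permissions]


# Behavior chain models L = (B1, ..., Bn); each B is an API method name.
# "http_request" is the chain given in the description; "send_sms" is constructed.
BEHAVIOR_CHAINS = {
    "http_request": [
        "java.net.URL.<init>",
        "java.net.URL.openConnection",
        "java.net.HttpURLConnection.getInputStream",
        "java.io.InputStream.read",
    ],
    "send_sms": [
        "android.telephony.SmsManager.getDefault",
        "android.telephony.SmsManager.sendTextMessage",
    ],
}

# Constructed behavior records: (call time in ms, process id, thread id, API method name).
SAMPLE_RECORDS = [
    (100, 1234, 1, "java.net.URL.<init>"),
    (101, 1234, 1, "java.net.URL.openConnection"),
    (102, 1234, 1, "java.net.HttpURLConnection.getInputStream"),
    (103, 1234, 1, "java.io.InputStream.read"),
    (110, 1234, 2, "android.telephony.SmsManager.getDefault"),
    (120, 1234, 1, "java.net.URL.<init>"),
    (121, 1234, 1, "java.net.URL.openConnection"),
    (125, 1234, 2, "android.telephony.SmsManager.sendTextMessage"),
    (130, 1234, 1, "java.net.HttpURLConnection.getInputStream"),
    (131, 1234, 1, "java.io.InputStream.read"),
]


def chain_trigger_counts(records, chains):
    """Count how often each chain is triggered: its methods seen in order on one thread.

    A chain restarts when its first method reappears, and resets after completing,
    so overlapping partial sequences are not double-counted (assumed matching rule).
    """
    counts = {name: 0 for name in chains}
    progress = {}  # (thread id, chain name) -> index of the next expected method
    for _ts, _pid, tid, method in sorted(records):
        for name, chain in chains.items():
            key = (tid, name)
            idx = progress.get(key, 0)
            if method == chain[idx]:
                idx += 1
            elif method == chain[0]:
                idx = 1
            else:
                continue
            if idx == len(chain):
                counts[name] += 1
                idx = 0
            progress[key] = idx
    return counts


def behavior_vector(records, chains=BEHAVIOR_CHAINS):
    """S = (sigma_1 .. sigma_m): triggers of chain i per thousand behavior records."""
    if not records:
        return [0.0] * len(chains)
    counts = chain_trigger_counts(records, chains)
    return [counts[name] * 1000.0 / len(records) for name in chains]


def final_feature_vector(manifest_xml, records):
    """F = (P, S): the permission bits followed by the normalised chain rates."""
    return permission_vector(manifest_xml) + behavior_vector(records)


if __name__ == "__main__":
    print("P =", permission_vector(SAMPLE_MANIFEST))
    print("S =", behavior_vector(SAMPLE_RECORDS))
    print("F =", final_feature_vector(SAMPLE_MANIFEST, SAMPLE_RECORDS))
```

On the constructed records the HTTP chain completes twice on thread 1 and the SMS chain once on thread 2, so with ten records S is (200.0, 100.0); the embodiment's S uses raw counts, whereas the per-thousand form is the one unit 302 defines.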
Further, the permission feature acquisition unit 301 includes a behavior record acquisition module, configured to inject a native dynamic library file into the process space of the target application; further configured to load the native dynamic library, to modify the corresponding Method structures of the Java-layer APIs in the Dalvik virtual machine instance, and to intercept API calls through dynamic binding, thereby obtaining the behavior records of the application.
Further, the classifier generation unit 304 includes:
a feature data sample set generation module, configured to generate a feature data sample set from the final features of multiple known normal applications and malicious applications;
a sample set division module, configured to divide the feature data sample set into a feature training sample set and a feature test sample set;
a classifier training module, configured for the machine learning algorithm to generate a classifier using the feature training sample set, the feature test sample set being used to test and evaluate the generated classifier.
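The Bayesian classifier of steps 104 and 105 and of unit 304, as an added Python example rather than the patent's own code: a naive Bayes classifier written from scratch (Bernoulli likelihoods for the permission bits, Gaussian likelihoods for the per-thousand chain rates, argmax of log prior plus log likelihood), trained on a constructed, labelled sample set of 200 "malicious" and 200 "benign" feature vectors split 9:1 into training and test sets, evaluated on the held-out tenth, and then applied to an unknown vector. The feature distributions of the constructed samples and the Bernoulli/Gaussian likelihood choice are assumptions; the description only says "Bayesian classifier".

```python
"""Naive Bayes over the final feature vector F = (P, S) (added example, not the patent's code)."""
import math
import random

K_PERMS = 6   # number of binary permission features mu_i (assumption)
M_CHAINS = 2  # number of behavior-chain rate features sigma_i (assumption)


class MixedNaiveBayes:
    """Bernoulli likelihoods for the k permission bits, Gaussian for the chain rates.

    predict() returns argmax_c [ log P(c) + sum_i log P(x_i | c) ], which is Bayes'
    rule with the class-independent evidence term dropped.
    """

    def __init__(self, k, alpha=1.0):
        self.k = k
        self.alpha = alpha   # Laplace smoothing for the Bernoulli estimates
        self.log_prior = {}  # class -> log prior probability
        self.bern = {}       # class -> [P(mu_i = 1 | class)]
        self.gauss = {}      # class -> [(mean, variance)] per chain feature

    def fit(self, X, y):
        n = len(y)
        for c in sorted(set(y)):
            rows = [x for x, label in zip(X, y) if label == c]
            nc = len(rows)
            self.log_prior[c] = math.log(nc / n)
            self.bern[c] = [
                (sum(r[i] for r in rows) + self.alpha) / (nc + 2 * self.alpha)
                for i in range(self.k)
            ]
            params = []
            for j in range(self.k, len(rows[0])):
                col = [r[j] for r in rows]
                mean = sum(col) / nc
                var = sum((v - mean) ** 2 for v in col) / nc + 1e-6  # guard: zero variance
                params.append((mean, var))
            self.gauss[c] = params
        return self

    def log_posterior(self, x, c):
        lp = self.log_prior[c]
        for i, p in enumerate(self.bern[c]):
            lp += math.log(p) if x[i] else math.log(1.0 - p)
        for j, (mean, var) in enumerate(self.gauss[c]):
            v = x[self.k + j]
            lp += -0.5 * math.log(2 * math.pi * var) - (v - mean) ** 2 / (2 * var)
        return lp

    def predict(self, x):
        return max(self.log_prior, key=lambda c: self.log_posterior(x, c))


def make_samples(n_per_class=200, seed=7):
    """Constructed labelled sample set (not real app data): benign apps request few
    watched permissions and trigger chains rarely, malicious ones the opposite."""
    rng = random.Random(seed)
    X, y = [], []
    for label, p_perm, rate_mean, rate_sd in (
        ("benign", 0.2, 30.0, 15.0),
        ("malicious", 0.7, 180.0, 40.0),
    ):
        for _ in range(n_per_class):
            perms = [1 if rng.random() < p_perm else 0 for _ in range(K_PERMS)]
            rates = [max(0.0, rng.gauss(rate_mean, rate_sd)) for _ in range(M_CHAINS)]
            X.append(perms + rates)
            y.append(label)
    return X, y


def split_9_to_1(X, y, seed=7):
    """Shuffle and split the sample set 9:1 into training and test sets."""
    idx = list(range(len(y)))
    random.Random(seed).shuffle(idx)
    cut = len(idx) * 9 // 10
    tr, te = idx[:cut], idx[cut:]
    return [X[i] for i in tr], [y[i] for i in tr], [X[i] for i in te], [y[i] for i in te]


def train_and_evaluate(n_per_class=200, seed=7):
    """Train on the 9/10 split; return (classifier, accuracy on the held-out 1/10)."""
    X, y = make_samples(n_per_class, seed)
    Xtr, ytr, Xte, yte = split_9_to_1(X, y, seed)
    clf = MixedNaiveBayes(K_PERMS).fit(Xtr, ytr)
    correct = sum(clf.predict(x) == label for x, label in zip(Xte, yte))
    return clf, correct / len(yte)


if __name__ == "__main__":
    clf, acc = train_and_evaluate()
    print(f"held-out accuracy: {acc:.2f}")
    # Step 105: feed an unknown app's final feature vector (constructed) to the classifier.
    print(clf.predict([1, 1, 1, 0, 1, 1, 210.0, 150.0]))
```

The held-out test set is what unit 304's sample set division module exists for: accuracy measured on training data says nothing about unknown applications, and a detector that looks perfect in training but is tuned to one app market's permission habits will miss new families, so the test split should come from apps not used to pick the watched permissions or the chain models.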
It can be seen that the Android system malicious application detection method and system provided by the present invention propose a behavior chain model based on reverse engineering and dynamic behavior collection to obtain data from mobile applications, and detect unknown applications with a machine learning algorithm, thereby achieving effective identification of malicious applications with relatively high accuracy and making up for the shortcoming of traditional static detection methods, which have difficulty detecting unknown applications. The detection method provided by the present invention does not require modifying the Android system source code, overcoming the defect of dynamic detection methods that require modifying the Android operating system source code. Furthermore, the detection method combines dynamic analysis with static analysis so that their advantages complement each other, and performs detection in the cloud to reduce the performance overhead of the mobile terminal. Thus the present invention provides an Android system malicious application detection method and system that are efficient, low-overhead and do not require modifying the Android system source code.
Those of ordinary skill in the art should understand that the discussion of any embodiment above is exemplary only and is not intended to imply that the scope of the present disclosure (including the claims) is limited to these examples; within the idea of the present invention, technical features of the above embodiments or of different embodiments may also be combined, the steps may be carried out in any order, and many other variations of the different aspects of the present invention described above exist, which are not provided in detail for the sake of brevity.
In addition, to simplify the description and discussion, and so as not to obscure the present invention, well-known power/ground connections to integrated circuit (IC) chips and other components may or may not be shown in the provided figures. Furthermore, devices may be shown in block diagram form in order to avoid obscuring the present invention, which also takes into account the fact that details of the implementation of these block diagram devices depend heavily on the platform on which the present invention is to be implemented (i.e. these details should be well within the understanding of those skilled in the art). Where specific details (e.g. circuits) have been set forth to describe exemplary embodiments of the present invention, it will be apparent to those skilled in the art that the present invention may be implemented without these specific details or with variations of them. Accordingly, these descriptions should be regarded as illustrative rather than restrictive.
Although the present invention has been described in conjunction with specific embodiments thereof, many alternatives, modifications and variations of those embodiments will be apparent to those of ordinary skill in the art from the foregoing description. For example, other memory architectures (e.g. dynamic RAM (DRAM)) may use the discussed embodiments.
The embodiments of the present invention are intended to cover all such alternatives, modifications and variations that fall within the broad scope of the appended claims. Therefore, any omissions, modifications, equivalent replacements, improvements, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611256933.2A CN106874761A (en) | 2016-12-30 | 2016-12-30 | A kind of Android system malicious application detection method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106874761A true CN106874761A (en) | 2017-06-20 |
Family
ID=59165355
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20170620 |